2. Setting up your SSH keys


Last updated 4 months ago

First, verify that you have the latest version of SSH installed. As your regular user, open a PowerShell terminal and type ssh -V

Once that has been verified, execute the following command in PowerShell.

ssh-keygen.exe -t ed25519-sk -O resident -O verify-required -O application=ssh:key9.dev

The -t flag specifies the type of key to be generated by OpenSSH. We intend to use ED25519 with the "Security Key" option, indicated by the -sk at the end. Additionally, the -O verify-required option mandates the input of a PIN before the SSH key can be utilized.

After execution, you should see something like the below. Select the "Security Key" option.

You may encounter the following screen, on which you should click "OK".

At this point, you'll be asked to enter your Yubikey's PIN.

After you click "okay," it may seem like the setup is finished, but it's not. You will be taken back to PowerShell. In PowerShell, you will be asked to enter a "file to save your key" and a "passphrase." If you only have one key, it's best to just press "enter" for the file location. This is also the default location OpenSSH will look for the key.

When prompted for a "Passphrase", simply hit "enter". Our key will be signed with our Yubikey and there is no need for a "Passphrase".

In short, you can hit "enter" through all the prompts.

You should see something like the below.

Screenshot captions:
  • Example output from ssh -V
  • Where to save your ED25519 key.
  • The software is letting you know ssh-sk-helper.exe is about to be executed
  • Continue setup
  • Enter your Yubikey PIN number
  • Touch your key to prove proximity
  • Screen letting you know the key is setup, but there is more!
  • OpenSSH prompts for key file location and "passphrases"
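
Before enrolling the key, it is worth confirming that the public key OpenSSH wrote is a FIDO2-backed ED25519 key bound to the ssh:key9.dev application given with -O application. The PowerShell below is an added example, not part of the original Key9 instructions: it parses the public key blob and reports the key type and application. The helper names are hypothetical, the sample key line is constructed, and the default file name id_ed25519_sk.pub is assumed.

```powershell
# Added example (not Key9's code). Read-SshString and Test-SkPublicKey are hypothetical helpers.
function Read-SshString {
    param([byte[]]$Blob, [int]$Offset)
    # SSH wire format: 4-byte big-endian length, then that many bytes.
    if ($Offset + 4 -gt $Blob.Length) { throw 'Truncated key blob (length field).' }
    $len = ([int]$Blob[$Offset] -shl 24) -bor ([int]$Blob[$Offset + 1] -shl 16) -bor
           ([int]$Blob[$Offset + 2] -shl 8) -bor [int]$Blob[$Offset + 3]
    $start = $Offset + 4
    if ($len -lt 0 -or $start + $len -gt $Blob.Length) { throw 'Truncated key blob (data).' }
    $data = [byte[]]::new($len)
    [Array]::Copy($Blob, $start, $data, 0, $len)
    [pscustomobject]@{ Data = $data; Next = $start + $len }
}

function Test-SkPublicKey {
    param([string]$PublicKeyLine, [string]$ExpectedApplication = 'ssh:key9.dev')
    $fields = $PublicKeyLine.Trim() -split '\s+'
    if ($fields.Count -lt 2) { throw 'Not an OpenSSH public key line.' }
    $blob = [Convert]::FromBase64String($fields[1])
    # Blob layout for this key type: type name, 32-byte public key, application.
    $type = Read-SshString $blob 0
    $pk   = Read-SshString $blob $type.Next
    $app  = Read-SshString $blob $pk.Next
    $typeName = [Text.Encoding]::ASCII.GetString($type.Data)
    $appName  = [Text.Encoding]::ASCII.GetString($app.Data)
    [pscustomobject]@{
        KeyType            = $typeName
        Application        = $appName
        IsFidoEd25519      = ($typeName -ceq 'sk-ssh-ed25519@openssh.com') -and
                             ($fields[0] -ceq $typeName) -and ($pk.Data.Length -eq 32)
        ApplicationMatches = ($appName -ceq $ExpectedApplication)
    }
}

# Constructed sample key line (32 zero bytes stand in for a real public key).
$ms = [IO.MemoryStream]::new()
foreach ($part in @([Text.Encoding]::ASCII.GetBytes('sk-ssh-ed25519@openssh.com'),
                    [byte[]]::new(32),
                    [Text.Encoding]::ASCII.GetBytes('ssh:key9.dev'))) {
    $len = [BitConverter]::GetBytes([int]$part.Length)
    [Array]::Reverse($len)                      # little-endian -> big-endian
    $ms.Write($len, 0, 4); $ms.Write($part, 0, $part.Length)
}
$sample = 'sk-ssh-ed25519@openssh.com ' + [Convert]::ToBase64String($ms.ToArray()) + ' constructed-sample'
Test-SkPublicKey $sample

# Against the key generated above (default path assumed):
# Test-SkPublicKey (Get-Content "$env:USERPROFILE\.ssh\id_ed25519_sk.pub")
```

The verify-required setting is recorded with the private key handle rather than in the public key, so this check does not cover it.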