ssh key generation, FIDO private key info
admin edited this page 2026-02-17 08:16:46 -05:00
  • ssh-keygen -t ed25519-sk -O resident -O verify-required -f /home/user/.ssh/id_my_example_1sk
  • ssh-copy-id -i /home/user/.ssh/id_my_example_1sk.pub -o IdentitiesOnly=yes user@192.168.122.96
  • ssh -i /home/user/.ssh/id_my_example_1sk -o IdentitiesOnly=yes user@192.168.122.96

With the ssh-keygen -t ed25519-sk -O resident command, the private key is generated on, and never leaves, your FIDO2 hardware security key; it is not stored as a traditional key file on your computer's disk. What ssh-keygen writes locally (by default ~/.ssh/id_ed25519_sk on a Unix-like system) is a small "key handle" (credential ID) file: a pointer that tells your SSH client which credential on the physical device to ask for a signature. The -O resident part additionally stores the credential on the authenticator itself (a FIDO2 discoverable credential), which is what makes it retrievable later on another machine. Key characteristics of resident keys:

  • Physical Storage: The actual private key is secured within the secure element of your FIDO2 authenticator (e.g., a [YubiKey](https://www.complete.org/easily-using-ssh-with-fido2-u2f-hardware-security-keys/)).
  • Local File: A companion handle file is created on your host machine as a reference to the on-device key. It is still required to use the key (unless you re-download it with -K, see below), so keep it with normal private-key permissions (0600).
  • Portability: The primary advantage of a resident key is that you can use it on any computer without transferring any sensitive key files. ssh-add -K loads the resident keys straight from the security key into the running ssh-agent; ssh-keygen -K downloads them and writes fresh handle and public-key files into the current directory. Both prompt for the authenticator's PIN.
  • Security: Using the key for an SSH session requires physical possession of the security key and, by default, a touch on it (user presence). When the key was created with -O verify-required it additionally requires user verification, typically the PIN.

The -O verify-required option, when used during the generation of a FIDO/U2F SSH key (like ed25519-sk), records in the credential that user verification (typically a PIN entry, or a biometric on authenticators that support one) must be performed for every signature made with that key. Without it, the default is user presence only: a touch, no PIN. Because the requirement is part of the key, a server can also insist on it with the verify-required option in authorized_keys.

The -o IdentitiesOnly=yes option is passed through by ssh-copy-id to the underlying ssh command and tells ssh to offer only the identity keys explicitly specified on the command line (-i) or in its configuration files, ignoring any other identities loaded into a running ssh-agent and the default key files in ~/.ssh. This is primarily used to prevent "Too many authentication failures" errors, which the server raises when the client offers more keys than sshd's MaxAuthTries (6 by default) before the correct one is accepted. Here it guarantees that ssh-copy-id falls back to password authentication cleanly to install the key, and that the later ssh login presents only the intended FIDO key.
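The three-step procedure at the top of the page, wrapped in checked shell functions, as an added example that is not part of the original page. The function names, the key path, the host alias and the two sample public-key lines are assumptions constructed for this example; the steps that touch the authenticator or the network only run when the script is invoked with the "provision" argument, so the file can be sourced offline.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, KEY paths and
# the SAMPLE_* public-key lines are assumptions made for this example.
set -eu

# Step 1: generate a resident, verify-required FIDO2 key. The authenticator
# must be plugged in; ssh-keygen prompts for its PIN and a touch. Only the
# key handle lands in $key; the private key stays on the device.
provision_sk_key() {
  key="$1"
  if [ -e "$key" ] || [ -e "$key.pub" ]; then
    echo "refusing to overwrite existing $key" >&2
    return 1
  fi
  ssh-keygen -t ed25519-sk -O resident -O verify-required \
    -C "sk-$(hostname)-$(date +%F)" -f "$key"
  chmod 600 "$key"          # ssh-keygen already does this; belt and braces
}

# Print the first field of a public-key line and succeed only for the two
# FIDO key types OpenSSH supports, so a plain ed25519 key handed in by
# mistake is caught before it is copied to a server.
sk_key_type() {
  type="${1%% *}"
  printf '%s\n' "$type"
  case "$type" in
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
    *) return 1 ;;
  esac
}

# An ssh_config stanza that offers only this key (IdentitiesOnly yes), so
# other loaded identities cannot trigger "Too many authentication failures".
sk_config_stanza() {
  alias_="$1"; host="$2"; user="$3"; key="$4"
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
    "$alias_" "$host" "$user" "$key"
}

# Steps 2 and 3: install the public key over password auth, then prove the
# FIDO key works (expect a PIN prompt and a touch) with password auth disabled,
# so a silent fallback to a password cannot mask a broken key.
install_and_test() {
  key="$1"; target="$2"     # target is user@host
  sk_key_type "$(cat "$key.pub")" >/dev/null || {
    echo "$key.pub is not a FIDO (sk-) key" >&2; return 1; }
  ssh-copy-id -i "$key.pub" -o IdentitiesOnly=yes "$target"
  ssh -i "$key" -o IdentitiesOnly=yes -o PasswordAuthentication=no "$target" true
}

# On a new machine: pull the handles for resident keys off the authenticator.
# ssh-keygen -K prompts for the PIN and writes id_*_sk_rk* files into the
# current directory; nothing secret has to be copied from the old machine.
recover_resident_keys() {
  ( cd "${1:-$HOME/.ssh}" && ssh-keygen -K )
}

# Constructed samples for offline use: a real sk key line starts with the
# base64 of its type string; the rest of each blob is a placeholder here.
SAMPLE_SK_PUB='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t...PLACEHOLDER user@example'
SAMPLE_PLAIN_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...PLACEHOLDER user@example'

# Usage: sh sk_workflow.sh provision /home/user/.ssh/id_my_example_1sk user@192.168.122.96
if [ "${1:-}" = "provision" ]; then
  key="${2:?key path}"; target="${3:?user@host}"
  provision_sk_key "$key"
  install_and_test "$key" "$target"
  echo "append this to ~/.ssh/config:"
  sk_config_stanza myhost "${target#*@}" "${target%@*}" "$key"
fi
```

The login test passes -o PasswordAuthentication=no deliberately: the page's plain ssh -i ... command would quietly fall back to a password if the FIDO key were rejected, and you would not notice that the key never worked.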