TritonDataCenter / sdc-adminui

Operator portal for Triton DataCenter
Mozilla Public License 2.0

Add support for 2FA (FIDO2) ssh keys #259

Open fbettag opened 4 years ago

fbettag commented 4 years ago

I'd like to at least be able to provision VMs with FIDO2 keys, even if the openssh on SmartOS doesn't yet. I am explicitly looking for "sk-ecdsa-sha2-nistp256@openssh.com" as the key type.

But I am guessing it's the same as #227, am I right?

arekinath commented 4 years ago

Yes, roughly. There is at least now an X509 format for Ed25519 keys, so that can be done now without issues. But these "sk" keys are not likely to receive X509 algorithm IDs anytime soon, since U2F/FIDO2 keys are very limited in the format of the data they can sign. They can't sign a valid http-signature payload -- the whole structure of the signed data would have to be changed to allow them to work.

FWIW, if you're using a YubiKey or similar fully-featured device which also has a PIV applet, you can use keys stored in that to authenticate with Triton. There's even some support for validating and enforcing attestation certificates, which allow the system to know/enforce that the key was generated on-device (so can't be copied) and whether touch-button confirmation is required on a certain key -- it's in UFDS and CloudAPI but not wired up into AdminUI yet that I know of. This is what I'd normally suggest for 2FA with Triton at the moment (and what I use every day).
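To make the "limited in the format of the data they can sign" point concrete, here is an added example that is not part of this thread and not code from sdc-adminui or Triton. It parses an `sk-ecdsa-sha2-nistp256@openssh.com` public key line into its wire-format fields (key type, curve, EC point, FIDO application string) and builds the 69 bytes a U2F/FIDO2 authenticator actually signs for that key type, as laid out in OpenSSH's PROTOCOL.u2f: SHA256(application) || flags || counter || SHA256(message). Assumptions, all labelled in the code: the sample key is constructed by using the P-256 generator point as the public point (not a real device key) with the default application string `ssh:`; `HTTP_SIGNING_STRING` is a constructed signing string in the form an http-signature verifier would expect a signature over directly. Only the Python standard library is used.

```python
import base64
import hashlib
import struct

# P-256 (nistp256) domain parameters, used only to check that a parsed point is on the curve.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

SK_ECDSA_TYPE = b"sk-ecdsa-sha2-nistp256@openssh.com"

# Constructed example: what an http-signature (draft-cavage) verifier expects the key to
# have signed. The bytes are a made-up "date" header line, not captured traffic.
HTTP_SIGNING_STRING = b"date: Tue, 07 Jun 2014 20:51:35 GMT"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def on_p256(x: int, y: int) -> bool:
    """y^2 == x^3 - 3x + b (mod p): rejects garbage points before anyone trusts them."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_sk_pubkey(line: str) -> dict:
    """Parse one authorized_keys-style line holding an sk-ecdsa-sha2-nistp256 key.

    Blob layout (PROTOCOL.u2f): string type, string curve, string EC point, string application.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    off = 0
    ktype, off = read_ssh_string(blob, off)
    if ktype != fields[0].encode():
        raise ValueError("key type inside blob does not match the line prefix")
    if ktype != SK_ECDSA_TYPE:
        raise ValueError("not an sk-ecdsa key: %r" % ktype)
    curve, off = read_ssh_string(blob, off)
    if curve != b"nistp256":
        raise ValueError("unexpected curve %r" % curve)
    point, off = read_ssh_string(blob, off)
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed SEC1 point (0x04 || X || Y)")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    if not on_p256(x, y):
        raise ValueError("point is not on P-256")
    application, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the application string")
    return {
        "type": ktype.decode(),
        "curve": curve.decode(),
        "x": x,
        "y": y,
        "application": application.decode(),
        "comment": " ".join(fields[2:]),
    }


def sk_signed_data(application: bytes, flags: int, counter: int, message: bytes) -> bytes:
    """The bytes a U2F/FIDO2 authenticator signs for an sk-ecdsa key (PROTOCOL.u2f).

    The device never signs `message` itself: it signs SHA256(application) (32 bytes),
    a flags byte (bit 0 = user presence), a big-endian uint32 counter and SHA256(message).
    That fixed 69-byte layout is why such a key cannot produce a signature directly over an
    http-signature signing string.
    """
    return (hashlib.sha256(application).digest()
            + bytes([flags & 0xFF])
            + struct.pack(">I", counter)
            + hashlib.sha256(message).digest())


def build_sample_line() -> str:
    """Constructed sample key: the P-256 generator as the public point (not a real device key)."""
    point = b"\x04" + P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")
    blob = (ssh_string(SK_ECDSA_TYPE) + ssh_string(b"nistp256")
            + ssh_string(point) + ssh_string(b"ssh:"))
    return SK_ECDSA_TYPE.decode() + " " + base64.b64encode(blob).decode() + " constructed-example"


if __name__ == "__main__":
    key = parse_sk_pubkey(build_sample_line())
    print(key["type"], key["curve"], "application=%r" % key["application"])
    signed = sk_signed_data(key["application"].encode(), 0x01, 7, HTTP_SIGNING_STRING)
    print("authenticator signs %d bytes; equals the http-signature string: %s"
          % (len(signed), signed == HTTP_SIGNING_STRING))
```

The parser is enough to accept an sk key into a list of SSH keys to provision onto a VM (the use case in the opening comment), since that only needs the public blob to be well-formed. It does not verify signatures: doing so needs the device, its key handle and the counter, and the verifier has to reconstruct exactly the 69-byte layout above, which is the structural change an http-signature-based API would have to make before these keys could authenticate.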

fbettag commented 4 years ago

Well, I actually don't want 2FA for Triton as much as to just have it in my list of auto-provisioned SSH keys for VMs. I know this can be solved with tools like Ansible, but funny enough, I just opened a pull request to Ansible to enable those keys being deployed (as they didn't have support for it either). But I get the general problem.

Sadly I am not using a YubiKey; I opted for a SoloKey (hacker edition).

We're gonna leave it open for a maybe? :)