SSH private keys can be stored on FIDO2 devices using ssh-keygen -t ed25519-sk -O resident (https://man.openbsd.org/ssh-keygen.1). However, when I tried this on my CanoKey, the key just can't be stored.
In detail:
$ ssh-keygen -vvv -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=13326
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to decrypt private key
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=13326
Enter PIN for authenticator:
debug3: start_helper: started pid=13336
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug3: ssh_sk_enroll: attestation cert len=443
debug1: ssh-sk-helper: reply len 713
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=13336
Enter file in which to save the key (/root/.ssh/id_ed25519_sk):
/root/.ssh/id_ed25519_sk already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519_sk
Your public key has been saved in /root/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:xxx root@xxx
The key's randomart image is:
xxx
Then I try to download the private key:
$ ssh-keygen -K
Enter PIN for authenticator:
No keys to download
or
$ ssh-add -K
Enter PIN for authenticator:
$ ssh-add -L
The agent has no identities.
No keys are found on the CanoKey. I wonder if the CanoKey just can't support this?
My CanoKey's version and firmware:
In addition: I can't find a way to manage FIDO resident keys. When using ykman:
$ ./ykman -r "Canokeys" info
Device type: Security Key NFC
Serial number: xxx
Firmware version: 5.5.5
Form factor: Keychain (USB-A)
NFC transport is enabled.
Applications    USB            NFC
FIDO2           Enabled        Enabled
OTP             Not available  Not available
FIDO U2F        Enabled        Enabled
OATH            Enabled        Enabled
YubiHSM Auth    Not available  Not available
OpenPGP         Enabled        Enabled
PIV             Enabled        Enabled
$ ./ykman -r "Canokeys" fido credentials list
Enter your PIN:
Error: Authenticator does not support Credential Management
And also, BitLocker reports that this key is not compatible:
What's wrong with my key?