trustcrypto / OnlyKey-Firmware

The OnlyKey Firmware runs on the OnlyKey itself and provides the core functionality of OnlyKey.
https://docs.crp.to/firmware.html

Support keys generated using `-O no-touch-required` with ssh-keygen #167

Open aitorpazos opened 7 months ago

aitorpazos commented 7 months ago

I am not able to use keys generated using the `-O no-touch-required` option with ssh-keygen. One of the nice things about OnlyKey is that I need to authenticate against the device, so an unlocked OnlyKey means that I already confirmed I know the PIN. From then on, it is convenient to not have to confirm presence for every SSH operation. I use it during my development work and it adds friction to automated flows to require me to touch the device on operations like pushing commits to Git repos or running ansible playbooks.

`ssh git@github.com -vv` log:

```
...
debug1: Server accepts key: /home/aitor/.ssh/id_ed25519_sk ED25519-SK SHA256:yKtAT/JzW09V6rRWRQmkjCmWtZvHgg5G8nP8+qDUpMI authenticator
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 184, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x20
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by cred
debug1: check_sk_options: option uv is unknown
debug1: sk_try: fido_dev_get_assert: FIDO_ERR_SUCCESS
...
```
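
An added example, not part of the original issue and not OnlyKey or OpenSSH code: a decoder for the `flags` value in the `sshsk_sign` debug line of an `ssh -vv` log, showing which security-key options the client requested for the signature. It assumes the bit values defined in OpenSSH's `sk-api.h`; the function names and the second sample line are constructed for illustration.

```python
import re

# Bit values as defined in OpenSSH's sk-api.h (assumption: unchanged in the
# OpenSSH version that produced the log).
SK_FLAGS = {
    0x01: "SSH_SK_USER_PRESENCE_REQD",      # touch required
    0x04: "SSH_SK_USER_VERIFICATION_REQD",  # PIN or biometric required
    0x10: "SSH_SK_FORCE_OPERATION",
    0x20: "SSH_SK_RESIDENT_KEY",
}
KNOWN_MASK = sum(SK_FLAGS)

SIGN_RE = re.compile(
    r'sshsk_sign: provider "(?P<provider>[^"]*)", '
    r'key (?P<key>\S+), flags 0x(?P<flags>[0-9a-fA-F]+)'
)

def decode_sk_flags(value):
    """Return the names of the bits set in a sshsk_sign flags value."""
    names = [name for bit, name in sorted(SK_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown:0x%02x" % unknown)
    return names

def audit_sign_requests(log_text):
    """Find every sshsk_sign line and report what the client asked for."""
    results = []
    for m in SIGN_RE.finditer(log_text):
        flags = int(m.group("flags"), 16)
        results.append({
            "key_type": m.group("key"),
            "flags": flags,
            "names": decode_sk_flags(flags),
            "touch_requested": bool(flags & 0x01),
            "verification_requested": bool(flags & 0x04),
        })
    return results

# First line is taken from the log in the issue; the second is constructed
# to show a key generated without no-touch-required.
SAMPLE_LOG = '''\
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x20
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x01
'''

if __name__ == "__main__":
    for entry in audit_sign_requests(SAMPLE_LOG):
        print(entry)
```
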