🔑 FIDO2 SSH Authentication

📋 Prerequisites

Before you begin, ensure the following requirements are met:

  • Operating System: Windows 10/11, macOS, or mainstream Linux distributions.
  • OpenSSH: Both client and server must be version 8.2 or above. Version 8.3+ is recommended for full feature support. Check with ssh -V.
  • Hardware Key: Insert your MiixKey and ensure a FIDO2 PIN has been set. This PIN is typically configured the first time you use the key management tool.

๐Ÿ› ๏ธ Generate SSH Key

Open a terminal (PowerShell, cmd, or bash) and follow these steps:

Step 1: Generate the Key

Navigate to your .ssh directory and run:

ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:ubuntuserver -O user=metoo -C "linhui62@live.com" -f id_ed25519_sk

Parameter Explanation

Parameter            Description
-t ed25519-sk        Specifies the ED25519-SK key type.
-O resident          Stores the key as a resident key on the hardware. This is essential for cross-device migration.
-O verify-required   Forces PIN verification, enabling true two-factor authentication (2FA/MFA).
-O application=...   Creates a separate credential for different servers.
-O user=...          Specifies the username for this key.

Step 2: Follow the Prompts

  1. Set PIN: If not already set, you will be prompted to create a FIDO2 PIN.
  2. Touch Confirmation: You will need to touch the MiixKey to confirm the operation.
  3. Set Passphrase (optional): An additional password for extra protection. Recommended.

๐Ÿ–ฅ๏ธ Server Configuration (Critical Step)

You need to add the public key generated by MiixKey to the server's authorized keys.

Step 1: Get the Public Key

In the directory where you generated the key, find id_ed25519_sk.pub. Copy its contents.

Step 2: Copy to Server

Use ssh-copy-id for automatic setup:

ssh-copy-id -i id_ed25519_sk.pub user@your-server.com

Or manually copy the key:

user@your-server.com:~$ mkdir -p ~/.ssh
user@your-server.com:~$ vim ~/.ssh/authorized_keys   # Paste the public key on a new line and save
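As an added check that is not part of the original guide, the following Python script parses the sk-ssh-ed25519 public key line before it goes into authorized_keys, confirms it is bound to the application string from the ssh-keygen command above (ssh:ubuntuserver), and prepends sshd's verify-required option so the PIN check is enforced by the server rather than only by the client's private key file. The sample key line is constructed (a placeholder 32-byte public key and the comment miixkey-example), not a real MiixKey credential.

```python
import base64
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"

def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": big-endian uint32 length followed by the payload
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    # Decode one wire string at offset off; return (payload, next offset)
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_sk_pubkey(line: str) -> dict:
    # Blob layout: string type, string 32-byte Ed25519 pubkey, string application
    parts = line.split()
    if len(parts) < 2 or parts[0] != SK_ED25519:
        raise ValueError("not an %s key" % SK_ED25519)
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    pubkey, off = _read_string(blob, off)
    app, off = _read_string(blob, off)
    if ktype != SK_ED25519.encode() or len(pubkey) != 32 or off != len(blob):
        raise ValueError("malformed %s blob" % SK_ED25519)
    return {"pubkey": pubkey, "application": app.decode(),
            "comment": " ".join(parts[2:])}

def hardened_authorized_keys_line(line: str, expected_app: str) -> str:
    # Prefix sshd's verify-required option so the PIN check is enforced
    # server-side; refuse non-sk keys and keys bound to another application.
    key = parse_sk_pubkey(line)
    if key["application"] != expected_app:
        raise ValueError("key is for %r, expected %r" % (key["application"], expected_app))
    return "verify-required " + line.strip()

# Constructed sample .pub line (not a real MiixKey key): a placeholder 32-byte
# public key bound to the application string from the guide's ssh-keygen command.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_BLOB = (_ssh_string(SK_ED25519.encode()) + _ssh_string(SAMPLE_PUBKEY)
               + _ssh_string(b"ssh:ubuntuserver"))
SAMPLE_LINE = "%s %s miixkey-example" % (SK_ED25519, base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    print(hardened_authorized_keys_line(SAMPLE_LINE, "ssh:ubuntuserver"))
```

The verify-required authorized_keys option needs OpenSSH 8.3 or later on the server; authorized_keys itself must not be group- or world-writable, or sshd's default StrictModes will ignore it.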

🚀 Client SSH Login

After completing the above steps, you can log in to the server using MiixKey.

Standard Login

Ensure the hardware key is inserted, then use a regular SSH command:

ssh user@your-server.com
# Or specify the key explicitly
ssh -i ~/.ssh/id_ed25519_sk user@your-server.com

Automated Configuration (~/.ssh/config)

To avoid specifying the key file every time, configure ~/.ssh/config:

Host ubuntuserver
    HostName your-server.com
    User metoo
    IdentityFile ~/.ssh/id_ed25519_sk
    IdentitiesOnly yes

After configuration, simply run ssh ubuntuserver.

🔄 Cross-Device Key Migration

This is a standout feature of FIDO2. When you switch to a new computer, you can use the same MiixKey to log in to the server without regenerating keys or reconfiguring the server.

  1. Insert MiixKey into the new computer.
  2. Run the following command:
ssh-keygen -K    # Requires administrator privileges on Windows

This command downloads the resident credentials stored on the key to the current directory. If multiple credentials are downloaded and you only need the original one, simply keep the public key file corresponding to your server.