- Install OpenSSH
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"
– t : Specifies the type of key to create. We are using
ed25519-sk– 0 : Specify a key/value option.
resident : Indicate that the key handle should be stored on the FIDO authenticator itself.
verify-required : Indicate that this private key should require user verification for each signature.
- Copy public key
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@host - And finally update SSH server
# Support public key cryptography (includes FIDO2)
PubkeyAuthentication yes
# Enforce User Verification
PubkeyAuthOptions verify-required
# Public keys location
AuthorizedKeysFile .ssh/authorized_keys
# Allow root only with MFA
PermitRootLogin prohibit-password
# Disable password authentication
PasswordAuthentication no
PermitEmptyPasswords no