As of OpenSSH version 8.2, FIDO2 support is available. Deploying FIDO2 public keys is fortunately dead-simple. First create a FIDO2 key pair:

~$ ssh-keygen -O resident -t ecdsa-sk -f ~/.ssh/id_ykn4

Here, we’re using a resident key, a FIDO2 feature enabled by the resident option. With a resident key, the on-disk private key (called the “key handle” in OpenSSH FIDO2 lingo) is also kept on the FIDO2 device, so we can download it from the device later. The actual per-device private key is stored on the device as well and can never be extracted.

That way, we don’t have to carry around our FIDO2 device *and* a copy of the private key (the “key handle” part in this case): the key handle can be retrieved from the FIDO2 device onto the host, together with the public key, for our convenience! Kudos to the OpenSSH team and the FIDO2 people.

The ~/.ssh/config snippet for our example:

Host fido2Host
  User admin
  Hostname 10.0.0.254
  IdentityFile /home/admin/.ssh/id_fido2_pink

Copy the public key to the remote host, which appends it to ~/.ssh/authorized_keys there:

~$ ssh-copy-id -f -i .ssh/id_fido2_pink fido2Host

Verify you’re able to use the new FIDO2 key for a successful remote login:

~$ ssh fido2Host
Confirm user presence for key ECDSA-SK SHA256:LEbDvsuj3/Mt9pNlsWua65iyP9hPOazIB8XbraidM/n
admin@fido2Host:~$

BTW, if we forget to plug in the FIDO2 device, the verification above will fail like so:

~$ ssh fido2Host
Confirm user presence for key ECDSA-SK
sign_and_send_pubkey: signing failed for ECDSA-SK "/home/admin/.ssh/id_fido2_pink": invalid format
Password:
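Once FIDO2 keys are in use, it is worth checking the remote side’s ~/.ssh/authorized_keys to see which entries are actually hardware-backed and which still allow a login without a touch. The following audit script is an added example, not part of the original post or of OpenSSH; it parses authorized_keys lines, recognises the sk-* key types OpenSSH writes for FIDO2 keys, computes the SHA256 fingerprint the way ssh-keygen -l does, and flags the no-touch-required option. The sample file it runs on is constructed inline with dummy key blobs (not real keys).

```python
import base64
import hashlib
import struct

# Key types OpenSSH 8.2+ writes for FIDO2 (ecdsa-sk / ed25519-sk) keys
SK_KEY_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}
SOFTWARE_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                      "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line; returns {} for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    options = ""
    if line.split(None, 1)[0] not in SK_KEY_TYPES | SOFTWARE_KEY_TYPES:
        # Leading options field: runs until the first space outside double quotes
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].lstrip()
    fields = line.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    (type_len,) = struct.unpack(">I", blob[:4])          # first wire string = key type
    embedded_type = blob[4:4 + type_len].decode()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    hardware = keytype in SK_KEY_TYPES
    return {"keytype": keytype, "comment": comment, "options": options,
            "fingerprint": "SHA256:" + digest,
            "type_matches_blob": embedded_type == keytype,
            "hardware_backed": hardware,
            "touch_required": hardware and "no-touch-required" not in options.split(",")}


def audit(text: str) -> list:
    """Parse every key line of an authorized_keys file."""
    return [r for r in (parse_authorized_key(l) for l in text.splitlines()) if r]


def constructed_key_line(keytype: str, options: str = "", comment: str = "constructed") -> str:
    """Build a syntactically valid line with a dummy key blob (constructed, not a real key)."""
    blob = ssh_string(keytype.encode()) + ssh_string(b"not-a-real-key")
    return f"{options + ' ' if options else ''}{keytype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE = "\n".join([  # constructed sample authorized_keys
    "# constructed sample",
    constructed_key_line("sk-ecdsa-sha2-nistp256@openssh.com", comment="admin@laptop id_fido2_pink"),
    constructed_key_line("sk-ssh-ed25519@openssh.com", 'no-touch-required,from="10.0.0.0/24"'),
    constructed_key_line("ssh-ed25519", comment="software key"),
])
```

Run `audit(SAMPLE)` (or `audit(open(path).read())` on a real file) and report any entry with hardware_backed False or touch_required False.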

That’s it for this one! Happy FIDO2!

One more thing:

To download the private key (the “key handle” part of it, anyway) and the public key from a FIDO2 device to disk, or to add them directly to ssh-agent, use the -K option of ssh-keygen or ssh-add, respectively:

~$ ssh-keygen -K
~$ ssh-add -K

Obviously, this requires a FIDO2 device to be plugged in, since that is what we download from. If more than one FIDO2 device is plugged in, we may specify the right one manually.