Before you start:
• You have a Windows PC computer.
• You have a FIDO2 card connected to your desktop.
• Your SSH client and server are updated to support FIDO2 (OpenSSH 8.2 or later).
• You have administrative access to your SSH server.
Setting up SSH with a FIDO2 device on Windows using Windows Subsystem for Linux (WSL) or native Windows with OpenSSH:
1. Enable OpenSSH Client:
• Ensure the OpenSSH Client is installed and enabled via the “Apps & features” settings (optional if using WSL).
2. Generate a FIDO2 SSH key (using WSL or PowerShell):
• Open WSL or PowerShell as administrator.
• Run the same command as for Linux: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
• Touch your FIDO2 device as prompted to generate the key.
3. Copy the public key to the server:
• If using WSL, you can use ssh-copy-id as in Linux.
• From PowerShell, manually copy your public key text to ~/.ssh/authorized_keys on the server or use any SCP too
4. Connect using your FIDO2 device:
• Open your SSH client (WSL, PowerShell, or PuTTY with FIDO2 support): ssh your_username@your_server
• Authenticate by touching your FIDO2 device when prompted.
• Ensure your server’s SSH configuration (/etc/ssh/sshd_config) permits public key authentication and is updated to the latest version supporting FIDO2.
• For servers not supporting FIDO2, consider using third-party tools or updating the SSH server.
• Test your setup with a fallback authentication method in case the FIDO2 setup encounters issues.
This guide gives you a general approach to using SSH with a FIDO2 device across different operating systems. Depending on specific setups or device brands, additional steps might be needed.
