SSH authentication with a FIDO2 card
(For Windows only)

Step by step tutorial

Before you start: 
• You have a Windows PC computer.
• You have a FIDO2 card connected to your desktop.
• Your SSH client and server are updated to support FIDO2 (OpenSSH 8.2 or later).
• You have administrative access to your SSH server.

Windows Setup

Setting up SSH with a FIDO2 device on Windows using Windows Subsystem for Linux (WSL) or native Windows with OpenSSH:

1. Enable OpenSSH Client:
• Ensure the OpenSSH Client is installed and enabled via the “Apps & features” settings (optional if using WSL).

2. Generate a FIDO2 SSH key (using WSL or PowerShell):
• Open WSL or PowerShell as administrator.
• Run the same command as for Linux: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
• Touch your FIDO2 device as prompted to generate the key.

3. Copy the public key to the server:
• If using WSL, you can use ssh-copy-id as in Linux.
• From PowerShell, manually copy your public key text to ~/.ssh/authorized_keys on the server or use any SCP too

4. Connect using your FIDO2 device:
• Open your SSH client (WSL, PowerShell, or PuTTY with FIDO2 support): ssh your_username@your_server
• Authenticate by touching your FIDO2 device when prompted.

Tips

• Ensure your server’s SSH configuration (/etc/ssh/sshd_config) permits public key authentication and is updated to the latest version supporting FIDO2.
• For servers not supporting FIDO2, consider using third-party tools or updating the SSH server.
• Test your setup with a fallback authentication method in case the FIDO2 setup encounters issues.

This guide gives you a general approach to using SSH with a FIDO2 device across different operating systems. Depending on specific setups or device brands, additional steps might be needed.