FIDO key enroll without touch

mfg · July 26, 2024, 12:20am

Hello,

is it possible to enroll a fido key without touch ? I would like to use onlykey on a bastion host, with ed25519-sk keys. And have the users generate the keys ssh-keygen -t ed25519-sk -O no-touch-required -f ~/.ssh/users_keyfile. The goal is that the keys are useless without having access to the the host that has the onlykey plugged in. Due to the fact, that the host shall be located in a datacenter where touch is not possible It would be convenient, if I could setup FIDO to enroll keys with no touch required. Is this possible ?

Second Question: Is it possible to remove the pin set with onlykey-cli change-pin

Kind regards,
Manon

t11 · July 30, 2024, 5:23pm

is it possible to enroll a fido key without touch ?

No, but you should be able to use OnlyKey Agent for this - OnlyKey SSH/GPG agent | Docs

Is it possible to remove the pin set with onlykey-cli change-pin

No, OnlyKey requires a PIN. With OnlyKey DUO a PIN is optional so you can use most features without a PIN.

Topic		Replies	Views
Ssh with FIDO2 - how to set up? which PIN code? SSH, OpenPGP, GPG	3	611	July 5, 2022
Error when using fido2 keys SSH, OpenPGP, GPG	3	713	February 15, 2024
Ssh-keygen on linux without the agent SSH, OpenPGP, GPG	4	510	July 6, 2022
Possible to disable unlock-PIN or require less numbers? Feature Requests	2	330	September 28, 2023
Challenge setting up the onlykey as fido2/U2F	4	278	January 5, 2022

FIDO key enroll without touch

Related topics