Ssh-keygen on linux without the agent

I’m trying out several security keys with openssh on opensuse. I usually don’t use an agent when I use ssh, and I’m not using it for these initial tests. When I try and generate ecdsa-sk and ed25519-sk keys I’m asked to touch the onlykey. I want to avoid triggering a key wipe, and I think the onlykey docs tell me that this won’t happen if the key displays a blue light. But I see no light at all, and a short keypress of one of the 6 buttons isn’t interpreted as a touch.

Setting the option no-touch-required doesn’t help. What’s the way around this short of using the agent? Or what have I missed in the documentation?

Using openssh with OnlyKey is a different thing than using the agent. If you are using the FIDO2 security key feature of openssh here is a doc for how to do that - OpenSSH | Docs

Since you are using Linux also make sure UDEV rule is set up correctly - Using OnlyKey with Linux | Docs

If you decide to try the agent instead for SSH and GPG usage that guide is here - OnlyKey SSH/GPG agent | Docs


First, thanks for the prompt reply.
I did see the OpenSSH Docs you reference, and as expected, it asks me to touch the key.
My problem is how to touch the key (not a problem on less capable keys with only one button). I don’t want to trigger a wrong PIN sequence and wipe the key, although I have tried pressing just one of the buttons once, to no effect with ssh-keygen.
I did find an onlykey document which tells me that I won’t trigger a bad PIN sequence if the key is showing a blue light, but ssh-keygen does not show a blue light.
It’s true that I am only testing at the moment, so I have no valuable data on there at the moment, so I could be more adventurous. However it took quite a while to initialize the key, so I’m just being careful at the moment.

So what is the button sequence that should be entered on the key when ssh-keygen wants it touched?

I believe the UDEV rule is already set up properly, as lsusb shows the key and my Yubico, Solo1, Titan and Trustkeys all respond, but I will check this again.


For OnlyKey you would need to unlock your key with the on-device PIN. Then, once unlocked, use it with openssh. Setting a PIN is described in the documentation at OnlyKey | Getting Started - CryptoTrust

I did make a PIN, so it sounds like the step I didn’t find was to unlock it.
In principle I like that this key seems like it can do lots. In practice, it’s also a lot to learn. Thanks.