Ssh with FIDO2 - how to set up? which PIN code?

I do not understand your documentation about OpenSSH use nor the FIDO2 resident keys.
There is too little information! This is a quick guide for OnlyKey gurus, but nothing for “dummies” …
I have Debian 12 with ssh v8.4 and an OnlyKey v2.1.2.
This command:

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk

I get:
Enter PIN for authenticator:
If I first enter the OnlyKey PIN code, the OnlyKey stops on “Slot 3a” and writes out the config of Slot 3a for a website login …
What do I have to do?
And please, can you write better documentation for dummies, not for gurus?
If you like I can help as a dummy tester :wink:


Enter PIN for authenticator:

This is your FIDO2 PIN, which is entered via the keyboard; this is not the PIN you enter on the OnlyKey device itself, which is just for physical unlock of the device.

Thanks for the answer, I found it.
But as described, some more words or links in your manual would help:
at least every dependency, I think, has to be described or linked,
or you could give us beginners a step-by-step how-to which includes every dependency to get a working solution, for the main features … :wink:

Regards from Germany

A lot has become clear to me since this tip from Tim :sweat_smile:

ssh-keygen -t ecdsa-sk & ssh-keygen -t ed25519-sk generated keys work great with OnlyKey for server login.

Resident keys get stuck on “invalid format”:

marco@t520:~$ ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: invalid format

marco@t520:~$ ssh -V
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n  15 Mar 2022

Edit: Oh damn I got it :upside_down_face:
Hints: onlykey-cli is only needed on one device.

onlykey-cli set-pin
ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_ed25519_sk

After that, you can put the OnlyKey in all other devices and download all available resident keys & write public/private key files with “ssh-keygen -K”. Or add resident keys directly to ssh-agent without writing files to the file-system using “ssh-add -K”.
See OpenSSH 8.2 Release Notes: FIDO2 resident keys

marco@w530:~$ ssh-keygen -K
Enter PIN for authenticator:
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Saved ED25519-SK key to id_ed25519_sk_rk

:joy: Incredible, an SSH key on a PIN-protected USB token. Works everywhere, no other tools needed except OpenSSH 8.2. The SSH key is also PIN+password protected.
I will still test backup & restore on other OnlyKeys.
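As an added example (not code from the thread or from OnlyKey), a small preflight script for the procedure above: it checks that the local OpenSSH is at least 8.2 (the first release with -O resident, ssh-keygen -K and ssh-add -K), confirms the generated .pub is a FIDO2 security-key type, and wraps the enrollment step. The version-string format is assumed from the `ssh -V` output shown in the thread; the key file name is the one used there.

```shell
#!/bin/sh
# Added example: preflight checks for enrolling a FIDO2 resident SSH key.
# Assumes `ssh -V` prints "OpenSSH_<major>.<minor>..." on stderr, as in the thread.

# Return 0 if the given `ssh -V` string is OpenSSH >= 8.2.
ssh_supports_resident_keys() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Return 0 if a public-key line is a hardware-bound security-key type
# (what ed25519-sk / ecdsa-sk enrollment produces), 1 for any other key type.
is_sk_pubkey() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# The enrollment step from the thread, guarded by the checks above.
# Precondition (done once, on any machine): a FIDO2 PIN is set, e.g. with
# `onlykey-cli set-pin`. This is the PIN typed at "Enter PIN for authenticator:",
# not the physical unlock PIN entered on the OnlyKey itself.
enroll_resident_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519_sk}"
    ssh_supports_resident_keys "$(ssh -V 2>&1)" || {
        echo "OpenSSH >= 8.2 is required for resident keys" >&2; return 1; }
    ssh-keygen -t ed25519-sk -O resident -f "$keyfile" || return 1
    # Sanity check: the resulting public key must be a security-key type.
    is_sk_pubkey "$(cat "$keyfile.pub")"
}
```

On every other machine the key is then pulled from the token with `ssh-keygen -K` (or loaded directly with `ssh-add -K`), as the post describes.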