source/components/nitrokeys/features/fido2/ssh.rst
6 additions & 19 deletions
@@ -3,9 +3,7 @@ SSH Authentication with FIDO2
3
3
4
4
.. product-table:: nk3 passkey fido2
5
5
6
-
SSH (Secure Shell) is a network protocol used to securely access and manage remote systems such as servers or code repositories. It uses cryptographic key pairs for authentication, allowing passwordless logins with strong security.
7
-
8
-
With a Nitrokey, the private SSH key is generated and stored directly on the device, so it never leaves the hardware. Each login requires you to touch the Nitrokey, adding a simple physical confirmation that protects against unauthorized access. For example, when connecting to a server, GitLab, or GitHub.
6
+
SSH (Secure Shell) is a network protocol used to securely access and manage remote systems such as servers or code repositories (e.g. GitLab, GitHub). It uses cryptographic key pairs for authentication, allowing passwordless logins with strong security. With a Nitrokey, the private SSH key is generated and stored directly on the device, so it never leaves the hardware. Each login requires you to touch the Nitrokey, adding a simple physical confirmation that protects against unauthorized access.
The ``-O resident`` option stores key handles on the Nitrokey, allowing others with physical access to list them and see where the key was used.
32
-
33
27
.. note::
34
28
35
29
Resident keys can later be listed and imported on another system with:
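Review bot: The merged introductory paragraph now runs the generic SSH description, the on-device key storage property and the touch requirement together in one block; keeping "With a Nitrokey, the private SSH key is generated and stored directly on the device..." as its own paragraph would let the hardware-specific guarantee stand out from the protocol explanation. In the ``-O resident`` sentence in the same region, "allowing others with physical access to list them" would be more precise if it stated whether the FIDO2 device PIN (introduced in the next hunk) is needed for ``ssh-keygen -K`` to list the handles, since that determines who can actually see where the key was used.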
@@ -39,13 +33,13 @@ Generating SSH Key
39
33
ssh-keygen -K
40
34
41
35
42
-
4. During key generation, you may also be asked to set a **passphrase**. This passphrase encrypts the local key handle stored in ``~/.ssh/`` (not the private key on the Nitrokey, which always stays securely inside the device). The passphrase is **different from the FIDO2 device PIN**: the PIN protects the physical key itself, while the passphrase protects your local SSH key files. Using both increases overall security.
36
+
3. During key generation, you may also be asked to set a **passphrase**. This passphrase encrypts the local key handle stored in ``~/.ssh/`` (not the private key on the Nitrokey, which always stays securely inside the device). The passphrase is different from the FIDO2 device PIN. The PIN protects the physical key itself, while the passphrase protects your local SSH public key file. We recommend to use a passphrase to protect non-resident keys only.
43
37
44
-
5. When asked for a file path, accept the default option (``~/.ssh/id_ed25519_sk``) or choose a custom name like ``id_ed25519_sk_gitlab``.
38
+
4. When asked for a file path, accept the default option (``~/.ssh/id_ed25519_sk``) or choose a custom name like ``id_ed25519_sk_gitlab``.
45
39
46
-
6. If the Nitrokey blinks, confirm the operation by touching it.
40
+
5. If the Nitrokey blinks, confirm the operation by touching it.
47
41
48
-
7. By executing the command, the following files will be created:
42
+
Eventually the following files will be created:
49
43
50
44
``~/.ssh/id_ed25519_sk`` → handle to the private key (stored securely on the Nitrokey)
51
45
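Review bot: Step 3 contradicts itself: it first says the passphrase encrypts the local key handle in ``~/.ssh/``, then that it "protects your local SSH public key file". The public key file is not encrypted; the passphrase protects the private key file ``~/.ssh/id_ed25519_sk``, which the file list in this same hunk describes as the "handle to the private key". Suggest "while the passphrase protects the local private key file that holds the key handle". The added sentence "We recommend to use a passphrase to protect non-resident keys only" should read "We recommend using a passphrase ..." and needs the reason for limiting it to non-resident keys, otherwise readers cannot tell why the advice depends on key type. "Eventually the following files will be created" reads as "at some later time"; "After the command completes, the following files are created:" keeps the meaning of the removed "By executing the command".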
@@ -64,8 +58,6 @@ Adding Your Public Key
64
58
65
59
Once your SSH key pair is generated, the public key must be added to the service or server you want to access.
66
60
67
-
For Git Services (GitLab, GitHub, etc.)
68
-
69
61
1. Display your public key:
70
62
71
63
.. code-block:: shell-session
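Review bot: Removing the "For Git Services (GitLab, GitHub, etc.)" subheading leaves "1. Display your public key:" directly under "Adding Your Public Key" with no indication of which target (Git hosting account or SSH server) the numbered steps cover, while the following hunk's context line still names the old heading. If the intent is one shared procedure for both targets, say so in the unchanged intro sentence, e.g. "... must be added to the Git service or SSH server you want to access.", so the scope change is explicit rather than implied.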
@@ -76,9 +68,4 @@ For Git Services (GitLab, GitHub, etc.)
2. Copy the output and add it to your account’s SSH key settings.
80
-
81
-
See `GitLab <https://docs.gitlab.com/user/ssh/#add-an-ssh-key-to-your-gitlab-account>` or `GitHub <https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account>` for detailed steps.
82
-
83
-
84
-
To enable SSH remote server access, add your public key (from ``~/.ssh/id_ed25519_sk.pub``) to the ``~/.ssh/authorized_keys`` file of the user account. This allows passwordless authentication using your Nitrokey.
71
+
2. Copy the output and add it to your account’s SSH key settings. See `GitLab <https://docs.gitlab.com/user/ssh/#add-an-ssh-key-to-your-gitlab-account>` or `GitHub <https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account>` for detailed steps. To enable SSH remote server access, add your public key to the file ``~/.ssh/authorized_keys`` of your user account on the SSH server.
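Review bot: The rewritten step 2 folds two different procedures into one item: pasting the key into a Git hosting account's SSH key settings and appending it to ``~/.ssh/authorized_keys`` on a server. Suggest a separate item for the server case and restoring the dropped file reference, e.g. "3. For an SSH server, append the contents of ``~/.ssh/id_ed25519_sk.pub`` to ``~/.ssh/authorized_keys`` of your user account on that server." The link markup `` `GitLab <URL>` `` lacks the trailing underscore that reStructuredText needs for an external hyperlink; without `` `GitLab <URL>`_ `` (and likewise for GitHub) the text renders as interpreted text rather than a link. This defect predates the change but the line is rewritten here, so it is the place to fix it.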