Tech:FIDO2 SSH

If you have access to a FIDO2 key, you can use it to add a second factor (2FA) to your SSH login: the hardware authenticator must be present and touched (and, with verify-required, unlocked with its PIN or biometric) for every authentication.

Generating the key
There are two options when creating FIDO2-backed keys: Ed25519 (sk-ssh-ed25519) and ECDSA (sk-ssh-ecdsa). Due to policy, only Ed25519 keys are allowed.

Generate your key via. This will create a non-discoverable (non-resident) key. Some additional considerations:

 * Steer clear of no-name FIDO2 keys! Knock-offs of dubious security undermine the security of FIDO2 SSH; get a YubiKey if you're going to do this.
 * no-touch-required and no-verify-required keys are not allowed: the key must require a physical touch and user verification (PIN or biometric) on every use.
 * For added security, do not use resident/discoverable keys.

This will create your standard public key, and a key handle/identification. This identification is not the private key itself; it is only useful together with the specific authenticator you used to create the SSH key. Treat it as if it were the private key anyway, so make sure to choose a good passphrase (what the handle contains exactly depends on how your authenticator implements these types of keys; see https://www.yubico.com/blog/yubicos-u2f-key-wrapping/ for how this works on YubiKeys).
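The following is an added example, not part of the original page or of Miraheze's own tooling. It shows the key-generation command that matches the policy above (an Ed25519 FIDO2 key that is non-resident and requires touch plus user verification), and a small policy check that can be run over a public-key or authorized_keys line before it is committed to Puppet. The `-O verify-required` option and the output file name `~/.ssh/id_ed25519_sk` are assumptions about your ssh-keygen and authenticator; the sample key lines are constructed and the key blobs are not real.

```shell
#!/bin/sh
# Added example: generate a FIDO2-backed Ed25519 key that is non-resident
# (the default) and requires both touch and PIN/biometric verification.
# ASSUMPTION: ssh-keygen and your authenticator support -O verify-required;
# the file name is an arbitrary choice.
fido2_keygen() {
    ssh-keygen -t ed25519-sk -O verify-required \
        -C "${USER}@fido2" -f "$HOME/.ssh/id_ed25519_sk"
}

# Check one public-key / authorized_keys line against the page's policy.
# Returns 0 when the line passes, 1 otherwise, and prints the reason.
# Only the key type and explicit authorized_keys options are visible in
# such a line, so this catches the wrong algorithm and a weakening option,
# not how the private half was generated.
check_sk_pubkey() {
    line=$1
    # An explicit no-touch-required option removes the presence check.
    case " $line " in
        *" no-touch-required "*|*",no-touch-required "*|*" no-touch-required,"*)
            echo "rejected: no-touch-required option present"; return 1 ;;
    esac
    # Walk the fields so an options prefix does not hide the key type.
    set -- $line
    for tok in "$@"; do
        case $tok in
            sk-ssh-ed25519@openssh.com)
                echo "ok: FIDO2 Ed25519 key"; return 0 ;;
            sk-ecdsa-sha2-nistp256@openssh.com)
                echo "rejected: FIDO2 ECDSA keys are not allowed by policy"; return 1 ;;
            ssh-*|ecdsa-*)
                echo "rejected: $tok is not FIDO2-backed"; return 1 ;;
        esac
    done
    echo "rejected: no recognised key type"
    return 1
}

# Constructed sample lines (blobs are placeholders, not real key material).
SAMPLE_OK='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tCONSTRUCTED user@host'
SAMPLE_ECDSA='sk-ecdsa-sha2-nistp256@openssh.com AAAACONSTRUCTED user@host'
SAMPLE_NOTOUCH='no-touch-required sk-ssh-ed25519@openssh.com AAAACONSTRUCTED user@host'
SAMPLE_PLAIN='ssh-ed25519 AAAACONSTRUCTED user@host'

# Run the check over the constructed samples; exits 0 only if all verdicts
# are as expected (one pass, three rejections).
run_policy_demo() {
    check_sk_pubkey "$SAMPLE_OK" || return 1
    check_sk_pubkey "$SAMPLE_ECDSA" && return 1
    check_sk_pubkey "$SAMPLE_NOTOUCH" && return 1
    check_sk_pubkey "$SAMPLE_PLAIN" && return 1
    return 0
}
```

To run the generation step, source the file and call `fido2_keygen` with the authenticator plugged in; `run_policy_demo` needs no hardware. Note that sshd only enforces user verification for a key when the `verify-required` option is also present on its authorized_keys line, so that is worth carrying into the Puppet entry along with the public key.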

Getting the key on Miraheze
Fork miraheze/puppet on GitHub, go to  and look for your shell account. Replace your SSH public key with your newly generated public key. Get hold of someone from Infrastructure if you do not have write access to Puppet yourself.

If you use signed commits or OpenPGP, now would be a good time to use them, so that the key change itself carries extra assurance of who submitted it. Example: https://github.com/miraheze/puppet/pull/3203.