FIDO2 / Hardware Keys
ZestSSH supports FIDO2-based SSH authentication using hardware security keys such as YubiKeys. This provides phishing-resistant authentication backed by a physical device.
Availability: Free tier — All platforms
Overview
FIDO2 SSH keys (using the sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com key types) require a physical security key to be present and touched during authentication. The private key material is stored on the hardware key itself, not on your device.
Prerequisites
- A FIDO2-compatible hardware security key (e.g., YubiKey 5 series).
- An OpenSSH server version 8.2 or later with FIDO2 key types enabled.
- The public key registered on the server in ~/.ssh/authorized_keys.
Using FIDO2 Keys
- Generate a FIDO2 SSH key on a desktop system using ssh-keygen:
    ssh-keygen -t ed25519-sk
- Add the resulting public key to your server’s ~/.ssh/authorized_keys.
- Import the private key handle file into ZestSSH.
- When connecting, ZestSSH will prompt you to touch your hardware key to complete authentication.
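To check which entries in an authorized_keys file are actually FIDO2-backed after the steps above, the following added example (not part of ZestSSH or its documentation) decodes each public key blob and reports its key type and FIDO application string. It assumes OpenSSH's wire format for sk keys and the default application "ssh:", and splits lines on whitespace; the function names and sample lines are constructed for illustration.

```python
import base64
import struct

SK_TYPES = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

def _pack(b):
    return struct.pack(">I", len(b)) + b  # SSH string: uint32 length, then bytes

def _read(buf, off):
    """Decode one SSH wire-format string at off; return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def parse_sk_line(line):
    """Return (key_type, application) for a FIDO2 key line, None for other key types."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in SK_TYPES), None)
    if idx is None:
        return None
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner, off = _read(blob, 0)
    if inner != fields[idx].encode():
        raise ValueError("key type label does not match blob")
    for _ in range(2 if "ecdsa" in fields[idx] else 1):
        _, off = _read(blob, off)  # skip curve name + point (ecdsa-sk) or key (ed25519-sk)
    return fields[idx], _read(blob, off)[0].decode("utf-8", "replace")

def audit(text):
    """Classify each authorized_keys entry as fido2, software or malformed."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parsed = parse_sk_line(line)
            report.append((n, "fido2", parsed[1]) if parsed else (n, "software", None))
        except (ValueError, IndexError):
            report.append((n, "malformed", None))
    return report

def sample_line(key_type):
    """Build a constructed (not real) key line with all-zero key bytes."""
    key = _pack(b"nistp256") + _pack(b"\x04" + bytes(64)) if "ecdsa" in key_type else _pack(bytes(32))
    blob = _pack(key_type.encode()) + key + _pack(b"ssh:")
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE = "\n".join(["# constructed sample", *map(sample_line, SK_TYPES),
                    "ssh-ed25519 AAAAplaceholder user@example", "sk-ssh-ed25519@openssh.com AAAA"])
```

Calling `audit(SAMPLE)` returns one `(line number, status, application)` row per entry; entries reported as `software` are keys that do not require the hardware token.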
Platform Notes
Hardware key support depends on the platform’s USB/NFC capabilities and FIDO2 stack. Behavior may vary across devices and operating systems.