Feature request – integrate U2F / FIDO2 into gpg-agent for use as ssh-agent

Michael Sierchio

08 Jul, 2020 12:09 AM

There is some discussion of using yubikey for FIDO with ssh, but not using the crypto card function

https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-sec...

Which, if you read the comments, I consider to be retrograde. Apart from Google Chrome, there's not a lot of support for FIDO2 out there. Is it possible to get this on a roadmap somewhere? My argument is that the use of the yubikey with gpg-agent as the ssh-agent already has 3 factors – a PIN (actually a passphrase) to unlock the card – the private key is kept in the device itself – you can program the yubikey to require a touch for signing and decryption.

Is this remotely feasible?

  1. Posted by Luke Le (Support Staff) on 10 Jul, 2020 07:58 AM

    Hi Michael,

    I do believe that this might in fact be already possible.
    Did you come across this article in your research?
    https://zeos.ca/post/2018/gpg-yubikey5/

    Hope that helps.

  2. Posted by George Wayne on 10 Jul, 2020 09:52 AM

    You would be better off to switch from gpg-agent to FIDO2 U2F authentication. The author in this blog post clearly points out the benefits.

  3. Posted by Luke Le (Support Staff) on 20 Jul, 2020 04:05 PM

    Hi Michael,

    In addition, it appears that this is now supported out-of-the-box by SSH itself using YubiKey: https://buttondown.email/cryptography-dispatches/archive/cryptograp...

  4. Steve closed this discussion on 30 Jul, 2020 01:03 PM.
