How do I get my Yubikey to work with SSH in Windows 10?

Question

after buying a Yubikey 5 NFC for technical interest (firmware 5.2.7) and setting up FIDO2 authentication where possible, I ran into the problem that I could no longer connect to my GitLab server via SmartGit because the second factor is not requested and therefore I can't connect to the server.

I then decided to deal with it on Windows 10 via Git Bash and SSH. Unfortunately, the documentation here assumes a lot of prior knowledge and I am an absolute beginner on the subject. In the meantime I managed to connect to the server with Git Bash and SSH using a locally generated SSH certificate.

Now I would like to use the Yubikey instead of the certificate stored locally on the computer. Unfortunately, all instructions (e.g. this one https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) lead to the same error message for me:

$ ssh-keygen -t ed25519-sk -C "[email protected]"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format

Before that, I am prompted to enter the PIN. The interesting thing: The message looks exactly the same, whether I have inserted the Yubikey or not does not matter. The attempt with ecdsa-sk leads to the same result.

(btw. I have already successfully stored an OpenPGP certificate on the Yubikey.)

Now I also read something about libfido2, however I can't find any instructions on how to use it on Windows 10.

So my question: how do I manage to use my Yubikey instead of my local key? Or: How do I install libfido2 if this is the problem?

Answer 1

May 2021

So: it is true Security keys are now supported for SSH Git operations , as announced early this month (May 2021) on GitHub, but, as discussed here, there are still issues.

Your error message looks like a bug in progress on Debian: "issue 980393: /usr/bin/ssh-keygen -t ecdsa-sk fails with "Key enrollment failed: invalid format"".
And it is still being reported this month.

If this fails also with -t ecdsa, try and using a plugin for OpenSSH to connect to FIDO/U2F security keys through native Windows Hello APIs might help.
Type export SSH_SK_HELPER=/usr/lib/ssh/ssh-sk-helper.exe first, as seen in tavrez/openssh-sk-winhello issue 1.
Check your OpenSSH version is at least 8.2. It is on my side with the latest Git for Windows:

ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021

The OP DroidDroid adds in the comments:

Nevertheless, I now have the problem that GitLab doesn't support security keys yet: issue 213259

---

Feb. 2022: those security keys should be supported on GitLab now.

See GitLab 14.8 (February 2022)

Support for ecdsa-sk and ed25519-sk SSH keys

OpenSSH 8.2 added support for FIDO/U2F hardware authenticators with new ecdsa-sk and ed25519-sk key types.

GitLab now supports these key types, allowing users to take advantage of hardware-backed SSH authentication.

https://about.gitlab.com/images/14_8/ssh_key.png -- Support for ecdsa-sk and ed25519-sk SSH keys

See Documentation and Issue.