What is the -sk ending for ssh key types?
In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.
To quote:
FIDO/U2F Support
This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.
Source: https://www.openssh.com/txt/release-8.2
-sk
SSH key-pairs can be either ecdsa-sk
or ed25519-sk
. The -sk
extension stands for security key. Note that an ed25519-sk key-pair is only supported by new YubiKeys with firmware 5.2.3 or higher which supports FIDO2. This means YubiKeys with firmware below 5.2.3 are only compatible with ecdsa-sk key-pairs. If possible, generate an ed25519-sk
SSH key-pair for this reason. Source: https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html