When trying to figure out why ssh-agent forwarding wasn't working from Windows to an Ubuntu 22 server, I saw that build V220.127.116.11p1-Beta of Microsoft's OpenSSH port included U2F/Fido2 hardware authenticators.
There's a few ways to install this, I'll use winget (should already be available in Windows 10/11).
From a regular powershell prompt:
This will automatically restart the Microsoft ssh-agent using the new version in C:\Program Files\OpenSSH:
Creating a SSH Key
I'll create a key using my YubiKey 4 and put it into the .ssh\yubikey4 file. I'll set the ssh key comment to "yubikey 4" as a reminder to myself which hardware this key goes with. Be sure to use the newer OpenSSH in
C:\Program Files\OpenSSH rather than the older system one in
This pops up some dialog boxes:
The ssh key itself is stored on the yubikey, the "private key" file just contains some related metadata (See the PROTOCOL.u2f file at the bottom of this page for details). You need both the hardware key and the file data in order to use this. You can make multiple ssh keys with the same hardware key, each will be unique.
Trying to generate a new ssh key using WSL2 fails because it tries to talk directly to the hardware (which is not available in the WSL2 VM):
But listing the key works:
As well as using it to login:
ssh pops up a confirmation dialog when I use this key:
This needs OpenSSH 8.2 or higher on both the client and the server, so it doesn't work for Rocky Linux 7 (OpenSSH 7.4p1) or 8 (OpenSSH 8.0p1).
Trying to add the U2F/Fido2 key from WSL2 ssh-add or from KeePassXC fails. Windows OpenSSH has their own SSH agent code in order to integrate with the Windows systems. I opened a bug report with the details and then a PR to fix this issue.