tech-note: Fedora 41 yubi resident ssh key
After moving some hardware around I ended up with a Lenovo M720q on my desk in addition to my MacBook docking setup. This is a nice used SFF, available at reasonable cost with an integrated Intel GPU, so I thought it'd be a decent test bed for Wayland (my previous Linux desktop had an Nvidia 4060 Ti, which preferred X).
As I've gravitated to only using yubikey-based ssh keys, one of my first setup tasks was to generate one that would remain in this system on my desk. This is the second time I've done this and hit the same rough edges, so I wanted to document the main details.
necessary packages
Of course you need a few packages. On Fedora 41 the ykman CLI ships in the yubikey-manager package and fido2-token in fido2-tools; libfido2-devel is only needed if you compile something against libfido2 yourself, since the stock openssh package is already built with FIDO support:
sudo dnf install yubikey-manager fido2-tools
solving the USB user issue
By default, my desktop user didn't have access to the yubi device, so some udev configuration is required.
In my case I opted to add a new group, and add my user as a member:
sudo groupadd plugdev
sudo usermod -aG plugdev knassery
Then we need to install a udev rule that gives this group permission on the devices. There are a few ways to make this more restrictive, but in my case I'm giving the group access to all of the /dev/hidraw* devices.
Create the file /etc/udev/rules.d/99-hidraw-permissions.rules containing:
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev"
Rules only apply to devices enumerated after they are loaded, so reload udev (or reboot) and re-plug the key, and log out and back in so the new group membership takes effect in your session.
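The rule above hands plugdev members the raw report stream of every HID device on the box, keyboards included, which is more than a FIDO token needs. The following is an added example, not part of the original note: a small script that installs a rule restricted to Yubico's USB vendor ID (0x1050), reloads udev so it applies without a reboot, and checks that the current user can actually open the resulting device nodes. The rule filename and the plugdev group name are assumptions.

```shell
#!/bin/sh
# Added example: vendor-restricted hidraw rule plus an access check.
# Assumptions: the group "plugdev" exists (see groupadd above); the rule
# path is arbitrary but must sort before any broader hidraw rule.
set -eu

# Print a udev rule that only matches hidraw nodes whose USB parent is a
# Yubico device (idVendor 0x1050), instead of every HID device on the system.
hidraw_rule() {
    group=$1
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", MODE="0660", GROUP="%s"\n' "$group"
}

# Write the rule to a file (default under /etc/udev/rules.d; needs root there).
write_hidraw_rule() {
    group=$1
    path=${2:-/etc/udev/rules.d/70-yubikey-hidraw.rules}
    hidraw_rule "$group" > "$path"
}

# Rules apply only to devices enumerated after they are loaded, so reload and
# re-trigger the hidraw subsystem; re-plugging the key also works.
reload_udev() {
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=hidraw
}

# List hidraw nodes the current user cannot open read/write; returns 1 if any.
# A new group membership only takes effect in sessions started after re-login.
check_hidraw_access() {
    bad=0
    for dev in /dev/hidraw*; do
        [ -e "$dev" ] || continue
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            continue
        fi
        echo "no access: $(ls -l "$dev")"
        bad=1
    done
    return $bad
}

# Usage, as root:
#   write_hidraw_rule plugdev && reload_udev
# then as the desktop user, after a fresh login and with the key plugged in:
#   check_hidraw_access && fido2-token -L
```

The vendor match works because udev walks up to the USB parent for ATTRS{} keys; the ordinary keyboard and mouse hidraw nodes keep their default root-only mode. fido2-token -L listing the key as a FIDO device is the final confirmation that ssh-keygen will be able to talk to it.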
clearing the key (if needed)
As I wanted to regenerate a resident key for this system, and had previously generated an ssh key from this particular yubi, I got a fairly vague error:
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
Key enrollment failed: invalid format
Turns out, I needed to reset the FIDO2 application on the key:
ykman fido reset
Be aware that this wipes every FIDO2 credential on the YubiKey, including resident ssh keys for other machines and any WebAuthn passkeys, and clears the FIDO2 PIN; the reset has to be confirmed by removing and re-inserting the key and touching it when prompted. There are other possible reasons for that error, as it appears to be a bit of a catch-all for key generation failures; running ssh-keygen with -vvv shows the underlying libfido2 error before reaching for the reset.
generating the key
At this point I was able to perform the key generation:
ssh-keygen -t ed25519-sk -O resident
In my case I want presence (touch) required, which is the default, and the key to remain on the yubi, so that if I rebuild this system I won't have to redistribute a new public key to the authorized_keys files across my systems.
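To make the rebuild case actually painless it helps to give each resident key its own application string and to know how to pull the keys back off the token. The script below is an added example, not from the original note, covering both that and the reset section above: it lists what is already resident on the key before enrolling another (so you can decide whether a full reset is really needed), enrols a touch-required resident key tagged for this machine, recovers resident keys on a fresh system, and includes an offline helper that reads the application string back out of a public key line so recovered keys can be told apart. The machine name "m720q", the key file names and the constructed sample key are assumptions.

```shell
#!/bin/sh
# Added example (not the note's own commands): enrol a resident, touch-required
# ed25519-sk key with a per-machine application string, recover it on a rebuilt
# box, and identify recovered keys by parsing the application string out of
# the public key. Names such as "m720q" are assumptions.
set -eu

# Show what is already resident on the token before creating another key
# (prompts for the PIN). Deleting one credential beats a full fido reset.
list_resident_credentials() {
    ykman fido credentials list
}

# Enrol a new resident ed25519-sk key. User presence (touch) is the default;
# -O application gives this key its own rp id ("ssh:" prefix is mandatory) so
# resident keys from several machines can coexist and be told apart later.
# Add -O verify-required to also demand the PIN on every use.
enroll_resident_key() {
    name=$1
    ssh-keygen -t ed25519-sk -O resident -O "application=ssh:$name" \
        -C "yubikey-$name" -f "$HOME/.ssh/id_ed25519_sk_$name"
}

# On a rebuilt system: pull the resident key handles back off the token into
# ~/.ssh (files named id_ed25519_sk_rk_<application>). Only the handle comes
# back; the private key never leaves the YubiKey.
recover_resident_keys() {
    cd "$HOME/.ssh" && ssh-keygen -K
}

# --- offline helpers ---------------------------------------------------------

# Emit one SSH wire "string": 4-byte big-endian length followed by the bytes.
# Lengths below 256 are assumed, which covers every field used here.
ssh_string() {
    printf '\000\000\000'
    printf "\\$(printf '%03o' "${#1}")"
    printf '%s' "$1"
}

# Print the FIDO application string embedded in an sk-ssh-ed25519 public key
# line. The blob is: string type (26 bytes), string 32-byte public key,
# string application, so the application field starts at byte 67 of the
# decoded blob. Returns 1 for any other key type.
sk_application() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    [ "$type" = "sk-ssh-ed25519@openssh.com" ] || return 1
    printf '%s' "$blob" | base64 -d | tail -c +67 | tail -c +5
}

# Constructed sample public key line (not a real key): 32 placeholder bytes
# stand in for the Ed25519 public key, with application "ssh:m720q".
sample_sk_pubkey() {
    blob=$({ ssh_string "sk-ssh-ed25519@openssh.com"
             ssh_string "0123456789abcdef0123456789abcdef"
             ssh_string "ssh:m720q"; } | base64 | tr -d '\n')
    printf 'sk-ssh-ed25519@openssh.com %s yubikey-m720q\n' "$blob"
}

# Usage with the token plugged in:
#   list_resident_credentials; enroll_resident_key m720q
# and on a rebuilt machine, after recover_resident_keys:
#   for f in "$HOME"/.ssh/*_rk*.pub; do echo "$f: $(sk_application "$(cat "$f")")"; done
```

Because the public key embeds the application string, the authorized_keys entries you distribute once stay valid across rebuilds of the desktop: the recovered handle plus the YubiKey reproduce the same key, and the application string tells you which machine's key a given line belongs to.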