Skip to content

Instantly share code, notes, and snippets.

@dadatuputi

dadatuputi/fido2_ssh_wsl.md

Last active June 10, 2025 15:08
Show Gist options
  • Save dadatuputi/3ebcfbaac26fffab73b0410cc3ef309e to your computer and use it in GitHub Desktop.
Save dadatuputi/3ebcfbaac26fffab73b0410cc3ef309e to your computer and use it in GitHub Desktop.
Download ZIP
Storing a SSH Key on a FIDO2 Hardware Token
Raw
fido2_ssh_wsl.md

FIDO2 SSH WSL on Windows 11

This was a mess, and still working through it. However, I managed to get a ed25519_sk key working - generated it on Windows and used it in WSL.

There are a few resources I used:

Steps:

Create the key

This can be done in Windows or Linux:

ssh-keygen -t ed25519-sk -f .\id_ed25519_sk -C "[email protected]" -O "resident" -O "verify-required"

The -O flags were required for me to force my hardware key (Token2 Pin+ Release 2) to store the key as FIDO2 instead of U2F.

Set up WSL

In WSL2, add this to your ~/.bashrc:

export SSH_SK_HELPER="/mnt/c/WINDOWS/System32/OpenSSH/ssh-sk-helper.exe"

The path may be different, so make sure it's correct.

Move key from Windows to Linux

You need to move the key from C:\Users\YOU\.ssh\id_ed25519_sk to your WSL ~/.ssh directory. Same for the .pub key.

Add key to WSL keychain

ssh-add ~/.ssh/id_ed25519_sk

Now, it should use that key and prompt you to put your pin in, touch the token, etc.

There should be a better way to automate ssh-agent to automatically load all the keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment