This was a mess, and I'm still working through it. However, I managed to get an ed25519_sk key working - generated it on Windows and used it in WSL.

There are a few resources I used:
- https://threatzer.com/posts/wsl-yubikeys/
- https://blog.nathanhigley.com/posts/hardwaresshkeysonwindows/

Steps:

This can be done in Windows or Linux:

    ssh-keygen -t ed25519-sk -f .\id_ed25519_sk -C "[email protected]" -O "resident" -O "verify-required"

The -O flags were required for me to force my hardware key (Token2 Pin+ Release 2) to store the key as FIDO2 instead of U2F.

In WSL2, add this to your ~/.bashrc:

    export SSH_SK_HELPER="/mnt/c/WINDOWS/System32/OpenSSH/ssh-sk-helper.exe"

The path may be different, so make sure it's correct.

You need to move the key from C:\Users\YOU\.ssh\id_ed25519_sk to your WSL ~/.ssh directory. Same for the .pub key.

    ssh-add ~/.ssh/id_ed25519_sk

Now it should use that key and prompt you to put your PIN in, touch the token, etc.

There should be a better way to automate ssh-agent to automatically load all the keys.
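One way to automate the last two steps, as an added example that is not part of the original post: a ~/.bashrc fragment that exports SSH_SK_HELPER, starts an ssh-agent once per login, and adds only the FIDO ("-sk") keys found in ~/.ssh. The helper path is the one from the post; the function and variable names are assumptions.

```shell
# Constructed ~/.bashrc fragment for WSL2 (added example, not from the original post):
# sets SSH_SK_HELPER, starts one ssh-agent per login, and loads every "-sk" key in
# ~/.ssh. The helper path is the one from the post; other locations are assumptions.

# Print the first argument that is an existing executable; return 1 if there is none.
find_sk_helper() {
    for candidate in "$@"; do
        if [ -n "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Print the private-key paths in $1 whose .pub file is a FIDO ("sk-") key type, so
# ordinary ed25519/RSA keys in the same directory are left alone.
list_sk_keys() {
    dir=$1
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        case $(cut -d' ' -f1 "$pub") in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                printf '%s\n' "${pub%.pub}" ;;
        esac
    done
}

# Export SSH_SK_HELPER, make sure an agent is reachable, then add the sk keys.
# ssh-add will prompt for the PIN and a touch, as the post describes.
setup_sk_agent() {
    ssh_dir=${1:-$HOME/.ssh}
    helper=$(find_sk_helper "${SSH_SK_HELPER:-}" \
        "/mnt/c/WINDOWS/System32/OpenSSH/ssh-sk-helper.exe") || {
        echo "ssh-sk-helper.exe not found; set SSH_SK_HELPER to its real path" >&2
        return 1
    }
    export SSH_SK_HELPER="$helper"
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?   # exit status 2 means no agent is reachable
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    list_sk_keys "$ssh_dir" | while IFS= read -r key; do
        ssh-add "$key"
    done
}

# Only run at an interactive login, so sourcing this file from scripts stays silent.
case $- in *i*) setup_sk_agent ;; esac
```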