resident-key aka discoverable credentials (`fido2-token -S` to set the PIN, otherwise all other things fails, after using the PIN an additional touch is needed but not declared. Check this with
to get the "resident-key aka dc" call `ssh-keygen -K`. you get the two files, but the private key is a stub.(?, https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f) yubikey seems to support only ecdsa and not ed25519
to add this "rk or dc thing" into the agent `ssh-add -K`. It seems that the `user@host` info gets lost while transfering this into the dongles space.
Using resident keys If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:
$ ssh-keygen -t ecdsa-sk -O resident
This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
$ ssh-add -K
This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
$ ssh-keygen -K
This will write two files into the current directory: id\_ecdsa\_sk\_rk and id\_ecdsa\_sk\_rk.pub. Now you just need to rename the private key file to id\_ecdsa\_sk and move it into your SSH directory:
$ mv id\_ecdsa\_sk\_rk ~/.ssh/id\_ecdsa_sk
Finally, there’s one more feature to be excited about…