DataDog/yubikey

Use U2F/FIDO2 instead of GPG for SSH

trishankatdatadog opened this issue · 3 comments

We are blocked from using this until GitHub supports it.

GitHub now supports it:
https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/

I looked at using FIDO2 support in OpenSSH before this became known, however, and eventually settled on using this existing project with GPG instead, because the tooling around the FIDO2 support is still a bit wonky. The feedback you get from things like ssh-add is very minimal, FIDO2 support on the YubiKey 5 is shared with FIDO U2F, so resetting that part of the key to wipe the SSH keys also wipes your U2F identities for Google, GitHub, etc. in a way that didn't seem obvious.

Plus the fact that it requires OpenSSH 8.2 and up, which means that you need to install SSH from an external source on both macOS and Debian, which, while workable, isn't ideal, IMO?

These might be non-issues for some, but to me the GPG support felt much more solid, scriptable, etc., which is why I am moving forward with GPG instead of FIDO2. YMMV, of course :)

Maybe we should consider this closed for the reasons you delineated, @mejofi. Thanks!