Pure-Rust asynchronous SSH library, both client and server

#88 Add sk-ssh-ed25519@openssh.com (FIDO2 security key) support

Opened by DzmingLi on March 18, 2026
DzmingLi on March 18, 2026

Add support for the sk-ssh-ed25519@openssh.com key type, enabling authentication with FIDO2/U2F hardware security keys (passkeys). SKP256 (sk-ecdsa) not included to keep scope minimal; can be added later.

Changes

thrussh-keys:

  • PublicKey::SKEd25519 variant with application field
  • Signature::SKEd25519 variant with flags + counter authenticator data
  • SK public key parsing/serialization (wire format and base64)
  • SK signature verification: SHA256(application) || flags || counter || SHA256(message)
  • SSH agent client support: identity listing, key blob serialization, sign request/response handling
  • OpenSSH SK private key parsing: extract key_handle and application
  • KeyPair::SKEd25519 variant for local FIDO2 signing via hardware token
  • Local signing via ctap-hid-fido2::FidoKeyHid::get_assertion

thrussh:

  • sk-ssh-ed25519@openssh.com added to algorithm negotiation lists
  • Named and PubKey trait impls for SK keys
  • Server-side auth: extract flags + counter from SK signature blob before verification
DzmingLi added a change on March 19, 2026
ZZHLVXTPSMXE4F446Z2YEWUJWDODZA36FNJH3LRHKKPG2C3QGOPAC
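
The server-side step from the change list above, as an added example (not code from this change or from thrussh): parsing the SK signature blob into signature, flags and counter, then assembling the bytes the Ed25519 verification runs over. The function names, the user-presence test on flag bit 0x01 and the sample blob are assumptions of this example; the two SHA-256 digests are taken as inputs because std has no hash implementation.

```rust
const SK_ED25519: &[u8] = b"sk-ssh-ed25519@openssh.com";
#[derive(Debug, PartialEq)]
pub struct SkSignature { pub sig: [u8; 64], pub flags: u8, pub counter: u32 }

// Bit 0x01 of the FIDO authenticator flags records user presence (touch).
pub fn user_present(s: &SkSignature) -> bool { s.flags & 0x01 != 0 }

// Read one SSH `string` (uint32 big-endian length, then bytes), advancing `buf`.
fn read_string<'a>(buf: &mut &'a [u8]) -> Option<&'a [u8]> {
    let cur: &'a [u8] = *buf;
    if cur.len() < 4 { return None; }
    let len = u32::from_be_bytes([cur[0], cur[1], cur[2], cur[3]]) as usize;
    if cur.len() - 4 < len { return None; }
    let (s, tail) = cur[4..].split_at(len);
    *buf = tail;
    Some(s)
}

// Blob layout: string key type, string signature (64 bytes), byte flags, uint32 counter.
// Exactly 5 bytes must remain after the two strings, so truncated or padded blobs fail.
pub fn parse_sk_signature(mut blob: &[u8]) -> Option<SkSignature> {
    if read_string(&mut blob)? != SK_ED25519 { return None; }
    let raw = read_string(&mut blob)?;
    if raw.len() != 64 || blob.len() != 5 { return None; }
    let mut sig = [0u8; 64];
    sig.copy_from_slice(raw);
    let counter = u32::from_be_bytes([blob[1], blob[2], blob[3], blob[4]]);
    Some(SkSignature { sig, flags: blob[0], counter })
}

// Signed bytes: SHA256(application) || flags || counter || SHA256(message).
pub fn signed_data(app_hash: &[u8; 32], s: &SkSignature, msg_hash: &[u8; 32]) -> Vec<u8> {
    let mut out = app_hash.to_vec();
    out.push(s.flags);
    out.extend_from_slice(&s.counter.to_be_bytes());
    out.extend_from_slice(msg_hash);
    out
}

// Constructed sample blob (filler bytes, not a real signature).
pub fn sample_blob(flags: u8, counter: u32) -> Vec<u8> {
    let mut b = (SK_ED25519.len() as u32).to_be_bytes().to_vec();
    b.extend_from_slice(SK_ED25519);
    b.extend_from_slice(&64u32.to_be_bytes());
    b.extend_from_slice(&[0xAB; 64]);
    b.push(flags);
    b.extend_from_slice(&counter.to_be_bytes());
    b
}
fn main() {
    let s = parse_sk_signature(&sample_blob(0x01, 7)).expect("well-formed blob");
    let n = signed_data(&[0x11; 32], &s, &[0x22; 32]).len();
    println!("present={} counter={} signed_len={}", user_present(&s), s.counter, n);
}
```

The buffer returned by `signed_data` and the 64-byte `sig` are what an Ed25519 verify call takes, together with the public key from the SK key blob.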