Using FIDO2 (YubiKey) on WSL for SSH
Daniel Nashed – 14 February 2026 17:02:07
In a previous post I looked at FIDO2 keys in general.
On Windows 11 you can expose the USB key to your WSL Linux instance, in my case an Ubuntu 24.04 instance.
Here are the steps:
Step 1 ‐ Install usbipd on Windows
WSL does not automatically see USB security keys, so usbipd is used to attach the device to the WSL instance.
Install usbipd on Windows:
winget install usbipd
Once installed, list the connected devices:
usbipd list
Connected:
BUSID VID:PID DEVICE STATE
4-1 1050:0407 USB Input Device, Microsoft Usbccid Smartcard Reader (WUDF) Shared
4-10 8087:0033 Intel(R) Wireless Bluetooth(R) Not shared
Step 2 ‐ Attach the YubiKey to WSL
Bind the device (this step needs an administrator shell on Windows):
usbipd bind --busid 4-1
Attach to WSL:
usbipd attach --wsl --busid 4-1
Now list the USB devices inside WSL:
lsusb
The output should show the YubiKey, and WSL can now reach its FIDO2 interface:
Bus 001 Device 002: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Step 3 ‐ Create a FIDO2 SSH Key
Inside WSL create the key:
ssh-keygen -t ed25519-sk -O resident -O verify-required
What those options mean:
- -t ed25519-sk → Ed25519 key backed by a FIDO2 security key
- -O resident → key stored on the device (discoverable)
- -O verify-required → PIN and touch required for every signature
You’ll be prompted for:
- Security key PIN
- Touch confirmation
Private key material never leaves the YubiKey.
Step 4 ‐ Retrieve the Public Key
Because we used a resident key, you can retrieve the public key (and the key handle) from the device again; the files are written to the current directory:
ssh-keygen -K
Example output:
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1l...= root@nsh-t14
Add that public key to your server’s authorized_keys.
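As an added example, not part of the original post: a small POSIX shell helper that automates two checks in the flow above. It parses captured "usbipd list" output for the YubiKey (Yubico vendor ID 1050, as in the listing), verifies that a line from "ssh-keygen -K" is really an sk-ssh-ed25519 key, and builds the authorized_keys entry with the server-side "verify-required" option so sshd also rejects signatures made without PIN verification. The listing and public key below are constructed samples in the shape the post shows, not real values.

```shell
#!/bin/sh
# Constructed sample, same shape as the "usbipd list" output in the post.
SAMPLE_USBIPD_LIST='Connected:
BUSID VID:PID DEVICE STATE
4-1 1050:0407 USB Input Device, Microsoft Usbccid Smartcard Reader (WUDF) Shared
4-10 8087:0033 Intel(R) Wireless Bluetooth(R) Not shared'

# Yubico USB vendor ID (0x1050). Assumption: a single YubiKey is plugged in.
YUBICO_VID="1050"

# Print the BUSID of the first device whose VID is Yubico's; exit 1 if none.
# Pass the text captured from "usbipd list" (run on the Windows side).
find_yubikey_busid() {
    printf '%s\n' "$1" | awk -v vid="$YUBICO_VID" '
        $2 ~ ("^" vid ":") { print $1; found = 1; exit }
        END { exit !found }'
}

# Succeed only if the .pub line is the FIDO2-backed Ed25519 key type;
# a plain "ssh-ed25519" line would be a software key living on disk.
is_sk_ed25519_pubkey() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the authorized_keys entry. The "verify-required" key option makes sshd
# refuse signatures that do not attest user verification (PIN), regardless of
# how the client-side key was generated.
authorized_keys_entry() {
    is_sk_ed25519_pubkey "$1" || return 1
    printf 'verify-required %s\n' "$1"
}

# Constructed, shortened public key in the shape the post shows (not a real key).
SAMPLE_PUBKEY='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1l= root@nsh-t14'
```

Append the output of authorized_keys_entry to the server's authorized_keys instead of the bare public key line.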
Why This Is Better Than Traditional SSH Keys
| Traditional Key | FIDO2 Key |
|---|---|
| Private key stored on disk | Private key stored in hardware |
| Can be copied | Cannot be extracted |
| No user presence check | Requires touch |
| Optional passphrase | Enforced PIN |
Architecture Overview
Flow:
- Windows sees USB device
- usbipd attaches it to WSL
- OpenSSH inside WSL talks FIDO2
- YubiKey performs signing
- Server validates via public key
Final Thoughts
TPM is great for machine identity.
FIDO2 is great for human identity.
For privileged SSH access, especially in mixed Windows/WSL environments, this is one of the cleanest and most secure setups you can run today.