Introducing Secure Key (FIDO/WebAuthn) Support in AbsoluteTelnet/SSH

We’re pleased to announce that AbsoluteTelnet/SSH now includes support for OpenSSH Secure Keys (“sk-ssh” keys), adding modern FIDO2/WebAuthn hardware authentication alongside the PKI and smart-card systems AbsoluteTelnet has supported for years.

This update brings AbsoluteTelnet into alignment with the security model used by recent OpenSSH releases, while preserving Absolute’s long-standing emphasis on user-controlled, predictable authentication.


🔐 What Are Secure Keys (sk-ssh)?

Secure Keys are a special class of SSH keys where the private key is stored entirely inside a FIDO2/WebAuthn hardware token such as a YubiKey, Nitrokey, SoloKey, Google Titan, and others.

Supported formats include the ed25519-sk and ecdsa-sk key types (the OpenSSH sk-ssh-* formats).

Secure Keys differ from traditional SSH keys in important ways:

  • The private key is non-exportable
  • Each authentication requires explicit user presence (touch or biometric)
  • A PIN may be required depending on the token
  • Authentication operations are performed inside the hardware device

These formats were introduced in OpenSSH 8.2 and are increasingly used for hardened SSH authentication policies.


✅ How Secure Keys Work in AbsoluteTelnet

AbsoluteTelnet follows the standard OpenSSH implementation model for Secure Keys:

✅ You must generate the Secure Key using OpenSSH (ssh-keygen)

Before AbsoluteTelnet can use a Secure Key, you will need:

  • A FIDO2/WebAuthn hardware authenticator
  • The device plugged into USB (or paired via NFC/Bluetooth)
  • Access to OpenSSH’s ssh-keygen tool

Modern Windows systems already include OpenSSH:

  • Windows 10 includes an optional OpenSSH client you can enable under Settings → Apps → Optional Features
  • Windows 11 ships with the OpenSSH client enabled by default

This makes it simple to create Secure Keys directly on Windows without installing additional software.

Open a Command Prompt or PowerShell window and run:

ssh-keygen -t ed25519-sk

or:

ssh-keygen -t ecdsa-sk

During creation, OpenSSH will:

  1. Prompt you to touch your hardware key
  2. Ask for a PIN if your device requires one
  3. Create a non-exportable private credential inside the authenticator
  4. Generate two files:
  • ✅ a Secure Key stub file (public metadata + FIDO credential reference)
  • ✅ a matching .pub file for placement in authorized_keys on the server

The stub file stays on the client, the public key goes on the server, and the private key never leaves the hardware.
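As an added illustration (not AbsoluteTelnet's or OpenSSH's own code), the following Python parser reads the .pub line that ssh-keygen writes for an sk key, following the wire layout documented in OpenSSH's PROTOCOL.u2f; a server-side policy check can use it to confirm that a key destined for authorized_keys really is a hardware-backed sk-* key. The sample input is constructed inline by the encoder at the bottom, so it runs without a token.

```python
# Added example (not AbsoluteTelnet's or OpenSSH's code): parse the .pub line that
# "ssh-keygen -t ed25519-sk" / "-t ecdsa-sk" writes.  Blob layout (PROTOCOL.u2f):
#   ed25519: string type, string pk(32), string application
#   ecdsa:   string type, string "nistp256", string Q(65), string application
import base64
import struct

SK_TYPES = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes); fail on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack(">I", buf[off:off + 4])[0]
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def parse_sk_pubkey(line: str) -> dict:
    """Parse one .pub/authorized_keys line; reject anything not a well-formed sk-* key."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype = fields[0]
    if ktype not in SK_TYPES:
        raise ValueError(f"not a FIDO-backed key type: {ktype}")
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode() != ktype:
        raise ValueError("type inside blob does not match type field")
    if ktype == SK_TYPES[1]:
        curve, off = _read_string(blob, off)
        if curve != b"nistp256":
            raise ValueError("unexpected curve")
    pk, off = _read_string(blob, off)
    if len(pk) != (32 if ktype == SK_TYPES[0] else 65):
        raise ValueError("public key has wrong length")
    app, off = _read_string(blob, off)  # application string, normally "ssh:"
    if off != len(blob):
        raise ValueError("trailing bytes after application string")
    return {"type": ktype, "public_key": pk, "application": app.decode(), "comment": " ".join(fields[2:])}


def make_sk_pubkey_line(ktype: str, pk: bytes, application=b"ssh:", comment="constructed") -> str:
    # Encoder used only to build constructed sample input offline (no token needed).
    body = _string(ktype.encode())
    if ktype == SK_TYPES[1]:
        body += _string(b"nistp256")
    body += _string(pk) + _string(application)
    return f"{ktype} {base64.b64encode(body).decode()} {comment}"
```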

✅ AbsoluteTelnet requires this stub file for authentication

AbsoluteTelnet does not automatically discover, enumerate, or generate Secure Keys.
Instead, you select the specific stub file you want to use for a given connection.

Only the stub you choose is used — there is no automatic key fallback or probing, ensuring behavior is clear, deliberate, and predictable.

✅ Authentication is performed by the hardware token

When the server requests authentication, AbsoluteTelnet:

  • Loads the selected stub
  • Interacts with the FIDO device
  • Prompts you for user presence (touch)
  • Prompts for PIN if required
  • Submits the resulting signature to the server

This workflow matches OpenSSH’s behavior exactly.


🔒 Why Add Secure Keys When PKI Was Already Supported?

AbsoluteTelnet has offered hardware-backed authentication for many years through:

  • PKI smart cards
  • GSSAPI/Kerberos authentication

These systems remain fully supported.

Secure Keys do not replace PKI — they are a separate modern option with several unique advantages:

✅ Modern, platform-neutral hardware

Works with inexpensive, widely available FIDO2/WebAuthn devices.

✅ User-presence enforcement

Every signature requires a physical touch or biometric confirmation.

✅ Portable and convenient

The private credential lives on the hardware token;
the client uses the stub, and the server uses the public key.

✅ Seamless interoperability with OpenSSH

Secure Keys are increasingly adopted in hardened environments and cloud-managed infrastructures.


🚀 Available Today

Secure Key support is included in version 13.14 of AbsoluteTelnet/SSH.

This initial implementation focuses on:

  • Full compatibility with the OpenSSH sk-ssh-* formats
  • PIN and user-presence handling
  • Explicit, per-host stub selection
  • On-device signing via FIDO hardware

🔭 What’s Coming Next

This update lays a solid foundation for future improvements, including:

  • Optional Secure Key creation directly within AbsoluteTelnet
  • Improved stub-file management and UI integration
  • Resident-key enumeration on supported devices
  • Smart-card + FIDO hybrid authentication
  • PIN caching (with appropriate security controls)

All enhancements will align with AbsoluteTelnet’s core principle:
authentication that is user-controlled, transparent, and predictable.
