We’re pleased to announce that AbsoluteTelnet/SSH now includes support for OpenSSH Secure Keys (“sk-ssh” keys), adding modern FIDO2/WebAuthn hardware authentication alongside the PKI and smart-card systems AbsoluteTelnet has supported for years.
This update brings AbsoluteTelnet into alignment with the security model used by recent OpenSSH releases, while preserving Absolute’s long-standing emphasis on user-controlled, predictable authentication.
🔐 What Are Secure Keys (sk-ssh)?
Secure Keys are a special class of SSH keys where the private key is stored entirely inside a FIDO2/WebAuthn hardware token such as a YubiKey, Nitrokey, SoloKey, Google Titan, and others.
Supported formats include:
Secure Keys differ from traditional SSH keys in important ways:
- The private key is non-exportable
- Each authentication requires explicit user presence (touch or biometric)
- A PIN may be required depending on the token
- Authentication operations are performed inside the hardware device
These formats were introduced in OpenSSH 8.2 and are increasingly used for hardened SSH authentication policies.
✅ How Secure Keys Work in AbsoluteTelnet
AbsoluteTelnet follows the standard OpenSSH implementation model for Secure Keys:
✅ You must generate the Secure Key using OpenSSH (ssh-keygen)
Before AbsoluteTelnet can use a Secure Key, you will need:
- A FIDO2/WebAuthn hardware authenticator
- The device plugged into USB (or paired via NFC/Bluetooth)
- Access to OpenSSH’s ssh-keygen tool
Modern Windows systems already include OpenSSH:
- Windows 10 includes an optional OpenSSH client you can enable under Settings → Apps → Optional Features
- Windows 11 ships with the OpenSSH client enabled by default
This makes it simple to create Secure Keys directly on Windows without installing additional software.
Open a Command Prompt or PowerShell window and run:
ssh-keygen -t ed25519-sk
or:
ssh-keygen -t ecdsa-sk
During creation, OpenSSH will:
- Prompt you to touch your hardware key
- Ask for a PIN if your device requires one
- Create a non-exportable private credential inside the authenticator
- Generate two files:
  - ✅ a Secure Key stub file (public metadata + FIDO credential reference)
  - ✅ a matching .pub file for placement in authorized_keys on the server
The stub file stays on the client, the public key goes on the server, and the private key never leaves the hardware.
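To see what actually goes on the server, the added example below (not AbsoluteTelnet or OpenSSH code) decodes a public key line and reports whether it is a Secure Key and which FIDO application string it carries, so an authorized_keys file can be audited for entries that are not hardware-backed. The key-type names and field layout follow OpenSSH's PROTOCOL.u2f; the function names are hypothetical and the sample keys are constructed from dummy bytes.

```python
import base64
import struct

SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Return (key_type, is_secure_key, application) for one key line."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:  # the key is the field pair whose blob names its own type
            blob = base64.b64decode(fields[i + 1], validate=True)
            inner, off = _read_string(blob, 0)
        except ValueError:
            continue
        if inner.decode("ascii", "replace") != fields[i]:
            continue
        if fields[i] not in SK_TYPES:
            return fields[i], False, None
        if fields[i].startswith("sk-ecdsa"):
            _, off = _read_string(blob, off)  # curve name
        _, off = _read_string(blob, off)      # public key / EC point
        app, _ = _read_string(blob, off)      # FIDO application string
        return fields[i], True, app.decode("utf-8", "replace")
    raise ValueError("no well-formed SSH public key in line")

def audit(lines):
    """Return the key lines that are not hardware-backed Secure Keys."""
    keys = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return [l for l in keys if not parse_pubkey_line(l)[1]]

def make_line(key_type, *parts):
    """Build a constructed key line from dummy bytes (sample data only)."""
    blob = b"".join(struct.pack(">I", len(p)) + p
                    for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed"

SAMPLE_ED_SK = make_line("sk-ssh-ed25519@openssh.com", b"\x11" * 32, b"ssh:")
SAMPLE_EC_SK = make_line("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256",
                         b"\x04" + b"\x22" * 64, b"ssh:")
SAMPLE_PLAIN = make_line("ssh-ed25519", b"\x33" * 32)
```

Passing the lines of a server's authorized_keys file to audit() lists the entries that would still accept a software-held key.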
✅ AbsoluteTelnet requires this stub file for authentication
AbsoluteTelnet does not automatically discover, enumerate, or generate Secure Keys.
Instead, you select the specific stub file you want to use for a given connection.
Only the stub you choose is used — there is no automatic key fallback or probing, ensuring behavior is clear, deliberate, and predictable.
✅ Authentication is performed by the hardware token
When the server requests authentication, AbsoluteTelnet:
- Loads the selected stub
- Interacts with the FIDO device
- Prompts you for user presence (touch)
- Prompts for PIN if required
- Submits the resulting signature to the server
This workflow matches OpenSSH’s behavior exactly.
🔒 Why Add Secure Keys When PKI Was Already Supported?
AbsoluteTelnet has offered hardware-backed authentication for many years through:
- PKI smart cards
- GSSAPI/Kerberos authentication
These systems remain fully supported.
Secure Keys do not replace PKI — they are a separate modern option with several unique advantages:
✅ Modern, platform-neutral hardware
Works with inexpensive, widely available FIDO2/WebAuthn devices.
✅ User-presence enforcement
Every signature requires a physical touch or biometric confirmation.
✅ Portable and convenient
The private credential lives on the hardware token; the client uses the stub, and the server uses the public key.
✅ Seamless interoperability with OpenSSH
Secure Keys are increasingly adopted in hardened environments and cloud-managed infrastructures.
🚀 Available Today
Secure Key support is included in version 13.14 of AbsoluteTelnet/SSH.
This initial implementation focuses on:
- Full compatibility with the OpenSSH sk-ssh-* formats
- PIN and user-presence handling
- Explicit, per-host stub selection
- On-device signing via FIDO hardware
🔭 What’s Coming Next
This update lays a solid foundation for future improvements, including:
- Optional Secure Key creation directly within AbsoluteTelnet
- Improved stub-file management and UI integration
- Resident-key enumeration on supported devices
- Smart-card + FIDO hybrid authentication
- PIN caching (with appropriate security controls)
All enhancements will align with AbsoluteTelnet’s core principle: authentication that is user-controlled, transparent, and predictable.