I’d like to request support for hardware security keys (FIDO2/WebAuthn tokens like YubiKeys) in Bitwarden’s SSH agent functionality.
Current Situation: Bitwarden’s SSH agent currently supports standard SSH key types (RSA, ECDSA, ED25519), but doesn’t support the security key variants sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com, which require physical hardware token interaction.
Use Case: Many organizations and security-conscious users are moving toward hardware-backed SSH keys for enhanced security. These keys provide:
- Physical presence verification for SSH authentication
- Protection against key extraction/theft
- Compliance with zero-trust security models
- Integration with existing FIDO2/WebAuthn infrastructure
Expected Behavior: When an SSH connection attempts to use a security key stored in Bitwarden’s SSH agent, Bitwarden should:
- Detect that the key requires hardware token interaction
- Prompt the user to interact with their security key (touch/tap)
- Forward the hardware token challenge/response through the SSH agent protocol
- Complete the SSH authentication successfully
Technical Details:
- OpenSSH security key types: sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com
- Requires integration with the system’s FIDO2/WebAuthn stack
- Should work with common hardware tokens (YubiKey, SoloKey, etc.)
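How an agent can tell, from the public key alone, that a key needs a hardware token: the sk-* types carry an extra application string (normally "ssh:") as the last field of their public-key blob, which the agent has to hand back to the authenticator when it asks for a signature. The following is an added example, not Bitwarden’s code, and builds constructed (not real) key lines to parse:

```python
import base64
import struct

# The two OpenSSH security-key types; their signatures come from a FIDO2 authenticator
# rather than from key material the agent itself holds.
SK_KEY_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob: bytes):
    """Split a public-key blob into its SSH wire strings (all pubkey blob fields use this encoding)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def build_public_key_line(key_type: str, fields, comment: str = "") -> str:
    """Assemble an authorized_keys-style line from blob fields (used here only for constructed test keys)."""
    blob = b"".join(ssh_string(f) for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def describe_public_key(line: str):
    """Return (key_type, needs_hardware_token, application) for one public-key line.

    sk-ssh-ed25519 blobs are: type, pk, application.
    sk-ecdsa-sha2-nistp256 blobs are: type, curve, EC point, application.
    Ordinary keys have no application field and need no token interaction.
    """
    key_type, b64 = line.split()[:2]
    fields = read_ssh_strings(base64.b64decode(b64))
    if fields[0].decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    if key_type in SK_KEY_TYPES:
        return key_type, True, fields[-1].decode()
    return key_type, False, None


if __name__ == "__main__":
    # Constructed sample keys: all-zero key material, so they are not usable for authentication.
    for sample in (build_public_key_line("sk-ssh-ed25519@openssh.com", [b"\x00" * 32, b"ssh:"], "yubikey"),
                   build_public_key_line("ssh-ed25519", [b"\x00" * 32], "laptop")):
        print(describe_public_key(sample))
```

An agent that sees `needs_hardware_token` set is the point at which the touch/tap prompt and the forwarding of the FIDO2 challenge would have to happen.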
Current Workaround: Users currently need to maintain separate SSH keys or use other SSH agents that support security keys, which reduces the convenience of having all SSH keys managed in Bitwarden.
This would make Bitwarden’s SSH agent feature more comprehensive for users implementing modern SSH security practices.