Resident Discoverable SSH Keys not working


I am on a transition from macOS to NixOS. One piece of the puzzle that I am missing is the use of my fido2 SSH keys. Both macOS and Nix are using SSH version 9.6p1.

On both devices, I insert the Yubikey, do ssh-keygen -K, it asks for the Yubikey PIN, asks to set the keypair password and the public/private keys are output accordingly.

Then, on macOS I will do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname. I’m prompted for the ssh key passphrase, the yubikey PIN and requested to touch the yubikey to confirm ‘user presence’ and I’m logged in.

However, on NixOS I also do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname where I’m prompted for the ssh key passphrase, however I am not prompted for the Yubikey PIN or to touch it but instead returned with the error:

sign_and_send_pubkey: signing failed for ED25519-SK "id_ed25519_sk_rk_xxx" from agent: agent refused operation

In my configuration.nix I have:

environment.systemPackages = with pkgs; [
  pinentry-curses.  #For GPG


programs.ssh.askPassword = "";
services.pcscd.enable = true;

In home.nix:

programs.ssh = {
  enable = true;

services.ssh-agent = {
  enable = true;

Any suggestions would be greatly appreciated. Thanks

Hi @harvey, I can reproduce this scenario with my FIDO2 Security Key. It was frustrating for sure because I’ve never had it NOT work out of the box on Arch or Fedora.


     IdentitiesOnly yes
     IdentityAgent none

to my host in ~/.ssh/config solved it for me, which was suggested in this stackoverflow answer.

If this does not work, I recommend adding -vvv to your ssh commands and inspecting the output.