
ssh-keygen fido2 keys without password

Çağlar Arlı


ssh-keygen -t ed25519-sk -O resident -C "yubikey-fido1"

My understanding is that I should be able to generate OpenSSH keys with FIDO2 without a password and require touch only. While that opens up a potential attack when both the device and the hardware key get stolen, I am willing to accept that since I only use this key on a desktop device and don't carry it around.

However, if I print the resulting PK file (which was supposed to be just a reference to a key on the HW device?) I can see

-----BEGIN OPENSSH PRIVATE KEY-----

which is immediately alarming because it indicates a plaintext private key.

So is this an actual private key and I am doing something seriously wrong or is the "reference" disguised in a regular PEM format?

I checked and the key is unusable with the HW device not present, which would indicate it is indeed just a reference, but re-using a regular key file format seems rather bizarre to me.
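As an added example, not part of the original post, the following Python script decodes the openssh-key-v1 container that sits behind the "-----BEGIN OPENSSH PRIVATE KEY-----" header and lists what the private section of an sk-ssh-ed25519@openssh.com key actually holds. Per OpenSSH's PROTOCOL.key and PROTOCOL.u2f documents that section is: the key type, the public key, the application string (normally "ssh:"), a one-byte flags field, the token-specific key handle, and a reserved string, followed by the comment. There is no ed25519 private scalar anywhere in the file; the handle is what the token needs to locate its own key, which is why the file is useless without the device. The flag constants are taken from OpenSSH's sk-api.h. Because the example has to run offline, it first builds a synthetic key file from made-up bytes (constructed sample data, not output of a real token) and then parses it; give it a path on the command line to inspect a real file written by the command above, as long as that file was saved without a passphrase (the parser stops on an encrypted file rather than implementing the bcrypt KDF).

```python
import base64
import struct
import sys

AUTH_MAGIC = b"openssh-key-v1\x00"
SK_ED25519 = "sk-ssh-ed25519@openssh.com"

# Flag bits stored in the sk key's flags byte (OpenSSH sk-api.h).
SK_USER_PRESENCE_REQD = 0x01       # touch required on every signature
SK_USER_VERIFICATION_REQD = 0x04   # PIN/biometric required (-O verify-required)
SK_RESIDENT_KEY = 0x20             # created with -O resident


def _put_str(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential reader for SSH wire-format uint32 / uint8 / string fields."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated string field")
        self.pos += n
        return v


def build_sample_sk_key(pubkey: bytes = bytes(range(32)),
                        key_handle: bytes = bytes(range(64, 128)),
                        flags: int = SK_USER_PRESENCE_REQD | SK_RESIDENT_KEY,
                        comment: str = "yubikey-fido1") -> str:
    """Build an unencrypted openssh-key-v1 file for one sk-ssh-ed25519 key.

    Constructed sample data: pubkey and key_handle are arbitrary bytes, not
    values from a real token. Layout follows PROTOCOL.key / PROTOCOL.u2f.
    """
    app = b"ssh:"
    keytype = SK_ED25519.encode()
    pub_blob = _put_str(keytype) + _put_str(pubkey) + _put_str(app)
    check = b"\xde\xad\xbe\xef"  # random in real files; stored twice as a decryption check
    priv = (check + check
            + _put_str(keytype)
            + _put_str(pubkey)       # public key repeated
            + _put_str(app)          # application
            + bytes([flags])         # uint8 flags
            + _put_str(key_handle)   # opaque handle the token uses to find its key
            + _put_str(b"")          # reserved
            + _put_str(comment.encode()))
    i = 1
    while len(priv) % 8:             # pad 1,2,3,... up to the cipher block size (8 for "none")
        priv += bytes([i & 0xFF])
        i += 1
    blob = (AUTH_MAGIC
            + _put_str(b"none")      # ciphername: no passphrase
            + _put_str(b"none")      # kdfname
            + _put_str(b"")          # kdfoptions
            + struct.pack(">I", 1)   # number of keys
            + _put_str(pub_blob)
            + _put_str(priv))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[k:k + 70] for k in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def parse_sk_private_key(pem: str) -> dict:
    """Decode an unencrypted openssh-key-v1 file holding one sk-ssh-ed25519 key.

    Returns every field of the private section. Note what is absent: there is
    no ed25519 private scalar, only the handle the token needs to locate the key.
    """
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    data = base64.b64decode(body)
    if not data.startswith(AUTH_MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    r = _Reader(data[len(AUTH_MAGIC):])
    cipher, kdf, _kdfopts = r.string(), r.string(), r.string()
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    pub_blob = r.string()
    if cipher != b"none":
        raise ValueError("file is passphrase-protected (%s/%s); decrypt it first"
                         % (cipher.decode(), kdf.decode()))
    p = _Reader(r.string())
    if p.u32() != p.u32():
        raise ValueError("checkint mismatch (corrupt file)")
    keytype = p.string().decode()
    if keytype != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519 key: " + keytype)
    pubkey = p.string()
    application = p.string()
    flags = p.u8()
    key_handle = p.string()
    reserved = p.string()
    comment = p.string().decode()
    # Cross-check: the public blob at the top of the file carries the same public key.
    pr = _Reader(pub_blob)
    pr.string()
    if pr.string() != pubkey:
        raise ValueError("public key in header does not match private section")
    return {"keytype": keytype, "pubkey": pubkey, "application": application,
            "flags": flags, "key_handle": key_handle, "reserved": reserved,
            "comment": comment}


def describe_flags(flags: int) -> list:
    """Human-readable names for the sk flag bits that are set."""
    names = []
    if flags & SK_USER_PRESENCE_REQD:
        names.append("touch-required")
    if flags & SK_USER_VERIFICATION_REQD:
        names.append("verify-required")
    if flags & SK_RESIDENT_KEY:
        names.append("resident")
    return names


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_sk_key()
    k = parse_sk_private_key(pem)
    print("key type    :", k["keytype"])
    print("application :", k["application"].decode())
    print("flags       :", hex(k["flags"]), describe_flags(k["flags"]))
    print("key handle  :", len(k["key_handle"]), "bytes (opaque, token-specific)")
    print("comment     :", k["comment"])
    print("fields      :", ", ".join(k))
```

Run it with no arguments to see the synthetic file decoded, or with `python3 inspect_sk.py ~/.ssh/id_ed25519_sk` to decode a real one. The checkint comparison and the header-versus-body public key check are the same consistency checks ssh-keygen performs; if the file was saved with a passphrase the ciphername field will read aes256-ctr rather than none and the script refuses it.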