Your private SSH key is the key for the kingdom. This means always having a password on the key. With YubiKey, you can keep your secret key outside your machine too.
Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.
This is a short how-to to get startet with using Yubikey to SSH into your servers.
YubiKey as private SSH key
Install the YubiKey management software.
sudo dnf install yubikey-manager
Check that OpenPGP is enabled on your YubiKey.
Expected output should include the following.
If you get an error, restart your computer and goto 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.
Set preferred number of retries when entering PIN on YubiKey. Default is 3 for user pin, 3 for unlock user pin (reset), 3 for admin pin. In the example admin retries is increased to 5.
ykman openpgp set-pin-retries 3 3 5
Generate OpenPGP key on YubiKey
gpg2 for the rest.
Generate PGP certificate on the key.
gpg2 --edit-card gpg/card> admin gpg/card> generate
Follow the instructions.
Enter the password menu.
Change user PIN, menu
Change admin PIN, menu
3. The easiest is to keep to numbers to avoid accidentally locking you YubiKey. If that happens you need to reset it ...