From Wikipedia: The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance.
We're going to create an ed25519 SSH key that lives on the YubiKey. This works a bit differently from GPG keys: both the private and the public key reside on the YubiKey.
Caveats
Let's start with the things you should know.
- You will have only one copy of your key, and it can't be used without the YubiKey.
- According to the Arch Wiki (SSH keys) there is a bug: you can't require PIN verification on every use.
- Presence is mandatory: you must touch the button on every use.
- Make sure you have a different key that can access your computers; YubiKeys can be lost!
Configuration
- If you haven't set a PIN on the FIDO part of the YubiKey yet:
  ykman fido access change-pin
- Create a new key. The application prefix "ssh:" is mandatory, the domain part may be useful, and the user is optional.
  ssh-keygen -t ed25519-sk -O resident -O application="ssh:domain" -O user="$(whoami)"
- Set a password for the private key.
- Remove the private and public key from your machine.
  rm $HOME/.ssh/id_ed25519_sk*
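Added example, not from the original post: a few POSIX sh checks to run after the steps above, assuming only the standard OpenSSH key-type names and the default ~/.ssh file layout. It verifies that the key-handle files are gone from the machine and reports which entries in an authorized_keys file still work without a hardware token (ideally only the backup key the caveats recommend).

```sh
# Added example (not from the post): checks for the sk-key setup above.
# Pure POSIX sh; needs no YubiKey or ssh-agent. Demo data is constructed.

# Key types usable only with a FIDO authenticator present.
is_sk_type() {
    case "$1" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Key type of a public-key/authorized_keys line, skipping any leading options.
key_type_of() {
    set -f; set -- $1; set +f   # split on whitespace without globbing
    while [ $# -gt 0 ]; do
        case "$1" in ssh-*|ecdsa-*|sk-*) printf '%s\n' "$1"; return 0 ;; esac
        shift
    done
    return 1
}

# Count keys in an authorized_keys file that work WITHOUT a hardware token;
# lists them on stderr. Ideally only your backup key shows up here.
count_non_sk_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        t=$(key_type_of "$line") || continue
        is_sk_type "$t" && continue
        printf 'non-sk key: %s\n' "$line" >&2
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# sk key handles still on disk (private files); empty after the rm step above.
leftover_handles() {
    for f in "$1"/id_*_sk; do [ -f "$f" ] && printf '%s\n' "$f"; done
    return 0
}

# Demo on a constructed authorized_keys file.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'sk-ssh-ed25519@openssh.com AAAAconstructed yubikey' \
        'ssh-ed25519 AAAAconstructed backup-laptop' > "$d/authorized_keys"
    count_non_sk_keys "$d/authorized_keys"   # prints 1
    rm -rf "$d"
}
```

Run `leftover_handles "$HOME/.ssh"` after the rm step and `count_non_sk_keys ~/.ssh/authorized_keys` on each server you log in to.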
Day to day usage
Load the key from the YubiKey and use SSH as normal. You need to touch the key every time it starts blinking to prove that you are present.
- Add your YubiKey SSH key(s) to the ssh-agent.
  ssh-add -K
Fetch a copy of the key(s)
You still need the YubiKey to use SSH, but now your ssh-agent can know about the keys all the time.
- Go to your .ssh directory.
  cd $HOME/.ssh
- Download your keys.
  ssh-keygen -K
- Set a password on the private key.