YubiKey/SSH

Many YubiKeys can be configured to provide FIDO/U2F authentication. OpenSSH 8.2p1 and later support the ed25519-sk and ecdsa-sk key types, which use such a token as a hardware-backed second factor for SSH authentication.

Introduction
YubiKeys provide several interfaces which can be used for authentication or encryption. Several of the authentication modules provided by YubiKeys can be used for SSH authentication. FIDO/U2F is a strong option: the secret never leaves the token and every signature requires a physical touch of the key, and it can be set up in multiple ways without much configuration.

USE flags
The USE flag is not enabled by default and must be enabled before building OpenSSH to get U2F/FIDO support.

Configuration
There are two main ways FIDO/U2F keys can be created on a YubiKey.

The first method, Non-Discoverable credential mode, generates the -sk variant key with the YubiKey but keeps the resulting private key file outside of the YubiKey. That file holds only a key handle: it is useless without the YubiKey, but the YubiKey is also useless for this key without the file. The file must be stored securely and carried to every client host. This method gives a cleaner separation of factors, but is not suitable for environments where the private key file cannot be moved to, or safely stored on, the client.

The second method, Discoverable (resident) mode, additionally stores the -sk variant key on the YubiKey itself, which allows the key to be used from more hostile environments without carrying a file. The trade-off is that anyone who holds the YubiKey and knows its FIDO PIN can retrieve the key handle from it and authenticate, because the private key and the U2F key are both in one place.

Non-Discoverable
With the YubiKey inserted, execute:

First, the command will prompt for the YubiKey's FIDO PIN (if one has been set) and the YubiKey must be touched when it blinks.

Then, it will prompt for a passphrase to protect the private key file that is written to disk.

Destination configuration
The public key must be added to the user's authorized_keys file on the destination server, in the format:

Usage
Once the keys are created and deployed on the destination, they are ready to be used.
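The generation, deployment and login steps above, collected into one script. This is an added example, not the wiki page's own commands: it assumes ssh-keygen, ssh-copy-id and ssh come from an OpenSSH 8.2+ built with FIDO support, that the key handle lives at ~/.ssh/id_ed25519_sk (overridable through the assumed SK_KEY variable), and that the destination is passed as user@host. The sk_key_type and authorized_keys_entry helpers are hypothetical, added here to check the public-key line before it is deployed.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands: creating, deploying and using a
# FIDO/U2F SSH key with a YubiKey and OpenSSH 8.2 or later.
# Assumptions: ssh-keygen, ssh-copy-id and ssh come from OpenSSH built with FIDO
# support; SK_KEY and the default path below are this example's own choices.
set -eu

KEY="${SK_KEY:-${HOME:-.}/.ssh/id_ed25519_sk}"   # assumed path for the key-handle file

# Non-discoverable key: the token keeps the secret, $KEY holds only the key handle.
# ssh-keygen asks for the FIDO PIN (if one is set), a touch, then a file passphrase.
gen_non_discoverable() {
    ssh-keygen -t ed25519-sk -f "$KEY" -C "yubikey-fido"
}

# Discoverable (resident) key: as above, but the handle is also kept on the token.
# Anyone holding the token and its PIN can fetch the handle again on any host with
# "ssh-keygen -K", so nothing has to be carried separately.
gen_discoverable() {
    ssh-keygen -t ed25519-sk -O resident -f "$KEY" -C "yubikey-fido-resident"
}

# Map an OpenSSH public-key (or authorized_keys) line to the ssh-keygen -t name it
# was made with, skipping any leading key options; "unsupported" for non-FIDO keys.
sk_key_type() {
    for word in $1; do
        case "$word" in
            sk-ssh-ed25519@openssh.com)         echo ed25519-sk; return 0 ;;
            sk-ecdsa-sha2-nistp256@openssh.com) echo ecdsa-sk;   return 0 ;;
        esac
    done
    echo unsupported
}

# Build the authorized_keys entry for the destination. Key options come first; for
# -sk keys the relevant ones are "no-touch-required" (drops the touch check and so
# weakens the second factor) and, from OpenSSH 8.4, "verify-required" (demands the
# FIDO PIN on every login). Refuses anything that is not an -sk public key.
authorized_keys_entry() {
    pubkey=$1
    options=${2:-}
    if [ "$(sk_key_type "$pubkey")" = unsupported ]; then
        echo "not an sk public key: $pubkey" >&2
        return 1
    fi
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$pubkey"
    else
        printf '%s\n' "$pubkey"
    fi
}

# Deploy: append $KEY.pub to the destination user's authorized_keys.
deploy_pubkey() {
    ssh-copy-id -i "${KEY}.pub" "$1"
}

# Use: name the key explicitly; the token must be inserted and touched at each login.
ssh_login() {
    ssh -i "$KEY" "$1"
}

case "${1:-}" in
    gen)     gen_non_discoverable ;;
    gen-rk)  gen_discoverable ;;
    deploy)  deploy_pubkey "$2" ;;
    login)   ssh_login "$2" ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as `sh sk-key.sh gen` (or `gen-rk` for a resident key), then `sh sk-key.sh deploy user@host` and `sh sk-key.sh login user@host`. If the destination's sshd is older than 8.2 it will not recognise the sk-ssh-ed25519@openssh.com key type and the public key line will simply be ignored.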

ssh-agent
The agent (ssh-agent) is not required, but is helpful because it caches the key handle and its passphrase for the session. It can be started with:

Successful startup prints the PID of the newly created agent.

With an active agent, keys can be added using ssh-add:

The loaded keys can be viewed with:

Once the keys are loaded, ssh can be used without entering a passphrase if the private key is already in the agent. The agent only holds the key handle, so the YubiKey must still be inserted and touched for every authentication. If an agent is not being used, the key can be specified manually, which requires the key passphrase on every use:
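The agent workflow from this section as a script. This is an added example, not the wiki page's own commands: it assumes ssh-agent and ssh-add from OpenSSH 8.2+ with FIDO support and the same assumed key-handle path as above (~/.ssh/id_ed25519_sk, overridable through SK_KEY). The listing_has_sk_key helper is hypothetical; it parses the output of ssh-add -l, which reports the key type in parentheses such as "(ED25519-SK)".

```shell
#!/bin/sh
# Added example (not from the wiki page): using ssh-agent with a FIDO (-sk) key.
# The agent caches only the key handle and passphrase; every signature still needs
# the YubiKey inserted and touched. Assumes ssh-agent/ssh-add from OpenSSH 8.2+.
set -eu

KEY="${SK_KEY:-${HOME:-.}/.ssh/id_ed25519_sk}"   # assumed key-handle path

# Start an agent for this shell. ssh-agent -s prints shell commands that export
# SSH_AUTH_SOCK and SSH_AGENT_PID plus a line "Agent pid <PID>"; eval applies them.
# Source this script (". agent.sh start") so the variables land in your shell.
start_agent() {
    eval "$(ssh-agent -s)"
}

# Load the key handle from disk; prompts for the file passphrase once.
add_file_key() {
    ssh-add "$KEY"
}

# Load discoverable (resident) keys straight from the token, no key file needed.
# Prompts for the FIDO PIN.
add_resident_keys() {
    ssh-add -K
}

# Read an "ssh-add -l" listing on stdin and print "yes" if it contains at least one
# FIDO key, "no" otherwise. Lines look like: "256 SHA256:... comment (ED25519-SK)".
listing_has_sk_key() {
    if grep -qE '\((ED25519|ECDSA)-SK\)$'; then
        echo yes
    else
        echo no
    fi
}

# After plugging the token in, make sure an sk key is loaded in the agent.
# ssh-add -l exits non-zero when no agent is running; that is treated as "no".
ensure_sk_key_loaded() {
    if [ "$(ssh-add -l 2>/dev/null | listing_has_sk_key)" = no ]; then
        add_file_key
    fi
}

case "${1:-}" in
    start)  start_agent ;;
    add)    ensure_sk_key_loaded ;;
    add-rk) add_resident_keys ;;
    list)   ssh-add -l ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Note that loading the key into the agent removes the passphrase prompt but not the touch: if the YubiKey is unplugged, ssh-add -l still lists the key while authentication fails until the token is back.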

External Resources

 * ssh-agent(1) man page
 * ssh-add(1) man page
 * ssh(1) man page