Yubikey is my preferred solution for securing social accounts (Twitter, Facebook, Google), WordPress admin accounts, Git, Apple ID (since iOS 16.3; you need two keys) and OpenSSH (since v8.2p1).
The Yubico how-to is great; I will just add a couple of specifics on configuring the server and the clients.
I chose the “discoverable” config and followed the steps in the how-to. On macOS Ventura 13.1 the latest is OpenSSH_9.1p1 with OpenSSL 1.1.1s, so you can generate the key with ecdsa-sk.
The second specific that is not well covered in the Yubico how-to is the server config.
– For Debian 11.6 (with OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n) add the following to your /etc/ssh/sshd_config:
#Yubikey FIDO authentication
PubkeyAuthentication yes
PubkeyAuthOptions verify-required
PubkeyAcceptedKeyTypes ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
You also need to disable PAM in the config with:
UsePAM no
– For OpenBSD 7.2 (with OpenSSH_9.1, LibreSSL 3.6.0) it is the same, but it works even if you leave the PAM option commented out:
#Yubikey FIDO authentication
PubkeyAuthentication yes
PubkeyAuthOptions verify-required
PubkeyAcceptedKeyTypes ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
#UsePAM no
I have added ssh-ed25519 and sk-ssh-ed25519 to PubkeyAcceptedKeyTypes because I have several Yubikeys with different firmware versions and several generated key types. For a Yubikey with NFC support and firmware 5.4.3 I just need sk-ecdsa-sha2-nistp256.
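Because sshd honours only the first occurrence of a directive and silently ignores a commented-out line, it is easy to believe verify-required is in force when it is not. The script below is an added example (not part of the original post or of the Yubico how-to): it reads an sshd_config and reports whether the settings described above are actually effective. It assumes the "Keyword value" syntax shown above (not "Keyword=value"), stops at the first Match block because anything after it is conditional, and accepts either PubkeyAcceptedKeyTypes or its newer alias PubkeyAcceptedAlgorithms. The two sample configs it checks are constructed for the demonstration; point it at /etc/ssh/sshd_config on a real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the FIDO (verify-required) settings.
# Not from the original post; assumes "Keyword value" syntax and ignores Match blocks.

# Print the effective value of a directive (case-insensitive keyword, as in sshd).
# Only the first non-comment occurrence counts, which is what sshd applies.
sshd_directive() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || substr($1, 1, 1) == "#" { next }   # skip blank lines and comments
        tolower($1) == "match" { exit }               # conditional blocks are out of scope here
        tolower($1) == key { print $2; exit }         # first occurrence wins
    ' "$1"
}

# Record one finding and count it.
flag() {
    echo "  [!] $1"
    problems=$((problems + 1))
}

# Check one config file. Returns 0 when all FIDO-related settings are in place,
# otherwise the number of findings.
check_sshd_fido_config() {
    cfg="$1"
    problems=0
    echo "Checking $cfg"

    # PubkeyAuthentication defaults to yes when absent; only an explicit "no" is a problem.
    auth=$(sshd_directive "$cfg" PubkeyAuthentication)
    [ -z "$auth" ] || [ "$auth" = "yes" ] || flag "PubkeyAuthentication is '$auth'"

    # PubkeyAuthOptions is a comma-separated list; verify-required must be one of its items.
    opts=$(sshd_directive "$cfg" PubkeyAuthOptions)
    case ",$opts," in
        *,verify-required,*) : ;;
        *) flag "PubkeyAuthOptions does not contain verify-required (PIN will not be enforced)" ;;
    esac

    # At least one sk-* algorithm must be accepted. An empty value or a list starting
    # with '+' or '^' keeps the defaults, which already include the sk-* algorithms.
    algs=$(sshd_directive "$cfg" PubkeyAcceptedKeyTypes)
    [ -n "$algs" ] || algs=$(sshd_directive "$cfg" PubkeyAcceptedAlgorithms)
    case "$algs" in
        ""|+*|^*) : ;;
        -*) case "$algs" in *sk-*) flag "sk-* algorithms are removed from the default list" ;; esac ;;
        *) case ",$algs," in
               *,sk-*) : ;;
               *) flag "no sk-* algorithm in PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms" ;;
           esac ;;
    esac

    # On Debian the post reports that UsePAM must be "no" for this setup to work.
    pam=$(sshd_directive "$cfg" UsePAM)
    [ "$pam" != "yes" ] || flag "UsePAM is yes (set it to no on Debian for FIDO-only auth)"

    return "$problems"
}

# Constructed sample configs for the demonstration (not copied from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.good" <<'EOF'
#Yubikey FIDO authentication
PubkeyAuthentication yes
PubkeyAuthOptions touch-required,verify-required
PubkeyAcceptedKeyTypes ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
UsePAM no
EOF
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# Looks hardened at a glance, but the important line is commented out.
PubkeyAuthentication yes
#PubkeyAuthOptions verify-required
PubkeyAcceptedKeyTypes ssh-ed25519
UsePAM yes
EOF

for f in "$demo_dir"/sshd_config.*; do
    if check_sshd_fido_config "$f"; then echo "  OK"; else echo "  NOT hardened"; fi
done
```

Running it prints three findings for the weak file (missing verify-required, no sk-* algorithm, UsePAM yes) and "OK" for the good one; the exit status of check_sshd_fido_config makes it usable from a configuration-management or CI check as well.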
Limitations:
– You need the Yubikey all the time (obviously). But if you need to log in to a bastion A, for example, and from bastion A to another host B, you cannot do it with this setup. You can apply the above config on your local client and on bastion A, but not on host B through the bastion: once you are logged in to bastion A, you lose the Yubico verification (PIN and touch), because ssh on the bastion cannot “see” the Yubikey plugged into your local client.
– You had better have two Yubikeys in case you lose your primary one.