What is a Yubikey and why would you want to use it with SSH?

I’m not gonna go into much details about what a Yubikey is because there’s already plenty of online resources on them. The Yubikey is a cryptographic device for multi-factor authentication. From this point forward I’ll just assume you already know what SSH and SSH key pairs are.

There are multiple ways to use a Yubikey for SSH authentication. Each with their own pros and cons.

OpenPGP

You can use a auth subkey on the OpenPGP interface, which is extremely portable since the key resides on the Yubikey. The downside is that you need an SSH client configured to use those keys, which isn’t a given. The creation and management of the PGP keys are also tedious if you are not used to PGP.

Regular ed25519-sk or ecdsa-sk key pair

You can create a normal SSH key pair that is hardware-backed. It uses the Yubikey for the cryptographic operations, which means the key needs to be connected to the host and requires a touch to proceed with establishing the SSH connection. This method is widely supported on Linux with a recent enough version of OpenSSH. This method is very simple although not as portable. You need to carry your private key on something like a USB drive to connect from another host.

If you want to create such key pair simply need to do ssh-keygen -t ed25519-sk or ssh-keygen -t ecdsa-sk and follow the on-screen instructions.

Resident ed25519-sk or ecdsa-sk key pair

Now this is my favorite method and the whole reason I’m writing this post. This method I almost the same as the previous one, albeit with a twist. It uses the same encryption algorithms, but the key resides on the Yubikey itself. Which means you can extract the key pair from any host with a single command. Don’t worry, we can protect that operation by requiring the FIDO pin.

Here’s how we create the key pair: ssh-keygen -t ed25519-sk -O resident -O verify-required. Same options for the ecdsa algorithm.

This process still generates a private and public key pair that is stored on the computer. The pub key is obviously to be exported to hosts we which to connect to. But the private key is basically just a redirect to the actual Yubikey. It’s the same as the previous type of keys.

The difference here is that the private key is extractable from the Yubikey with a simple ssh-keygen -K. It will extract the same private and public key as when we created it the first time. Perfect for portability. The only caveat is the same as the previous method: it requires a hosts that supports hardware-backed SSH keys.

Conclusion

I think the importance of securing your machines with SSH keys is widely known by now. Using a hardware security key further improves safety and in the case of the resident type of key, improves the portability and convenience of SSH authentication.