OpenSSH with Yubikey / FIDO2 protected keys
These instructions are for using OpenSSH (version 8.3 or newer) to "sign" private keys with a Yubikey via FIDO2. These directions are focused on generic Unix-like systems (Linux, OpenBSD, FreeBSD, etc.).
The advantages of Yubikey FIDO2 signed keys:
Installation can be done without having to install third-party software.
Installation can be done quickly and supports multi-factor by design.
The disadvantages of Yubikey FIDO2 signed keys:
Requires OpenSSH 8.3 or newer.
You'll need supported hardware, for example a new Yubikey with FIDO2 support (including ed25519 support).
Keys are signed but not stored on the Yubikey. This means every system will need a private key signed with your Yubikey.
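A preflight check for the software requirements listed above, as an added example that is not part of the original instructions. The function names and sample strings are constructed for illustration. It only confirms that the client is new enough and knows the FIDO2 ed25519 key type, not that a supported token is plugged in.

```shell
#!/bin/sh
# Constructed sample of what `ssh -V` prints (the real command writes to stderr).
SAMPLE_VERSION='OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022'
# Constructed excerpt of `ssh -Q key` output (one key type per line).
SAMPLE_KEYS='ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
sk-ecdsa-sha2-nistp256@openssh.com'

# Extract "major.minor" from an `ssh -V` banner; prints nothing if unparseable.
ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeed if version $1 (major.minor) is at least version $2.
# Compares numerically per field, so 10.0 is correctly newer than 8.3.
version_at_least() {
    have_major=${1%%.*}; have_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Succeed if the key type list in $1 contains the FIDO2-backed ed25519 type.
has_ed25519_sk() {
    printf '%s\n' "$1" | grep -qx 'sk-ssh-ed25519@openssh.com'
}

# Combined check. $1 = `ssh -V` banner, $2 = `ssh -Q key` output.
# Returns 0 if ready, 1 if a requirement is missing, 2 if the banner is unparseable.
fido2_ready() {
    v=$(ssh_version "$1")
    [ -n "$v" ] || { echo "cannot parse OpenSSH version"; return 2; }
    version_at_least "$v" 8.3 || { echo "OpenSSH $v is older than 8.3"; return 1; }
    has_ed25519_sk "$2" || { echo "no sk-ssh-ed25519 key type"; return 1; }
    echo "OpenSSH $v: FIDO2 ed25519 keys supported by this client"
}

# Demonstration on the constructed samples. On a real system, run instead:
#   fido2_ready "$(ssh -V 2>&1)" "$(ssh -Q key)"
fido2_ready "$SAMPLE_VERSION" "$SAMPLE_KEYS"
```

Because the private key file has to exist on every system you connect from, run the check on each of those clients, not only on the first one you set up.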