# OpenSSH with Yubikey / FIDO2 protected keys

These instructions are for using OpenSSH (version 8.3 or newer) to "sign" private keys with a Yubikey via FIDO2. These directions are focused on generic Unix-like systems (Linux, OpenBSD, FreeBSD, etc.).

## The advantages of Yubikey FIDO2 signed keys:

1. Installation can be done without having to install third-party software.
2. Installation can be done quickly and supports multi-factor by design.

## The disadvantages of Yubikey FIDO2 signed keys:

* Requires OpenSSH 8.3 or newer.
* You'll need supported hardware. For example, new Yubikey keys with FIDO2 security support (with ed25519 support).
* Keys are signed but not stored *on* the Yubikey. This means every system will need a private key signed with your Yubikey.
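
The software requirements above can be verified on a client before enrolling a key. The script below is an added example, not part of the original documentation: the function names and sample inputs are constructed for illustration, and it assumes `ssh -V` prints the usual `OpenSSH_X.Y` banner and that `ssh -Q key` lists the FIDO2 ed25519 type as `sk-ssh-ed25519@openssh.com`.

```shell
#!/bin/sh
# Added example: preflight check for the requirements listed on this page
# (OpenSSH 8.3 or newer, FIDO2 ed25519 support). Names are this example's own.
MIN_MAJOR=8
MIN_MINOR=3
SK_TYPE='sk-ssh-ed25519@openssh.com'   # FIDO2-backed ed25519 key type

# version_ok BANNER: 0 if the `ssh -V` banner reports OpenSSH >= 8.3,
# 1 if it is older, 2 if the banner is not in the OpenSSH_X.Y form.
version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]
}

# has_sk_ed25519 KEYTYPES: 0 if the listing has the type as an exact line.
has_sk_ed25519() {
    printf '%s\n' "$1" | grep -qxF "$SK_TYPE"
}

# preflight BANNER KEYTYPES: one line per requirement; 0 only if all pass.
preflight() {
    rc=0
    if version_ok "$1"; then echo "ok:   OpenSSH version"
    else echo "FAIL: need OpenSSH ${MIN_MAJOR}.${MIN_MINOR} or newer"; rc=1; fi
    if has_sk_ed25519 "$2"; then echo "ok:   $SK_TYPE available"
    else echo "FAIL: client lacks $SK_TYPE"; rc=1; fi
    return "$rc"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OLD_BANNER='OpenSSH_7.9p1, OpenSSL 1.1.1n  15 Mar 2022'
SAMPLE_NEW_BANNER='OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_NEW_TYPES='ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa'
SAMPLE_OLD_TYPES='ssh-ed25519
ssh-rsa'

# `--check` inspects the local client (ssh -V writes its banner to stderr);
# with no argument the constructed sample is checked instead.
if [ "${1:-}" = "--check" ]; then
    preflight "$(ssh -V 2>&1)" "$(ssh -Q key)"
else
    preflight "$SAMPLE_NEW_BANNER" "$SAMPLE_NEW_TYPES"
fi
```

A passing check covers only the client software; the hardware requirement (a FIDO2 Yubikey with ed25519 support) still has to be confirmed on the device itself.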

