Making the most out of my YubiKey (SSH)

Since about 2020 I’ve been happily using a pair of YubiKey 5C NFCs. It’s a nice security addition to have FIDO2 on some websites (unfortunately, some websites still don’t provide proper support).

In the meantime, I discovered that OpenSSH 8.2 introduced FIDO/U2F support. This basically means that you can now store your SSH private key inside your YubiKey (called resident key) and authenticate with it.

⚠️ The private key can’t be extracted from your YubiKey. Meaning that you can’t share the same key with another device.

OK, with that in mind, let’s see how this all works. The process is really simple and shouldn’t take much time to finish.

🗒️ This is supposed to work with YubiKeys, your experience may be different with other FIDO keys.

Change your PIN

This is an important step, you should probably setup a PIN before anything. You can easily install the YubiKey Manager tool with Nix by running:

$ nix shell nixpkgs#yubikey-manager

Generate SSH Key

Considering that your YubiKey is still plugged, run the command below to create your private key and public key. Before you run it, you should consider two things first:

Now that you thought about the previous points, you can run the command. 😜

$ ssh-keygen -t ed25519-sk -O resident

This will guide you through a regular SSH key generation where you can set where the public key will be saved and the private key’s password. After this step, you should have your public key on disk and you can add it to your OpenSSH authentication agent with:

$ ssh-add -K
# list your keys
$ ssh-add -L

Articles from blogs I follow around the net

Trimming a Fake Object

A refactoring example. When I introduce the Fake Object testing pattern to people, a common concern is the maintenance burden of it. The point of the pattern is that you write some 'working' code only for test purposes. …

via ploeh blog November 20, 2023

Building a digital vigil for those we've lost

This post is hard to write in a lot of ways. It's more personal than most I've written. This is presumptively a tech blog, and this piece is about so much more than technology. But it's important. Making things, software or otherwise, is ultimatel…

via blog November 19, 2023

#122 Experimenting and Learning

Update on what happened across the GNOME project in the week from November 10 to November 17. GNOME Circle Apps and Libraries Workbench A sandbox to learn and prototype with GNOME technologies. Sonny says Workbench is a code playground and Library to learn, e…

via This Week in GNOME November 17, 2023

Generated by openring