YubiKey
Client
Prerequisites
On FreeBSD, something like this:
workstation$ sudo pkg install py311-yubikey-manager
On Ubuntu, try this:
workstation$ sudo apt install yubikey-manager
First, make sure you and ykman agree on finding your key:
workstation$ ykman list
YubiKey 5C Nano (5.7.4) [OTP+FIDO+CCID] Serial: 31234567
You'll need to set a PIN on your YubiKey, if you haven't already:
workstation$ ykman fido info
PIN is not set.
Always Require User Verification is turned off.
workstation$ ykman fido access change-pin -n 111222
Should go without saying, but... don't lose your PIN.
OpenSSH + FIDO2
We're going to be creating a keypair directly on our YubiKey with a few important properties:
- It'll be a "resident key".
- It must have "verify-required" turned on to satisfy sshd.
- Give it a comment (-C). This is what shows up in plaintext at the end of an ssh pubkey, traditionally something like "user@workstation".
- Give it a meaningful application name (-O application=ssh:somename). It's fine to match this to the comment, but keep the "ssh:" prefix in the application name or ssh-agent may not treat the key as friendly.
workstation$ ssh-keygen -t ed25519-sk -O resident -O verify-required -C "ssh-yk-31234567" -O application=ssh:"ssh-yk-31234567"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/home/jontow/.ssh/id_ed25519_sk):
[...snip long output...]
Load your key up somewhere:
workstation$ ssh-copy-id -i .ssh/id_ed25519_sk.pub server.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519_sk.pub"

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'server.example.com'"
and check to make sure that only the key(s) you wanted were added.
Test it:
workstation$ ssh -i .ssh/id_ed25519_sk server.example.com
Confirm user presence for key ED25519-SK SHA256:xaiH3paeLaapaep7iele8Xeibiepaengeipha9oe5tha
Enter PIN for ED25519-SK key .ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:xaiH3paeLaapaep7iele8Xeibiepaengeipha9oe5tha
[...touch the contact on your yubikey to confirm user presence...]
User presence confirmed
Linux host.example.com 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64
[...snip motd...]
server$
If that worked, feel free to add the key to your ssh-agent in whatever way you currently use it, or put it in your ~/.ssh/config file ("IdentityFile ~/.ssh/id_ed25519_sk") above any others to prefer it, etc.
If it didn't work... the "See Also" section is definitely for you!
Server
Limit authentication methods
On the server side, you may wish to stop accepting weaker forms of authentication. One way to do this is to harden the config so that only ED25519-SK type keys are accepted, such as the one now stored on your yubikey.
Relevant lines from sshd_config(5) to shut down all methods but public key, and to limit acceptable public keys to the sk-ssh-ed25519 type:
#PubkeyAuthentication yes
#HostbasedAuthentication no
#PasswordAuthentication no
#KerberosAuthentication no
#GSSAPIAuthentication no
KbdInteractiveAuthentication no
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com
PubkeyAuthOptions verify-required
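Added example, not part of the original page: a POSIX shell audit that reads an sshd_config file and checks each setting listed above. A line left commented out ("#PasswordAuthentication no") is not a setting at all; sshd ignores it and falls back to its compiled-in default, so the audit reports it as MISSING. The two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening above.
# A commented-out line is NOT a setting: sshd ignores it and uses its
# compiled-in default, so it is reported here as MISSING.

# effective_value FILE KEYWORD: print the first active value for KEYWORD
# (sshd honours the first occurrence; keywords are case-insensitive).
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one report line per setting; returns 0 only when
# every required value is present and matches exactly.
audit_sshd_config() {
    cfg=$1; rc=0
    # Keyword=wanted value. PubkeyAcceptedKeyTypes is the older spelling of
    # PubkeyAcceptedAlgorithms (OpenSSH 8.5+); sshd accepts both.
    for pair in \
        PubkeyAuthentication=yes \
        HostbasedAuthentication=no \
        PasswordAuthentication=no \
        KerberosAuthentication=no \
        GSSAPIAuthentication=no \
        KbdInteractiveAuthentication=no \
        PubkeyAcceptedKeyTypes=sk-ssh-ed25519@openssh.com \
        PubkeyAuthOptions=verify-required
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd default applies; want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $key is '$got', want '$want'"; rc=1
        else
            echo "ok      $key $got"
        fi
    done
    return $rc
}

# Constructed sample configs: the block above with its comments left in
# place, and the same block with every line made active.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#PubkeyAuthentication yes\n#PasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com\nPubkeyAuthOptions verify-required\n' > "$tmp/as_pasted"
sed 's/^#//' "$tmp/as_pasted" > "$tmp/hardened"
printf 'HostbasedAuthentication no\nKerberosAuthentication no\nGSSAPIAuthentication no\n' >> "$tmp/hardened"
echo "== as pasted (commented lines inactive)"; audit_sshd_config "$tmp/as_pasted" || echo "RESULT: not hardened"
echo "== hardened"; audit_sshd_config "$tmp/hardened" && echo "RESULT: hardened"
```

Run it against /etc/ssh/sshd_config on the server (and any files pulled in by Include) after editing; a MISSING line means the default is in force, not the value you wrote in a comment.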
See Also
Lots of weird but good reading... here are some selections:
- https://developers.yubico.com/SSH/
- https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
- https://forums.freebsd.org/threads/howto-for-managing-a-yubikey-in-freebsd.84600/
- https://gist.github.com/daemonhorn/bdd77a7bc0ff5842e5a31d999b96e1f1
- https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys