(assuming you already have a YubiKey ... )
- OpenSSH version 8.2 or later on the client
- dCache 7.2 or later
$ ssh-keygen -t ecdsa-sk -C <user@dcache>
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ecdsa_sk
Your public key has been saved in id_ecdsa_sk.pub
The key fingerprint is:
SHA256:xxxx <user@dcache>
The key's randomart image is:
+-[ECDSA-SK 256]--+
|B= .. |
|+ =..o |
|o. +o+o o o+o |
|+ooo=o . . .==+ |
+----[SHA256]-----+
The option -t ecdsa-sk instructs OpenSSH to create an ECDSA key on a FIDO security key instead of a traditional private key file.
$ cat id_ecdsa_sk.pub >> /etc/dcache/admin/authorized_keys2
On connect, the SSH client will ask you to touch the key:
$ ssh -p 22224 dcache-dev
Confirm user presence for key ECDSA-SK SHA256:xxx
User presence confirmed
dCache (7.2.2)
Type "\?" for help.
[dcache-dev] (local)>
That's it!
(if you don't see the Confirm user presence message)
If GNOME Keyring or an SSH agent is used, the message is not shown, but the key is still activated (its LED starts to flash and touching it works). See solutions here
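As an added example (not from the original page or from dCache), a small POSIX shell audit of the admin authorized_keys2 file: it flags any entry that is not a FIDO security-key type and any entry carrying OpenSSH's no-touch-required option, which would skip the presence check shown above. The function name, sample entries and temporary file are constructed for illustration; whether dCache's own SSH server honors authorized_keys options is not stated on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a dCache admin
# authorized_keys2 file so that only FIDO security-key entries remain.
# Sample entries below are constructed; key data is a placeholder.

# Key types that OpenSSH writes for -t ecdsa-sk and -t ed25519-sk.
SK_TYPES='sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com'

# check_sk_only FILE: report entries that are not security-key types, and
# entries whose options include no-touch-required (an OpenSSH authorized_keys
# option that disables the "Confirm user presence" prompt). Returns 0 when
# the file is clean, 1 otherwise. Options with quoted spaces are not parsed.
check_sk_only() {
    file=$1
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line                             # split entry into fields
        opts=
        # A leading field that is not a key type is the options field.
        case $1 in ssh-*|ecdsa-sha2-*|sk-*) ;; *) opts=$1; shift ;; esac
        keytype=$1
        ok=0
        for t in $SK_TYPES; do
            [ "$keytype" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$file:$lineno: non-security-key type '$keytype'"
            bad=1
        fi
        case ",$opts," in
            *,no-touch-required,*)
                echo "$file:$lineno: no-touch-required disables the presence check"
                bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Demo on a constructed file: one good entry, one legacy RSA key, one sk key
# with the touch check disabled. Only the first should pass.
demo=$(mktemp)
cat > "$demo" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAAEXAMPLEKEYDATA user@dcache
ssh-rsa AAAAEXAMPLEKEYDATA legacy@dcache
no-touch-required sk-ssh-ed25519@openssh.com AAAAEXAMPLEKEYDATA user2@dcache
EOF
if check_sk_only "$demo"; then echo "ok: only security keys present"; fi
rm -f "$demo"
```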