I have bought a couple of YubiKey 5 security keys, which work with modern ssh servers and also with GitHub (and lots of other web apps).
Below is my recipe for creating an ssh key whose secret is stored on the YubiKey.
I am using Ubuntu 22.04 on both desktop and server; it works for me.
Update 2023-07-05: It turned out that I often had issues, and I have now found out why: the opensc component was missing on my workstation. Do the following to fix it:
apt install opensc
# bug in Ubuntu 22.04, enable and start the pcscd service
systemctl enable pcscd
systemctl start pcscd
Make sure the ssh-agent is started in each session:
echo 'eval "$(ssh-agent -s)"' >> ~/.bashrc
You need a newish YubiKey 5; one bought within the last year should be just fine.
Set a PIN on your YubiKey - this is the last line of defence if the key is lost. I use the "Yubico Authenticator" app to do it.
It is a good idea to set an identifier for the key - it makes it simple to verify that key no 1 is on YubiKey no 1 :-)
Use the option -O application=ssh:<short identifier>
ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:pj-yubi-1
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
I entered the PIN
Enter file in which to save the key (/home/pj/.ssh/id_ed25519_sk):
I entered this filename to distinguish it from the other key belonging to the second YubiKey (use 2 YubiKeys :-))
/home/pj/.ssh/id_ed25519_sk-pj-yubi-1
ssh-keygen continues:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pj/.ssh/id_ed25519_sk-pj-yubi-1
Your public key has been saved in /home/pj/.ssh/id_ed25519_sk-pj-yubi-1.pub
The key fingerprint is:
SHA256:<the hash here> pj@thehost
Copy the pub key to a server:
ssh-copy-id -f -i id_ed25519_sk-pj-yubi-1.pub theserver
Two things should happen here:
- you must enter the PIN for the YubiKey 5
- you must touch the YubiKey 5
ssh -i id_ed25519_sk-pj-yubi-1 theserver
Voila :-)
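One thing worth checking on the server side: the -O verify-required flag lives in the private key and makes the client ask for the PIN when it signs, but the public key line that ssh-copy-id installs carries no such requirement, so sshd only insists on user verification if the authorized_keys line has the verify-required option or sshd_config sets PubkeyAuthOptions verify-required. The shell audit below is an added example, not part of the original post; it lists the FIDO (sk-*) keys in an authorized_keys file that lack the option, using a constructed sample file.

```shell
#!/bin/sh
# Audit an authorized_keys file: every FIDO key (sk-* key type) should carry
# the verify-required option so sshd rejects signatures made without user
# verification (the PIN). Alternatively enforce it for all keys with
# "PubkeyAuthOptions verify-required" in sshd_config.

# Constructed sample (not from the post): one FIDO key with the option,
# one FIDO key without any options, one ordinary ed25519 key.
SAMPLE='# pj keys
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAA pj-yubi-1
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAA pj-yubi-2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9uZSB0d28gdGhyZWUgZm91ciBmaXZl pj@oldbox'

# Reads authorized_keys text on stdin, prints every sk-* key line that lacks
# verify-required and returns 1 if it printed anything, else 0.
# Assumes options contain no spaces (i.e. no quoted from="a b" values).
audit_sk_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                # blank or comment line
        {
            # Key type is field 1 (no options) or field 2 (options first).
            kt = 0
            if ($1 ~ /^(sk-|ssh-|ecdsa-)/) kt = 1
            else if (NF >= 2 && $2 ~ /^(sk-|ssh-|ecdsa-)/) kt = 2
            if (kt == 0 || $kt !~ /^sk-/) next       # unparsable or not FIDO
            opts = (kt == 2) ? $1 : ""
            if (("," opts ",") !~ /,verify-required,/) { print; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Same audit, but prints only the number of unprotected FIDO keys.
count_unprotected_sk_keys() {
    audit_sk_keys | awk 'END { print NR }'
}

if printf '%s\n' "$SAMPLE" | audit_sk_keys; then
    echo "OK: every FIDO key requires user verification"
else
    echo "Prepend verify-required to the lines above (or enforce it in sshd_config)"
fi
```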