Comment by timewizard
3 months ago
> This is something that I probably care about more than most people, because as a system administrator I want to be able to log in to my desktop even in quite unusual situations.
If I understand correctly you can have your SSH key entirely on a Yubikey if you use PIV or OpenPGP.
Yes, this.
GPG has supported smartcards (yes, the plastic smartcards) for ages. The Yubikey will appear as a smartcard to GPG and will work on pretty much any setup.
Does every random system automatically pick up the Yubikey? Does SSH on all platforms find that key?
Up-to-date systems should have supported it since about 2021.
To get started you’ll need OpenSSH version 8.2 or later, and you’ll also need libfido2 installed. Windows users may need to use Cygwin for this.
https://www.yubico.com/blog/github-now-supports-ssh-security...
Now you can drop the PIV or PGP dependencies. OpenSSH can use webauthn to derive SSH keys.
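
Added example (not part of the thread, and not Yubico's or OpenSSH's own code): a preflight check for the OpenSSH 8.2 requirement quoted above, run before relying on a FIDO-backed key. The function names and the `--check` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Preflight for FIDO2-backed SSH keys: is the local client new enough?

# Return 0 if an `ssh -V` banner reports OpenSSH 8.2 or later,
# 1 if it is older, 2 if the string is not an OpenSSH banner.
openssh_supports_sk() {
    banner=$1
    # Pull "MAJOR MINOR" out of banners such as
    #   OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2
    #   OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
    ver=$(printf '%s\n' "$banner" | sed -n \
        's/^OpenSSH_\(for_Windows_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1
    minor=$2
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Check the installed client and say what to do next.
preflight() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not found" >&2; return 1; }
    banner=$(ssh -V 2>&1)
    if ! openssh_supports_sk "$banner"; then
        echo "need OpenSSH 8.2 or later, found: $banner" >&2
        return 1
    fi
    # Confirm this build lists the FIDO-backed key type at all.
    if ! ssh -Q key | grep -qx 'sk-ssh-ed25519@openssh.com'; then
        echo "this ssh build does not list sk-ssh-ed25519@openssh.com" >&2
        return 1
    fi
    echo "ok: create a key with: ssh-keygen -t ed25519-sk"
}

# Only touch the real ssh binary when asked to.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

The server needs the same minimum version to accept `sk-` key types, so run the check there too on hosts you need to reach in unusual situations.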