Suggested edit for PGP/index - PuTTY-CAC for SSH keys
The Guidance for SSH authentication generally points to GPG.
Setting up GPG is massively over-complicated if your objective is to store a simple RSA keypair on your Yubikey for SSH key-based authentication. You can use PIV instead:
- Use Yubikey manager to set a PIN and create a self signed certificate with a 2k RSA key
- If using Windows 7 / Older versions of Windows 10, Download the Smartcard Minidriver
- Download PuTTY-CAC, which supports PIV authentication.
- Go to Connection -> SSH -> Certificate, set CAPI Cert to the Self Signed Cert stored on your Yubikey.
- Select "Copy to Clipboard" to grab the correctly formatted authorized key, and add it to .ssh/authorized_keys
- You can now authenticate using PIV
Limitations
- Probably Windows only (Fine for me, I don't interact directly with Linux systems or Mac)
Thoughts on security
- Default is 3 failed PINs = key self-destruct (more or less). I'm happy with that; it would be about 20 mins to redistribute a replacement key
- PUK is obviously a possibility, but seems excessive for this scenario
I agree with @thewishy — there's great documentation for Putty-CAC from the U.S. GSA: https://piv.idmanagement.gov/engineering/ssh/#ssh-using-putty-cac
The Mac process is also much simpler since Sierra was released in 2016: https://support.apple.com/en-us/HT208372 covers a number of related topics but it's basically two lines to get a configured Yubikey used for SSH authentication:
Exporting the public key to put in the authorized keys file:
$ ssh-keygen -D /usr/lib/ssh-keychain.dylib > ~/.ssh/my-yubikey.pub
$ ssh-copy-id -f -i ~/.ssh/my-yubikey.pub server.example.com
Configure ssh to use PKCS11 in ~/.ssh/config:
PKCS11Provider=/usr/lib/ssh-keychain.dylib
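The "add it to authorized_keys" step from the first post and the ssh-keygen -D / PKCS11Provider steps from the reply above, wired together as an added example (not code from the thread or from Yubico). It assumes the macOS provider path quoted in the reply; ssh-keygen -D may print several lines because a YubiKey can expose more than one PIV slot, so the installer validates each line and only appends keys that are not already present.

```shell
#!/bin/sh
# Added example: export the PIV public key(s) a PKCS#11 provider exposes, install
# them into an authorized_keys file idempotently, and point the ssh client at the
# provider. The provider path is the macOS one from the thread; on Linux the OpenSC
# module (opensc-pkcs11.so) would be used instead (assumption, not from the thread).
set -eu

PROVIDER=${PROVIDER:-/usr/lib/ssh-keychain.dylib}

# ssh-keygen -D prints one authorized_keys-style line per key on the token.
export_piv_pubkeys() {            # $1 = output file
  ssh-keygen -D "$PROVIDER" > "$1"
}

# Accept only well-formed key lines: key type, base64 blob, optional comment.
is_valid_pubkey_line() {          # $1 = line
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-rsa|ecdsa-sha2-nistp(256|384|521)|ssh-ed25519) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append each key in $1 to $2 unless the same type+blob is already there.
# Malformed lines are skipped. Prints the number of keys added.
install_authorized_keys() {       # $1 = key file, $2 = authorized_keys path
  keyfile=$1; dest=$2; added=0
  touch "$dest"; chmod 600 "$dest"
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -z "$line" ]; then continue; fi
    if ! is_valid_pubkey_line "$line"; then
      echo "skipping malformed line: ${line%% *}" >&2; continue
    fi
    blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if ! grep -qF -- "$blob" "$dest"; then
      printf '%s\n' "$line" >> "$dest"; added=$((added + 1))
    fi
  done < "$keyfile"
  echo "$added"
}

# Write the client-side stanza from the thread (PKCS11Provider) for one host.
write_ssh_config() {              # $1 = config path, $2 = host
  printf 'Host %s\n    PKCS11Provider %s\n' "$2" "$PROVIDER" >> "$1"
  chmod 600 "$1"
}
```

Running `export_piv_pubkeys` needs the token plugged in; `install_authorized_keys` and `write_ssh_config` work on any file, so they can be exercised without hardware.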
We have a separate guide for using PIV for SSH. See Using PIV for SSH through PKCS #11.