Per Nilsson

Results 142 comments of Per Nilsson

On the subject that OpenSC doesn't show certificates - Attestation certificates are not stored on the device, they are dynamically generated by the attestation command supported by YubiKeys. This is...

As a pkcs11 client you could either filter certificates by CKA_TOKEN=CK_TRUE to skip the attestations altogether, or get that attribute for every certificate, and manually handle them differently.

To me this looks like an SSH configuration issue, on the server side, as it seems to accept the attestation key. This would indicate to me that it has been...

The attestation key is shared between a number of YubiKeys for privacy reasons, so as to not identify the particular YubiKey. As such it is also a special key that...

As I understand it, in this case the problem is that somebody else has registered the attestation key, and you can't do anything about it. If that is correct then...

About the order of keys - libykcs11 presents keys in CKA_ID order, so the attestation key comes after any usable keys. The fact that ssh chooses it first is out...

Looks like your YubiKeys have different attestation keys, and I'd guess only one is registered on the server side. Just adding for clarity: Registering an attestation key on the server...

Closing this issue now as it seems to be a configuration issue outside the control of yubico-piv-tool

This is a known problem. You are correct that the PIN is 'consumed' by essentially any other activity, the PIV spec says that PIN has to be verified directly before...

Maybe this is helpful? https://github.com/Yubico/yubico-piv-tool/issues/387