by jacobvosmaer 2878 days ago
The user experience of doing this is very bad. Every time I look into doing this I end up with blog posts that describe punching numbers into the GPG CLI, master keys, subkeys, PINs. I don't want to be a GPG enthusiast, I just want to use my SSH key safely. (No offense to GPG enthusiasts!)
4 comments

You don't need any of that. This is all you need:

  # Generate key on the card
  $ gpg2 --card-edit
  > admin
  > passwd
  change both user and admin PIN to a secure password (can be the same, it's called PIN but you can just use a regular alphanumeric password)
  > key-attr
  choose RSA, 4096 (or whatever you consider sufficient)
  > generate

  # Let gpg-agent speak the OpenSSH agent protocol (add to ~/.gnupg/gpg-agent.conf)
  enable-ssh-support

  # Add this to your .bash_profile (use GPG agent instead of SSH agent)
  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

  # Export your SSH public key
  $ ssh-add -L

I found an X509 oriented device relatively easy for ssh (for gpg it is naturally harder to use these non gpg devices with some kind of bridge daemon).

Assuming Linux or OS X where your distribution has an opensc that already supports your device, ssh is only about 3 incantations of magic:

https://nilsschneider.net/2013/06/20/epass2003-quickstart.ht...

But there is no safe way of getting away from having 1 pin.

On current versions of macOS it’s built in so all you need is to generate the key and add one line to your SSH config:

    PKCS11Provider=/usr/lib/ssh-keychain.dylib
https://support.apple.com/en-us/HT208372

I dislike GPG as well, but I have the OpenPGP smartcard. I've just loaded it with x509 certs. There's OpenSC so I can use it in a browser/VPN/SSH/Apple Mail etc.

That's a side effect of the GPG being the back end technology that the Yubikey-based SSH keys are based on.

If you don't want to have to learn gpg (because why should you?) the master/sub keys, PINs, keyservers, and all that can be dumped, just like ssh-keygen is able to create keys without passphrases - not exactly recommended, but still better than the alternative.

FWIW: if you really, really don't want to learn GPG: Yubikeys will also speak PKCS11, it's a separate applet, and they ship PKCS11 libs for every major platform. We've used it for OpenVPN in the past (before we had wireguard).

If that's better... I dunno :-)
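The two setups discussed in this thread (SSH via gpg-agent's socket in the first reply, and a PKCS#11 provider in ssh_config in the macOS and Yubikey replies) each come down to a few configuration lines that are easy to duplicate or to get wrong on re-run. The script below is an added example, not code from any commenter: it writes those lines idempotently, sets restrictive permissions, and reports whether the PKCS#11 library actually exists on the host. All file paths are passed in as parameters; the `enable-ssh-support` option is the real gpg-agent.conf option required for the agent-ssh-socket to serve SSH, and the `ssh-keychain.dylib` path is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent setup of the SSH-via-smartcard
# configuration described in the comments above. Every path is a parameter so it
# can be exercised against a scratch directory before touching a real home dir.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is already there.
# Fixed-string, whole-line matching (-xF) so '$(...)' in LINE is not treated as a regex.
ensure_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# count_line FILE LINE: number of verbatim occurrences of LINE in FILE (0 if absent).
count_line() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cxF -- "$2" "$1" || true
}

# setup_gpg_agent_ssh GNUPGHOME PROFILE
# Route SSH through gpg-agent, as in the first reply. gpg-agent only answers the
# OpenSSH agent protocol when enable-ssh-support is set in gpg-agent.conf; without
# it the SSH_AUTH_SOCK export points at a socket nothing is listening on.
setup_gpg_agent_ssh() {
    gnupghome=$1
    profile=$2
    ensure_line "$gnupghome/gpg-agent.conf" "enable-ssh-support"
    ensure_line "$profile" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
    # gpg refuses to use a world-readable home directory, so enforce 0700 here.
    chmod 700 "$gnupghome"
}

# setup_pkcs11_ssh SSH_CONFIG PROVIDER_LIB
# Point ssh at a PKCS#11 module (macOS ssh-keychain.dylib, OpenSC, or the Yubikey
# PKCS#11 library mentioned in the last reply). The config line is written either
# way; the return status reports whether PROVIDER_LIB exists on this host, so a
# caller can tell a missing library apart from a typo in the path.
setup_pkcs11_ssh() {
    ssh_config=$1
    provider=$2
    ensure_line "$ssh_config" "PKCS11Provider $provider"
    # ssh ignores ~/.ssh/config entirely if it is group/world writable.
    chmod 600 "$ssh_config"
    [ -f "$provider" ]
}
```

Run it against a scratch directory first (`setup_gpg_agent_ssh "$tmp/gnupg" "$tmp/profile"`), then against `~/.gnupg` and your shell profile; re-running is safe because each line is only ever added once. After a real run, `ssh-add -L` should list the card's key, which confirms the socket export and `enable-ssh-support` line are both in effect.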