by DCKing 2183 days ago
EDIT: I misunderstood the post, and what I describe below is not true!

I'm incredibly excited about FIDO2, but this is quite underwhelming honestly. I'd like to SSH with a credential on my Yubikey, not by a credential or configuration already stored on my computer that is unlocked by my Yubikey. I'd like to be able to plug in my Yubikey anywhere and go. My Linux desktop, my Macbook, my Windows desktop, my Android phone.

- Yubikey with GPG/PIV for SSH: your Yubikey stores your private key. You can take it anywhere, plug it in, [have to go through all the setup required for your computer to talk GPG/PIV], and log in.

- Yubikey with FIDO2 for SSH: your Yubikey stores a symmetric key to unlock your private key on your computer. [You cannot take it anywhere], plug it in, don't have to set anything up if your client and server have this (eventually), and log in.

FIDO2 is solving a lot of authentication convenience problems, but not this one I think. I get that this is pretty nice when integrating with Windows Hello or Apple's TouchID, but I don't think a FIDO2 USB key with SSH is that great.


You misunderstand how FIDO2 works. Read the article, it details how to do exactly what you say it can't. You can resume your excitement now!
In that case I'll need to update my understanding, but this still requires you to do manual configuration for your SSH key - the id_mykey_sk file in your example.

> ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/id_mykey_sk

I know this is just a reference, but it's still manual configuration. On a host with an SSH client that can speak PIV [this is a challenge], I can just plug in, enter the PIV PIN code, and go.

Read farther down, you don't need this key, you can delete it if you want. You'll just have to run `ssh-add -K` every session if you do, so your agent reads the key from the device.
Ah I missed that. My apologies, I learned something new!
No problem, it's a fantastic way to use SSH, I'm just glad it exists.
"Yubikey with GPG/PIV for SSH"

There's no need to mess around with the GPG side of the Yubikey to get SSH working. Just the "plain" side of the Yubikey will work (which is great on a Mac because all you need is the basic dylibs - downloadable from Yubi and easily mv/cp installable in the relevant lib dir - rather than needing to mess around installing gpg). Added bonus is you enforce touch for key usage.

Yes, that's the PIV applet.
You can, that's exactly what the resident keys in this article are referring to.

Once all of those platforms have a more recent OpenSSH, you can `ssh-add -K` to add keys to your SSH agent.

I fully understand what kind of credentials FIDO2 can store - but as I read it this still requires manual configuration on individual devices.
Nope. It's in the article. Just insert the key and `ssh-add -K`. I wouldn't be surprised if other SSH agents (e.g. Apple) added a UI to do this.
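The resident-key workflow the replies describe (enroll once, then `ssh-add -K` on any host with a new enough OpenSSH), as an added shell example that is not from the article or any commenter. The function names and the version-floor check are my own; the enroll and load functions assume an attached FIDO2 authenticator and an OpenSSH built with FIDO support, while the version parsing runs without either.

```shell
#!/bin/sh
# Added example (not from the article or the thread): enroll a resident
# FIDO2 SSH key once, then load it from the token on any other host.
# Assumes an OpenSSH build with FIDO support and an attached authenticator
# for the enroll/load functions; the version check runs without either.
set -eu

# Turn an `ssh -V` banner such as "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, ..."
# into "MAJOR MINOR" on stdout; fails on anything that is not an OpenSSH banner.
ssh_version_parts() {
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  printf '%s' "$ver"
}

# OpenSSH 8.2 introduced the ecdsa-sk/ed25519-sk key types, resident keys
# and `ssh-add -K` / `ssh-keygen -K`, so that is the floor for this workflow.
supports_fido_resident_keys() {
  parts=$(ssh_version_parts "$1") || return 1
  major=${parts% *}
  minor=${parts#* }
  if [ "$major" -gt 8 ]; then return 0; fi
  if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
  return 1
}

# One-time enrollment, on any machine. The private key never leaves the
# authenticator; -O resident makes the key handle discoverable on the token,
# so the id_mykey_sk file written here is a convenience, not a requirement.
# Add -O verify-required (OpenSSH 8.4+) to demand the FIDO2 PIN on every use.
enroll_resident_key() {
  ssh-keygen -t ecdsa-sk -O resident -f "$HOME/.ssh/id_mykey_sk"
}

# On any other host: pull the discoverable key handles straight from the
# token into the running ssh-agent, no files copied beforehand. Use
# `ssh-keygen -K` instead if you want id_*_sk files written to disk.
# (Apple's patched ssh-add historically used -K for its keychain; check
# `ssh-add -h` there.)
load_keys_from_token() {
  ssh-add -K
}

# Guard before touching the token, e.g.: check_local_ssh && load_keys_from_token
check_local_ssh() {
  banner=$(ssh -V 2>&1)
  supports_fido_resident_keys "$banner" || { echo "need OpenSSH >= 8.2, got: $banner" >&2; return 1; }
}
```

Source the file and call `check_local_ssh && load_keys_from_token` on a fresh host; if the check fails, the agent would not understand the sk key types anyway.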