You can use a GPG key stored on a YubiKey with openssh, but with some caveats:

1. gpg-agent must act as your ssh-agent (which means ssh-agent should be disabled and replaced by gpg-agent).
2. If using `pinentry-curses` (YubiKey usually permits access to the contained GPG key via the use of a pin), you must have `export GPG_TTY=$(tty)` (or your shell's equivalent of setting the GPG_TTY environment value to the output of `tty`).
3. You can fetch the public key of your GPG key with `ssh-add -L` (gpg-agent must be acting as your ssh-agent, and the YubiKey with the GPG key has to be plugged in).
4. You must have the line `enable-ssh-support` in your `$GNUPGHOME/gpg-agent.conf`.

I used a guide[1] to set up a GPG key onto a YubiKey, and for those who don't want to use GPG, the guide also has a section[2] about just using an SSH key as well.

[1]: https://github.com/drduh/YubiKey-Guide
[2]: https://github.com/drduh/YubiKey-Guide#ssh
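The four caveats in the comment above, wired together as one POSIX shell snippet. This is an added example, not the commenter's code and not taken from the linked guide; it assumes GNUPGHOME defaults to `~/.gnupg`, that `gpgconf`, `gpg-connect-agent` and `ssh-add` are on PATH when you actually run it, and that the config change is made while no stale gpg-agent is holding the old settings (hence the `gpgconf --kill` in the usage note). The function names are mine.

```shell
#!/bin/sh
# Added example: make gpg-agent serve as ssh-agent for a YubiKey-held GPG key.
# Assumptions (not from the original comment): GNUPGHOME defaults to ~/.gnupg,
# and gpgconf / gpg-connect-agent / ssh-add are available when these run.

# Caveat 4: make sure `enable-ssh-support` is in $GNUPGHOME/gpg-agent.conf.
# Idempotent: a second call does not add a duplicate line.
# $1 = gnupg home directory. Prints "enabled" or "already enabled".
ensure_ssh_support() {
    home="$1"
    mkdir -p "$home"
    chmod 700 "$home"                 # gpg refuses loose permissions on its home
    conf="$home/gpg-agent.conf"
    touch "$conf"
    if grep -qx 'enable-ssh-support' "$conf"; then
        echo "already enabled"
    else
        printf '%s\n' 'enable-ssh-support' >> "$conf"
        echo "enabled"
    fi
}

# Helper: how many `enable-ssh-support` lines the config holds (should be 1).
count_ssh_support() {
    grep -cx 'enable-ssh-support' "$1/gpg-agent.conf"
}

# Caveats 1 and 2: run this from ~/.bashrc or ~/.zshrc (it must be sourced,
# not executed, so the exports land in the interactive shell).
activate_gpg_agent_for_ssh() {
    # pinentry-curses needs to know which terminal to draw the PIN prompt on.
    GPG_TTY=$(tty)
    export GPG_TTY
    # Replace ssh-agent with gpg-agent: drop the old agent's pid and point
    # SSH_AUTH_SOCK at gpg-agent's ssh socket (gpgconf knows its path).
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    # Tell a running gpg-agent which tty to use for the next pinentry.
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Caveat 3: with the YubiKey plugged in and gpg-agent acting as ssh-agent,
# the authentication subkey shows up as an ordinary SSH public key.
show_ssh_pubkey() {
    ssh-add -L
}

# Optional one-shot setup when executed as `sh gpg-ssh.sh setup`.
if [ "${1:-}" = "setup" ]; then
    ensure_ssh_support "${GNUPGHOME:-$HOME/.gnupg}"
    gpgconf --kill gpg-agent          # restart so the new config is read
fi
```

Run `sh gpg-ssh.sh setup` once, then `. ./gpg-ssh.sh && activate_gpg_agent_for_ssh` in each new shell (or put that line in your rc file); `show_ssh_pubkey` then prints the line you paste into `authorized_keys`. If `ssh-add -L` reports "The agent has no identities", the usual causes are the YubiKey not being inserted, SSH_AUTH_SOCK still pointing at the old ssh-agent, or a gpg-agent that started before `enable-ssh-support` was added and has not been killed.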
Resident keys are (partially?) created on the hardware token and thus can't be replicated. The GPG keys can be pushed to a couple of YubiKeys before you delete them forever (or keep a paper backup somewhere safe).