by a-dub 1485 days ago
but wait a minute... this is just storing the private key material on the yubikey like any storage device and it is loaded and copied right off every time you use it, right?

doesn't that defeat the point of using a yubikey where the private key itself is never read from the device during authentication?

2 comments

Author of the article here. From what I understand it puts the private key material on the YubiKey itself and then during the signing part of SSH authentication the SSH client asks the YubiKey to do the signature. The private key never leaves the device.
Can you also include a screen shot of the ssh connection process? The article stops abruptly at the most interesting part: using the key.
that's how i would hope it would work, but isn't the key in this example getting loaded into the agent?
The agent is a shim that talks to the Yubikey.
interesting, just read through the release notes. pretty cool.

i think a small discussion of this (and how the agent/key handles/resident mode work) would make an excellent addition to the blog post. it was very clear how to set it up, but left me with questions as to if i should...

in practice i would wonder about backup authentication methods and key rotation....

but otherwise all in all pretty cool.

No, the private key never leaves the YubiKey. SSH and GPG talk to the YubiKey as if it were a smartcard - data is sent to the key to be signed or encrypted.
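One way to check the "does the key leave the device" question for yourself is to look at what the `id_ed25519_sk` file that `ssh-keygen` writes actually contains. The following is an added example, not code from the article or from OpenSSH: it builds a constructed, unencrypted `openssh-key-v1` file for an `sk-ssh-ed25519@openssh.com` key (placeholder public key and key handle bytes, no real FIDO credential) and then parses it field by field. The point it shows is that the private section holds only the public key, the application string, the flag byte (user presence / user verification / resident) and the token's key handle, so the file the agent loads is a handle the agent passes back to the YubiKey, not a secret scalar the agent could sign with on its own.

```python
import base64
import struct

# Flag bits OpenSSH stores in sk-* private keys (values from sk-api.h).
SSH_SK_USER_PRESENCE_REQD = 0x01
SSH_SK_USER_VERIFICATION_REQD = 0x04
SSH_SK_RESIDENT_KEY = 0x20

AUTH_MAGIC = b"openssh-key-v1\x00"
KEYTYPE = b"sk-ssh-ed25519@openssh.com"


def _put_string(s: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def _get_string(buf: bytes, off: int):
    """Read an SSH wire 'string' at offset; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def build_sample_sk_private_key(application=b"ssh:",
                                flags=SSH_SK_USER_PRESENCE_REQD | SSH_SK_RESIDENT_KEY,
                                comment=b"example@host") -> bytes:
    """CONSTRUCTED sample: an unencrypted OpenSSH private key file for an
    sk-ssh-ed25519 key. The public key and key handle are placeholder bytes,
    not a real credential; the layout follows OpenSSH's serialization."""
    pk = bytes(range(32))            # placeholder 32-byte Ed25519 public key
    key_handle = b"\xaa" * 64        # placeholder credential id returned by the token
    pub_blob = _put_string(KEYTYPE) + _put_string(pk) + _put_string(application)
    checkint = struct.pack(">I", 0x01020304)
    priv = (checkint + checkint
            + _put_string(KEYTYPE)
            + _put_string(pk)
            + _put_string(application)
            + bytes([flags])
            + _put_string(key_handle)
            + _put_string(b"")       # reserved
            + _put_string(comment))
    # Pad with 1,2,3,... up to the 8-byte block size used for cipher "none".
    pad = (-len(priv)) % 8
    priv += bytes(range(1, pad + 1))
    return (AUTH_MAGIC + _put_string(b"none") + _put_string(b"none") + _put_string(b"")
            + struct.pack(">I", 1) + _put_string(pub_blob) + _put_string(priv))


def to_pem(raw: bytes) -> str:
    """Armor the raw file the way ssh-keygen writes it to disk."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def parse_sk_private_key(pem: str) -> dict:
    """Walk an unencrypted sk-ssh-ed25519 private key file and report its fields."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    data = base64.b64decode(body)
    if not data.startswith(AUTH_MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    off = len(AUTH_MAGIC)
    cipher, off = _get_string(data, off)
    _kdf, off = _get_string(data, off)
    _kdfopts, off = _get_string(data, off)
    (nkeys,) = struct.unpack_from(">I", data, off)
    off += 4
    if cipher != b"none" or nkeys != 1:
        raise ValueError("example handles a single unencrypted key only")
    _pub, off = _get_string(data, off)
    priv, off = _get_string(data, off)
    c1, c2 = struct.unpack_from(">II", priv, 0)
    if c1 != c2:
        raise ValueError("checkint mismatch: corrupt file or wrong passphrase")
    p = 8
    keytype, p = _get_string(priv, p)
    if keytype != KEYTYPE:
        raise ValueError("not an sk-ssh-ed25519 key: %r" % keytype)
    pk, p = _get_string(priv, p)
    application, p = _get_string(priv, p)
    flags = priv[p]
    p += 1
    key_handle, p = _get_string(priv, p)
    _reserved, p = _get_string(priv, p)
    comment, p = _get_string(priv, p)
    # Everything after the comment is padding; the private section is exhausted.
    # Unlike a plain ssh-ed25519 key (which carries a 64-byte seed||pk field),
    # no secret scalar is present: the token keeps it.
    return {
        "key_type": keytype.decode(),
        "public_key_len": len(pk),
        "application": application.decode(),
        "user_presence": bool(flags & SSH_SK_USER_PRESENCE_REQD),
        "user_verification": bool(flags & SSH_SK_USER_VERIFICATION_REQD),
        "resident": bool(flags & SSH_SK_RESIDENT_KEY),
        "key_handle_len": len(key_handle),
        "comment": comment.decode(),
        "fields": ["public_key", "application", "flags", "key_handle", "reserved"],
    }


if __name__ == "__main__":
    for k, v in parse_sk_private_key(to_pem(build_sample_sk_private_key())).items():
        print(f"{k}: {v}")
```

The parser only covers the unencrypted `none` cipher case; a passphrase-protected file has the same field layout once decrypted, which is why the `checkint` pair is there. The same logic applies to `sk-ecdsa-sha2-nistp256@openssh.com` keys, with a curve name and point in place of the 32-byte Ed25519 key.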