by xena 1485 days ago
Author of the article here. From what I understand it puts the private key material on the Yubikey itself and then during the signing part of SSH authentication the SSH client asks the Yubikey to do the signature. The private key never leaves the device.
2 comments

Can you also include a screenshot of the ssh connection process? The article stops abruptly at the most interesting part: using the key.
That's how I would hope it would work, but isn't the key in this example getting loaded into the agent?
The agent is a shim that talks to the Yubikey.
Interesting, just read through the release notes. Pretty cool.

I think a small discussion of this (and how the agent/key handles/resident mode work) would make an excellent addition to the blog post. It was very clear how to set it up, but left me with questions as to if I should...

In practice I would wonder about backup authentication methods and key rotation....

But otherwise all in all pretty cool.
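
Added example, not part of the thread or the linked article: a Python model of the exchange the comments above describe, in which the agent only relays a sign request to the device and frames the reply, so no private key material crosses the agent socket. The message numbers and string framing follow the SSH agent protocol; the `Token` class, the HMAC-SHA256 stand-in for the device's signature algorithm, the bare signature encoding and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def frame(msg_type, body):
    """Agent message: uint32 length, one type byte, then the body."""
    return struct.pack(">IB", len(body) + 1, msg_type) + body

class Token:
    """Hypothetical stand-in for the hardware key: the secret is used only in sign()."""
    def __init__(self, secret, key_blob):
        self._secret, self.key_blob = secret, key_blob
    def sign(self, data):
        # Assumption: HMAC-SHA256 replaces the device's real signature algorithm.
        return hmac.new(self._secret, data, hashlib.sha256).digest()

def sign_request(key_blob, data, flags=0):
    """What the SSH client sends: public key blob, data to sign, flags."""
    body = ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, body)

def agent_handle(request, token):
    """The shim: parse a sign request, pass the data to the token, frame the reply."""
    try:
        length, msg_type = struct.unpack_from(">IB", request, 0)
        if length != len(request) - 4 or msg_type != SSH_AGENTC_SIGN_REQUEST:
            raise ValueError("unsupported message")
        key_blob, off = read_string(request, 5)
        data, off = read_string(request, off)
        struct.unpack_from(">I", request, off)  # flags field must be present
        if key_blob != token.key_blob:
            raise ValueError("unknown key")
    except (ValueError, struct.error):
        return frame(SSH_AGENT_FAILURE, b"")
    return frame(SSH_AGENT_SIGN_RESPONSE, ssh_string(token.sign(data)))
```

The agent function never reads the token's secret; it sees only the public key blob, the data to sign and the returned signature.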