by progbits 1235 days ago
Even better, if possible switch to something like PGP keys on Yubikey which prevents exfiltration of the private key, and will only sign things when you enter PIN / touch the device.

This has been my SSH key solution for a while now.

Worked smoothly on most systems.

Kind of messy on Windows, because there are so many SSH agent implementations, but GPG4Win's latest version works with the native SSH now. Real progress.

I find that the PIV smart card stack is needlessly complicated if all you're trying to do is add a resident SSH key to your YubiKey. Look at `ed25519-sk` [0], which is supported by default by recent versions of OpenSSH (and dropbear? idk)

[0]: https://news.ycombinator.com/item?id=29231396
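As an added illustration, not part of the thread: a small audit that parses an `authorized_keys` file and reports which entries are FIDO/hardware-backed `sk-` keys, which FIDO application (RP ID) is encoded in the key blob, and whether sshd will enforce PIN via the `verify-required` option. The sample entries and key bytes are constructed dummies, and the quoted-option form of `authorized_keys` lines is deliberately not handled.

```python
import base64
import struct

SK_TYPE = "sk-ssh-ed25519@openssh.com"

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _make_blob(key_type: str, *fields: bytes) -> str:
    # Build a base64 key blob in OpenSSH wire format: string(type) then each field.
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode()

# Constructed sample authorized_keys content; the key bytes are dummies, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample entries",
    "verify-required " + SK_TYPE + " " + _make_blob(SK_TYPE, bytes([1]) * 32, b"ssh:") + " yubikey-pin",
    SK_TYPE + " " + _make_blob(SK_TYPE, bytes([2]) * 32, b"ssh:laptop") + " yubikey-touch-only",
    "ssh-ed25519 " + _make_blob("ssh-ed25519", bytes([3]) * 32) + " software-key",
])

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_authorized_keys(text: str) -> list:
    """One record per key line: key type, whether it is FIDO/hardware-backed,
    the FIDO application (RP ID) stored in the blob, and any findings."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options (if any) precede the key type; the key type is the first token
        # with a known prefix. Quoted options containing spaces are not handled here.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "sk-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            results.append({"comment": line, "type": None, "hardware_backed": False,
                            "verify_required": False, "application": None,
                            "findings": ["unparseable line"]})
            continue
        options, key_type, b64 = parts[:idx], parts[idx], parts[idx + 1]
        blob = base64.b64decode(b64)
        blob_type, off = _read_string(blob, 0)
        rec = {"comment": " ".join(parts[idx + 2:]), "type": key_type,
               "hardware_backed": key_type.startswith("sk-"),
               "verify_required": "verify-required" in options,
               "application": None, "findings": []}
        if blob_type.decode() != key_type:
            rec["findings"].append("blob type does not match declared type")
        if rec["hardware_backed"]:
            _pubkey, off = _read_string(blob, off)  # raw public key bytes
            app, _ = _read_string(blob, off)        # FIDO application / RP ID
            rec["application"] = app.decode()
            if not rec["verify_required"]:
                rec["findings"].append("verify-required missing: sshd will not enforce PIN")
        else:
            rec["findings"].append("software key: private key can be copied off the host")
        results.append(rec)
    return results
```

Run `audit_authorized_keys(open("~/.ssh/authorized_keys").read())` against a real file to see which accepted keys can be exfiltrated and which rely on touch alone.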

PGP is definitely complicated if you’re not going to use it for other functionality.

And that’s completely separate to the PIV functionality on the key.

Oh, I was under the impression that PIV referred to the smart card protocol and PGP was an application making use of that protocol, something like TCP and HTTP. Looks like I'm mistaken, thanks!

Not the map you are looking for, but there is this comparison chart of SSH clients and their algorithms.

https://ssh-comparison.quendi.de/comparison/cipher.html

https://github.com/rupor-github/win-gpg-agent/blob/main/docs...

Don’t forget this diagram of all the agents, protocols and bridges you might hit on Windows.

That is the scariest system diagram chart that I have ever seen.

It should be a prime example of what NOT to do.