by 4ad 781 days ago
It's the same, you should not store or backup SSH Keys.
4 comments

So I should get locked out of all services when my device breaks?
You should produce a key per device, and produce a backup key that is safely stored & not used anywhere.

You can recover if you lose all devices via your break-glass backup key, and you limit the blast radius of "my key got stolen" from rotating all your keys to just a single device (or maybe the more likely "I screwed up and pushed my key somewhere public").

... which is completely nonviable if you connect to more than a single service.

I agree that you should use a different key per device, but when you connect to over a dozen different services/machines it quickly starts to become a serious chore to add another key. Have fun spending an hour enrolling your new device - provided you can even remember every single usage it should be enrolled with.

SSH certificates solve this issue.

AFAIK there is no equivalent for Passkeys.
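
To make the certificate point concrete: the server trusts the CA key once, and every later decision comes from the principal list and validity window carried inside the certificate itself, so a new device needs one signing step rather than one enrollment per service. Added example, not code from this thread: a minimal encoder and parser for the OpenSSH ed25519 user-certificate body (the layout `ssh-keygen -s` emits), with a constructed placeholder nonce and signature, and an `authorizes` function that mirrors the check sshd makes after it has verified the CA signature.

```python
import base64
import struct

# Certificate body layout follows OpenSSH's PROTOCOL.certkeys for ed25519.
# The nonce and signature below are constructed placeholders, not real values;
# sshd would additionally verify the signature against TrustedUserCAKeys.
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # SSH_CERT_TYPE_USER


def _s(b):  # SSH "string": big-endian uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b


def encode_cert(pubkey, serial, key_id, principals, after, before, ca_pub):
    body = _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey)
    body += struct.pack(">QI", serial, USER_CERT) + _s(key_id.encode())
    body += _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", after, before)  # validity window, unix seconds
    body += _s(b"") + _s(b"") + _s(b"")        # critical options, extensions, reserved
    body += _s(_s(b"ssh-ed25519") + _s(ca_pub))  # CA public key that signed it
    body += _s(b"PLACEHOLDER-SIGNATURE")       # constructed, not Ed25519 output
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


def _rd(buf, off):  # read one SSH string at offset, return (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_cert(line):
    buf = base64.b64decode(line.split()[1])
    _, off = _rd(buf, 0)                 # key type
    _, off = _rd(buf, off)               # nonce
    pubkey, off = _rd(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _rd(buf, off + 12)
    plist, off = _rd(buf, off)
    principals, p = [], 0
    while p < len(plist):                # nested list of principal strings
        name, p = _rd(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", buf, off)
    return {"pubkey": pubkey, "serial": serial, "type": ctype,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}


def authorizes(cert_line, principal, now):
    # sshd's decision: user cert, login principal listed, inside the window
    c = parse_cert(cert_line)
    return (c["type"] == USER_CERT and principal in c["principals"]
            and c["valid_after"] <= now < c["valid_before"])
```

Revoking one device then means letting its short-lived certificate expire (or listing its serial in a RevokedKeys file), not touching every server.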

I have to store them on my disc, in order to use them tomorrow.
Oddly enough you don't. We've been storing our ssh keys (ed25519-sk) as resident keys for years now without issue.

So basically we've been storing ssh keys directly on yubikeys the same way passkeys are stored since before passkeys were a thing.

It seemed a clearly superior option compared to letting ssh private keys roam around on random computers.

Sure, but that then limits you to a handful of keys. The WebAuthn people don't like this, they want one key per service, so basically YubiKeys no longer really work with WebAuthn (unless you're fine with only ever using a max of 25 services).
And then the real world comes knocking.
Can you elaborate on this? Why not?