@bitglue
Last active June 15, 2020 05:16
Automatically add/remove PKCS11 provider from ssh-agent based on Yubikey presence
# Install in /etc/udev/rules.d/
# Reload with: udevadm control --reload-rules
# You might need additional model IDs here, depending on your particular Yubikey
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407|0115", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/sys/subsystem/usb/yubikey"
# See https://github.com/systemd/systemd/issues/7587
# Interestingly, this also fixes smartcard.target, which seems otherwise broken.
ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/407/*|1050/115/*", TAG+="systemd"

Not-so-terrible Yubikey PIV SSH authentication

See https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html for the basics.

The trouble is that running ssh-add -s /long/path/to/some/pkcs11_provider.so is a pain in the ass.

Also, if the Yubikey is removed, ssh-add -l will still indicate the key is available, even though it's not, until the provider is removed with ssh-add -e /path/to/pkcs11_provider.so.

And if the Yubikey is subsequently re-inserted, the ssh agent won't re-prompt for the PIN, and so authentication will fail until the provider is removed and re-added.

Fortunately it's possible to automate these actions based on the insertion/removal of the Yubikey.

# Install in ~/.config/systemd/user/yubikey-ssh-agent.service
# systemctl --user daemon-reload
# systemctl --user enable yubikey-ssh-agent.service
[Unit]
Description=Add the Yubikey to ssh-agent
# Stop (and so run ExecStop) as soon as the device unit that wants us goes away
StopWhenUnneeded=yes
[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/home/indigo/add-to-agent
ExecStop=/home/indigo/add-to-agent remove
[Install]
# Device unit name derived from the SYSTEMD_ALIAS set in the udev rule above
WantedBy=sys-subsystem-usb-yubikey.device
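The add-to-agent script that the unit calls is not part of the gist. The following is an added example of what it can look like, not the author's script: it loads the provider on insert, unloads it on removal, and drops any stale provider before loading so the agent prompts for the PIN again after a re-insert. It assumes the OpenSC module path, that SSH_AUTH_SOCK and DISPLAY have been imported into the systemd user manager's environment, and an overridable SSH_ADD variable used only so the logic can be exercised without a live agent.

```sh
#!/bin/sh
# add-to-agent: the script the unit's ExecStart/ExecStop lines call.
#   add-to-agent          load the PKCS#11 provider into ssh-agent
#   add-to-agent remove   unload it again
# Added example, not the gist author's script; assumptions are marked.
# PKCS#11 module path. The OpenSC location is a common default (assumption).
PROVIDER="${PKCS11_PROVIDER:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
# Command used to talk to the agent; overridable so the logic can be
# exercised without a live agent (assumption; normally plain ssh-add).
SSH_ADD="${SSH_ADD:-ssh-add}"

# Fail early when a required variable is missing from the user manager's
# environment (e.g. not imported with `systemctl --user import-environment`).
need_env() {
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "add-to-agent: $v is not set" >&2
            return 1
        fi
    done
}

remove_provider() {
    "$SSH_ADD" -e "$PROVIDER"
}

add_provider() {
    # A stale provider left behind by an unplug makes the agent skip the PIN
    # prompt and fail later, so drop it first; failure just means none was loaded.
    remove_provider >/dev/null 2>&1 || true
    "$SSH_ADD" -s "$PROVIDER"
}

main() {
    case "${1:-add}" in
        # No terminal under systemd --user: ssh-add prompts for the PIN via
        # SSH_ASKPASS, which only happens when DISPLAY is set.
        add)    need_env SSH_AUTH_SOCK DISPLAY && add_provider ;;
        remove) need_env SSH_AUTH_SOCK && remove_provider ;;
        *)      echo "usage: add-to-agent [remove]" >&2; return 2 ;;
    esac
}

# Dispatch only when executed as the script itself, so the functions can
# also be sourced for testing.
case "${0##*/}" in
    add-to-agent) main "$@" ;;
esac
```

Save it as /home/indigo/add-to-agent (the path the unit uses) and make it executable; if ssh-add reports that it cannot open the authentication socket, SSH_AUTH_SOCK is not yet known to the user manager.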