@chasgames
Last active May 17, 2025 22:33
Yubikey 2024

In this example, the key is set up on a Windows machine and used to log in from a Linux machine.

Windows:

Git Bash: run as admin (it won't work otherwise)

ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:gserv3 -f ~/.ssh/gserv3  # optional extras: -O user=chas -C "gserv testing"
eval $(ssh-agent -s)
ssh-add -K -S internal  # on Linux, just: ssh-add -K
ssh-add -L  # or -l, to verify the loaded identities
ssh-copy-id -i /mnt/c/Users/myuser/.ssh/gserv3 user@remoteserver  # copy the public key to the server

Debug:

ssh-add -D  # delete all keys from the agent, e.g. if just trying the first few
ssh-keygen -K  # permanently download the keys to the system

Linux: YubiKey with PIN workaround

error: sign_and_send_pubkey: signing failed for ED25519-SK "" from agent: agent refused operation
apt-get install ssh-askpass
which ssh-askpass  # optional: check the path in case it differs
eval "$(SSH_ASKPASS=/usr/bin/ssh-askpass ssh-agent -s)"  # start ssh-agent with askpass set so it can prompt for the YubiKey PIN

Then:

ssh-add -K
ssh-add -L
ssh user@ip

Export the public key off the YubiKey to copy onto a different server:

ssh-keygen -K -f ~/.ssh/gserv3
Then rinse and repeat the ssh-copy-id line.

YubiKey Manager (list / delete credentials):

./ykman.exe fido list
./ykman.exe fido delete xxxxxxx
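
Added example (not part of the original gist): a server-side check to run after `ssh-copy-id`. It confirms each `authorized_keys` entry is a FIDO `sk-` key, recovers the `application=ssh:...` label from the key blob, and flags entries without OpenSSH's `verify-required` option, which makes sshd itself require PIN/biometric verification. Function names are illustrative, and the sample entries are constructed with an all-zero placeholder public key.

```python
import base64
import re

# One whitespace-delimited field; spaces inside "..." (e.g. command="a b") do not split it.
FIELD_RE = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^\s"])+)\s*(.*)')
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def wire_strings(blob):
    """Split an SSH public-key blob into its uint32-length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def audit_line(line):
    """Return (key_type, application, problems) for one authorized_keys entry."""
    first, rest = FIELD_RE.match(line.strip()).groups()
    opts = ""
    if not first.startswith(KEY_PREFIXES):  # leading field is the options list
        opts = first
        first, rest = FIELD_RE.match(rest).groups()
    if not first.startswith("sk-"):
        return first, None, ["not a FIDO (sk-) key type"]
    fields = wire_strings(base64.b64decode(rest.split()[0]))
    problems = []
    if fields[0].decode() != first:
        problems.append("key blob type does not match the key type field")
    # Drop quoted values first so command="...verify-required" cannot satisfy the check.
    names = re.sub(r'"(?:\\.|[^"\\])*"', "", opts).lower().split(",")
    if "verify-required" not in names:
        problems.append("no verify-required option on this entry")
    return first, fields[-1].decode(), problems  # application is the last string


def make_sk_line(application, options=""):
    """Constructed sample entry: sk-ssh-ed25519 with an all-zero placeholder key."""
    key_type = b"sk-ssh-ed25519@openssh.com"
    parts = (key_type, bytes(32), application.encode())
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    line = f"{key_type.decode()} {base64.b64encode(blob).decode()} constructed@example"
    return f"{options} {line}".strip()


if __name__ == "__main__":
    for entry in (make_sk_line("ssh:gserv3"),
                  make_sk_line("ssh:5c", 'verify-required,command="echo hi there"'),
                  "ssh-ed25519 AAAA constructed@example"):
        print(audit_line(entry))
```

An entry flagged here may still be covered globally by `PubkeyAuthOptions verify-required` in `sshd_config`.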

oidz1234 commented Feb 4, 2025

needs some emoji...

chasgames commented May 17, 2025

./ykman.exe fido credentials list --csv

-O application=ssh:name = give Label (must be ssh:)
-C = adds comment to pub keyfile
-O verify-required = would enforce PIN / or BIO

ssh-keygen -t ed25519-sk -O resident -O application=ssh:5c -C "5c"
