Save SSH User Certificate on Yubikey

[Duck-dave]

Hey there! How can I save a ssh user certificate to a yubikey? Anyone tried this bevor? Thanks in advance!

[tashian]

Could you describe your use case a bit more?
The YubiKey PIV application has certificate slots for X.509, but not for SSH certificates.
But you can store an SSH private key in one of the key slots.

[Duck-dave]

Wanna issue a ssh user certificate from step-ca and store this one on the yubikey. If I login on a ssh server it should ask for the yubikey.

[maraino]

AFAIK an SSH certificate cannot be stored in a YubiKey. But you can sign a certificate for an ecdsa-sk or ed25519-sk key that require the YubiKey present. This is how:

1. Create your choice of sk key, with a YubiKey present, you will need to touch it:

ssh-keygen -t ed25519-sk

2. Sign the public key with the CA, it will create ~/.ssh/id_ed25519_sk-cert.pub:

step ssh certificate --sign [email protected] ~/.ssh/id_ed25519_sk.pub

3. Assuming the SSH server is configured with the valid TrustedUserCAKeys and the certificate has a valid principal, just:

ssh [email protected]
# OR 
ssh -i ~/.ssh/id_ed25519_sk [email protected]

You must provide the password (if any) and touch the YubiKey to log in.

You can also add the key and cert to the ssh-agent, but you will need a recent version because not all versions support importing sk keys:

ssh-add ~/.ssh/id_ed25519_sk
ssh [email protected]