YubiKey Setup

Hardware

Device      Model           Purpose
Primary     YubiKey 5C NFC  Daily use, resident keys
Secondary   YubiKey 5C NFC  Backup, identical configuration

Initial Setup

Set FIDO2 PIN

# Set PIN (sets the initial PIN on a key that has none, changes it otherwise;
# resident keys cannot be created without one)
ykman fido access change-pin

# Verify PIN is set (output reports the PIN state and remaining retries)
ykman fido info

Generate Resident SSH Keys

# Insert only the primary YubiKey, then generate its resident key for the d000 domain
ssh-keygen -t ed25519-sk -O resident -O verify-required \
    -f ~/.ssh/id_ed25519_sk_rk_d000 \
    -C "evanusmodestus@d000-yubikey"

# Swap in the secondary YubiKey (and nothing else) and generate with the same options;
# only the file name differs, the credential itself lives on the second device
ssh-keygen -t ed25519-sk -O resident -O verify-required \
    -f ~/.ssh/id_ed25519_sk_rk_d000_secondary \
    -C "evanusmodestus@d000-secondary"

Options explained:
* -t ed25519-sk: Ed25519 key whose private half never leaves the hardware security key
* -O resident: store the credential on the YubiKey itself (discoverable), so it can be downloaded again with ssh-keygen -K even if the private-key file is lost
* -O verify-required: require the FIDO2 PIN on every signature, in addition to the touch. The flag is recorded in the key; a server only enforces it when the authorized_keys entry carries the verify-required option (or sshd_config sets PubkeyAuthOptions verify-required)

Both commands prompt for the FIDO2 PIN and a touch. They use the default FIDO application "ssh:"; passing -O application=ssh:d000 instead gives the credential a distinct relying-party ID, and ssh-keygen -K names the downloaded files after that suffix.

Key Recovery

List Resident Keys

# Download the resident (discoverable) credentials from the inserted YubiKey;
# prompts for the FIDO2 PIN and a touch, then for a passphrase for each new file
ssh-keygen -K

# Writes id_ed25519_sk_rk (plus .pub) into the current directory, with the
# application suffix appended when a non-default -O application was used.
# Run it from an empty directory so nothing is clobbered, then rename the
# files to the names used above.

Export Key Handles

# Key handles are in ~/.ssh/. The "private key" file of an -sk key holds only
# the key handle: it is useless without the matching YubiKey (and its PIN),
# and for a resident key it can be regenerated with ssh-keygen -K. Back it up
# anyway so the agent can use the key without a download step.
ls ~/.ssh/id_ed25519_sk_rk_*

# id_ed25519_sk_rk_d000               # Private key handle (primary)
# id_ed25519_sk_rk_d000.pub           # Public key (primary)
# id_ed25519_sk_rk_d000_secondary     # Private key handle (secondary)
# id_ed25519_sk_rk_d000_secondary.pub # Public key (secondary)

FIDO2 Management

View FIDO2 Credentials

# Prompts for the FIDO2 PIN; lists each resident credential with its ID,
# RP ID ("ssh:" for keys made with the default application) and user name
ykman fido credentials list

Delete Credential

# List credentials to get the ID (prompts for PIN)
ykman fido credentials list

# Delete a specific credential (prompts for PIN; ykman accepts a unique
# substring of the ID). The matching SSH key stops working immediately.
ykman fido credentials delete <credential-id>

Reset FIDO2 (Destructive)

# Wipes every FIDO2 and U2F credential on the key and clears the PIN; the
# PIV, OpenPGP and OTP applications are untouched. ykman asks you to remove
# and re-insert the key and then touch it to confirm.
ykman fido reset

Testing

Test SSH Authentication

# Test connection with the primary YubiKey inserted (prompts for PIN and touch)
ssh -v hostname "hostname"

# Expected prompts, in order:
# Enter passphrase for key '...id_ed25519_sk_rk_d000':    (only if the key file has a passphrase)
# Enter PIN for ED25519-SK key ...id_ed25519_sk_rk_d000:  (from -O verify-required)
# Confirm user presence for key ED25519-SK SHA256:...
# User presence confirmed

Verify Key Type

# Check the key is a hardware-backed (-sk) key. The .pub file does not reveal
# whether the key is resident or PIN-protected; ykman fido credentials list
# shows the resident credentials themselves.
ssh-keygen -lf ~/.ssh/id_ed25519_sk_rk_d000.pub

# Output should show:
# 256 SHA256:... evanusmodestus@d000-yubikey (ED25519-SK)
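The fingerprint line only tells you the key type. The application string the credential was created under (the FIDO relying-party ID that ykman fido credentials list shows as RP ID, and that decides the file name ssh-keygen -K produces) is embedded in the public-key blob itself. The script below is an added example, not code from the original page: it decodes that blob with POSIX tools only. It builds its own constructed sample (a dummy all-'A' 32-byte public key under the hypothetical application "ssh:d000"; keys made as on this page use the default "ssh:") and parses it back. Point sk_pubkey_fields at a real .pub line to inspect one of your own keys.

```shell
#!/bin/sh
# Added example: decode the sk-ssh-ed25519@openssh.com public-key blob.
# Wire format (OpenSSH PROTOCOL.u2f): three length-prefixed strings,
#   string key type, string 32-byte Ed25519 public key, string application.

# Write a big-endian uint32 as four raw bytes (octal escapes keep it POSIX).
u32_be() {
    printf "\\$(printf '%03o' $(( ($1 >> 24) & 255 )))\\$(printf '%03o' $(( ($1 >> 16) & 255 )))\\$(printf '%03o' $(( ($1 >> 8) & 255 )))\\$(printf '%03o' $(( $1 & 255 )))"
}

# Write an SSH string: uint32 length followed by the bytes (ASCII input assumed).
ssh_string() {
    u32_be "${#1}"
    printf '%s' "$1"
}

# Read the big-endian uint32 at byte offset $2 of file $1.
read_u32() {
    od -An -tu1 -j "$2" -N 4 "$1" | awk 'NR == 1 { print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Print "<key type> <public key length> <application>" for one OpenSSH
# public-key line (the second whitespace-separated field is the base64 blob).
sk_pubkey_fields() {
    blob=$(mktemp)
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d > "$blob"
    off=0
    len=$(read_u32 "$blob" "$off")
    ktype=$(tail -c +$((off + 5)) "$blob" | head -c "$len")
    off=$((off + 4 + len))
    keylen=$(read_u32 "$blob" "$off")          # 32 for Ed25519
    off=$((off + 4 + keylen))
    len=$(read_u32 "$blob" "$off")
    app=$(tail -c +$((off + 5)) "$blob" | head -c "$len")
    rm -f "$blob"
    printf '%s %s %s\n' "$ktype" "$keylen" "$app"
}

# Constructed sample: a dummy 32-byte public key under the hypothetical
# application "ssh:d000" (not a real credential).
DUMMY_PK='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_BLOB=$({ ssh_string 'sk-ssh-ed25519@openssh.com'; ssh_string "$DUMMY_PK"; ssh_string 'ssh:d000'; } | base64 | tr -d '\n')
SAMPLE_LINE="sk-ssh-ed25519@openssh.com $SAMPLE_BLOB evanusmodestus@d000-yubikey"

sk_pubkey_fields "$SAMPLE_LINE"
# sk-ssh-ed25519@openssh.com 32 ssh:d000
```

A key whose application decodes to "ssh:" will appear under RP ID "ssh:" in ykman fido credentials list and download as plain id_ed25519_sk_rk; one created with -O application=ssh:d000 decodes to "ssh:d000" and downloads as id_ed25519_sk_rk_d000. The public key length is a quick sanity check that the blob was not truncated by a copy-paste.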

Troubleshooting

Key Not Found

# Ensure the YubiKey is inserted and seen by ykman
ykman info

# Confirm the resident key is still on the device (this downloads it; run in a scratch directory)
ssh-keygen -K

# Verify ssh-agent knows the key; if it is missing, ssh-add ~/.ssh/id_ed25519_sk_rk_d000
ssh-add -l

PIN Issues

# Check PIN retries remaining. Three wrong attempts in a row lock the PIN
# until the key is unplugged and reinserted; eight in total lock it for good,
# and only ykman fido reset (which wipes the credentials) recovers the key.
ykman fido info

# Change PIN (requires the current PIN; a forgotten PIN cannot be recovered)
ykman fido access change-pin

Permission Denied

# Install the public key in authorized_keys on the target (or confirm it is
# already there: grep sk-ssh-ed25519 ~/.ssh/authorized_keys on the host)
ssh-copy-id -i ~/.ssh/id_ed25519_sk_rk_d000.pub hostname

# To make the server enforce the PIN rather than trust the client, prefix the
# entry with the verify-required option:
# verify-required sk-ssh-ed25519@openssh.com <public-key-blob> evanusmodestus@d000-yubikey

# Verify with verbose output
ssh -vvv hostname
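The client-side -O verify-required flag only makes ssh ask for the PIN. sshd checks the user-verification flag in the signature only when the authorized_keys entry (or sshd_config PubkeyAuthOptions) says verify-required, so an entry without that option accepts the key with touch alone. The script below is an added example, not part of the original page: it audits an authorized_keys file for sk-* entries lacking the option and prints the hardened form of each. It runs on a constructed sample file whose key blobs are placeholders.

```shell
#!/bin/sh
# Added example: find FIDO (sk-*) entries in authorized_keys that the server
# would accept without requiring PIN verification, and print hardened versions.

# Classify one authorized_keys line. Prints one word:
#   ok      - sk-* key type and verify-required is in the option list
#   missing - sk-* key type but no verify-required option
#   other   - comment, blank line, or a non-FIDO key
classify_sk_line() {
    line=$1
    case "$line" in
        ''|'#'*) echo other; return 0 ;;
    esac
    case "$line" in
        *sk-ssh-ed25519@openssh.com*)         ktype='sk-ssh-ed25519@openssh.com' ;;
        *sk-ecdsa-sha2-nistp256@openssh.com*) ktype='sk-ecdsa-sha2-nistp256@openssh.com' ;;
        *) echo other; return 0 ;;
    esac
    opts=${line%%"$ktype"*}      # text before the key type: the option list, if any
    opts=${opts% }               # drop the space separating options from the type
    case ",$opts," in
        *,verify-required,*) echo ok ;;
        *)                   echo missing ;;
    esac
}

# Print the line with verify-required added when it is missing, unchanged otherwise.
harden_sk_line() {
    line=$1
    case "$(classify_sk_line "$line")" in
        missing)
            case "$line" in
                sk-*) printf 'verify-required %s\n' "$line" ;;   # entry had no options
                *)    printf 'verify-required,%s\n' "$line" ;;   # prepend to existing list
            esac ;;
        *) printf '%s\n' "$line" ;;
    esac
}

# Report offending entries on stderr and print how many there were.
audit_authorized_keys() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(classify_sk_line "$line")" = missing ]; then
            count=$((count + 1))
            printf 'no verify-required: %s\n' "$line" >&2
        fi
    done < "$1"
    echo "$count"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AK=$(mktemp)
cat > "$SAMPLE_AK" <<'EOF'
# constructed sample authorized_keys
verify-required sk-ssh-ed25519@openssh.com AAAAEXAMPLEBLOB1 evanusmodestus@d000-yubikey
sk-ssh-ed25519@openssh.com AAAAEXAMPLEBLOB2 evanusmodestus@d000-secondary
no-port-forwarding,verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAEXAMPLEBLOB3 other-device
ssh-ed25519 AAAAEXAMPLEBLOB4 software-key-not-affected
EOF

audit_authorized_keys "$SAMPLE_AK"     # prints 1: only the secondary entry is unprotected
harden_sk_line 'sk-ssh-ed25519@openssh.com AAAAEXAMPLEBLOB2 evanusmodestus@d000-secondary'
```

The option parser splits on commas only, so an entry whose option list contains a quoted comma (for example inside command="...") is classified on a best-effort basis; check those by hand. Setting PubkeyAuthOptions verify-required in sshd_config applies the requirement to every FIDO key on the host and is the simpler control when all keys there are PIN-protected.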