
Yubikey First Setup

Download the authenticator app or the CLI. In the authenticator app there's an option to set a PIN for the first time.

In a terminal with your yubikey inserted, generate the FIDO2-backed SSH keys:

ssh-keygen -t ed25519-sk -O resident -O verify-required -C "pnl1@bfh.ch"

After this it will ask you to touch your YubiKey and enter your PIN; then you can check that your keys were created by executing:

ykman fido credentials list # if you installed the CLI

If you didn't install the CLI you can see this in the passkeys section of the authenticator app.

Key Generation Options Explained

  • -t ed25519-sk or -t ecdsa-sk: Key type.

  • -O resident: Creates a resident key, stored on the YubiKey itself. Enables portability across machines. Requires a PIN.

  • -O verify-required: Requires both PIN entry and a physical touch for every use. (OpenSSH 8.3+).

  • -O application=ssh:<name>: Optional label if storing multiple SSH credentials.

  • -C "comment": Helps identify the key.

If you omit -O resident, a non-resident key is created. Its private key handle is stored on disk, but still requires user presence (touch). Use -O verify-required to enforce PIN verification.

The Key Generation Process

  • Prompt to touch your YubiKey (user presence).

  • If creating a resident key, prompt for your FIDO2 PIN (user verification).

  • Optionally set a local passphrase for the handle file.

  • The .pub file is your public key for servers or GitHub.

Once the .pub file is added to the servers you can ssh into them as usual; just note that you have to specify the key with -i in the ssh command.
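The server side can enforce the PIN requirement as well, instead of trusting only the flags baked into the client's key handle: sshd accepts a verify-required option in front of an authorized_keys entry (OpenSSH 8.3+). The shell below is an added example, not part of these notes; it turns a .pub line from the ssh-keygen command above into such an entry and audits an authorized_keys file for entries that lack it. All key blobs are constructed dummies.

```shell
#!/bin/sh
# Added example (not from the original notes). Builds an authorized_keys entry
# that makes sshd itself insist on FIDO2 user verification, and audits a file
# for entries where it does not. Key blobs are constructed dummies.

is_sk_type() {
    case "$1" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# harden_pubkey_line "<type> <base64-blob> [comment]"
# Prints "verify-required <type> <blob> <comment>"; returns 1 for anything
# that is not a FIDO2-backed key type or whose blob is not base64.
harden_pubkey_line() {
    set -- $1                                   # split the .pub line on whitespace
    [ $# -ge 2 ] || { echo "rejected: malformed key line" >&2; return 1; }
    ktype=$1; blob=$2; shift 2; comment=$*
    is_sk_type "$ktype" || { echo "rejected: $ktype is not FIDO2-backed" >&2; return 1; }
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; return 1 ;;
    esac
    printf 'verify-required %s %s %s\n' "$ktype" "$blob" "$comment"
}

# audit_authorized_keys: reads authorized_keys lines on stdin, reports each
# entry sshd would accept without enforcing FIDO2 user verification (software
# keys, or sk keys without the verify-required option) and prints their count.
audit_authorized_keys() {
    weak=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *verify-required*sk-ssh-ed25519@openssh.com*) ;;
            *verify-required*sk-ecdsa-sha2-nistp256@openssh.com*) ;;
            *) weak=$((weak + 1)); echo "not PIN-enforced: $line" >&2 ;;
        esac
    done
    echo "$weak"
}

# Constructed sample authorized_keys content (dummy blobs, not real keys).
SAMPLE_AUTHORIZED_KEYS='# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGR1bW15 laptop-software-key
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGR1bW15 pnl1@bfh.ch
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGR1bW15 yubikey-no-server-rule'
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys
```

Running the block as-is prints the two entries that sshd would accept without a PIN check, then the count 2.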