Question 1

How do I generate an SSH key using a YubiKey security key?

Accepted Answer

On my Windows client I used ssh-keygen with the security-key type (the one that ends in “-sk”). That’s what forces the prompts to use the YubiKey and ask you to touch the key. After that, you’ll have a normal-looking keypair, but the public key will be marked as a security-key style key.

Question 2

What OpenSSH version do I need for YubiKey SSH (FIDO) authentication?

Accepted Answer

You need OpenSSH 8.2 or higher on both the client and the server. That’s when support for FIDO/security keys showed up. If you’re on something older (like some repos on Oracle Linux 8), it just won’t work until you upgrade or use a newer environment.

Question 3

Why doesn’t YubiKey SSH work on my Oracle Linux 8 server?

Accepted Answer

In my case, the latest OpenSSH package available in the repo was older than what I needed (I saw 8.0). Since security key auth needs 8.2+, that’s a hard blocker. I didn’t upgrade the whole box—I just used a CentOS Stream 9 container where the packages are newer.

Question 4

How do I add the YubiKey SSH public key to my server?

Accepted Answer

I printed the public key on my client and then pasted it into ~/.ssh/authorized_keys on the server. After that, SSH can recognize it as a security-key backed key (you’ll notice it’s labeled differently and includes the “sk” style). Once it’s there, the server will accept it like any other key, but it will still require the touch confirmation.

Question 5

How do I SSH with a specific YubiKey-generated key file?

Accepted Answer

I used ssh -i to specify the key file directly. If you don’t specify the key, you might not actually use the security-key-backed one you just generated. When it’s working, you’ll see the “confirm user presence” prompt and you’ll have to touch the YubiKey.

Question 6

What does “confirm user presence” mean when SSHing with a YubiKey?

Accepted Answer

That prompt is basically the whole point: it’s asking you to prove you’re physically there. I had to touch the YubiKey button to complete the login. After that, the session proceeds normally and you’re logged into the server.

Question 7

Do I still need an SSH passphrase if I use a YubiKey?

Accepted Answer

You can still set a passphrase like normal ssh-keygen, but I skipped it in the video. The YubiKey touch requirement is already adding an extra confirmation step. If you want even more defense-in-depth, adding a passphrase is totally an option.

Boost Your SSH Security with YubiKey – Here’s How!

About This Video

Frequently Asked Questions

🎬 More from sass drew