... | ... | @@ -170,8 +170,6 @@ In particular, `-sk` keys are currently *not* supported by our |
|
|
This guide should be followed if you want to use SSH without depending
|
|
|
on OpenPGP *or* FIDO2.
|
|
|
|
|
|
### Token setup
|
|
|
|
|
|
YubiKey 5-series tokens, which support the [FIPS 201](https://en.wikipedia.org/wiki/FIPS_201)
|
|
|
standard also known as PIV, can be used as a convenient second factor to for ssh
|
|
|
public key authentication.
|
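Review bot: the context line "can be used as a convenient second factor to for ssh" carries a stray "to", and since the header shrinks this hunk from 8 lines to 6 and `### Token setup` reappears in the next hunk, the heading above that paragraph appears to be moving, so the paragraph is being touched anyway. Suggest fixing the wording in the same change, for example "can be used as a convenient second factor for SSH public key authentication", and checking that the YubiKey/PIV introduction still reads correctly when it follows "on OpenPGP *or* FIDO2." without a heading of its own.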
... | ... | @@ -182,6 +180,13 @@ only support `ssh-rsa` keys. This has also been observed on Pantheon.io, a DevOp |
|
|
platform for websites. For modern SSH servers, the `ed25519-sk` key type is
|
|
|
preferred.
|
|
|
|
|
|
*WARNING: because `yubikey-agent` requires exclusive access to the yubikey, this
|
|
|
method is only practical when the yubikey's OpenPGP interface is **not** used.
|
|
|
Otherwise, the more practical solution is to use the OpenPGP interface with an
|
|
|
authentication subkey that can be used as an SSH key pair.*
|
|
|
|
|
|
### Token setup
|
|
|
|
|
|
First, one must install [yubikey-manager](https://github.com/Yubico/yubikey-manager).
|
|
|
On Debian 11 (bullseye), a simple `apt install yubikey-manager` is sufficient. On
|
|
|
older versions of Debian, one should install it via `pip3` in order to have a
|
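Review bot: the new WARNING names `yubikey-agent` and its need for exclusive access, but nothing in the visible lines introduces that tool, and the first step under the re-added `### Token setup` heading installs `yubikey-manager` instead. Suggest linking `yubikey-agent` on first mention and pointing the "use the OpenPGP interface with an authentication subkey" alternative at the section that documents it, so a reader who does use OpenPGP on the token knows where to go next. Two style points: the paragraph is wrapped in `*...*` across four lines with a nested `**not**`, which Markdown renderers handle inconsistently (a blockquote would be safer), and "yubikey" is lowercase here while the paragraph in the previous hunk writes "YubiKey".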
... | ... | |