howto/yubikey: add warning about yubikey-agent

Had this in my git stash, still relevant although I've since migrated away from PIV tokens

howto/yubikey: add warning about yubikey-agent
ce3687b5 · Jérôme Charaoui · 1089adf3 · ce3687b5
Verified Commit ce3687b5 authored 1 year ago by Jérôme Charaoui
--- a/howto/yubikey.md
+++ b/howto/yubikey.md
@@ -170,8 +170,6 @@ In particular, `-sk` keys are currently *not* supported by our
 This guide should be followed if you want to use SSH without depending
 on OpenPGP *or* FIDO2.

-### Token setup
-
 YubiKey 5-series tokens, which support the [FIPS 201](https://en.wikipedia.org/wiki/FIPS_201)
 standard also known as PIV, can be used as a convenient second factor to for ssh
 public key authentication.
@@ -182,6 +180,13 @@ only support `ssh-rsa` keys. This has also been observed on Pantheon.io, a DevOp
 platform for websites. For modern SSH servers, the `ed25519-sk` key type is
 preferred.

+*WARNING: because `yubikey-agent` requires exclusive access to the yubikey, this
+method is only practical when the yubikey's OpenPGP interface is **not** used.
+Otherwise, the more practical solution is to use the OpenPGP interface with an
+authentication subkey that can be used as an SSH key pair.*
+
+### Token setup
+
 First, one must install [yubikey-manager](https://github.com/Yubico/yubikey-manager).
 On Debian 11 (bullseye), a simple `apt install yubikey-manager` is sufficient. On
 older versions of Debian, one should install it via `pip3` in order to have a