Yubikey Configuration
Some services a yubikey is good for:
- SSH from any host (i.e. accessing my homelab server kyu from a random computer)
- Github (Passkey and/or 2FA)
- Discord (2FA)
- UC Berkeley account (2FA)
- Bitwarden (2FA)
Naming
I add small stickers to my yubikeys and name the corresponding SSH key / passkey / anything else, whenever possible and prompted, after that sticker.
FIDO2 SSH Key
Generate an SSH key on the yubikey:
ssh-keygen -t ed25519-sk -O resident -C "your_email@example.com"
I skip the password. I do set a name (see Naming above). For an explanation of each part of the command, see the page below:
dev.yubico: Securing SSH Authentication with FIDO2 Security Keys
I do not include -O verify-required because I don't want to be prompted for the pin all the time. For more information on User Verification, check this page:
dev.yubico: User Presence vs User Verification
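Leaving out -O verify-required is a client-side choice; a server can still demand the pin per key with the verify-required option in authorized_keys. The script below is an added example, not part of the original notes. It audits authorized_keys lines for hardware-backed (sk-) keys and the options that enforce pin and touch. The function names, result fields and the all-zero sample key are constructed for illustration.

```python
import base64
import struct

SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_strings(blob):
    """Split a public key blob into its SSH wire strings, rejecting truncation."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[off:off + n])
        off += n
    return out

def audit_line(line):
    """Describe one authorized_keys line; None for blank, comment or keyless lines."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # The key type is the first field naming an algorithm; fields before it are options.
    # Simplification: quoted option values that contain spaces are not handled.
    idx = next((i for i, f in enumerate(fields)
                if f in SK_TYPES or f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    options = set(",".join(fields[:idx]).lower().split(",")) - {""}
    parts = read_strings(base64.b64decode(fields[idx + 1]))
    is_sk = bool(parts) and fields[idx] in SK_TYPES and parts[0].decode() == fields[idx]
    return {
        "type": fields[idx],
        "hardware_backed": is_sk,
        # For sk- keys the last string in the blob is the FIDO application (default "ssh:").
        "application": parts[-1].decode() if is_sk else None,
        "pin_enforced": is_sk and "verify-required" in options,
        "touch_enforced": is_sk and "no-touch-required" not in options,
    }

# Constructed sample: an all-zero 32-byte "public key", not a real credential.
SAMPLE_BLOB = ssh_string(b"sk-ssh-ed25519@openssh.com") + ssh_string(bytes(32)) + ssh_string(b"ssh:")
SAMPLE_KEY = "sk-ssh-ed25519@openssh.com " + base64.b64encode(SAMPLE_BLOB).decode() + " sticker-name"
```

Call audit_line on each line of a server's authorized_keys file; a key generated as above reports pin_enforced as False unless the line starts with verify-required.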
Loading SSH key on new hosts
Run ssh-keygen -K.
dev.yubico: Securing SSH Authentication with FIDO2 Security Keys
Setting a Pin
If you try to register your yubikey with certain services without setting a pin, it will error. For example, on Github, you may see the following:
Passkey registration failed. This cannot be used as a passkey.
Below are the steps to set the pin.
- Install and Open YubiKey Manager
  - On NixOS: nix-shell -p yubioath-flutter
  - Then, run yubioath-flutter to open the GUI.
- Navigate to Passkeys -> Change Pin and set the pin.
Discord
User Settings (bottom left corner gear icon) -> My Account -> Register a Security Key