
Reading SSH private key physically stored on yubikey to remote into external PC

Çağlar Arlı


I was wondering if it's possible to only store and read an SSH private key on a YubiKey, and not read the private key the YubiKey generated from a client computer?

Currently the only way it seems to work is that I store the private key on the client PC and then plug my YubiKey in to authenticate, like so: PS C:\Users\User\Desktop> ssh -i .\ed25519-sk user@remote_linux

Ideally I'd never want any private key stored on any client, and instead read the private key file from the YubiKey when it's plugged in.

I've already managed this with an external USB stick, which only stores the private key on the USB stick and is able to SSH me into a remote system only when I plug the USB stick in. I'd like to achieve the same with the YubiKey, with the obvious benefits of the YubiKey's authentication.

These are the steps I took to generate the SSH keys in an elevated PowerShell window:

  1. Plugged the YubiKey into the PC
  2. Installed a beta OpenSSH version on my Windows client and confirmed the version to be: OpenSSH_for_Windows_9.1p1, LibreSSL 3.6.1
  3. Also confirmed my remote Linux machine to be above OpenSSH 8.2p1
  4. Generated the key pair in my Windows client Desktop directory: PS C:\Users\User\Desktop> ssh-keygen -t ed25519-sk -O verify-required
  5. Followed the YubiKey prompts, entered the PIN and touched the YubiKey
  6. Copied the public key contents to my remote Linux computer's ~/.ssh/authorised_file

But I'm only able to SSH into my Linux machine with the private key stored somewhere on my client Windows PC, as I mentioned earlier.

Is what I'm trying to achieve possible?

According to this guide:

The private key is stored on your YubiKey directly and you can add it with ssh-add -K. You can delete the SSH key stub at ~/.ssh/id_ed25519_sk and then your YubiKey will be the only thing holding that key.

I'm not exactly sure what this means, and I'm not sure if this would help me with what I want, but whenever I try to run the command it doesn't work, even though the YubiKey is plugged in and I'm in the directory where the key pair is located:

PS C:\Users\User\Desktop> ssh-add -K
Cannot download keys without provider
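The procedure the question is after, as an added example that is not part of the original post. Two facts worth knowing first: the id_ed25519_sk file that `ssh-keygen -t ed25519-sk` writes is a key handle, not the private key (the signing key never leaves the authenticator), and if the key is enrolled with `-O resident` the handle is stored on the token as well, so it can be recovered on any client with `ssh-keygen -K` (written to files in the current directory) or loaded straight into the agent with `ssh-add -K`. The script assumes (this is not stated on the page) that the OpenSSH for Windows 9.1 beta's built-in FIDO support services the resident-key download; on builds that need an explicit middleware library, `ssh-keygen -K -w <provider>` and `ssh-add -K -S <provider>` name one, which is what the "Cannot download keys without provider" message is about. The remote host and user are the `user@remote_linux` from the question; the application label `ssh:remote_linux` is an arbitrary choice.

```powershell
# Added example (not from the original post): enrol a *resident* FIDO2 SSH key on
# the YubiKey so that no key-handle file has to live on the client, then recover
# the handle on a fresh client with `ssh-keygen -K`.
#
# Assumptions (not from the page): OpenSSH for Windows 9.1 beta's built-in FIDO
# support handles resident-key download, the YubiKey already has a PIN set, and
# the server is the `user@remote_linux` from the question.

$ErrorActionPreference = 'Stop'

# 1. Enrolment (done once, on any client).
#    -O resident         store the credential (key handle) on the token itself
#    -O verify-required  require the PIN for every signature, not only a touch
#    -O application=...  label (must start with "ssh:") so several resident SSH
#                        keys can coexist on one token and be told apart by -K
#    -O user=...         user-id string the token records with the credential
#    -f                  write handle + public key to a throwaway directory
$tmp = Join-Path $env:TEMP ("sk-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
ssh-keygen -t ed25519-sk -O resident -O verify-required `
    -O application=ssh:remote_linux -O user=user `
    -f (Join-Path $tmp 'id_ed25519_sk')

# Install the public key on the server. The server-side file sshd reads is
# ~/.ssh/authorized_keys (this is the spelling sshd expects).
Get-Content (Join-Path $tmp 'id_ed25519_sk.pub') |
    ssh user@remote_linux 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

# Nothing secret was ever in $tmp: id_ed25519_sk is a key handle and the signing
# key is inside the YubiKey. Delete the directory anyway to demonstrate that.
Remove-Item -Recurse -Force $tmp

# 2. On a fresh client (or after the handle above was deleted): pull the resident
#    key handle back off the token. ssh-keygen -K prompts for PIN + touch and
#    writes id_<type>_sk_rk[_<application>] plus a .pub file into the current
#    directory, one pair per resident SSH credential on the token.
$work = Join-Path $env:TEMP ("sk-rk-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Push-Location $work
try {
    ssh-keygen -K
    $handle = Get-ChildItem -Filter 'id_ed25519_sk_rk*' |
        Where-Object { $_.Extension -ne '.pub' } |
        Select-Object -First 1
    if (-not $handle) { throw 'no resident ed25519-sk credential found on the token' }
}
finally {
    Pop-Location
}

# 3. Use it. Every login still needs the YubiKey present (PIN + touch, because of
#    verify-required); the handle file is only a pointer to the on-token
#    credential and can be deleted again afterwards.
ssh -i $handle.FullName user@remote_linux
Remove-Item -Recurse -Force $work
```

`ssh-add -K` does the same download but hands the handles to the running ssh-agent instead of writing files, so nothing touches disk at all; the page shows that path failing on this particular Windows build with "Cannot download keys without provider", so the file-based `ssh-keygen -K` route above is the one to try first, and `-w`/`-S` are only needed on builds that load a separate FIDO middleware library.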