Does anyone use a Yubikey - have any guides for SSH?

I'm looking for a current guide or help in adding a Yubikey 5 for ssh. Seeing a number of differing items - I don't have the experience to sort through the differences. And it looks like I will have to replace dropbear with openssh? Has anyone used Yubikey with their ssh login?

I don't have a Yubikey, but I am using OpenSC-supported smartcards to log on and this is very secure. It is fully integrated with the ssh client and this allows connecting automatically with hard crypto.

Visit https://github.com/OpenSC/OpenSC/wiki for more information.

Usually, Yubikeys are fully supported by OpenSC. Export your SSH public key from the Yubikey. Install it in ./ssh/authorized_keys et voilà. The OpenSC PKCS#11 provider handles the rest. There should be a Yubikey guide on the OpenSC site.


So what sits on the router? Is it PAM?

Thanks for that, I'll take a look.

https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html

Yubikey released a PKCS#11 provider. You can probably use the OpenSC PKCS#11 provider directly; it is the standard for crypto tokens.

You can connect directly with ssh -I XXX/libykcs11.so user@remote.example.com
If you were using OpenSC, just type: ssh user@remote.example.com, it can't be more simple.

OpenSC guide is here:

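The export-and-install step described in the two replies above, as an added example that is not part of any post in this thread: `ssh-keygen -D` lists the public keys a PKCS#11 provider exposes, and the helper installs one into an authorized_keys file only if it is a public key line, without duplicating it, and with owner-only permissions. The function names, the `--install` argument, and the accepted key types (RSA and ECDSA P-256/P-384 for a PIV slot) are assumptions; the provider library and target file are passed in rather than guessed.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from OpenSC or Yubico.

# List public keys held on the token through a PKCS#11 provider library
# (for example the libykcs11.so or OpenSC provider named in the thread).
export_token_keys() {
    ssh-keygen -D "$1"
}

# Succeed only for a single OpenSSH public key line of an expected type.
# Private key material or arbitrary text is rejected.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ecdsa-sha2-nistp(256|384)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append a public key line to an authorized_keys file.
# Idempotent: compares the base64 blob, so a changed comment adds no duplicate.
install_pubkey() {
    keyfile=$1
    line=$2
    is_pubkey_line "$line" || {
        echo "refusing: not a recognised public key line" >&2
        return 1
    }
    # sshd ignores key files that other users can write to.
    touch "$keyfile" && chmod 600 "$keyfile" || return 1
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    if awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$keyfile"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$keyfile"
}

# With the token plugged in:
#   sh token-key.sh --install /path/to/provider.so ./authorized_keys
if [ "${1:-}" = "--install" ] && [ $# -eq 3 ]; then
    export_token_keys "$2" | while IFS= read -r line; do
        install_pubkey "$3" "$line"
    done
fi
```

Only the public half ever leaves the token; the private key stays on the Yubikey and signing happens through the provider at login time.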

This is an old thread, but showed up in my search.

You do not need OpenSC or PAM if you use the gnupg applet on the yubikey. I personally use the gnupg smartcard with an ssh-agent for public key authentication against the standard OpenWRT ssh server.

This is a very detailed intro on how to generate the pgp keys and store them on the yubikey: https://github.com/drduh/YubiKey-Guide