I’ve been getting increasingly paranoid about computer security over the years. There’s always plenty to improve as new threats and technologies keep evolving. For example, dependency chain compromises like the one disclosed by PyTorch in December 2022 show that even a seemingly-benign action like installing a well-known package can result in exposure of secrets, including private SSH keys.

As part of improving my security stance, I bought a couple of YubiKeys a couple of years ago and started using them wherever possible (either directly on supported sites or indirectly via Yubico Authenticator). At some point, I realised that YubiKeys may be used for SSH access as well, but I only got around to setting it up today. Turns out it’s pretty simple.

One problem with YubiKeys is that they often offer more than one way of doing things, and SSH access is no exception. Andrej Friesen covered the options for SSH in an accessible post, which led me to the official Yubico page on securing SSH with FIDO2. I went with the discoverable key option along with ed25519 as the algorithm (see this post for a short explanation of the different algorithms).

Following the official guide was straightforward, but then I hit this error: sign_and_send_pubkey: signing failed for ED25519-SK "..." from agent: agent refused operation. The common cause of this error is having the wrong permissions on the private key file, but that wasn’t the case for me. After a bit of digging, I found this Reddit thread that points to a gnome-keyring issue as the root problem (I use Ubuntu 22.04 on my laptop). As suggested on the Reddit thread, adding IdentityAgent none to the relevant hosts in my SSH config sorted out the issue. It seems like a reasonable workaround for now – I’m happy that I now have my SSH access tied to my YubiKey.

Edit: Connection multiplexing can be useful for reducing the need to re-authenticate when running parallel connections.