Passwordless SSH login with YubiKey and FIDO2

How to use your YubiKey with OpenSSH to authenticate securely against servers without a password.

Passwordless SSH login with YubiKey and FIDO2
OpenSSH Key Authentication with YubiKey 5 

I am using a YubiKey for quite some time now for my most valuable accounts:

  • Google Account
  • Bitwarden

These are the most important ones. If you obtain control over my Google account you can reset every password for every service I am registered with.

Bitwarden stores my actual passwords so pretty important as well.

That was about it what I use my YubiKey 5 NFC for. I was asking myself what else can I do with this key, especially for my servers which I need to connect to via SSH. Looks like quite a lot!

YubiKey SSH Key login methods

YubiKeys allow a few different methods to make your ssh login more secure.


This will just give you the option to add a second factor with a One Time Password. Boring. And not as secure and more suited to a more legacy version of OpenSSH.


Personal Identity Verification. This is more suited to an enterprise where you want to centrally manage all your keys. Overkill for a homelab.


I looked briefly into this and watched a few videos. Honestly, this seems to be very complex as everything with PGP that I came across. A lot of folks say that PGP is a major pain in your behind. You certainly can use your YubiKey with PGP and SSH.

I will pass for now.

FIDO2 - The Cool Stuff

Let's go to the coolest and easiest solution for private use in my opinion: FIDO2 which stands for Fast Identity Online.

You can create 2 different keys. Be sure to create a FIDO2 PIN for the YubiKey. This can be done with the YubiKey Manager via CLI or GUI. And write that PIN down. If you lose that you are in trouble like me.😏

You can reset the PIN anytime, but then all your U2FA will be reset as well. So be careful. I was an idiot so you don't have to be.

Anyway, let's go forward with the 2 types of keys.

You have discoverable Credentials and non-discoverable Credentials.

Discoverable Credential Non-Discoverable Credential
openssh-server >8.3 openssh-server >8.2p1
No private key in ~/.ssh Creates a private key in ~/.ssh
Can be used by someone who finds the YubiKey The YubiKey itself is useless
Portable Less portable

I also checked for you which commonly used server distros has which openssh-server version:

Operating System open-ssh server version
Ubuntu 22.04 LTS (Jammy) 8.9p1-3
Debian 11 (Bullseye) 8.4p1
Ubuntu 20.04 LTS (Focal) 8.2p1
Debian 10 (Buster) 7.9p1
Ubuntu 18.04 LTS (Bionic) 7.6p1
Debian 9 (Stretch) 7.4p1

Discoverable Credential

This will use the YubiKey as your SSH key. Meaning as long as you have your YubiKey plugged in you can SSH into your servers. You can take the key to another system and you are still able to log in via SSH since the YubiKey is your SSH key. Pretty amazing. I would like to do just that!

Unfortunately, my YubiKey 5 NFC does have an older firmware (5.1.2) and can not do this. Also, you can not update YubiKey Firmware. What a bummer. 😞

Non-Discoverable Credential

This will create an SSH key on your local system in ~/.ssh but only works together with the YubiKey. So if I remove my YubiKey or lose the YubiKey altogether I can not use this SSH key anymore. That also means other people can not use this YubiKey on their machines. But that also means I have to copy this private key to all of the servers I want to use this on.

You can basically create two types of keys here:

  • ecdsa-sk
  • ed25519-sk

The -sk stand for security key. Since I use an id_ed25519 already (because of reasons) I thought let's go with that one. Nope. Again my firmware was too old. You have to have at least a YubiKey with version 5.2.3. Everything below can only do ecdsa-sk.

Meh, then let's use the ecdsa-sk version:

ssh-keygen -t ecdsa-sk -C "test"

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/andrej/.ssh/id_ecdsa_sk): test	
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test
Your public key has been saved in
The key fingerprint is:
SHA256:Qc1skzFfEyvlE0mwpteOEOckgPcAjevgF3vXF62hgBQ test
The key's randomart image is:
+-[ECDSA-SK 256]--+
|      .=E=oo.oBo |
|      o.=.Bo =.+ |
|       +.=o.B +. |
|    . o ..oO oo..|
|   . o oS ooo..+ |
|    . + . .oooo  |
|     . . .  ...  |
|                 |
|                 |

I did not use a password since I want to only touch the YubiKey when using SSH. Now I copied my public key over to my server. Tried SSH and the YubiKey is flashing. One tap and I am on my server. How cool is that!

I have to say this is pretty cool. I am still a bit bumped out that I can not use the Disvocerable Keys, but I do not want to spend another 50 Euros or more to get a second YubiKey.

If you have a YubiKey or any other FIDO2 standard security key give this a go.


❤️ Enjoy the newsletter?

Forward to a friend and let them know where they can subscribe (it is here).

Questions or feedback? Hit reply to send me a mail and say hello.

Have a great day!