
Simple `how to` for my dumb arse on how to use my YubiKey with SSH.

SSH access to rlab servers requires a YubiKey. No YubiKey = no access.

Prerequisites

  • YubiKey 5 Series plugged in
  • yubikey-manager is installed (ykman command is available)
  • openssh-sk-dummy is installed too (for Fedora: sudo dnf install openssh-sk-dummy)
  • Access to the server you want to test the connection with (in this case pve-1).

Setting up YubiKey SSH on a server.

Simply run:

curl https://docs.rlab.uk/init.sh | bash

The init script (found at scripts/init.sh) does a few useful bits.

The bits relevant to me are setting up the service accounts [terraform and ansible] and my (ru4en) user account.

All these accounts share the same KEY (TODO: maybe we should move away from this philosophy).

Anyway, the keys are at the top of the init file in master_key and yubi_key. So if you fuck it up, change them there and re-run the script on all the instances we previously ran it on.

Setting up on a new client machine

1. Check the YubiKey

List all credentials on the YubiKey:

ykman fido credentials list

Look for an entry with RP ID ssh:rlab.

Do not generate a new key if ssh:rlab already exists: generating a new key burns a new resident credential slot and invalidates the public key on every server.


Pull the existing credential from the YubiKey onto this machine:

cd ~/.ssh
ssh-keygen -K

You should now have:

~/.ssh/
├── id_ed25519_sk_rk_rlab
├── id_ed25519_sk_rk_rlab.pub
└── known_hosts

2. Generate a new key (only if ssh:rlab does not exist yet)

rm -f ~/.ssh/id_ed25519_sk_rk_rlab*

ssh-keygen -t ed25519-sk -O resident -O application=ssh:rlab \
  -f ~/.ssh/id_ed25519_sk_rk_rlab -C "yubikey-ssh"

cat ~/.ssh/id_ed25519_sk_rk_rlab.pub

You must now update authorized_keys on every rlab server, and the server init script, with the new public key; otherwise you will be locked out.

Add the public key via the PVE web console:

echo 'sk-ssh-ed25519@openssh.com AAAA...' > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

That lets you test that it works, but REMEMBER TO add the key to the init file and run it on all servers too.

3. Test the connection

ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_sk_rk_rlab ru4en@pve-1.rlab.uk

Touch the YubiKey when it blinks. You should get a shell.
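The client-side steps above (check for an existing ssh:rlab credential, pull it rather than generating a new one, then put the public key on the server) rolled into one helper script. This is an added example, not part of this page or the rlab init script. It assumes that `ykman fido credentials list` prints the RP ID as a whitespace-separated column, and the function names (decide_action, add_authorized_key) are made up for this example. The authorized_keys helper appends instead of using `>`, so it cannot truncate a file that already holds other keys, and it refuses anything that is not an sk-ssh-ed25519 key.

```shell
#!/bin/sh
# Added example (not from the original page): defensive client-side setup for
# the rlab YubiKey SSH key. Helpers are plain functions so they can be sourced
# and exercised without a YubiKey attached.
set -eu

KEY_PATH="${HOME}/.ssh/id_ed25519_sk_rk_rlab"
RP_ID="ssh:rlab"

# Return 0 if a credential listing on stdin (ykman fido credentials list output,
# assumed to show the RP ID as its own column) contains the given RP ID token.
listing_has_rp() {
  grep -qE "(^|[[:space:]])${1}([[:space:]]|$)"
}

# Decide what to do with the listing passed as $1:
# "pull" when ssh:rlab is already on the key (never burn another slot),
# "generate" when it is not.
decide_action() {
  if printf '%s\n' "$1" | listing_has_rp "$RP_ID"; then
    echo pull
  else
    echo generate
  fi
}

# Only accept the key type a resident ed25519-sk credential produces.
is_sk_ed25519_pubkey() {
  case "$1" in
    "sk-ssh-ed25519@openssh.com "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append a public key line to an authorized_keys file unless it is already
# there. Prints "added" or "present". Uses >> on purpose: '>' would wipe
# every other key in the file.
add_authorized_key() {
  file="$1"
  key="$2"
  is_sk_ed25519_pubkey "$key" || { echo "refusing: not an sk-ssh-ed25519 key" >&2; return 1; }
  mkdir -p "$(dirname "$file")"
  touch "$file"
  chmod 600 "$file"
  if grep -qxF "$key" "$file"; then
    echo present
  else
    printf '%s\n' "$key" >> "$file"
    echo added
  fi
}

# The full client procedure from the page, driven by decide_action.
main() {
  listing="$(ykman fido credentials list)"
  action="$(decide_action "$listing")"
  mkdir -p "${HOME}/.ssh"
  cd "${HOME}/.ssh"
  case "$action" in
    pull)
      echo "ssh:rlab already on the YubiKey, pulling it (touch the key when it blinks)"
      ssh-keygen -K ;;
    generate)
      echo "no ssh:rlab credential found, generating a new resident key"
      rm -f "$KEY_PATH" "${KEY_PATH}.pub"
      ssh-keygen -t ed25519-sk -O resident -O "application=${RP_ID}" \
        -f "$KEY_PATH" -C "yubikey-ssh" ;;
  esac
  echo "public key to put in authorized_keys AND the init script:"
  cat "${KEY_PATH}.pub"
}

# Run the real procedure only when asked for explicitly (./yubi-setup.sh --run),
# so sourcing the file for its helpers never touches the YubiKey.
if [ "${1:-}" = "--run" ]; then main; fi
```

On the server side, `add_authorized_key ~/.ssh/authorized_keys "$(cat ~/.ssh/id_ed25519_sk_rk_rlab.pub)"` pasted into the PVE console does what the echo above does, minus the risk of overwriting keys that are already there.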


Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| FIDO_ERR_NO_CREDENTIALS | Key handle doesn't match a YubiKey slot | Re-run ssh-keygen -K, or generate a new key |
| device not found | openssh-sk-dummy not installed | sudo dnf install openssh-sk-dummy |
| Permission denied (publickey) | Public key not on the server | Update authorized_keys via the PVE console |
| Multiple keys pulled by ssh-keygen -K | Multiple resident slots exist | Use id_ed25519_sk_rk_rlab specifically |
| Want to remove all loaded identities (for debugging) | | ssh-add -D removes all identities from the agent; just something I found useful |