Displaying 2 results from an estimated 2 matches for "work_ed25519".
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
...tiple sk keys, eg you might want a different key per job.
You do need to export part of the private key onto the client node: `ssh-keygen -K` covers this.
Then a typical workflow for me involves signing some other key which will be used for certificate authentication:
```
ssh-keygen -s ~/.ssh/sk/work_ed25519_sk -I tim@<localhost> -n work -V -5m:+8h ~/.ssh/certkeys/work_ed25519
```
That creates a cert which will be valid for eight hours. The remote servers are configured to accept certs signed by my yubikey together with the principal name of "work".
The benefit of this approach is the...
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO