How to use your YubiKey (private key) to log in to your Linux servers
Welcome to our comprehensive guide on setting up a YubiKey for secure SSH login to Linux servers. In today’s digital landscape, ensuring robust authentication methods is paramount, and YubiKey provides an excellent solution by combining convenience with strong security. Whether you’re new to YubiKey or looking to enhance your server’s security posture, this tutorial will walk you through the step-by-step process of configuring and using YubiKey for SSH authentication.
By the end of this guide, you’ll have a solid understanding of how to integrate YubiKey into your SSH workflow, adding an extra layer of protection against unauthorized access while simplifying your login process. Let’s dive in and secure your Linux servers with YubiKey!
Prerequisites
Hardware:
- YubiKey
- Laptop or desktop (USB port necessary) with Linux (Ubuntu in my case)
Software:
- openssl
- yubikey-manager
Let’s install all necessary software:
| sudo apt install openssl yubikey-manager -y |
Create a private key and store it in the YubiKey:
On your workstation, with the YubiKey inserted, type the following command in a terminal (the example uses straight quotes; copy-pasted curly quotes would break the -C argument):
| ssh-keygen -t ed25519-sk -O resident -O application=ssh:COMPANY -C "username@domain.com" -f ~/.ssh/id_company_sk |
Command explanation:
| Option | Meaning |
| -t ed25519-sk | Generate a hardware-backed SSH key using the YubiKey's FIDO2 interface. |
| -O resident | Store the key on the YubiKey itself so it can be retrieved later (e.g., if the file is lost). |
| -O application=ssh:COMPANY | Assign a custom application string (ssh:COMPANY) as the Relying Party ID. Useful for namespacing and managing multiple keys. |
| -C "username@domain.com" | Add a comment to help identify the key when viewing the public key or using key agents. |
| -f ~/.ssh/id_company_sk | Set the output path for the private key stub and the matching public key (.pub). |
When you run the above ssh-keygen command, it creates two files in your ~/.ssh/ directory:
id_company_sk (Private Key Stub)
- This is not a traditional private key file.
- It’s a reference file (stub) that tells your SSH client how to interact with your YubiKey.
- It contains metadata that identifies the resident key stored on your YubiKey and allows SSH to communicate with it when authenticating.
- The real private key never leaves your YubiKey — it’s securely stored and unlocked via touch and optional PIN.
id_company_sk.pub (Public Key)
- This is your public SSH key.
- You copy this to remote servers to grant access.
- It includes the comment you added with the -C flag.
Recreate stub and public key
If you lose your stub and public key, you can recreate them from the resident key with the following command. It writes the files into the current directory and will ask for the YubiKey's FIDO PIN if one is set:
| ssh-keygen -K |
List private key inside your YubiKey
You can list the SSH private keys in your YubiKey with the following command:
| ykman fido credentials list |
Delete a private key inside your YubiKey
You can delete a key from your YubiKey with the following command:
| ykman fido credentials delete ssh:COMPANY |
Copy public key and configuration SSH on Linux Server
Now that we have our YubiKey-backed public key and its corresponding stub file in place, it’s time to configure the Linux server to accept it. We’ll manually add the public key to the user’s authorized key and adjust the SSH daemon settings to enforce key-based authentication. Let’s walk through it step by step.
Manually append the contents of id_company_sk.pub (a single line) on the server to the user's:
| ~/.ssh/authorized_keys |
sshd ignores this file if it is too permissive, so ~/.ssh should be mode 700 and authorized_keys mode 600, both owned by the user.
On the server:
| sudo nano /etc/ssh/sshd_config |
Add the following lines, or uncomment them if they are already present:
| PubkeyAuthentication yes |
| AuthorizedKeysFile .ssh/authorized_keys |
To harden the security (this disables password logins entirely, so make sure the key login works before closing your current session):
| PermitRootLogin no |
| PasswordAuthentication no |
| ChallengeResponseAuthentication no |
Newer OpenSSH releases call the last option KbdInteractiveAuthentication; the old name is still accepted as an alias.
Restart the SSH daemon (the unit is named ssh on Ubuntu and Debian; most other distributions call it sshd):
| sudo systemctl restart ssh |
Now, when you log in with the following command, SSH should ask you to insert the YubiKey and touch it (and enter the FIDO PIN, if you set one):
| ssh -i ~/.ssh/id_company_sk user@your-server |
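The application string from -O application=ssh:COMPANY is embedded in the public key itself, so an administrator can audit a server's authorized_keys file and confirm that every entry is a FIDO key bound to the company application rather than a plain software key. The following script is an added example (not part of the original post); it builds a constructed authorized_keys file with a dummy 32-byte public key, decodes the sk-ssh-ed25519@openssh.com blob and flags any non-conforming entries.

```python
import base64
import struct

# Constructed stand-in for a 32-byte Ed25519 public key; not a real key.
SAMPLE_PUBKEY = bytes(range(32))

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 length prefix plus payload."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(key_type: str, comment: str, application=None) -> str:
    """Build a constructed authorized_keys line. FIDO ('sk-') keys carry the
    application string as the last field of the blob, as ssh-keygen writes it."""
    blob = ssh_string(key_type.encode()) + ssh_string(SAMPLE_PUBKEY)
    if application is not None:
        blob += ssh_string(application.encode())
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_authorized_key(line: str) -> dict:
    """Decode one authorized_keys line (without an options prefix) and return
    its key type, application (None for software keys) and comment."""
    fields = line.split(None, 2)
    key_type, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    parts, offset = [], 0
    while offset < len(blob):                     # walk the wire-format strings
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        parts.append(blob[offset:offset + length])
        offset += length
    if parts[0].decode() != key_type:
        raise ValueError("key type inside blob does not match the text field")
    application = parts[-1].decode() if key_type.startswith("sk-") else None
    return {"type": key_type, "application": application, "comment": comment}

def audit_authorized_keys(text: str, expected_app: str = "ssh:COMPANY") -> list:
    """Return (line_no, reason) for every key that is not a FIDO key bound to expected_app."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        info = parse_authorized_key(line)
        if info["application"] is None:
            findings.append((n, f"software key ({info['type']})"))
        elif info["application"] != expected_app:
            findings.append((n, f"unexpected application {info['application']!r}"))
    return findings

# Constructed sample file: one compliant key, one software key, one key from another application.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    build_pubkey_line("sk-ssh-ed25519@openssh.com", "username@domain.com", "ssh:COMPANY"),
    build_pubkey_line("ssh-ed25519", "old-laptop"),
    build_pubkey_line("sk-ssh-ed25519@openssh.com", "username@home", "ssh:personal"),
])

if __name__ == "__main__":
    for line_no, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {reason}")
```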
SSH login with YubiKey - 18 May 2025 - Christopher