Github の SSH で Yubikey を使ってみた話

 $  ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021

 $  pacman -Q libfido2
libfido2 1.7.0-2

 $  ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/taiki/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/taiki/.ssh/id_ecdsa_sk
Your public key has been saved in /home/taiki/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:tQxv05Ou9kXmQHpxXz7o6KHyx/OCRG9l+bthiZpRBh0 taiki@echo
The key's randomart image is:
+-[ECDSA-SK 256]--+
|             E   |
|            . .  |
|        . ..o.o .|
|         * =.B.o.|
|        S O O++.o|
|         o *=*..o|
|        . ++.oo+.|
|       . .+*=....|
|        o+o==. ..|
+----[SHA256]-----+

 $  ssh-add ~/.ssh/id_ecdsa_sk
Enter passphrase for /home/taiki/.ssh/id_ecdsa_sk:
Identity added: /home/taiki/.ssh/id_ecdsa_sk

 $  ssh-keygen -t ecdsa-sk -O resident
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: requested feature not supported

 $  ykman info
Device type: YubiKey 5 NFC
Firmware version: 5.1.1
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
OATH            Enabled         Enabled
YubiHSM Auth    Not available   Not available
OpenPGP         Enabled         Enabled
PIV             Enabled         Disabled