I recently got a YubiKey to manage my PGP keys so I can reduce my attack surface and use the same private key on multiple computers without copying it or exposing it to a host machine. Today I decided to use the YubiKey's PIV module for SSH as well as GPG, following this guide.
While generating the SSH keys went off largely without a hitch (I had trouble accessing PIV for a while because I forgot to install ykcs11), I found that actually using the key with my ssh-agent was a bit uncomfortable: I had to run `ssh-add -s /usr/local/lib/libykcs11.so` to load it into my ssh-agent before I could use it to connect to anything. Making that command run on login wasn't particularly elegant either, because it meant I had to enter the PIN for my SSH keys even if I had no intention of using SSH at the moment. I looked on SuperUser for a while, but didn't find any particularly useful results that achieved the elegance I wanted.

After trying to put `IdentityFile /usr/local/lib/libykcs11.so` in my SSH config just to see if it would work (it did not, because a smartcard is not a key file), I thought that if the `IdentityFile` option exists, there has to be one for smart cards too. After reading through the SSH docs for a while, I discovered it was `SmartcardDevice`.

So, if you too want to use your YubiKey's PIV module to authenticate SSH sessions without having to manually add it to ssh-agent or unlock it at an inconvenient time, add the following to your `~/.ssh/config` file and replace the path with the path where libykcs11 is installed on your system (this example is from my Arch Linux machine):
```
Host *
    SmartcardDevice /usr/local/lib/libykcs11.so
```
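As an added example (not from the original post), the same setting scoped to only the hosts that actually authenticate with the token, so the PIN prompt appears for those connections and no other. `PKCS11Provider` is the current name of this option in OpenSSH, with `SmartcardDevice` kept as an alias; the hostnames and the library path are assumptions for illustration.

```sshconfig
# Only these hosts present the PIV key; ssh never opens the token for anything else.
Host bastion.example.com git.example.com
    PKCS11Provider /usr/local/lib/libykcs11.so

# Every other host keeps the default behaviour (plain key files / ssh-agent).
Host *
    # intentionally no PKCS11Provider here
```

`ssh -G bastion.example.com | grep -i pkcs11provider` prints the value ssh will actually use for that host, which is a quick way to confirm that only the intended hosts touch the token.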