SSH MFA with Yubikey
FIDO2 method with MFA
Requirements
OpenSSH version 8.2 or later on both the client and server since FIDO2 is required (check with ssh -V).
Yubikey firmware 5.2.3 or later (check with lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}')
Install the required package
sudo apt install libfido2-dev
Generate your key
ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%Y-%m-%d')-yubikey1"
Copy your key to your remote host
ssh-copy-id user@remotehost
Now you will need your private key AND the Yubikey to connect to a remote host.
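That guarantee applies only to this key: an ordinary key still listed in the server's ~/.ssh/authorized_keys logs in without the Yubikey, and the no-touch-required option on an sk key removes the touch. The script below is an added example, not part of the original guide, that audits an authorized_keys file for such entries. The function names (classify_keys, sample_keys) and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Audits authorized_keys entries for ways to log in without the Yubikey.

# classify_keys [FILE]  (reads stdin when FILE is omitted)
# Prints "<line-no> <verdict> <key-type>" for every key entry:
#   OK       FIDO2-backed (sk-*) key, touch enforced
#   NOTOUCH  sk-* key with the "no-touch-required" option set
#   SOFT     ordinary key, usable without any hardware token
classify_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        type = ""; opts = ""
        # Options can contain quoted spaces, so locate the key type as the
        # first algorithm name that is followed by a base64 blob (AAAA...).
        for (i = 1; i < NF; i++) {
            if ($i ~ /^(sk-)?(ssh-|ecdsa-sha2-)[A-Za-z0-9@.-]+$/ &&
                $(i + 1) ~ /^AAAA/) { type = $i; break }
            opts = opts " " $i
        }
        if (type == "")            verdict = "UNPARSED"
        else if (type !~ /^sk-/)   verdict = "SOFT"
        else if ((opts " ") ~ /[ ,]no-touch-required[ ,]/) verdict = "NOTOUCH"
        else                       verdict = "OK"
        print NR, verdict, (type == "" ? "-" : type)
    }' "$@"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# authorized_keys (constructed sample)
sk-ssh-ed25519@openssh.com AAAAEXAMPLE1 laptop-2024-01-01-yubikey1
ssh-ed25519 AAAAEXAMPLE2 old-laptop
no-touch-required sk-ssh-ed25519@openssh.com AAAAEXAMPLE3 ci-runner
command="/usr/bin/backup --all",restrict ssh-rsa AAAAEXAMPLE4 backup
EOF
}

sample_keys | classify_keys
```

To audit a real file, run classify_keys ~/.ssh/authorized_keys on the server; any line not marked OK can authenticate without a touch of the Yubikey.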
Yubikey-agent method
Set up yubikey-agent from here. If you need a guide for setting that up, please let me know.
When it's up and running you can add an entry like this to your ~/.ssh/config file.
Host myservername
    HostName hostname/IP address
    User myremoteuser
    IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
Then, when you run ssh myservername, it will prompt you for your Yubikey PIN and then ask you to touch your key.