Bugfixes
--------
* ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
a PKCS11Provider; bz#3141
Well this one is good to see as that used to be pretty annoying, although I’ve now switched to yubikey-agent to not have to deal with the PKCS#11 implementation anymore.
What does the yubikey-agent get you that isn’t native to OpenSSH >= 8.2?
It seems like the yubikey-agent stuff was a fill-gap for older versions of OpenSSH that didn’t support FIDO out of the box, or maybe I am missing something?
It’s absolutely a fill-gap, because FIDO support requires OpenSSH >= 8.2 on both sides of the connection. There’ll be a long tail of servers running older OpenSSH, and it’s nice to have a solution for people stuck connecting to them. For example, Ubuntu 18.04 is supported until April 2023 with extended support until April 2028, and uses OpenSSH 7.6.
Cool, I basically live on OpenBSD current, so I have had this (both ends) for some time now. Would be handy for GitHub though!
Right, exactly this. I have personal servers running sshd that ships with the OS that aren’t yet on 8.2+, and similar for work.
My employer gives all employees a YubiKey but our servers run Debian and we don’t backport newer OpenSSH versions, so yubikey-agent allows me to have an easy way to use it without the complicated and slightly flaky PKCS#11 setup.
Another advantage of yubikey-agent is it allows you to re-plug your YubiKey and it doesn’t break. The stock ssh-agent (combined with OpenSC) generally stops working if the YubiKey is unplugged and it’s fiddly to get it working again.