1. 30
  1. 2
     * ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
       a PKCS11Provider; bz#3141

    Well, this one is good to see, as that used to be pretty annoying, although I’ve now switched to yubikey-agent to not have to deal with the PKCS#11 implementation anymore.

    1. 2

      What does the yubikey-agent get you that isn’t native to OpenSSH >= 8.2?

      It seems like the yubikey-agent stuff was a fill-gap for older versions of OpenSSH that didn’t support FIDO out of the box, or maybe I am missing something?

      1. 4

        It’s absolutely a fill-gap, because FIDO support requires OpenSSH >= 8.2 on both sides of the connection. There’ll be a long tail of servers running older OpenSSH, and it’s nice to have a solution for people stuck connecting to them. For example, Ubuntu 18.04 is supported until April 2023 with extended support until April 2028, and uses OpenSSH 7.6.

        1. 5

          Cool, I basically live on OpenBSD current, so I have had this (both ends) for some time now. Would be handy for github though!

          1. 3

            Right, exactly this. I have personal servers running sshd that ships with the OS that aren’t yet on 8.2+, and similar for work.

            My employer gives all employees a YubiKey but our servers run Debian and we don’t backport newer OpenSSH versions, so yubikey-agent allows me to have an easy way to use it without the complicated and slightly flaky PKCS#11 setup.

            Another advantage of yubikey-agent is it allows you to re-plug your YubiKey and it doesn’t break. The stock ssh-agent (combined with OpenSC) generally stops working if the YubiKey is unplugged and it’s fiddly to get it working again.
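Following the point made above that FIDO-backed keys need OpenSSH 8.2 on both ends of the connection, here is an added example (not code from this thread, from OpenSSH or from yubikey-agent) of a small POSIX sh check that reads a server's SSH version banner and reports whether an ed25519-sk/ecdsa-sk key can be offered to it, or whether that host still needs a non-FIDO path such as a PIV/PKCS#11 key via yubikey-agent. The hostnames and banner lines are constructed sample data; the banner layout (`SSH-2.0-OpenSSH_<major>.<minor>...`) and the 8.2 threshold are the assumptions it rests on.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: gate FIDO ("-sk") key
# use on the server's advertised OpenSSH version. ecdsa-sk/ed25519-sk support
# arrived in OpenSSH 8.2 and is needed on both client and server (assumption
# taken from the thread above); an older sshd simply rejects those key types.

# Extract "7.6" from "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3".
# Prints nothing and returns 1 for non-OpenSSH or unparseable banners.
openssh_version() {
    # $1: one banner line as read from the server
    v=$(printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Returns 0 if the banner's OpenSSH version is >= 8.2, 1 otherwise.
# Banners we cannot parse (dropbear, proprietary appliances) are treated
# conservatively as "no", since we cannot assume FIDO support there.
sk_supported() {
    v=$(openssh_version "$1") || return 1
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt 8 ] && return 0
    [ "$major" -eq 8 ] && [ "$minor" -ge 2 ] && return 0
    return 1
}

# Constructed sample inventory: "hostname   banner", in the shape a simple
# fleet scan (e.g. `nc host 22 </dev/null | head -n 1` per host) would give.
SAMPLE_BANNERS='bionic.example    SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
focal.example     SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
buster.example    SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
openbsd.example   SSH-2.0-OpenSSH_8.4
appliance.example SSH-2.0-dropbear_2019.78'

# Print one line per host: "sk-ok" when a FIDO key can be used directly,
# "needs-agent" when the host must be reached with a PIV/PKCS#11-backed key
# (e.g. through yubikey-agent) instead.
classify_fleet() {
    printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r line; do
        host=${line%% *}
        banner=${line#* }
        banner=${banner#"${banner%%[! ]*}"}   # strip the padding spaces
        if sk_supported "$banner"; then
            printf '%s sk-ok\n' "$host"
        else
            printf '%s needs-agent\n' "$host"
        fi
    done
}

classify_fleet
```

The version check only tells you the server *can* accept sk key types; it does not prove the particular key will be authorized, and a fleet that sets `VersionAddendum` still prefixes the real OpenSSH version, so the parser keeps working. On the client side, `ssh -Q key` lists the key types your own ssh build supports, which is the other half of the "both sides" requirement.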