Setting Up YubiKey for SSH on Windows 11
Prerequisites
- A YubiKey 5.7 (or later) security key with a user PIN activated for FIDO2 functionality
- Git installed and a GitHub repository
- GitHub CLI tool (gh)
- Administrator rights for ykman operations
Step 1: Install YubiKey CLI and GUI Tools, Set PIN for FIDO
Yubico offers two management tools; install either one with winget:
winget install Yubico.YubiKeyManagerCLI # Modern CLI tool: ykman
winget install Yubico.YubikeyManager # Deprecated GUI app (YubiKey Manager)
Run the following command in an administrative terminal to set or change your PIN:
ykman fido access change-pin
Alternatively, you can set the PIN using the YubiKey Manager GUI.
Step 2: Configure GPG Agent for SSH Support
Locate and edit (or create if missing) the following configuration file in your roaming AppData directory ($env:AppData already expands to ...\AppData\Roaming):
$env:AppData\gnupg\gpg-agent.conf
Alternatively, it may live under a .gnupg directory instead. Add or update the file with:
# Enable SSH support through GPG agent
enable-ssh-support
enable-win32-openssh-support
enable-putty-support
# Cache settings
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl-ssh 1800
max-cache-ttl-ssh 7200
# Use a standard socket for SSH control
use-standard-socket
Step 3: Generate an ED25519-SK SSH Key
Run the following command to generate an SSH key using the YubiKey:
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"
To generate multiple credentials on the same security key, give each one its own application string:
ssh-keygen -t ed25519-sk -O resident -O application=ssh:Description -C "Your Comment"
Replace Description with a unique identifier, such as your email.
Step 4: Verify Credentials
Run the following command in an elevated terminal to check stored credentials:
ykman fido credentials list
Example output:
Enter your PIN:
Credential ID RP ID Username Display name
50f... ssh: openssh openssh
Ensure that your SSH public key is added to your GitHub account for code signing and, optionally, for authentication (see the GitHub documentation). The default file name ssh-keygen uses for this key type is id_ed25519_sk:
gh ssh-key add ~/.ssh/id_ed25519_sk.pub --title "Key linked to YubiKey" --type signing
gh ssh-key add ~/.ssh/id_ed25519_sk.pub --title "Key linked to YubiKey" --type authentication
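To tie the file on disk to the entry shown by ykman, you can decode the public key yourself. The public half of an ed25519-sk key embeds the FIDO application (relying party ID) it was created for, which is the value in the "RP ID" column above ("ssh:" by default, or "ssh:Description" when -O application= was used). The following script is an added example, not part of the original post; it assumes the key was written to the default path ~/.ssh/id_ed25519_sk.pub.

```powershell
# Added example (not from the original post): decode the public half of an
# ed25519-sk key and show the FIDO application (relying party ID) baked into it.
# That string should match the "RP ID" column of `ykman fido credentials list`.
# Assumption: the key lives at the default path ~/.ssh/id_ed25519_sk.pub.

function Get-SkPublicKeyInfo {
    param([string]$Path = (Join-Path $HOME '.ssh\id_ed25519_sk.pub'))

    # A public key line is "<type> <base64 blob> [comment]".
    $parts = (Get-Content -Path $Path -Raw).Trim() -split '\s+', 3
    if ($parts[0] -ne 'sk-ssh-ed25519@openssh.com') {
        throw "Not an ed25519-sk key: $($parts[0])"
    }
    $blob = [Convert]::FromBase64String($parts[1])

    # The blob is a sequence of SSH strings: 4-byte big-endian length + bytes.
    # For sk-ssh-ed25519@openssh.com the order is: type, 32-byte Ed25519 key, application.
    $fields = @()
    $offset = 0
    while ($offset + 4 -le $blob.Length) {
        $len = ([int]$blob[$offset] -shl 24) -bor ([int]$blob[$offset + 1] -shl 16) -bor ([int]$blob[$offset + 2] -shl 8) -bor [int]$blob[$offset + 3]
        $offset += 4
        if ($offset + $len -gt $blob.Length) { throw 'Truncated key blob' }
        if ($len -gt 0) { $bytes = [byte[]]$blob[$offset..($offset + $len - 1)] } else { $bytes = [byte[]]@() }
        $fields += ,$bytes
        $offset += $len
    }
    if ($fields.Count -ne 3) { throw "Unexpected field count: $($fields.Count)" }

    $comment = ''
    if ($parts.Count -gt 2) { $comment = $parts[2] }

    [pscustomobject]@{
        Type        = [Text.Encoding]::ASCII.GetString($fields[0])
        KeyBytes    = $fields[1].Length          # 32 for Ed25519
        Application = [Text.Encoding]::ASCII.GetString($fields[2])
        Comment     = $comment
    }
}

Get-SkPublicKeyInfo | Format-List
```

The Application value printed here is what OpenSSH sends to the YubiKey as the relying party at every authentication, so if it does not match an RP ID in the ykman listing, the resident credential for this .pub file is not on the key you are holding.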
Step 5: Test SSH Authentication
If you added the key to GitHub as an authentication key, test the connection:
ssh -i "C:\Users\User\.ssh\id_ed25519_sk" -T git@github.com
Expected output:
Confirm user presence for key ED25519-SK
SHA256:J...
User presence confirmed
Hi username! You've successfully authenticated, but GitHub does not provide shell access.
Step 6: Configure Git for Signed Commits
Set up your repository for commit signing:
git config --local user.name "your_username"
git config --local user.email "your_username@users.noreply.github.com"
git config --local commit.gpgsign true
git config --local gpg.format ssh
git config --local user.signingkey "C:/Users/Username/.ssh/id_ed25519_sk"
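Signing is only half of the setup; to check signatures locally, Git needs an "allowed signers" file that maps a principal (here the commit email) to the public key, otherwise git log --show-signature can only report that no principal matched. The following script is an added example, not part of the original post. It assumes the public key is at ~/.ssh/id_ed25519_sk.pub, that user.email is already set as in this step, and that it is run inside the repository.

```powershell
# Added example (not from the original post): make signed commits verifiable
# on your own machine via git's gpg.ssh.allowedSignersFile setting.
# Assumptions: public key at ~/.ssh/id_ed25519_sk.pub, user.email configured,
# commands run inside the repository.

function Enable-SshCommitVerification {
    param(
        [string]$PublicKeyPath  = (Join-Path $HOME '.ssh\id_ed25519_sk.pub'),
        [string]$AllowedSigners = (Join-Path $HOME '.ssh\allowed_signers')
    )
    $email = git config --get user.email
    if (-not $email) { throw 'user.email is not configured' }

    # allowed_signers format: "<principal> <key type> <base64 key>"; the comment is dropped.
    $keyParts = (Get-Content -Path $PublicKeyPath -Raw).Trim() -split '\s+'
    $entry = "$($email.Trim()) $($keyParts[0]) $($keyParts[1])"

    # Append only if this key is not already listed.
    $already = $false
    if (Test-Path $AllowedSigners) {
        $already = Select-String -Path $AllowedSigners -SimpleMatch -Pattern $keyParts[1] -Quiet
    }
    if (-not $already) { Add-Content -Path $AllowedSigners -Value $entry }

    # The allowed signers file is per user, so set it globally.
    git config --global gpg.ssh.allowedSignersFile $AllowedSigners
}

function Test-SignedCommit {
    param([string]$Revision = 'HEAD')
    # Exit code 0 only when the signature is valid AND the key maps to a principal.
    git verify-commit $Revision 2>&1 | Out-String | Write-Host
    return ($LASTEXITCODE -eq 0)
}

Enable-SshCommitVerification
git commit --allow-empty -m "Test signed commit"   # the YubiKey asks for PIN and touch
Test-SignedCommit
```

Test-SignedCommit returns $true for a good signature; a commit signed with a key that is not in the allowed signers file, or tampered with after signing, returns $false even though the commit itself is fine.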
Step 7: Update SSH Config File
Edit ~/.ssh/config to streamline authentication. I recommend listing the YubiKey-backed key after your primary key, so that the primary key is tried first and you are not asked to touch the key on every git fetch:
Host github.com
User git
Port 22
IdentitiesOnly yes
PreferredAuthentications publickey
PasswordAuthentication no
# Primary key for Git operations
IdentityFile ~/.ssh/id_ed25519.home
# Additional key, if added to GitHub as an authentication key (ssh_config does not allow trailing comments on a line)
IdentityFile ~/.ssh/id_ed25519_sk
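You can confirm what ssh will actually do for github.com without connecting: ssh -G prints the effective configuration after ~/.ssh/config has been applied (and fails loudly if the file is malformed), so you can check that IdentitiesOnly is on and that the YubiKey-backed key comes after the primary key. The following is an added example, not part of the original post; it assumes the key file names used in the config above.

```powershell
# Added example (not from the original post): inspect the effective ssh
# configuration for a host with `ssh -G` and check the identity order.
# Assumption: key file names as in the ~/.ssh/config shown above.

function Get-EffectiveSshIdentities {
    param([string]$HostName = 'github.com')
    $cfg = & ssh -G $HostName
    [pscustomobject]@{
        IdentitiesOnly = ($cfg | Where-Object { $_ -match '^identitiesonly ' }) -replace '^identitiesonly ', ''
        IdentityFiles  = @($cfg | Where-Object { $_ -match '^identityfile ' } | ForEach-Object { $_ -replace '^identityfile ', '' })
    }
}

function Test-SkKeyIsFallback {
    param(
        [string]$PrimaryKey = '~/.ssh/id_ed25519.home',
        [string]$SkKey      = '~/.ssh/id_ed25519_sk'
    )
    $eff   = Get-EffectiveSshIdentities
    $files = [string[]]$eff.IdentityFiles
    $i = [array]::IndexOf($files, $PrimaryKey)   # -1 if not listed
    $j = [array]::IndexOf($files, $SkKey)
    # True only when IdentitiesOnly is on, both keys are listed, and the SK key comes later.
    return ($eff.IdentitiesOnly -eq 'yes' -and $i -ge 0 -and $j -gt $i)
}

Get-EffectiveSshIdentities
Test-SkKeyIsFallback
```

If Test-SkKeyIsFallback returns $false, the usual causes are a typo in a Host block (ssh -G then shows the defaults, such as ~/.ssh/id_rsa) or the two IdentityFile lines in the wrong order.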
Step 8: Verify Git Authentication
Try pulling from your repository:
git pull
Expected output:
Confirm user presence for key ED25519-SK
SHA256:...
User presence confirmed
Already up to date.
You will see the same touch prompt when committing, since each commit is signed with the key.
This guide ensures secure SSH authentication using YubiKey on Windows.