I tried this on my macbook pro today - latest OS version. First I installed openssh with brew. Then I found I could barely get the new ssh key working with GitHub, frequently getting `sign_and_send_pubkey: signing failed for ECDSA-SK / invalid format` errors while trying to commit and not actually being prompted to press the Yubikey, despite it being plugged in and ready. I keep my mini Yubikey USB-C in my laptop persistently which I wonder could be the issue.

Anybody else having similar issues?

I don't understand - what's the new feature here? Yubikeys have always supported SSH authentication, and you have always been able to use that for git. What is the new functionality that Github has added?

Other than being a random untrusted USB device, is there any reason to not use the cheapest generic U2F device you can find?

I've been wanting to start using them for a while, but yubikeys are too expensive for me to get a bunch of.

Does anyone know if there is a way to have ssh just use the security key without having to have the key files on disk?

I work from several computers and VMs. It is somewhat of a pain to have to generate and register keys for each computer and VM. It would be nice if I could just generate the ssh key once on my security key and use that everywhere.

This looks like an SSH client feature that is invisible to the server. Does the server operator (GitHub) even have to do anything?

I use Secretive to authenticate to SSH (including GitHub) with my Mac’s TouchID. Feels like this is (almost) as secure, while being more convenient (no extra hardware required). Of course it is a Mac-only solution.

I just made a suggestion to dasKeyboard that they put a place to dock your Yubikey on top of their keyboards, since people will be touching them much more often now.

I'm going to ask a naive but honest question: what is the security benefit of a piece of "key-hardware" over a passphrase protected key stored on a "normal" storage device?

I understand that for someone that moves between multiple physical machines it may be a benefit of convenience, but what threat vector does a physical key eliminate that exists for passphrased "normal" SSH keys?

Maybe I miss something, but I have been using yubikeys (or any pgp key for that matter) for SSH and git since many years already through `gpg-agent --enable-ssh-support`.

PATs are still superior to SSH keys because 1) PATs allow more fine-grained access control 2) HTTPS is more widely available through firewalls and proxies 3) SSH without certificates is more vulnerable to MITM than HTTPS (with certificates) 4) it's easier to specify different PATs for different remote repos than it is different SSH config aliases for different remote repos. Yet people still prefer SSH because........ ?

And since the SSH private key used in this way is merely a pointer to a security token, it doesn't matter if it gets compromised. This is an interesting way to continue the status quo of not explaining to users how to create SSH keys using the new SSH key format (which prevents password cracking vulnerabilities in the old key format).