{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigjxbn2rbznpncmpa2flzkgljjhlbvwxos6gzoilyit65vv3h5rva",
    "uri": "at://did:plc:hrmcjdks6yqnd6blyz33hrp4/app.bsky.feed.post/3mj2dys4we2b2"
  },
  "path": "/2026/04/thoughts-on-increasing-ssh-security-using-a-hardware-security-key/",
  "publishedAt": "2026-04-08T13:08:48.000Z",
  "site": "https://neilzone.co.uk",
  "tags": [
    "six year old issue in the Termux Github repo"
  ],
  "textContent": "I have been using hardware security keys (including YubiKeys and Titan keys) for FIDO2 and TOTP for a while, but not for ssh.\n\nAt the moment, I harden the ssh config on my servers, lock down access by IP address, and use password-protected certificates for authentication, blocking password-based authentication.\n\nSo I think that I do at least reasonably well as it is.\n\nBut I was interested to see if I could introduce a further aspect of security for ssh, using a security key.\n\nMy security keys support the generation of both resident and non-resident keys. Resident keys are stored in a slot on the YubiKey, while non-resident keys are stored on the client computer, but require the YubiKey.\n\nI picked non-resident.\n\nI set a passphrase as part of the ssh-keygen process, so, when it comes to using that key, I need to enter that passphrase _and_ insert and touch the security key.\n\nSo now someone would need:\n\n  * to be connected to the correct network\n  * to have a copy of my private key\n  * to know the passphrase for that private key\n  * to have one of my security keys (my main security key, and my backup security key)\n\nI can, I think, add a PIN to the YubiKey but, to date, I have not done this. Perhaps I should.\n\nHonestly, I was probably fine without this, but, well, I had the security keys, so why not.\n\nBut, while this works fine from my laptop, I can’t get it to work on my phone (GrapheneOS).\n\nAt the moment, I use Termux, and from there, I can ssh into my servers. But I can’t get Termux to use my *-sk keypair.\n\nThere is a six-year-old issue in the Termux Github repo which indicates that it might, at some point, be coming, and that would be welcome.\n\nApparently it can be done using a closed source tool, but since I’m only looking to use FOSS, that’s not on the cards for me.\n\nSo that is a bit of a pain, as it is convenient to be able to log in from my phone from time to time.",
  "title": "Thoughts on increasing ssh security using a hardware security key",
  "updatedAt": "2026-04-08T13:08:48.000Z"
}