Resident keys?

Ron Frederick ronf at
Wed Feb 19 03:16:01 AEDT 2020

On Feb 18, 2020, at 12:46 AM, Gabriel Kihlman <gk at> wrote:
>> I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to
>> make a difference. I still got the same error after successfully
>> changing the PIN.
> That PIN is for the PIV application on the yubikey.
> Use "ykman fido set-pin" instead using the Yubikey Manager.

Ah - that was it, thanks very much!

After setting the PIN this way, I was able to get “ssh-keygen -K” and “ssh-add -K” to work, and was also about to use “ykman fido list” to see the list of installed resident keys.

With OpenSSH, is there a way to use a resident key without actually reading it out of the token if you provide the username and application to identify which key you want to use, or do you need to actually provide the PIN every time? I understand you can use ssh-agent to mitigate this and only provide the PIN when loading the keys into the agent, but generally that would still mean providing the PIN every time you signed on to the machine running the SSH client. I’m just wondering if there are any options to be able to use  a key with only physical access to it.
Ron Frederick
ronf at

More information about the openssh-unix-dev mailing list