Security of ssh across a LAN, public key versus password
David Lang
david at lang.hm
Tue Oct 22 08:50:26 AEDT 2024
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
server, instead it looks like a public/private key that's unlocked with a touch,
possibly storing the private key on the hardware dongle (but it seems like
there's still a key you need to put on the client system).
Quoting from the yubikey website:
OpenSSH version 8.2p1 added support for FIDO hardware authenticators. FIDO
devices are supported by the public key types "ecdsa-sk" and "ed25519-sk", along
with corresponding certificate types.
It then goes on to talk about generating the key with ssh-keygen
I could easily be missing something about this.
David Lang
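An added example, not part of the original message or of OpenSSH itself, showing the server-side view of the key types quoted above: a small POSIX shell audit that reads an authorized_keys file and reports which entries are FIDO-backed (the "sk-" key types that the ecdsa-sk and ed25519-sk ssh-keygen types produce) versus ordinary software keys, and flags hardware entries whose options waive the touch. The sample authorized_keys content and its key blobs are constructed placeholders; the key-type names, the ssh-keygen flags and the sshd option mentioned in the comments are OpenSSH's own.

```shell
#!/bin/sh
# Audit an authorized_keys file for hardware-backed (FIDO) keys.
#
# Client side, for reference (needs a FIDO token, so not run here):
#   ssh-keygen -t ed25519-sk -O resident -O verify-required   # key handle on the token, PIN required
#   ssh-keygen -K                                            # download resident key handles to a new client
# The file ssh-keygen writes on the client is a key handle, not the private key;
# the private key never leaves the authenticator.
# Server side: "PubkeyAuthOptions verify-required" in sshd_config, or per-key
# options in authorized_keys (verify-required, no-touch-required).

# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 laptop-software-key
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER2 yubikey-ed25519-sk
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER3 yubikey-no-touch
verify-required,command="/usr/bin/backup" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER4 yubikey-pin
# comment line
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER5 old-rsa-key'

# key_kind LINE
# Prints one of: skip (blank/comment), unknown (no key type found),
# software (plain ssh-*/ecdsa-* key), hardware (sk-* key),
# hardware-no-touch (sk-* key whose options include no-touch-required).
key_kind() {
  printf '%s\n' "$1" | awk '
    NF == 0 || $1 ~ /^#/ { print "skip"; exit }
    {
      # The key type is the first field that looks like one; anything before it
      # is the options string (which may contain quoted spaces, e.g. command="...").
      type = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(sk-)?(ssh-|ecdsa-)/) { type = $i; break }
      }
      if (type == "") { print "unknown"; exit }
      prefix = ""
      for (j = 1; j < i; j++) prefix = prefix " " $j
      if (type ~ /^sk-/) {
        if (prefix ~ /(^|[ ,])no-touch-required([ ,]|$)/) print "hardware-no-touch"
        else print "hardware"
      } else {
        print "software"
      }
    }'
}

# audit_authorized_keys  (reads authorized_keys lines on stdin)
# Prints a one-line summary of how many keys fall into each class.
audit_authorized_keys() {
  sw=0; hw=0; nt=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$(key_kind "$line")" in
      software) sw=$((sw + 1)) ;;
      hardware) hw=$((hw + 1)) ;;
      hardware-no-touch) nt=$((nt + 1)) ;;
    esac
  done
  printf 'software=%d hardware=%d hardware-no-touch=%d\n' "$sw" "$hw" "$nt"
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys
```

Run against a real file with `audit_authorized_keys < ~/.ssh/authorized_keys`; entries reported as hardware-no-touch are FIDO keys for which the server has explicitly accepted assertions made without user presence, which is the setting to review first.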