I have a gpg key I use through a smartcard (yubikey neo) to ssh to many hosts. Some of these hosts use certificates as well as keys to authorize logins. For normal keys that are stored locally there are three files involved:
- id_rsa
- id_rsa.pub
- id_rsa-cert.pub
I cause ssh to use the .pub and -cert.pub files together to authenticate by specifying the private key file -i ~/.ssh/id_rsa
. this causes it to offer woth the public key and the certificate. like so:
debug1: Authentications that can continue: publickey
debug1: Offering RSA-CERT public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg [email protected] blen 1086
debug1: ssh_rsa_verify: signature correct
when the private key is stored on the smart card there is no such file to offer, and the certificate is not sent even though the RSA key signed by the certificate is being offered:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: cardno:000XXXXXXX2
Which is rejected for lack of a signature.
If you want to use yubikey NEO to authenticate you to remote servers, there is simple tool and howto, directly from yubico:
https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html