Using YubiKey PIV with Windows' native SSH client

To use Windows' native SSH client with the PIV smart card function of the YubiKey, you will need to download and install Yubico's YKCS11 library, which comes bundled with Yubico PIV Tool.


To obtain a copy of YKCS11, download the latest release of Yubico PIV Tool for your system architecture here. For example, if you're running 64-bit Windows, you should download the file ending with -win64.msi (under the latest version heading). For 32-bit Windows, download the one ending in -win32.msi instead.


So that ssh can find libykcs11.dll, add its folder to the Windows system Path environment variable:

  1. Device specifications -> Advanced system settings -> Environment Variables -> System variables
  2. Select Path and then click Edit...
  3. Click New
  4. Add the path of the folder containing libykcs11.dll (by default this is "C:\Program Files\Yubico\Yubico PIV Tool\bin\") and then click OK.


Verify your OpenSSH version is at least OpenSSH_for_Windows_8.1p1 by running ssh -V in PowerShell. Your output should resemble OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2.


If an earlier version is reported, update your SSH client version. See Get started with OpenSSH for Windows for instructions on installing and updating.


Once you've verified you have both the minimum OpenSSH version and YKCS11, open PowerShell and run the following command:


New-Item -Path $env:USERPROFILE\.ssh\ -Name "config" -ItemType "file" -Value 'PKCS11Provider "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"'


This configures Windows' SSH client to use YKCS11 to access the YubiKey. Note: if you installed the 32-bit PIV Tool on 64-bit Windows, your path will differ slightly (it will begin with C:\Program Files (x86) instead of C:\Program Files).


You can verify that this command succeeded by running:

type $env:USERPROFILE\.ssh\config


If everything is correct, the output should be PKCS11Provider "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll".

Once you've verified all of the above, insert a YubiKey that has a certificate enrolled in its PIV authentication slot and run the following:


ssh <user>@<remote_host>


As long as the remote host has the public key corresponding to the YubiKey's certificate (the key whose fingerprint ssh reports) in its ~/.ssh/authorized_keys file, you should be presented with a PIN prompt to unlock the YubiKey's smart card function:


Enter PIN for 'YubiKey PIV #12345678':


If something went wrong (the PKCS#11 module could not be loaded, the PIN prompt never appears, or the remote host does not recognise the key), ssh falls back to password authentication.
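The following PowerShell script is an added example, not part of the original article, that automates the checks above: it locates libykcs11.dll (trying the 64-bit and then the 32-bit install path), verifies the OpenSSH version, writes the PKCS11Provider line without overwriting an existing config, and exports the YubiKey's public key with ssh-keygen -D so it can be placed in the remote host's ~/.ssh/authorized_keys. The install paths and the 8.1 minimum are taken from the article; everything else is the example's own assumption.

```powershell
# Added example: prerequisite checks and config setup for YubiKey PIV with Windows OpenSSH.
# Assumes the default Yubico PIV Tool install locations from the article.
$Provider = "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
if (-not (Test-Path $Provider)) {
    # 32-bit PIV Tool on 64-bit Windows installs under Program Files (x86)
    $Provider = "C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
}
if (-not (Test-Path $Provider)) {
    throw "libykcs11.dll not found; install Yubico PIV Tool first."
}

# ssh -V prints its version to stderr, so merge stderr into stdout to capture it.
$versionLine = (& ssh -V 2>&1) -join ''
if ($versionLine -match 'OpenSSH_for_Windows_(\d+)\.(\d+)') {
    $major = [int]$Matches[1]
    $minor = [int]$Matches[2]
    if (($major -lt 8) -or ($major -eq 8 -and $minor -lt 1)) {
        throw "OpenSSH $major.$minor is too old; 8.1 or later is required ($versionLine)."
    }
} else {
    throw "Could not parse the OpenSSH version from: $versionLine"
}

# Create ~/.ssh/config with the PKCS11Provider line. If a config already exists,
# append the line only when no PKCS11Provider is set, so existing Host entries are kept.
$sshDir = Join-Path $env:USERPROFILE '.ssh'
$config = Join-Path $sshDir 'config'
if (-not (Test-Path $sshDir)) {
    New-Item -Path $sshDir -ItemType Directory | Out-Null
}
$line = "PKCS11Provider `"$Provider`""
if (-not (Test-Path $config)) {
    Set-Content -Path $config -Value $line -Encoding ascii
} elseif (-not (Select-String -Path $config -Pattern 'PKCS11Provider' -Quiet)) {
    Add-Content -Path $config -Value $line -Encoding ascii
}
Get-Content $config

# List the public key(s) of the inserted YubiKey through the PKCS#11 module.
# Each output line is an OpenSSH public key in authorized_keys format; reading public
# keys does not require the PIN. Copy the relevant line to the remote host's
# ~/.ssh/authorized_keys before testing ssh <user>@<remote_host>.
& ssh-keygen -D $Provider
```

If ssh-keygen -D prints nothing, the YubiKey either has no certificate enrolled or the module could not open the card, which is the same condition that makes ssh fall back to password authentication.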