Using YubiKey PIV with Windows' native SSH client


To use Windows' native OpenSSH client with the PIV smart card function of the YubiKey, you will need Yubico's YKCS11 library (libykcs11.dll), a PKCS#11 module that comes bundled with Yubico PIV Tool. OpenSSH loads it through its PKCS11Provider option and uses the private key on the YubiKey for authentication; the key itself never leaves the device.

 

To obtain a copy of YKCS11, head over to https://developers.yubico.com/yubico-piv-tool/Releases/ and download the latest release for your system architecture. For example, if you're running 64-bit Windows, you should download the file ending with -win64.msi (under the latest version heading). For 32-bit Windows, download the one ending in -win32.msi instead.

 

Verify that your OpenSSH version is at least OpenSSH_for_Windows_8.1p1 (the first Windows release with PKCS#11 support) by running ssh -V in PowerShell. Your output should resemble OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2.

 

If an earlier version is reported, you'll need to update your SSH client. See https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse for instructions on installing and updating.

 

Once you've verified you have both the minimum OpenSSH version and YKCS11, open PowerShell and run the following.

 

New-Item -Path $env:USERPROFILE\.ssh\ -Name "config" -ItemType "file" -Value 'PKCS11Provider "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"'

 

This configures Windows' SSH client to use YKCS11 to access the YubiKey. Note, if you installed the 32-bit PIV Tool on 64-bit Windows, your path will differ slightly (it will begin with C:\Program Files (x86) instead of C:\Program Files). Two caveats: New-Item will fail if the .ssh folder does not exist yet (create it first), and it will also fail if a config file already exists. In the latter case, do not overwrite the file; add the PKCS11Provider line to your existing config instead, so that any host entries you already have are preserved.

 

You can verify that this command succeeded by running:

type $env:USERPROFILE\.ssh\config

 

If everything is in order, its output should be PKCS11Provider "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" (with the C:\Program Files (x86) path if you installed the 32-bit PIV Tool, as noted above).

 

Once you've verified all the above, insert a YubiKey that has a certificate enrolled in the PIV authentication slot (9a) and run the following.

 

ssh <user>@<remote_host>

 

As long as the remote host has the public key corresponding to the YubiKey's certificate in its ~/.ssh/authorized_keys file (authorized_keys holds the full public key, not just its fingerprint; ssh-keygen can export it from the YubiKey through the same PKCS#11 library), you should be greeted with a PIN prompt to unlock the YubiKey's smart card function:

 

Enter PIN for 'YubiKey PIV #12345678':

 

If something went wrong, the client falls back to the server's other allowed methods, typically password authentication. Run ssh with -v to see whether the PKCS#11 provider was loaded and which keys it offered. Be careful with repeated wrong PINs: the PIV PIN has a retry counter (three attempts by default) and is blocked once it is exhausted, after which it must be unblocked with the PUK.
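The whole procedure above, collected into one PowerShell script as an added example (this is not code from the original article or from Yubico). It assumes the default Yubico PIV Tool install locations, an OpenSSH for Windows client on PATH, and a YubiKey inserted for the final step; unlike the single New-Item command, it creates the .ssh folder if needed and appends to an existing config rather than overwriting it.

```powershell
# Added example: end-to-end YubiKey PIV + Windows OpenSSH setup check.
# Assumptions: Yubico PIV Tool in its default location, ssh/ssh-keygen on PATH.

# 1. Confirm the OpenSSH client is new enough to load a PKCS#11 provider.
#    ssh -V prints to stderr, so capture it via cmd to get plain text.
$verText = (cmd /c "ssh -V 2>&1") | Out-String
if ($verText -notmatch 'OpenSSH_for_Windows_(\d+)\.(\d+)') {
    throw "Unexpected ssh -V output: $verText"
}
$major = [int]$Matches[1]; $minor = [int]$Matches[2]
if ($major -lt 8 -or ($major -eq 8 -and $minor -lt 1)) {
    throw "OpenSSH for Windows 8.1p1 or later is required, found: $verText"
}

# 2. Locate libykcs11.dll: 64-bit install first, then a 32-bit install on
#    64-bit Windows. ${env:ProgramFiles(x86)} is empty on 32-bit Windows.
$candidates = @(
    "$env:ProgramFiles\Yubico\Yubico PIV Tool\bin\libykcs11.dll",
    "${env:ProgramFiles(x86)}\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
)
$dll = $candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
if (-not $dll) { throw "libykcs11.dll not found; install Yubico PIV Tool first." }

# 3. Add the PKCS11Provider directive without clobbering an existing config.
#    ASCII encoding avoids a UTF-8 BOM, which OpenSSH does not expect.
$sshDir = Join-Path $env:USERPROFILE '.ssh'
$config = Join-Path $sshDir 'config'
New-Item -Path $sshDir -ItemType Directory -Force | Out-Null
$line = "PKCS11Provider `"$dll`""
if (-not (Test-Path $config)) {
    Set-Content -Path $config -Value $line -Encoding ascii
} elseif (-not (Select-String -Path $config -Pattern '^\s*PKCS11Provider\b' -Quiet)) {
    Add-Content -Path $config -Value $line -Encoding ascii
} else {
    Write-Host "config already has a PKCS11Provider line; leaving it unchanged"
}
Get-Content $config

# 4. Export the public key(s) the YubiKey offers through PKCS#11. Paste the
#    line for the PIV authentication key into ~/.ssh/authorized_keys on the
#    remote host (the YubiKey must be inserted for this step).
& ssh-keygen -D $dll
```

After the authorized_keys entry is in place, test with ssh -v <user>@<remote_host>: the verbose output shows the provider being loaded and the key being offered before the PIN prompt appears, which is the quickest way to tell a missing provider from a missing authorized_keys entry.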