YubiKey FIDO2 SSH on an Anubiz Offshore VPS
FIDO2 hardware tokens like the YubiKey are phishing-resistant in a way TOTP is not: the private signing key is held in tamper-resistant hardware, and the token refuses to sign without a physical touch. OpenSSH 8.2+ supports ed25519-sk keys natively, and Ubuntu 24.04 ships a recent enough OpenSSH client and server. On an Anubiz VPS this is the strongest SSH auth you can deploy. Always provision a second YubiKey as a backup before you start; lockout is otherwise expensive.
Step 1: Generate the Key
Plug in the YubiKey and run ssh-keygen -t ed25519-sk -O resident -O application=ssh:anubiz, then touch the key when prompted. The file written to disk is only a key handle; the actual signing key stays on the YubiKey.
Step 2: Push to VPS
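Run ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub luis@vps-ip to install the public key. Then test the login from a new terminal, touching the key when prompted, and keep your existing session open until the test succeeds.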
Step 3: Disable Software Keys
Once the YubiKey login works, remove the ed25519 software keys from authorized_keys. Keep one software backup key in a sealed envelope for emergencies if appropriate.
Step 4: Backup YubiKey
Provision a second YubiKey with the same procedure and add its public key to authorized_keys. Store it in a safe. A single YubiKey is a single point of failure.
Step 5: Resident Keys for Travel
Because the key was created with the resident flag, you can SSH from a borrowed laptop: run ssh-keygen -K there to download the key stubs from the YubiKey. Useful when your usual machine is across an ocean.
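To confirm the end state of Steps 3 and 4, the following added example (not part of the original guide) audits an authorized_keys file: it passes only when at least two hardware-backed sk keys are present and no more software keys remain than you explicitly allow. The function names classify_keys and audit_keys are hypothetical, and the sample file uses constructed placeholder key blobs.

```shell
#!/bin/sh
# Added example: audit authorized_keys after Steps 3 and 4.

# Print "<class> <keytype> <comment>" per key line; class is hw (FIDO2 sk
# type), sw (software key) or unknown (no recognised key type on the line).
classify_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    {
        cls = "unknown"; kt = "-"; note = "line" NR
        # Options may precede the key type, so scan for an exact type name.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com$/) cls = "hw"
            else if ($i ~ /^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))$/) cls = "sw"
            if (cls != "unknown") { kt = $i; if (i + 2 <= NF) note = $(i + 2); break }
        }
        print cls, kt, note
    }' "$1"
}

# Exit 0 only if there are at least 2 hardware keys, no unparsed lines, and
# no more software keys than $2 (default 0; pass 1 for a sealed-envelope key).
audit_keys() {
    classify_keys "$1" | awk -v max_sw="${2:-0}" '
        { n[$1]++ }
        END {
            printf "hardware=%d software=%d unparsed=%d\n", n["hw"], n["sw"], n["unknown"]
            exit !(n["hw"] >= 2 && n["sw"] + 0 <= max_sw + 0 && n["unknown"] == 0)
        }'
}

# Constructed sample: placeholder blobs, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed authorized_keys sample
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 primary-yubikey
no-agent-forwarding sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 backup-yubikey
ssh-ed25519 AAAAPLACEHOLDER3 old-laptop
EOF
classify_keys "$sample"
audit_keys "$sample" || echo "FAIL: software key still authorized (Step 3 not done)"
rm -f "$sample"
```

On the VPS, point it at the real file, for example audit_keys ~/.ssh/authorized_keys, or audit_keys ~/.ssh/authorized_keys 1 if you deliberately keep the sealed-envelope software key.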