Issues with yubikey

Hi Yang,

I have issues when trying to configure access to my server using YubiKey 9a.

## OCI-SERVER ##

Equivalent Command: ssh -i /Users/xxxxxxx/.ssh/yubikey_9a.pub -vvv -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o CertificateFile=/Users/xxxxxxx/.ssh/yubikey_9a.pub xxxxx@157.137.231.xxx
17:57:08 Connecting...
17:57:08 OpenSSH_9.8p1, OpenSSL 3.0.14 4 Jun 2024
17:57:08 debug1: Reading configuration data /Users/xxxxxx/.ssh/config
17:57:08 debug1: /Users/xxxxxx/.ssh/config line 7: Applying options for *
17:57:08 debug1: Reading configuration data /etc/ssh/ssh_config
17:57:08 debug3: /etc/ssh/ssh_config line 22: Including file /etc/ssh/ssh_config.d/100-macos.conf depth 0
17:57:08 debug1: Reading configuration data /etc/ssh/ssh_config.d/100-macos.conf
17:57:08 debug1: /etc/ssh/ssh_config.d/100-macos.conf line 1: Applying options for *
17:57:08 debug3: /etc/ssh/ssh_config.d/100-macos.conf line 3: Including file /etc/ssh/crypto.conf depth 1
17:57:08 debug1: Reading configuration data /etc/ssh/crypto.conf
17:57:08 debug3: kex names ok: [ecdh-sha2-nistp256]
17:57:08 debug2: resolve_canonicalize: hostname 157.137.231.xxx is address
17:57:08 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/xxxxxx/.ssh/known_hosts'
17:57:08 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/xxxxxx/.ssh/known_hosts2'
17:57:08 debug3: channel_clear_timeouts: clearing
17:57:08 debug2: fd 3 setting O_NONBLOCK
17:57:08 debug2: fd 4 setting O_NONBLOCK
17:57:08 debug3: ssh_connect_direct: entering
17:57:08 debug1: Connecting to 157.137.231.xxx [157.137.231.xxx] port 22.
17:57:08 debug3: set_sock_tos: set socket 5 IP_TOS 0x48
17:57:08 debug1: Connection established.
17:57:08 debug1: identity file /Users/xxxxxx/.ssh/yubikey_9a.pub type 0
17:57:08 debug1: certificate file /Users/xxxxxx/.ssh/yubikey_9a.pub type 0
17:57:08 debug1: load_public_identity_files: key /Users/xxxxxx/.ssh/yubikey_9a.pub type RSA is not a certificate
17:57:08 debug1: Local version string SSH-2.0-OpenSSH_9.8
17:57:09 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
17:57:09 debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
17:57:09 debug2: fd 5 setting O_NONBLOCK
17:57:09 debug1: Authenticating to 157.137.231.xxx:22 as 'xxxxx'
17:57:09 Authenticating...
17:57:09 debug3: record_hostkey: found key type ED25519 in file /Users/xxxxxx/.ssh/known_hosts:5
17:57:09 debug3: record_hostkey: found key type RSA in file /Users/xxxxxx/.ssh/known_hosts:8
17:57:09 debug3: record_hostkey: found key type ECDSA in file /Users/xxxxxx/.ssh/known_hosts:9
17:57:09 debug3: load_hostkeys_file: loaded 3 keys from 157.137.231.xxx
17:57:09 debug1: load_hostkeys: fopen /Users/xxxxxx/.ssh/known_hosts2: No such file or directory
17:57:09 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
17:57:09 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
17:57:09 debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
17:57:09 debug3: send packet: type 20
17:57:09 debug1: SSH2_MSG_KEXINIT sent
17:57:09 debug3: receive packet: type 20
17:57:09 debug1: SSH2_MSG_KEXINIT received
17:57:09 debug2: local client KEXINIT proposal
17:57:09 debug2: KEX algorithms: ecdh-sha2-nistp256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
17:57:09 debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
17:57:09 debug2: ciphers ctos: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
17:57:09 debug2: ciphers stoc: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
17:57:09 debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-512,hmac-sha1
17:57:09 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-512,hmac-sha1
17:57:09 debug2: compression ctos: none,zlib@openssh.com,zlib
17:57:09 debug2: compression stoc: none,zlib@openssh.com,zlib
17:57:09 debug2: languages ctos:
17:57:09 debug2: languages stoc:
17:57:09 debug2: first_kex_follows 0
17:57:09 debug2: reserved 0
17:57:09 debug2: peer server KEXINIT proposal
17:57:09 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,kex-strict-s-v00@openssh.com
17:57:09 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
17:57:09 debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
17:57:09 debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
17:57:09 debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
17:57:09 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
17:57:09 debug2: compression ctos: none,zlib@openssh.com
17:57:09 debug2: compression stoc: none,zlib@openssh.com
17:57:09 debug2: languages ctos:
17:57:09 debug2: languages stoc:
17:57:09 debug2: first_kex_follows 0
17:57:09 debug2: reserved 0
17:57:09 debug3: kex_choose_conf: will use strict KEX ordering
17:57:09 debug1: kex: algorithm: ecdh-sha2-nistp256
17:57:09 debug1: kex: host key algorithm: ssh-ed25519
17:57:09 debug1: kex: server->client cipher: aes128-gcm@openssh.com MAC:  compression: none
17:57:09 debug1: kex: client->server cipher: aes128-gcm@openssh.com MAC:  compression: none
17:57:09 debug3: send packet: type 30
17:57:09 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
17:57:09 debug3: receive packet: type 31
17:57:09 debug1: SSH2_MSG_KEX_ECDH_REPLY received
17:57:09 debug1: Server host key: ssh-ed25519 SHA256:syN5H8yHF00w8sxxxx
17:57:09 debug3: record_hostkey: found key type ED25519 in file /Users/xxxxxx/.ssh/known_hosts:5
17:57:09 debug3: record_hostkey: found key type RSA in file /Users/xxxxxx/.ssh/known_hosts:8
17:57:09 debug3: record_hostkey: found key type ECDSA in file /Users/xxxxxx/.ssh/known_hosts:9
17:57:09 debug3: load_hostkeys_file: loaded 3 keys from 157.137.231.xxx
17:57:09 debug1: load_hostkeys: fopen /Users/xxxxxx/.ssh/known_hosts2: No such file or directory
17:57:09 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
17:57:09 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
17:57:09 debug1: Host '157.137.231.xxx' is known and matches the ED25519 host key.
17:57:09 debug1: Found key in /Users/xxxxxx/.ssh/known_hosts:5
17:57:09 debug3: send packet: type 21
17:57:09 debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
17:57:09 debug2: ssh_set_newkeys: mode 1
17:57:09 debug1: rekey out after 4294967296 blocks
17:57:09 debug1: SSH2_MSG_NEWKEYS sent
17:57:09 debug1: expecting SSH2_MSG_NEWKEYS
17:57:09 debug3: receive packet: type 21
17:57:09 debug1: ssh_packet_read_poll2: resetting read seqnr 3
17:57:09 debug1: SSH2_MSG_NEWKEYS received
17:57:09 debug2: ssh_set_newkeys: mode 0
17:57:09 debug1: rekey in after 4294967296 blocks
17:57:09 debug2: KEX algorithms: ecdh-sha2-nistp256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
17:57:09 debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
17:57:09 debug2: ciphers ctos: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
17:57:09 debug2: ciphers stoc: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
17:57:09 debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-512,hmac-sha1
17:57:09 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-512,hmac-sha1
17:57:09 debug2: compression ctos: none,zlib@openssh.com,zlib
17:57:09 debug2: compression stoc: none,zlib@openssh.com,zlib
17:57:09 debug2: languages ctos:
17:57:09 debug2: languages stoc:
17:57:09 debug2: first_kex_follows 0
17:57:09 debug2: reserved 0
17:57:09 debug3: send packet: type 5
17:57:09 debug3: receive packet: type 7
17:57:09 debug1: SSH2_MSG_EXT_INFO received
17:57:09 debug3: kex_input_ext_info: extension server-sig-algs
17:57:09 debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
17:57:09 debug3: receive packet: type 6
17:57:09 debug2: service_accept: ssh-userauth
17:57:09 debug1: SSH2_MSG_SERVICE_ACCEPT received
17:57:09 debug3: send packet: type 50
17:57:10 debug3: receive packet: type 51
17:57:10 debug1: Authentications that can continue: publickey
17:57:10 debug3: start over, passed a different list publickey
17:57:10 debug3: preferred publickey,keyboard-interactive,password
17:57:10 debug3: authmethod_lookup publickey
17:57:10 debug3: remaining preferred: keyboard-interactive,password
17:57:10 debug3: authmethod_is_enabled publickey
17:57:10 debug1: Next authentication method: publickey
17:57:10 debug3: ssh_get_authentication_socket_path: path '/var/run/com.apple.launchd.2nZEtfFVoL/Listeners'
17:57:10 debug1: get_agent_identities: bound agent to hostkey
17:57:10 debug1: get_agent_identities: agent returned 1 keys
17:57:10 debug1: Will attempt key:  RSA SHA256:EQshWtswYxZOyjJLWDLLgnI/N,lk8k agent
17:57:10 debug1: Will attempt key: /Users/xxxxxxxx/.ssh/yubikey_9a.pub RSA SHA256:pdZDtydqP++P5LqhhhhgGT4veetJOmW7s explicit
17:57:10 debug2: pubkey_prepare: done
17:57:10 debug1: Offering public key:  RSA SHA256:EQshWtswYxZOyjJLWDLLgnI/NXexxxxxx agent
17:57:10 debug3: send packet: type 50
17:57:10 debug2: we sent a publickey packet, wait for reply
17:57:10 debug3: receive packet: type 51
17:57:10 debug1: Authentications that can continue: publickey
17:57:10 debug1: Offering public key: /Users/xxxxxx/.ssh/yubikey_9a.pub RSA SHA256:pdZDtydqP++P5Lqp5/RrcsIdddddd explicit
17:57:10 debug3: send packet: type 50
17:57:10 debug2: we sent a publickey packet, wait for reply
17:57:10 debug3: receive packet: type 51
17:57:10 debug1: Authentications that can continue: publickey
17:57:10 debug2: we did not send a packet, disable method
17:57:10 debug1: No more authentication methods to try.
17:57:10 xxxxxx@157.137.231.xxx: Permission denied (publickey).
17:57:10 Unexpectedly disconnected.

According to the official YubiKey documentation, you need to specify libykcs11.so as the Identity.
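
A way to read the key-offer part of a trace like the one above, as an added example that is not part of the thread or of either participant's post: it pairs each `Offering public key` line with the next packet number the server sent, using the RFC 4252 message numbers 51 (`SSH_MSG_USERAUTH_FAILURE`) and 60 (`SSH_MSG_USERAUTH_PK_OK`). The sample log, its path and its fingerprints are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the `ssh -vvv` trace above; path and fingerprints are placeholders.
SAMPLE_LOG = """\
17:57:08 debug1: load_public_identity_files: key /Users/user/.ssh/yubikey_9a.pub type RSA is not a certificate
17:57:10 debug1: Offering public key:  RSA SHA256:AGENT-PLACEHOLDER agent
17:57:10 debug3: send packet: type 50
17:57:10 debug3: receive packet: type 51
17:57:10 debug1: Offering public key: /Users/user/.ssh/yubikey_9a.pub RSA SHA256:FILE-PLACEHOLDER explicit
17:57:10 debug3: send packet: type 50
17:57:10 debug3: receive packet: type 51
"""

# RFC 4252 message numbers a server can send in reply to a public-key offer.
USERAUTH_FAILURE, USERAUTH_PK_OK = 51, 60
RECV = re.compile(r"receive packet: type (\d+)")


def offered_keys(log):
    """Pair every 'Offering public key' line with the next packet the server sent."""
    keys, pending = [], None
    for line in log.splitlines():
        if "Offering public key:" in line:
            tok = line.split("Offering public key:", 1)[1].split()
            i = next((n for n, t in enumerate(tok) if t.startswith(("SHA256:", "MD5:"))), None)
            if not i:  # no fingerprint found, or no key type in front of it
                continue
            pending = {"path": " ".join(tok[:i - 1]) or None, "type": tok[i - 1],
                       "fingerprint": tok[i], "source": " ".join(tok[i + 1:]), "reply": None}
            keys.append(pending)
        elif pending and (m := RECV.search(line)):
            pending["reply"] = int(m.group(1))
            pending = None
    return keys


def diagnose(log):
    """Return human-readable findings for a failed publickey login."""
    notes = []
    for k in offered_keys(log):
        who = f"{k['type']} {k['fingerprint']} ({k['source']})"
        if k["reply"] == USERAUTH_FAILURE:
            notes.append(f"{who}: server refused the offer; no signature was requested")
        elif k["reply"] == USERAUTH_PK_OK:
            notes.append(f"{who}: server accepts the key; signing comes next")
    if "is not a certificate" in log:
        notes.append("CertificateFile names a plain public key, not an SSH certificate")
    return notes
```

The server answers the offer from the public key alone, so a 51 at this stage arrives before the client is asked to sign anything with the private key.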