On 2021-10-22, Paul de Weerd <we...@weirdnet.nl> wrote:
> Hi all,
>
> I've been happily using a yubikey together with an id_ed25519 SSH key
> when logging in over SSH:
>
>   uhidev7 at uhub3 port 2 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.27 addr 9
>
> I would now like to migrate over to a new yubikey with a USB-C
> connector, as my new personal laptop has no USB-A ports. Digging
> through the ssh-keygen manpage, I don't see an option to do this; it
> seems you can only create new keys.
>
> Is this indeed impossible, or am I looking at the wrong manpage?

The key is in two parts: one is either in the sk file or as a resident key on newer FIDO2 tokens, the other is always on the token and is not directly readable (it can be used to perform operations on the token and return results, but can't be read out and used to program another token). You will need to generate new keys and update authorized_keys on machines which you connect to.
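
The rotation described in the reply above, as an added example that is not part of the original thread: a POSIX shell function that swaps the old token's public key for the new one in an authorized_keys file. The function name `rotate_sk_key` and the file names are assumptions made for illustration.

```shell
# Generate the replacement key on the new token first (token must be plugged in):
#   ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk_new   # file name is an assumption
# Then run this against authorized_keys on each machine you connect to.

# rotate_sk_key AUTHORIZED_KEYS OLD.pub NEW.pub   (hypothetical helper)
rotate_sk_key() {
    auth=$1 old_pub=$2 new_pub=$3

    # The base64 blob (2nd field of a .pub file) identifies the key.
    # The trailing comment is free text and may differ on the server.
    old_blob=$(awk 'NR==1 {print $2}' "$old_pub")
    new_blob=$(awk 'NR==1 {print $2}' "$new_pub")
    [ -n "$old_blob" ] && [ -n "$new_blob" ] || return 2

    # Work on a temp file in the same directory so the final mv is atomic.
    tmp=$(mktemp "${auth}.XXXXXX") || return 1

    # Drop every line carrying the old blob, wherever it sits on the line
    # (authorized_keys entries may start with options such as no-pty).
    awk -v old="$old_blob" '
        { for (i = 1; i <= NF; i++) if ($i == old) next; print }
    ' "$auth" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Append the new key only if it is not already authorized.
    grep -qF -- "$new_blob" "$tmp" || head -n 1 "$new_pub" >> "$tmp"

    chmod 600 "$tmp"
    mv "$tmp" "$auth"
}
```

Keep the old token at hand until a login with the new key has succeeded, since removing the old entry first can lock you out.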