With OpenSSH now supporting FIDO security keys, I want to use my two Yubikeys to store my ssh credentials. I'd like to be able to log in to a host using either of my two keys from any of my (mostly Windows) clients, using the built-in OpenSSH client (v9.5).

So far I've created an ssh key on both SKs (let's say ssh key sA on Yubikey yA, same with sB/yB), and am able to use either to log in through ssh by specifying the key to use in the ssh command.
This works, but it's annoying, so I then tried to add both keys to ssh-agent with ssh-add, and this almost does it, except that it doesn't display which key is being used first: when connecting, it tries the ssh keys in the order they were added, say sA then sB.
Because of this, if yA is plugged in and activated (PIN + touch) it all works, but if only yB is present I get the Windows popup asking for the PIN and touch, only to fail because the key isn't recognized. Then ssh-agent tries to use sB, which works after yB is activated.
For now it's OK because I just added the keys, but if (when) I forget that order I'll have a 50/50 chance of using the right key on the first try.

Is there a way to have ssh-agent ask which key to use before trying any, or maybe to use something else to manage the keys?
