Why Securing SSH in Your Smart Home Matters
Sound familiar? You’re about to leave for vacation and quickly want to change something in your system – only to find that remote access suddenly stops working. Many people then simply open their SSH port to the internet or use the Home Assistant Web Terminal add-on in the browser. That sounds convenient, but it’s extremely dangerous: often a single password is all it takes for someone to gain full access to your entire system.
In this video, I’ll show you how to properly secure your SSH access with a YubiKey. It’s easier than you think – and I’ll walk you through it step by step.
What Is a YubiKey and Why Is It So Secure?
The YubiKey is a small USB stick that works like a digital key for you. It stores your access credentials in such a way that they never reside on your computer and can’t be stolen. For SSH, the YubiKey uses the modern security standard FIDO2. Even if someone knows your password, they can’t access your server without the YubiKey. You plug in the stick, tap it – and you’re securely logged in. This is far more secure and convenient than traditional passwords or certificate files stored on your machine.
Where to Buy a YubiKey
You can get a YubiKey through my recommended links:
The following models are suitable for this project:
Note: Links marked with affiliate link are affiliate links. As an Amazon Associate I earn from qualifying purchases. This means I receive a small commission if you purchase through these links — at no extra cost to you. The revenue helps me run this blog and YouTube channel and keep creating content. Thank you for your support!
― Joachim
Tip: Always order from the official retailer or a trusted shop to ensure you receive a genuine, sealed device.
The Three Ways to SSH Login – and Why YubiKey Is the Best Choice
- Password: Simple, but insecure – passwords can be guessed, intercepted, or shared.
- Certificate (key pair): Much more secure, but if someone gains access to your computer, they can copy the private key.
- YubiKey: The private key doesn’t live on your computer – it’s securely stored on the YubiKey. Access is only possible with the physical stick and your confirmation.
Step by Step: Setting Up a YubiKey for SSH (Using Termius as an Example)
- Choose your YubiKey: There are various models (USB-A, USB-C, NFC, Lightning). Think about which devices you’ll be using the stick with.
- Install Termius: This app makes the setup particularly straightforward. (OpenSSH, PuTTY, etc. also work.)
- Add the YubiKey: In Termius, go to “Keychain” → “FIDO2”, select the stick, enter your PIN, give the key a name, and generate it. Enable “Require user presence”, disable “Require PIN code”, and leave the passphrase empty.
- Copy the public key to the server: Termius offers an export function that automatically adds the key to ~/.ssh/authorized_keys. You can also do this manually.
- Test the connection: Start a new SSH session, tap the YubiKey – done!
- Disable password login: Set PasswordAuthentication no in /etc/ssh/sshd_config and restart the SSH service.
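To check the result of the last two steps, the following added example (not part of the original post or of Termius) audits a server's sshd_config and authorized_keys. The function names and the sample files are constructed for illustration, and the parser assumes a config without Include files.

```shell
#!/usr/bin/env bash
# Added example: audit the two files the steps above change.

# Print the effective value of sshd_config keyword $1 in file $2.
# sshd uses the FIRST occurrence of a keyword, so a later line does not override it.
# "unset" means the built-in default applies (for PasswordAuthentication: yes).
# Assumption: no Include files; parsing stops at the first Match block.
# On a real host, `sshd -T` prints the fully resolved configuration.
effective_setting() {
  awk -v key="$1" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$2"
}

# Print the comment of every authorized_keys entry in file $1 that is NOT
# FIDO2-backed. Hardware-backed key types start with "sk-".
software_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++)          # skip any leading options field
        if ($i ~ /^(sk-)?(ssh-|ecdsa-)/) {
          if ($i !~ /^sk-/) print ((i + 2 <= NF) ? $(i + 2) : "(no comment)")
          next
        }
    }
  ' "$1"
}

# Constructed sample files, not taken from a real host.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$tmp/authorized_keys" <<'EOF'
sk-ssh-ed25519@openssh.com AAAAexample1 yubikey-main
sk-ecdsa-sha2-nistp256@openssh.com AAAAexample2 yubikey-backup
ssh-rsa AAAAexample3 old-laptop
no-port-forwarding ssh-ed25519 AAAAexample4 nas-backup
EOF

echo "PasswordAuthentication: $(effective_setting PasswordAuthentication "$tmp/sshd_config")"
echo "Keys that still work without a YubiKey:"
software_keys "$tmp/authorized_keys"
```

Any entry the second function lists is a key file that can still log in without the stick, so remove it from authorized_keys once the YubiKey login has been tested.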
Important Notes & Tips
- When setting up your YubiKey for the first time, you’ll need to set a PIN. This protects against misuse if someone finds the stick.
- The private key is split into two parts: one stays on the computer, one on the YubiKey. For a new machine, you’ll need to generate a new key pair and register the public key on the server.
- “Resident keys” (keys stored directly on the YubiKey) are a special case and aren’t yet widely supported by tools.
- It’s best to set up a second YubiKey as a backup right away, so you don’t lock yourself out.
- If everything does go wrong: you can always access your machine directly with a monitor and keyboard.
YubiKey in Everyday Use: Much More Than Just SSH
The YubiKey can do much more: two-factor authentication for Google, Microsoft, Facebook, Dropbox, Amazon, password managers like Bitwarden or 1Password, online banking, email accounts, and much more. Once set up, it becomes a real everyday companion for everything that matters to you.
Conclusion
With a YubiKey, you make your SSH access – and many other logins – not only more secure, but also more convenient. You protect yourself against password theft, phishing, and many other attacks, all with a small stick that fits in any pocket.