Export SSH Public Key

For every machine that you'll need to SSH into, you will need to install your SSH public key. Normally this would be a file with a name like "id_rsa.pub"; however, because the key is actually a PGP subkey, that file doesn't exist.

There are two ways to "extract" an SSH public key from a PGP authentication subkey.

Using "ssh-add -L"

This is the easy way.

While the YubiKey is plugged in, run "ssh-add -L" and it will print the public keys for every secret key known to your "SSH agent" (which in our case is actually gpg-agent).

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhVIFZFwb0EoFsKRUrp0LTra3w6F06H2SLnE2NqQ0N
LFm1vtXPey9byXnKsxaWnMdqzPCrgUQypA1pIl1IYzmjdH/UO9H0bW3fxg/9+YyT1u9bl2TdVw8yZb30
/A0qV6ddOylWC42pFeEKOhzEFSU6PXiaJE2zNhOfmAcqB0r6mhTuQ5a754UMYu8254Bh1XUbEXm/Tpt7
K+1xIs4dTIVerL+7U55husgoMQ2HB6DcGSzfqpBwon208ll8ERhxkIBpwVKPfC1eJeyiuUgJOVp69O+r
TnPQ/oYzzX1kXCSfdOpBDZpu9oCQPAtRwjF9YfX7AK645qF4ua17cPRYmFTTa9d65E+VfGIbhgD0zpfM
6rnLU+XeZV3jqegxzphl7xNX2vOOlNYTDBGD7+izQV9a5AehoPkZ3MIM5JNzfzK3uEFduyD2L9RLJ3Tl
s2uCYOe7TjRfasbvY/rzgn3LAnF2nX3l46ckgsxJk9m2duvmHdsLYBzGMpnWOlzE+CWHnvdewhoUTXe4
fR0pkd5a7josJm5giBtUNgrUC4JevV5yWU2SY+5u0mePeaQLWjKW3vroZpmM1jPpYDcU4xL7JqJJzltb
bL90TAvlKXGRJXEt9t46SfulTGURp9n5yDP2xS8yapdI6NvFW/5bV5rEgltYwgi+evwOVnvi1eTUAkjI
Pw== cardno:12_345_678

The "cardno:12_345_678" at the end is a comment, and can be changed when adding the key to an authorized_keys file. I normally give my public keys comments like "j..1@j....net 2019-03-21 YubiKey Blue" instead of the serial number, so that if an authorized_keys file contains multiple lines, I can tell which one is which. (This particular key is stored on a YubiKey with blue stickers on the front and back.)

For example ...

$ cd ~/.ssh/
$ ssh-add -L >> id_rsa.pub
$ nano id_rsa.pub
  • Replace the "cardno:12_345_678" with a comment describing which public key this is.

You can then add this to your $HOME/.ssh/authorized_keys file on each machine you will need to log into.

$ cd ~/.ssh/
$ cat id_rsa.pub >> authorized_keys

Note that there is no way to get an "id_rsa" (without the ".pub") file. Such a file would contain the secret key, and the whole point of storing the keys on a YubiKey is that the secret keys cannot be extracted.
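
The export, relabel and append steps above as one repeatable script, added here as an example and not part of the original page: it keeps only the card-backed lines from "ssh-add -L", swaps the "cardno:" comment for a label, and appends to authorized_keys only if that key is not already there. The function names, the sample key blobs and the label are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Key blobs below are constructed
# placeholders, not real keys.
SAMPLE_AGENT_OUTPUT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedCardKeyBlobForExample0000000000 cardno:12_345_678
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedFileKeyBlobForExample0000000000 user@laptop'

# relabel_card_keys LABEL
# Reads "ssh-add -L" output on stdin, keeps only the lines whose comment
# starts with "cardno:" (keys on the card, served by gpg-agent), and replaces
# that comment with LABEL. Key type and base64 blob pass through unchanged.
relabel_card_keys() {
    awk -v label="$1" '$3 ~ /^cardno:/ { print $1, $2, label }'
}

# install_keys FILE
# Reads public key lines on stdin and appends each to FILE unless some line
# in FILE already carries the same base64 blob (so re-running is harmless).
# FILE is created with mode 600 if it does not exist yet.
install_keys() {
    file=$1
    ( umask 077; touch "$file" )
    while read -r type blob comment; do
        [ -n "$blob" ] || continue
        # Compare whole fields, so entries with an options prefix still match.
        if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                             END { exit !f }' "$file"; then
            continue
        fi
        printf '%s\n' "$type $blob${comment:+ $comment}" >> "$file"
    done
}

# Typical use, with the YubiKey plugged in:
#   ssh-add -L | relabel_card_keys "YubiKey Blue 2019-03-21" \
#       | install_keys ~/.ssh/authorized_keys
```

Filtering on the "cardno:" comment matters because "ssh-add -L" lists every key the agent knows, not only the one on the card.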

Using "gpg --export-ssh-key"

This is the method you'll have to use if your PGP key has more than one subkey with the [A] capability.

Key ID

If your PGP key has more than one subkey with the [A] capability, you will need to use the fingerprint of the specific subkey you want to export. (The key I use at work has two authentication keys - one ed25519 and one rsa4096.)

$ gpg --list-keys --with-subkey-fingerprints jms1
pub   rsa4096 2019-03-21 [SC] [expires: 2024-01-01]
      E3F7F5F76640299C5507FBAA49B9FD3BB4422EBB
uid           [ultimate] John Simpson <j..1@j....net>
uid           [ultimate] John Simpson <k....w@m...com>
uid           [ultimate] John Simpson <k....w@k......us>
sub   rsa4096 2019-03-21 [E] [expires: 2024-01-01]
      3C8EC9C7B067A4C542F9727D795C2CF824364755
sub   rsa4096 2019-03-21 [S] [expires: 2024-01-01]
      77DEBB0C8C7FBAFF1E0E70DCE9E44ED30E2F2445
sub   rsa4096 2019-03-21 [A] [expires: 2024-01-01]
      7A6B95B6BF897A6497165AE436823233F8D09EB7

This key has only a single [A] subkey, so I could use any of the fingerprints shown above, but for this example I'm going to use the fingerprint of that subkey.

$ gpg --export-ssh-key 7A6B95B6BF897A6497165AE436823233F8D09EB7
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhVIFZFwb0EoFsKRUrp0LTra3w6F06H2SLnE2NqQ0N
LFm1vtXPey9byXnKsxaWnMdqzPCrgUQypA1pIl1IYzmjdH/UO9H0bW3fxg/9+YyT1u9bl2TdVw8yZb30
/A0qV6ddOylWC42pFeEKOhzEFSU6PXiaJE2zNhOfmAcqB0r6mhTuQ5a754UMYu8254Bh1XUbEXm/Tpt7
K+1xIs4dTIVerL+7U55husgoMQ2HB6DcGSzfqpBwon208ll8ERhxkIBpwVKPfC1eJeyiuUgJOVp69O+r
TnPQ/oYzzX1kXCSfdOpBDZpu9oCQPAtRwjF9YfX7AK645qF4ua17cPRYmFTTa9d65E+VfGIbhgD0zpfM
6rnLU+XeZV3jqegxzphl7xNX2vOOlNYTDBGD7izQV9a5AehoPkZ3MIM5JNzfzK3uEFduyD2L9RLJ3Tls
2uCYOe7TjRfasbvY/rzgn3LAnF2nX3l46ckgsxJk9m2duvmHdsLYBzGMpnWOlzE+CWHnvdewhoUTXe4f
R0pkd5a7josJm5giBtUNgrUC4JevV5yWU2SY+5u0mePeaQLWjKW3vroZpmM1jPpYDcU4xL7JqJJzltbb
L90TAvlKXGRJXEt9t46SfulTGURp9n5yDP2xS8yapdI6NvFW/5bV5rEgltYwgi+evwOVnvi1eTUAkjIP
w== openpgp:0xF8D09EB7

The output is one long line of text (or not so long, for ed25519 keys). The last part, "openpgp:0xF8D09EB7", is a human-readable comment and can be changed without hurting anything.