// the find
FiloSottile/yubikey-agent
yubikey-agent is a seamless ssh-agent for YubiKeys.
yubikey-agent replaces the standard ssh-agent with one that uses the PIV applet on a YubiKey, so your SSH private key is generated on the hardware and never leaves it. Every connection requires a PIN and physical touch. Aimed at developers who want hardware-backed SSH keys without fighting gpg-agent or PKCS#11 plumbing.
The setup story is genuinely good — one command generates the key on-device, sets a sane management key, and wires up the socket. The persistent transaction model means it survives sleep and unplug without daemon restarts, which is the main pain point with PKCS#11-based alternatives. Written in pure Go against go-piv, so the binary is self-contained with no dependency on libpcsclite being in the right place at runtime on most platforms. The README honestly compares every alternative (gpg-agent, FIDO2, PKCS#11, pivy-agent) with real tradeoffs instead of pretending they don't exist.
The persistent transaction that makes it resilient is also a footgun: it locks the YubiKey's PIV applet exclusively, so gpg-agent and YubiKey Manager can't talk to the card while yubikey-agent is running. That's a real problem if you use the same key for GPG signing. Last commit was December 2023 and the Windows port is still marked WIP with no apparent progress. Only supports a single key slot (Authentication slot, PIV slot 9a) — no path to using multiple hardware keys or rotating to a new YubiKey without re-running setup and pushing the new public key everywhere.