This is a working guide to using a YubiKey for SSH on a real Linux fleet, plus the surrounding landscape: PIV, software-only alternatives, and SSH certificate authorities. The goal is to retire file-based SSH keys without breaking daily operations.

The article is structured around four questions:

1. What does a hardware-backed key actually do, and what knobs do you control?
2. How do you combine those knobs into a policy that works for both root login and Ansible?
3. What if you can't ship YubiKeys?
4. When should you stop managing keys yourself and adopt an SSH CA?

The problem with file-based keys

Every classic SSH key is a file in `~/.ssh/`. That file holds the private key. To log in to a server, your SSH client reads the file and produces a cryptographic signature. There are really two issues here, and they compound:

- The private key is a file.…