I have two dozen co-located servers to log into. So far I've resisted the idea of setting up a bastion host, because that seems like a way to lock myself out of SSH access if that machine dies. I'm also not sure of the rationale for having a bastion host, other than "big companies do it". How do other non-cloud people handle this access vs. security tradeoff?

I'm also curious what people's preferred fallback method is for preserving access to machines if you lose access to your yubikey(s), assuming you keep your private SSH key stored on one.

If the yubikey dies, either another person can provision your replacement, or a configuration management system can do so.

We’re doing this successfully where I’m working.

I'm not sure I understand what you mean. I run a one-person business and my servers are 110 miles away in Sacramento; what do I do if my yubikey breaks?

I think the SOP is to have a second Yubikey registered and stored in a safe place and/or a set of one-time codes that you can use instead.

I actually had no idea SSH had support for one-time passwords, but I see docs for OTPW here: https://www.digitalocean.com/community/tutorials/install-and...

This looks like exactly the answer I needed; thank you!

It sounds like you're trying to do something like Yubikey OTP or U2F with SSH. Both are doable, but I don't think that's the normal way people use hardware tokens with SSH; what I've seen much more is that people use Y4 keys (which are basically pocket HSMs), generate RSA keypairs with them, and configure SSH to accept the public key on the token.

This doesn't require any support on the serverside; as far as the server's concerned, the Y4 is just another RSA key.

It does require the more expensive Yubikey, but there are some security advantages to using it.

> something like Yubikey OTP or U2F with SSH. Both are doable

I would be interested in how you think U2F with SSH is doable. Maybe with a custom SSH server and client?

Have you actually see this done in anger?