Hardware-backed SSH keys end to end: YubiKey, PIV, software alternatives, and where SSH CAs fit in
A working guide to using a YubiKey for SSH on a real Linux fleet — the four knobs (resident, touch, PIN, agent), a four-mode policy for root and Ansible, software-only alternatives, and where SSH CAs fit in.