There was recently a "two for the price of one" deal on the Yubikey 4 and now I have too many of them.
This got me thinking about things to do with them, more or less useful. Of course I already use the smart card features to secure my SSH CA and my personal SSH keys. But could it also be used to secure host keys?
This would most certainly require the use of an ssh-agent, since it seems exceedingly impractical to enter the PIN code every time a client connects to the server. After a quick look at the sshd_config manual, it turns out it is actually possible to point sshd to an SSH_AUTH_SOCK instead of files on disk for host keys, using HostKeyAgent.
Could you elaborate on your thoughts about the actual security gain in a setup like this? For me the most obvious one is that it is a physical key: you can always be sure that the key is not copied somewhere, and if the Yubikey is gone you can easily notice this.
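For readers who want to try the HostKeyAgent setup described above, here is an added example of the procedure; it is not part of the original post and not the poster's own setup. It assumes a PIV key pair already exists on the YubiKey 4, that the PKCS#11 provider is OpenSC's opensc-pkcs11.so at the path below, and that the agent socket path, the public key file name and the sshd_config drop-in file are choices made here (the drop-in presumes an `Include /etc/ssh/sshd_config.d/*.conf` line in sshd_config; otherwise append the two directives to sshd_config directly). The two text-processing helpers run anywhere; only `setup_hostkey_agent` touches the token and sshd.

```shell
#!/bin/sh
# Added example (not from the original post): serve an sshd host key from a
# YubiKey 4 PIV slot via ssh-agent and the sshd_config HostKeyAgent directive.
#
# Assumed, not stated in the post: PIV key pair already on the token, OpenSC
# as the PKCS#11 provider, and the socket/file paths below (all hypothetical).
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
AGENT_SOCK="${AGENT_SOCK:-/run/sshd-hostkey-agent.sock}"
HOSTKEY_PUB="${HOSTKEY_PUB:-/etc/ssh/ssh_host_yubikey_key.pub}"
SSHD_DROPIN="${SSHD_DROPIN:-/etc/ssh/sshd_config.d/hostkey-agent.conf}"

# Pick exactly one public key line out of `ssh-add -L` output (stdin) by a
# substring of its comment field (typically the provider path for token keys;
# check your own `ssh-add -L` output) and print it as "type base64 name".
# Zero or several matches fail, so a token holding several PIV keys can never
# silently hand sshd the wrong one.
select_token_pubkey() {
    awk -v m="$1" -v n="$2" '
        index($0, m) { hits++; line = $1 " " $2 " " n }
        END { if (hits != 1) exit 1; print line }'
}

# Render the sshd_config fragment: HostKeyAgent names the agent socket, and
# HostKey points at a file holding only the public half. sshd loads that
# public key and asks the agent to sign with the matching private key.
render_sshd_dropin() {
    printf 'HostKeyAgent %s\nHostKey %s\n' "$1" "$2"
}

# Full procedure. Run as root on the server with the YubiKey inserted; sshd's
# privileged monitor is what talks to the agent, so the agent must be root's.
setup_hostkey_agent() {
    set -e
    # 1. A root-owned agent on a fixed socket path that sshd can find.
    ssh-agent -a "$AGENT_SOCK" >/dev/null
    export SSH_AUTH_SOCK="$AGENT_SOCK"
    # 2. Load the token's keys into the agent; this asks for the PIV PIN once.
    ssh-add -s "$PKCS11_MODULE"
    # 3. Export only the public half for sshd. The private key stays on the token.
    ssh-add -L | select_token_pubkey "$PKCS11_MODULE" "hostkey@$(hostname)" > "$HOSTKEY_PUB"
    chmod 0644 "$HOSTKEY_PUB"
    # 4. Point sshd at the agent and the public key, then syntax-check the config.
    render_sshd_dropin "$AGENT_SOCK" "$HOSTKEY_PUB" > "$SSHD_DROPIN"
    sshd -t
    # 5. After reloading sshd, confirm the advertised key is the token's:
    #    ssh-keyscan localhost | ssh-keygen -lf -   vs.   ssh-keygen -lf "$HOSTKEY_PUB"
}
```

Two practical caveats: the agent must be running before sshd starts signing (boot it from the same init unit, or sshd will log that it could not load the host key and offer only its other keys), and if the YubiKey is unplugged the agent's PKCS#11 session dies, so steps 2 and 3 must be repeated (`ssh-add -e "$PKCS11_MODULE"` then `ssh-add -s` again) rather than relying on the stale handle.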