Using a Yubikey as smartcard for SSH public key authentication

The public key is written to the file rsa.public

Alternatively (and probably the preferred method, see below) you can
generate a key (not protected with a passphrase) on your computer and
import it into the Yubikey. Import the certificate into the Yubikey:

yubico-piv-tool –key=key –pin-policy=once –touch-policy=always \
-a import-certificate -s 9a -i cert.pem

At this point, unplug the Yubikey, and put it back into the USB slot
again. Since
nobody can get at the ssh key thats in the Yubikey, a short pin will
be fine – at least that’s what the system promises.

Source: undeadly.org