Why does it require internet access? If you use a private key stored on your yubikey and a public key stored in your ssh configs, that shouldn't require internet access.

Because there is a Yubico server involved in the auth process. No internet access means you cannot authenticate.

Why is there a Yubico server involved? Why can't it use public and private keys? What does the Yubico server do?

Hopefully this isn't using Yubico OTP, which is phishable:

https://developers.yubico.com/OTP/

Two offline alternatives come immediately to mind.

1. Reconfigure pam_yubico to use local challenge-response auth instead of YubiCloud. The ykpamcfg(1) man page[1] explains how to do so.

2. Use pam_u2f to enable FIDO2/U2F auth. See, e.g.,

https://support.yubico.com/hc/en-us/articles/360016649099-Ub...

https://docs.fedoraproject.org/en-US/quick-docs/using-yubike...

Though on Fedora (and RHEL), I personally prefer authselect to hand-editing /etc/pam.d; in particular, authselect's "sssd" default profile includes optional U2F support:

    $ authselect show sssd | fgrep -C 2 u2f | sed -ne '/u2f/,$p'
    with-pam-u2f::
        Enable authentication via u2f dongle through *pam_u2f*.
    
    with-pam-u2f-2fa::
        Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
    
    without-pam-u2f-nouserok::
        Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
        *WARNING*: Omitting nouserok argument means that users without pam-u2f
        authentication configured will not be able to log in *INCLUDING* root.
        Make sure you are able to log in before losing root privileges.

[1] https://raw.githubusercontent.com/Yubico/yubico-pam/5719a2f8...

This is awesome, thanks. But would still like to keep the auth server separate to minimize the attack surface something like the now deprecated [1].

[1] https://github.com/scumjr/yubikeyedup