- YubiKey 5C NFC
- macOS Monterey 12.2.1
For in-depth details on how to set up a YubiKey for SSH on a Mac, see:
- https://florin.myip.org/blog/easy-multifactor-authentication-ssh-using-yubikey-neo-tokens
- https://gist.github.com/ixdy/6fdd1ecea5d17479a6b4dab4fe1c17eb
- Install `gnupg` via Homebrew.
- Update the YubiKey settings and generate a key pair:
```
# use gpg to edit the YubiKey's OpenPGP applet
gpg --card-edit
# enter admin mode
> admin
# change the default (insecure) PINs
> passwd
# choose "1" to change the user PIN; the factory default is 123456
> 1
# after the user PIN has been changed, choose "3" to change the admin PIN;
# the factory default is 12345678
> 3
# then quit the passwd menu
> Q
# change the key attributes from the default values
> key-attr
# for each of the three keys (signature, encryption, authentication),
# select "1" for RSA and 4096 for the key size
# finally, generate a new key pair on the card
> generate
# follow the prompts to generate the keys
# then quit
> quit
```
- Add the following lines to `~/.gnupg/gpg-agent.conf`:

```
enable-ssh-support
# cache lifetimes are in seconds
default-cache-ttl 60
max-cache-ttl 120
```
- Add the following lines to `~/.zprofile`:

```sh
export GPG_TTY="$(tty)"
# make gpg-agent the SSH agent for this session
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
```
- Run `ssh-add -L` to export the public key.
- To require a touch on the YubiKey for SSH auth, first install the YubiKey Manager CLI:

```sh
brew install ykman
```
- Then turn the touch policy on (the authentication key, `aut`, is the one SSH uses):

```sh
ykman openpgp touch aut on
ykman openpgp touch enc on
ykman openpgp touch sig on
```
- Add the following aliases, so gpg-agent's pinentry is pointed at the current terminal before each call:

```sh
alias ssh="gpg-connect-agent updatestartuptty /bye > /dev/null; ssh"
alias scp="gpg-connect-agent updatestartuptty /bye > /dev/null; scp"
```
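To confirm the chain above is actually wired up (gpg-agent is the SSH agent, and the key `ssh-add -L` exports really comes from the card), here is a small check script. It is an added example, not part of the original notes; the script name `check-yubikey-ssh.sh` and the constructed sample inputs are assumptions.

```sh
#!/bin/sh
# Sanity check for the gpg-agent-as-SSH-agent setup (added example).
# Functions take their inputs as arguments so they can be exercised offline;
# run_checks wires them to the live commands.

# Succeeds if SSH_AUTH_SOCK points at gpg-agent's SSH socket. On macOS the
# usual failure is SSH_AUTH_SOCK still pointing at the launchd ssh-agent
# socket (/private/tmp/com.apple.launchd.*/Listeners), in which case the
# card key never shows up in `ssh-add -L`.
agent_is_gpg() {
  # $1 = $SSH_AUTH_SOCK, $2 = output of `gpgconf --list-dirs agent-ssh-socket`
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print only the public keys in `ssh-add -L` output that live on an OpenPGP
# card: gpg-agent tags those with a "cardno:<serial>" comment (third field).
card_keys() {
  # $1 = output of `ssh-add -L`
  printf '%s\n' "$1" | awk '$3 ~ /^cardno:/ { print }'
}

# Succeeds if gpg-agent.conf enables SSH support (commented-out lines ignored).
ssh_support_enabled() {
  # $1 = path to gpg-agent.conf
  grep -Eq '^[[:space:]]*enable-ssh-support' "$1"
}

run_checks() {
  conf="${HOME}/.gnupg/gpg-agent.conf"
  ssh_support_enabled "$conf" \
    || { echo "enable-ssh-support missing in $conf"; return 1; }
  agent_is_gpg "${SSH_AUTH_SOCK:-}" "$(gpgconf --list-dirs agent-ssh-socket)" \
    || { echo "SSH_AUTH_SOCK does not point at gpg-agent (is ~/.zprofile loaded?)"; return 1; }
  keys="$(card_keys "$(ssh-add -L 2>/dev/null)")"
  [ -n "$keys" ] \
    || { echo "no cardno: key in ssh-add -L output (is the YubiKey plugged in?)"; return 1; }
  echo "OK: card-backed SSH key(s):"
  echo "$keys"
}

# Run the live checks only when invoked as a script, not when sourced.
case "$0" in *check-yubikey-ssh.sh) run_checks ;; esac
```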
See this Stack Overflow post on how to set up gpg commit signing with pinentry and configure git: https://stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0