- yubikey 5C NFC
- macOS Monterey 12.2.1
For in depth details on how to set up a Yubikey for SSH on a mac, check out the following:
- https://florin.myip.org/blog/easy-multifactor-authentication-ssh-using-yubikey-neo-tokens
- https://gist.github.com/ixdy/6fdd1ecea5d17479a6b4dab4fe1c17eb
- Install
gnupgvia homebrew. - Update yubikey settings and generate a key pair:
# use gpg to edit the yubikey
gpg --card-edit
# enter the admin mode
> admin
# change the default (insecure) PIN code
> passwd
# follow the instructions to change the main PIN
# the default value is 123456
> 1
# after the main PIN has been changed, change the admin PIN
# the default value is 12345678
> 3
# then quit
> Q
# update the key attributes from the default values
> key-attr
# for each key, select "1" for RSA and 4096 for key size
# finally, generate a new key
> generate
# follow the instructions to generate a new key
# then quit
> quit
- Add the following lines to
~/.gnupg/gpg-agent.conf:
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
- Add the following lines to
~/.zprofile:
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
-
Run
ssh-add -Lto export the public key. -
To enable requiring touch to use yubikey for SSH auth, you must first install the yubikey manager cli:
brew install ykman -
To require touch to use yubikey for SSH auth:
ykman openpgp touch aut on
ykman openpgp touch enc on
ykman openpgp touch sig on
- Add the following aliases:
alias ssh="gpg-connect-agent updatestartuptty /bye > /dev/null; ssh"
alias scp="gpg-connect-agent updatestartuptty /bye > /dev/null; scp"
To renew keys:
Remember to update
~/.gitconfigwith the new gpg signing key.Contents of
~/.gnupg/gpg-agent.conf: