@somm15
Created October 27, 2018 09:44
# SSH PIV with Yubikey and PKCS11 can be challenging
#
# brew install openssh
# Add the two lines from below to ~/.bash_profile
# ssh-agent or yubinit
#
# Many people get "agent refused operation"
# You can find many solutions online, advising to delete the symlinks and create hard copies of the files
# This is a bad idea
#
# The problem is that macOS starts ssh-agent on demand
# This is defined in the file com.openssh.ssh-agent (/System/Library/LaunchAgents/com.openssh.ssh-agent.plist)
# It does not include the option to whitelist the locations for opensc or libykcs11
# Other articles advise to alter that file, but it requires disabling System Integrity Protection (I don't like that either)
#
# My suggestion is to prevent the on-demand start of the built-in "ssh-agent" by exporting a null SSH_AUTH_SOCK
# Then create an alias for your ssh-agent
# I also created the yubinit alias to start a proper ssh-agent and add the Yubikey PIV
# Note that it requires the homebrew ssh if you don't modify it
#
# Another article suggests creating another service for the homebrew ssh (https://www.packetmischief.ca/2016/09/06/ssh-agent-on-os-x/)
alias ssh-agent='export OPENSC_LIBS=$(brew --prefix opensc)/lib;export SSH_AUTH_SOCK="";eval $(/usr/local/bin/ssh-agent -s -P /usr/local/lib/*,/usr/local/Cellar/opensc/*/lib/*.so,/usr/local/opt/opensc/lib/*.so,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib)'
alias yubinit='export SSH_AUTH_SOCK="";eval $(/usr/local/bin/ssh-agent -s -P /usr/local/lib/*,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib);ssh-add -s /usr/local/lib/libykcs11.dylib'
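Added example, not part of the gist: a POSIX shell check that tests the PKCS#11 provider path against the -P pattern list before ssh-add -s is called, so a path the whitelist does not cover is reported locally instead of surfacing as "agent refused operation". It assumes the same Homebrew paths as the aliases above; the aliases whitelist both the /usr/local/lib symlink and its Cellar target, so the check tries both the given path and its resolved target.

```shell
# Added example, not part of the gist. Assumes the Homebrew paths used by the
# aliases above; the -P pattern list is matched with shell globs, which
# approximate OpenSSH's own pattern matcher (* and ? wildcards).

# provider_allowed PATH PATTERNS
# Returns 0 if PATH matches at least one comma-separated pattern, else 1.
provider_allowed() {
    _path=$1
    _old_ifs=$IFS
    IFS=,
    for _pat in $2; do
        case $_path in
            $_pat) IFS=$_old_ifs; return 0 ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# check_provider LIB PATTERNS
# Checks LIB as given and, when the link can be resolved, its target too:
# /usr/local/lib/libykcs11.dylib is a Homebrew symlink into the Cellar, and
# the aliases above whitelist both locations.
check_provider() {
    _lib=$1
    _allow=$2
    # BSD readlink may lack -f; fall back to the path as given
    _real=$(readlink -f "$_lib" 2>/dev/null) || _real=$_lib
    for _p in "$_lib" "$_real"; do
        if ! provider_allowed "$_p" "$_allow"; then
            printf 'not covered by the -P whitelist: %s\n' "$_p" >&2
            return 1
        fi
    done
    return 0
}

# yubinit: the same steps as the alias above, with the check run first so a
# whitelist mismatch is reported before the agent is started.
yubinit() {
    _lib=${1:-/usr/local/lib/libykcs11.dylib}
    _allow='/usr/local/lib/*,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib'
    check_provider "$_lib" "$_allow" || return 1
    export SSH_AUTH_SOCK=""   # keep launchd from starting the system agent
    eval "$(/usr/local/bin/ssh-agent -s -P "$_allow")" &&
        ssh-add -s "$_lib" &&
        ssh-add -L            # list the PIV key to confirm it is loaded
}
```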