Created October 27, 2018 09:44
# SSH PIV with Yubikey and PKCS11 can be challenging
#
# brew install openssh
# Add the two lines below to ~/.bash_profile
# ssh-agent or yubinit
#
# Many people get "agent refused operation"
# You can find many solutions online advising to delete the symlink and create hard copies of the files
# This is a bad idea
#
# The problem is that macOS starts ssh-agent on demand
# This is defined in the file com.openssh.ssh-agent (/System/Library/LaunchAgents/com.openssh.ssh-agent.plist)
# It does not include the options to whitelist the locations for opensc or libykcs11
# Other articles advise to alter that file, but that requires disabling System Integrity Protection (I don't like that either)
#
# My suggestion is to prevent the on-demand start of the built-in "ssh-agent" by exporting an empty SSH_AUTH_SOCK
# Then create an alias for your ssh-agent
# I also created the yubinit alias to start a proper ssh-agent and add the yubikey piv
# Note that it requires the homebrew ssh if you don't modify it
#
# Another article suggests creating another service for the homebrew ssh (https://www.packetmischief.ca/2016/09/06/ssh-agent-on-os-x/)
#
# The -P allow-list is quoted so the shell does not try to glob-expand the patterns itself; ssh-agent matches them
alias ssh-agent='export OPENSC_LIBS=$(brew --prefix opensc)/lib; export SSH_AUTH_SOCK=""; eval `/usr/local/bin/ssh-agent -s -P "/usr/local/lib/*,/usr/local/Cellar/opensc/*/lib/*.so,/usr/local/opt/opensc/lib/*.so,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib"`'
alias yubinit='export SSH_AUTH_SOCK=""; eval `/usr/local/bin/ssh-agent -s -P "/usr/local/lib/*,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib"`; ssh-add -s /usr/local/lib/libykcs11.dylib'
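As an added example (not part of the gist), the sh script below mimics the check that produces "agent refused operation": ssh-agent resolves the provider library to its real, symlink-free path and only accepts it if that path matches one pattern of the comma-separated -P allow-list. It builds a constructed Homebrew-like layout under a temp dir (a real file under Cellar and a symlink in lib/); the glob matching via `case` is an approximation of OpenSSH's pattern matching, and it assumes realpath(1) or readlink -f is available.

```shell
#!/bin/sh
# Added example, not part of the gist: mimic the check ssh-agent applies to a
# PKCS#11 provider passed with "ssh-add -s". The agent resolves the provider to
# its real path and matches that against the "-P" allow-list, so a symlink in
# lib/ pointing into Cellar/ is refused unless the Cellar location is allowed
# too (hence the gist's long -P list). "case" globbing approximates OpenSSH.

# Resolve symlinks with realpath(1) or, failing that, readlink -f.
canonical_path() {
    if command -v realpath >/dev/null 2>&1; then
        realpath "$1"
    else
        readlink -f "$1"
    fi
}

# provider_allowed PROVIDER ALLOWLIST: returns 0 and prints the matching
# pattern if the resolved provider path matches any pattern, else returns 1.
provider_allowed() {
    canon=$(canonical_path "$1") || return 1
    set -f                      # no pathname expansion while splitting the list
    oldifs=$IFS; IFS=,
    for pat in $2; do
        case $canon in
            $pat) IFS=$oldifs; set +f
                  echo "allowed: $canon matches $pat"; return 0 ;;
        esac
    done
    IFS=$oldifs; set +f
    echo "refused: $canon matches none of $2"
    return 1
}

# Constructed layout mirroring a Homebrew install: the real library lives under
# Cellar and lib/ holds only a symlink to it. Prints the canonical root dir.
demo_layout() {
    root=$(canonical_path "$(mktemp -d)")
    mkdir -p "$root/Cellar/yubico-piv-tool/2.0.0/lib" "$root/lib"
    : > "$root/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.dylib"
    ln -s "$root/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.dylib" "$root/lib/libykcs11.dylib"
    echo "$root"
}

demo=$(demo_layout)
# Allowing only lib/ refuses the symlinked provider; adding the Cellar pattern allows it.
provider_allowed "$demo/lib/libykcs11.dylib" "$demo/lib/*" || :
provider_allowed "$demo/lib/libykcs11.dylib" "$demo/lib/*,$demo/Cellar/yubico-piv-tool/*/lib/*.dylib" || :
rm -rf "$demo"
```

The same reasoning explains why copying the library into /usr/local/lib "works": the copy's real path then lies inside the default allow-list, at the cost of a stale copy that no longer follows Homebrew upgrades.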