@tuxity
Last active January 16, 2024 07:45
Generate an SSH key

Newer standards recommend ed25519 over RSA, as it tends to be faster and is expected to stay secure for longer.

Without security key

ssh-keygen -t ed25519 -C your@email.com

With a security key

ssh-keygen -t ed25519-sk -O resident -C your@email.com

-O resident stores the key on the security key itself, using the FIDO implementation in OpenSSH > 8.2. You can easily import the key from the security key when needed with ssh-keygen -K or ssh-add -K.

Note: run Git Bash (Cygwin) and WSL2 with Administrator privileges so they can detect the security key.

Note 2: I recommend setting a passphrase on your key for more safety.
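As an added example (my code, not part of the gist), here is a small Python inspector for the keys ssh-keygen produces: it parses a .pub line, checks that the type name inside the base64 blob matches the prefix on the line, computes the SHA256 fingerprint the way ssh-keygen -l does, reports whether the key is an ed25519-sk key (those carry an extra "application" string, normally "ssh:"), and reads the header of a private key file to tell whether a passphrase actually protects it (cipher and KDF other than "none"). The sample keys and the helper names (inspect_public_key, private_key_is_encrypted, make_pub_line, make_private_key_pem) are constructed placeholders, not real key material.

```python
import base64
import hashlib
import struct

# Key types this gist talks about. The "-sk" (security key) variants embed an
# extra "application" string, normally "ssh:", after the public key bytes.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
PEM_HEAD = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def inspect_public_key(line):
    """Parse one line of a .pub / authorized_keys file and describe the key."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    outer_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    # The type name inside the blob must match the prefix on the line; a
    # mismatch means the line was mis-assembled or tampered with.
    if inner_type.decode() != outer_type:
        raise ValueError(f"type mismatch: {outer_type!r} vs {inner_type!r}")
    key_bytes, off = _read_string(blob, off)
    application = None
    if outer_type in SK_TYPES:
        application, off = _read_string(blob, off)
    # `ssh-keygen -l` prints SHA256 of the whole blob, base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": outer_type,
        "security_key": outer_type in SK_TYPES,
        "application": application.decode() if application is not None else None,
        "key_length": len(key_bytes),
        "fingerprint": "SHA256:" + digest,
        "comment": " ".join(fields[2:]) or None,
    }


def private_key_is_encrypted(pem):
    """True if an openssh-key-v1 private key file is passphrase-protected.
    Only the header (magic, ciphername, kdfname) is read; no secret is decoded."""
    body = pem.strip()
    if not (body.startswith(PEM_HEAD) and body.endswith(PEM_TAIL)):
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode(b"".join(body[len(PEM_HEAD):-len(PEM_TAIL)].split()))
    if not blob.startswith(MAGIC):
        raise ValueError("unsupported private key format")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher != b"none" and kdf != b"none"


# --- Constructed sample input (placeholders, not real keys) -----------------
FAKE_POINT = bytes(range(32))  # 32 arbitrary bytes standing in for an Ed25519 point


def make_pub_line(key_type, key_bytes, application=None, comment=""):
    """Assemble a .pub line the way ssh-keygen lays it out (used to build samples)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    if application is not None:
        blob += _ssh_string(application)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


def make_private_key_pem(cipher, kdf):
    """Build only the header of an openssh-key-v1 file; enough for the check above."""
    b64 = base64.b64encode(MAGIC + _ssh_string(cipher) + _ssh_string(kdf))
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([PEM_HEAD, *lines, PEM_TAIL]) + b"\n"


SAMPLE_ED25519 = make_pub_line("ssh-ed25519", FAKE_POINT, comment="your@email.com")
SAMPLE_ED25519_SK = make_pub_line("sk-ssh-ed25519@openssh.com", FAKE_POINT, b"ssh:", "your@email.com")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_ED25519_SK):
        print(inspect_public_key(sample))
    print("encrypted:", private_key_is_encrypted(make_private_key_pem(b"aes256-ctr", b"bcrypt")))
    print("encrypted:", private_key_is_encrypted(make_private_key_pem(b"none", b"none")))
```

Run it against a real ~/.ssh/id_ed25519.pub by passing the file's first line to inspect_public_key; the fingerprint it prints must match ssh-keygen -l -f on the same file, and private_key_is_encrypted on the matching private key file tells you whether Note 2 was followed.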

SSH agent to remember the key

Windows

Git Bash

In ~/.profile or ~/.bashrc

env=~/.ssh/agent.env

agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }

agent_start () {
    (umask 077; ssh-agent >| "$env")
    . "$env" >| /dev/null ; }

agent_load_env

# agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2=agent not running
agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)

if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
    agent_start
# NOTE: Uncomment if you want to load the key when opening new term
#    ssh-add
#elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
#    ssh-add
fi

unset env

From the GitHub docs

Since I have a passphrase, I personally prefer to load the key into the agent manually, or the first time I use it.

To do so, add at the top of .ssh/config:

Host *
  AddKeysToAgent yes

WSL 2

WSL doesn't have access to the security key because of libusb (see #2195), so we have to tell OpenSSH to use an extra DLL on Windows.

For that, download and install openssh-sk-winhello into your Git Bash folder C:\Program Files\Git\usr\lib\

Copy the missing libraries from C:\Program Files\Git\usr\bin\ into C:\Program Files\Git\usr\lib\ssh\:

msys-2.0.dll
msys-cbor-0.8.dll
msys-crypto-1.1.dll
msys-fido2-1.dll
msys-gcc_s-seh-1.dll
msys-z.dll

Copy winhello.dll into your WSL2 Linux filesystem, so that ssh-agent does not refuse to load it: by default ssh-agent only accepts provider libraries from paths under /usr/lib* and /usr/local/lib* (the -P allow-list in ssh-agent(1)), and a path on the Windows drive is outside the machine:

cp /mnt/c/Program\ Files/Git/usr/lib/winhello.dll /usr/local/lib/

In your .bashrc:

export SSH_SK_HELPER=/mnt/c/Program\ Files/Git/usr/lib/ssh/ssh-sk-helper.exe
export SSH_SK_PROVIDER=/usr/local/lib/winhello.dll

if [ ! -S ~/.ssh/agent.sock ] ; then
    eval $(ssh-agent -s -a ~/.ssh/agent.sock) > /dev/null
fi

In .ssh/config:

Host *
  AddKeysToAgent yes

And since loading resident keys is not yet supported, you have to manually copy your -sk keys into ~/.ssh/, and don't forget to chmod 600 the private key.
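As an added example (my code, not the gist's), a small Python self-check for this WSL2 setup: it tests whether a provider path would pass ssh-agent's default allow-list for FIDO middleware libraries (the -P pattern list documented in ssh-agent(1), which is why the DLL has to live under /usr/local/lib/ rather than /mnt/c/...), and audits a directory of copied -sk keys for the chmod 600 requirement. The function names, the demo directory and its file contents are constructed placeholders.

```python
import fnmatch
import os
import stat
import tempfile

# Default allow-list for FIDO provider libraries, from ssh-agent(1) (-P option).
# In OpenSSH patterns '*' also matches '/', which fnmatch reproduces.
DEFAULT_ALLOWED_PROVIDERS = ("/usr/lib*/*", "/usr/local/lib*/*")
PEM_HEAD = b"-----BEGIN OPENSSH PRIVATE KEY-----"


def provider_allowed(path, patterns=DEFAULT_ALLOWED_PROVIDERS):
    """True if ssh-agent's allow-list would accept this provider library path.
    A DLL left under /mnt/c/... (the Windows drive) never matches the defaults."""
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def private_key_findings(path):
    """List the reasons a copied private key would be rejected or is risky."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} is group/world accessible; run chmod 600")
    with open(path, "rb") as fh:
        if not fh.read(len(PEM_HEAD)).startswith(PEM_HEAD):
            findings.append("not an OpenSSH private key file")
    return findings


def audit_ssh_dir(directory):
    """Check every private key in a directory (any file with a '.pub' sibling).
    Returns {name: {"security_key": bool, "findings": [...]}}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        priv = os.path.join(directory, name)
        pub = priv + ".pub"
        if name.endswith(".pub") or not os.path.isfile(pub):
            continue
        with open(pub) as fh:
            first = fh.readline().split()
        key_type = first[0] if first else ""
        results[name] = {
            # sk-ssh-ed25519@openssh.com / sk-ecdsa-... are the security-key types
            "security_key": key_type.startswith("sk-"),
            "findings": private_key_findings(priv),
        }
    return results


def build_demo_dir():
    """Constructed ~/.ssh look-alike: one key copied correctly, one left at 0644.
    File contents are placeholders, not real key material."""
    d = tempfile.mkdtemp()
    for name, mode in (("id_ed25519_sk", 0o600), ("id_ed25519_sk_copy", 0o644)):
        priv = os.path.join(d, name)
        with open(priv, "wb") as fh:
            fh.write(PEM_HEAD + b"\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(priv, mode)
        with open(priv + ".pub", "w") as fh:
            fh.write("sk-ssh-ed25519@openssh.com PLACEHOLDER your@email.com\n")
    return d


if __name__ == "__main__":
    provider = os.environ.get("SSH_SK_PROVIDER", "/usr/local/lib/winhello.dll")
    print("provider allowed:", provider_allowed(provider))
    for name, info in audit_ssh_dir(build_demo_dir()).items():
        print(name, info)
```

Point audit_ssh_dir at the real ~/.ssh after copying the -sk keys over; any entry with a non-empty findings list is a key ssh will refuse to use (or one that should not be readable by other users), and provider_allowed on the value of SSH_SK_PROVIDER confirms the DLL is at a path the agent will accept before you start chasing "provider refused" errors.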

Extra: desktop shortcut to launch Windows Terminal as Administrator


macOS

Install the latest OpenSSH version (> 8.2) with Homebrew:

brew install openssh

Disable the default macOS ssh-agent for your user:

launchctl disable user/$UID/com.openssh.ssh-agent

Create ~/Library/LaunchAgents/com.openssh.brew.ssh-agent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.openssh.brew.ssh-agent</string>
        <key>ProgramArguments</key>
        <array>
                <string>bash</string>
                <string>-c</string>
                <string>/opt/homebrew/bin/ssh-agent -D -a ~/.ssh/agent.sock</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>

And load it:

launchctl load -w ~/Library/LaunchAgents/com.openssh.brew.ssh-agent.plist

In .bash_profile:

export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"

In .ssh/config (IgnoreUnknown keeps the Homebrew OpenSSH, which does not know Apple's UseKeychain option, from rejecting the file):

Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
  AddKeysToAgent yes