Saturday December 9 2023

Setting up FIDO2-backed SSH keys on macOS

After a recent re-install I had to go through this process again; figuring it out is the most tedious part. Once you know what to do it’s not so bad.

Install Homebrew

Then install openssh (even on macOS Sonoma, Apple’s bundled SSH ships with the FIDO2 security-key support disabled):

$ brew install openssh

Then set up ssh-askpass:

$ brew install theseal/ssh-askpass/ssh-askpass

Update your zsh (or other shell) configuration so that the environment variable is exported:

export SSH_ASKPASS=ssh-askpass

Then add the following snippet below the environment variable export:

#shellcheck disable=SC2120
checkSSHAgent() {
	# Cache file for the agent environment; the post never shows it being set, so this default is assumed.
	ssh_agent_conf="${ssh_agent_conf:-$HOME/.ssh/ssh-agent.conf}"
	# checkSSHAgent -k kills any running agent so that a fresh one is started below.
	if [ "$1" = "-k" ] ; then
		pkill -9 ssh-agent
	fi
	# Load the cached agent environment (SSH_AUTH_SOCK, SSH_AGENT_PID), if there is one.
	if [ -e "$ssh_agent_conf" ] ; then
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
	# Start a new agent if the cache is missing, empty, or names a PID that is no longer running.
	#shellcheck disable=SC2009
	if [ -z "$SSH_AGENT_PID" ] \
		|| ! [ -e "$ssh_agent_conf" ] \
		|| ! ps aux | awk '{print $2}' | grep -qx "$SSH_AGENT_PID" ; then
		# Keep only the export lines; drop ssh-agent's "echo Agent pid ..." line.
		ssh-agent -s | grep -v echo > "$ssh_agent_conf"
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
}

# Invoke it on every shell start (the call is added here; the snippet is useless without one).
checkSSHAgent


I prefer to use the above shell function, which is more aggressive about checking that the agent is running, rather than relying on it being started at login and the environment variables being inherited correctly.

With that done, you should be able to open a new terminal and have SSH working with your YubiKeys, along with the pop-up window that tells you when to tap the key.
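A quick way to confirm each piece is in place before blaming the key. This is an added check script, not code from the post; it assumes Homebrew’s prefix is /opt/homebrew (Apple silicon) or /usr/local (Intel) and that checkSSHAgent caches the agent environment in $HOME/.ssh/ssh-agent.conf unless ssh_agent_conf says otherwise.

```shell
#!/bin/sh
# Sanity checks for the setup above (added example, not from the post).
# Assumes Homebrew lives under /opt/homebrew or /usr/local, and that the agent
# cache written by checkSSHAgent is $ssh_agent_conf (assumed default below).

# Is the ssh first on PATH the Homebrew build rather than Apple's bundled one?
# Takes an explicit path as $1 (handy for testing); otherwise uses `command -v ssh`.
ssh_is_homebrew() {
	ssh_path="${1:-}"
	[ -n "$ssh_path" ] || ssh_path="$(command -v ssh || true)"
	case "$ssh_path" in
		/opt/homebrew/*|/usr/local/*) return 0 ;;
		*) return 1 ;;
	esac
}

# Reads `ssh -Q key` output on stdin; succeeds if a FIDO2 (sk-*) key type is listed.
# Apple's bundled ssh omits them, which is why the post installs openssh from brew.
has_sk_key_types() { grep -q '^sk-'; }
ssh_supports_sk() { ssh -Q key 2>/dev/null | has_sk_key_types; }

# SSH_ASKPASS must be set and resolve to an executable, or there is no tap pop-up.
askpass_ok() { [ -n "${SSH_ASKPASS:-}" ] && command -v "$SSH_ASKPASS" >/dev/null 2>&1; }

# Does the agent cache file ($1) still describe a live agent? Sources the file,
# so SSH_AUTH_SOCK and SSH_AGENT_PID end up in the caller's shell, as in the post.
agent_conf_ok() {
	[ -r "$1" ] || return 1
	# shellcheck disable=SC1090
	. "$1"
	[ -S "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ] \
		&& kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Prints one line per check and returns non-zero if any check failed.
rc=0
check() { desc="$1"; shift; if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi; }
run_checks() {
	rc=0
	check "ssh on PATH is the Homebrew build" ssh_is_homebrew
	check "ssh -Q key lists sk-* (FIDO2) key types" ssh_supports_sk
	check "SSH_ASKPASS is set and executable" askpass_ok
	check "agent cache points at a live agent" agent_conf_ok "${ssh_agent_conf:-$HOME/.ssh/ssh-agent.conf}"
	return "$rc"
}

# Only run when executed as a script (save it as check-ssh-setup.sh), not when sourced.
if [ "${0##*/}" = "check-ssh-setup.sh" ]; then run_checks; fi
```

Run it from a fresh terminal after the shell configuration has been reloaded, since the checks look at the environment the new shell actually inherited.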