Saturday December 9 2023

Setting up FIDO2 backed SSH keys on macOS

After a recent re-install I had to go through this process again. Figuring it out is the most tedious part; once you know what to do it's not so bad.

Install Homebrew

Then install openssh. Apple ships the bundled OpenSSH without security-key (FIDO2) support, even on macOS Sonoma, so the ecdsa-sk and ed25519-sk key types do not work with /usr/bin/ssh. Make sure Homebrew's bin directory comes before /usr/bin in your PATH, otherwise the system binaries still win.

$ brew install openssh

Then set up ssh-askpass, which provides the pop-up that prompts you to touch the key:

$ brew install theseal/ssh-askpass/ssh-askpass

Update your zsh (or other shell) configuration so these environment variables are exported. SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4 and later) makes ssh use the askpass program even when it has a terminal attached, which is what produces the "tap your key" pop-up:

export SSH_ASKPASS=ssh-askpass
export SSH_ASKPASS_REQUIRE=force

Then add the following snippet below the environment variables:

#shellcheck disable=SC2120
checkSSHAgent() {
	# Pass -k to kill any running agent and start a fresh one.
	if [ "$1" = "-k" ] ; then
		pkill -9 ssh-agent
	fi

	ssh_agent_conf="$HOME/.ssh/agent"
	if [ -e "$ssh_agent_conf" ] ; then
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
	# Start a new agent unless the saved PID is a live ssh-agent process
	# and its socket still exists. A stale file from a previous boot can
	# name a PID that now belongs to an unrelated process, so check the
	# command name rather than grepping the PID out of ps output.
	if ! [ -e "$ssh_agent_conf" ] \
		|| [ -z "$SSH_AGENT_PID" ] \
		|| ! [ -S "$SSH_AUTH_SOCK" ] \
		|| ! ps -p "$SSH_AGENT_PID" -o comm= 2>/dev/null | grep -q 'ssh-agent' ; \
	then
		# Subshell so the restrictive umask only applies to writing this file.
		( umask 077; ssh-agent -s | grep -v echo > "$ssh_agent_conf" )
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
}

checkSSHAgent

I prefer the shell function above because it is more aggressive about checking that the agent is actually running, rather than relying on it being started at login and the environment variables being inherited correctly. It also means the agent that gets started is whichever ssh-agent is first in your PATH, which should be Homebrew's.

With that done, you should be able to open a new terminal and have SSH working with the YubiKeys, along with the pop-up window telling you when to tap the key.
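As an added check, not part of the original post, here is a small script that verifies the pieces above are in place: that every ssh tool resolves to Homebrew's copy, that the OpenSSH version is new enough for security keys and SSH_ASKPASS_REQUIRE, that the variable is exported, and how many FIDO2-backed keys the running agent holds. It can also generate a security-key-backed key with the standard ssh-keygen flags. The Homebrew path lookup via `brew --prefix` (falling back to /opt/homebrew), the key path ~/.ssh/id_ed25519_sk and the `check`/`keygen` subcommands are this script's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Homebrew
# OpenSSH + FIDO2 setup, and optionally generate a security-key-backed key.
#
# Assumptions: Homebrew's bin dir is "$(brew --prefix)/bin" (falls back to
# /opt/homebrew/bin when brew isn't on PATH); the key path and the
# "check"/"keygen" subcommands are this script's own choices.
BREW_BIN="${BREW_BIN:-$(brew --prefix 2>/dev/null || echo /opt/homebrew)/bin}"
SK_KEY="${SK_KEY:-$HOME/.ssh/id_ed25519_sk}"

# Print "major.minor" from `ssh -V` output, e.g.
# "OpenSSH_9.4p1, LibreSSL 3.3.6" -> "9.4". Prints nothing if unparseable.
sshVersion() {
	printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# versionAtLeast HAVE WANT: succeed if HAVE >= WANT (major, then minor).
versionAtLeast() {
	have=${1:-0.0}; want=${2:-0.0}
	[ "${have%%.*}" -gt "${want%%.*}" ] \
		|| { [ "${have%%.*}" -eq "${want%%.*}" ] && [ "${have#*.}" -ge "${want#*.}" ]; }
}

# Succeed if a public-key line (as printed by `ssh-add -L`) is a FIDO2 key type.
isSkKey() {
	case "$1" in
		sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *) return 0 ;;
		*) return 1 ;;
	esac
}

checkSetup() {
	# The bundled /usr/bin binaries lack security-key support, so every
	# ssh tool must resolve to Homebrew's copy.
	for tool in ssh ssh-agent ssh-keygen ssh-add; do
		path=$(command -v "$tool" 2>/dev/null || echo missing)
		case "$path" in
			"$BREW_BIN"/*) echo "ok   $tool -> $path" ;;
			*) echo "WARN $tool -> $path (put $BREW_BIN first in PATH)" ;;
		esac
	done
	v=$(sshVersion "$(ssh -V 2>&1)")
	if versionAtLeast "$v" 8.4; then
		echo "ok   OpenSSH $v (sk keys need 8.2+, SSH_ASKPASS_REQUIRE needs 8.4+)"
	else
		echo "WARN OpenSSH ${v:-unknown} is too old for this setup"
	fi
	[ "${SSH_ASKPASS_REQUIRE:-}" = force ] \
		&& echo "ok   SSH_ASKPASS_REQUIRE=force" \
		|| echo "WARN SSH_ASKPASS_REQUIRE is not 'force'; no tap-the-key pop-up"
	loaded=$(ssh-add -L 2>/dev/null | { n=0; while IFS= read -r l; do isSkKey "$l" && n=$((n+1)); done; echo "$n"; })
	echo "info $loaded FIDO2-backed key(s) currently loaded in the agent"
}

# Generate a FIDO2-backed key. -O verify-required makes every signature
# need both a touch and the token's PIN. Run with the YubiKey plugged in.
generateSkKey() {
	ssh-keygen -t ed25519-sk -O verify-required -f "$SK_KEY" \
		&& ssh-add "$SK_KEY"
}

case "${1:-check}" in
	check) checkSetup ;;
	keygen) generateSkKey ;;
	*) echo "usage: $0 [check|keygen]" ;;
esac
```

Run it with no arguments from a fresh terminal after the shell configuration has been sourced; any WARN line points at the step above that was skipped. `keygen` is deliberately separate so the check can run without a token present. Drop `-O verify-required` if you only want a touch and no PIN on each use.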