Setup SSH (macOS, YubiKey FIDO)

ssh.bash

# Moved to https://github.com/hyunbinseo/blog/blob/master/posts/setup-ssh.md

### Preparation ###############################################################

# macOS bundled OpenSSH does not support FIDO.
# https://developer.apple.com/forums/thread/698683
# https://github.com/apple-oss-distributions/OpenSSH/pull/1

brew install openssh

ssh -V
# OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023

which ssh
# /opt/homebrew/bin/ssh


### Should You Set a Passphrase ###############################################

# SSH agent - which can store the key's passphrase - is not persistent.
# Therefore, on every boot, the keys should be re-added to the agent.

# The SSH agent included in the macOS 13 does support passphrase saving.
# However, it is not compatible with *-sk type keys. (e.g. ed25519-sk)

which ssh-agent
# /opt/homebrew/bin/ssh-agent

# The homebrew SSH agent does not support passphrase saving in macOS.
# The passphrase is required every time the key is added to the agent.
# To avoid this, do not set passphrase when generating a new SSH key.


### Generate New Key ##########################################################

# Paste the text below, substituting in your GitHub email address.
# https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
ssh-keygen -t ed25519-sk -C "[email protected]"

# Generating public/private ed25519-sk key pair.
# You may need to touch your authenticator to authorize key generation.

# Enter PIN for authenticator:
# You may need to touch your authenticator again to authorize key generation.
# Enter file in which to save the key
# Enter passphrase (empty for no passphrase):
# Enter same passphrase again:

# Your identification has been saved in /Users/?/.ssh/id_ed25519_sk
# Your public key has been saved in /Users/?/.ssh/id_ed25519_sk.pub


### Add Keys to Local SSH Agent ###############################################

eval "$(ssh-agent -s)"
# > Agent pid 59566

ssh-add ~/.ssh/id_ed25519_sk # Should match the filename printed above.

# Enter passphrase for /Users/?/.ssh/id_ed25519_sk:
# Identity added: /Users/?/.ssh/id_ed25519_sk (?)

# The following error can occur if the SSH agent is not running.
# Could not add identity "/Users/?/.ssh/id_ed25519_sk": agent refused operation

ssh-add -l
# 256 SHA256:? ? (ED25519-SK) # Should match the entered type. (-t flag)


### Add Authorized Public Keys to the Server ##################################

# Option 1: On a local machine
ssh-copy-id username@host

# Option 2: On the server
nano ~/.ssh/authorized_keys


# Disable password authentication
sudo nano /etc/ssh/sshd_config

# Set password authentication to no.
# Remove the leading # if exists.

# PasswordAuthentication no


### Access the Server Using the SSH Agent #####################################

ssh username@host # Touch the blinking YubiKey.

# When there are multiple authorized keys in the server,
# and if the first public key's YubiKey is not connected,
# the following error can be shown. It can be ignored.

# sign_and_send_pubkey: signing failed for ED25519-SK "?" from agent: agent refused operation


### Check the Server's ED25519 Key Fingerprint ################################

# On a local machine
ssh username@host
# The authenticity of host 'host (100.x.y.z)' can't be established.
# ED25519 key fingerprint is SHA256:?.

# On the server
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
# 256 SHA256:? root@host (ED25519)

# Check if the two values are identical.

1. The SSH agent is not persistent. Added keys are gone after log-out or restart.
2. Passphrase(s) of ED25519-SK keys cannot be persistently stored on macOS.

ssh-add -l
# The agent has no identities.

# This is normal after (re)login.

To persistently store the passphrase(s), the agent bundled in the macOS should be used.

Since the openssh has been installed, the system is probably using it as the default agent.

which ssh-add
# /opt/homebrew/bin/ssh-add

ssh-add --apple-use-keychain ~/.ssh/id_ed25519_sk   
# ssh-add: illegal option -- -

The bundled version can be accessed, but it does not support YubiKey as mentioned above.

/usr/bin/ssh-add --apple-use-keychain ~/.ssh/id_ed25519_sk   
# Error loading key "/Users/?/.ssh/id_ed25519_sk": unknown or unsupported key type

Use Keychain to achieve the following on initial shell load.

• start SSH agent
• add specified key(s)
• be prompted to enter passphrase (if set)

brew install keychain

Usage

Add the following line to the ~/.zprofile file. The following code adds 2 keys.

• id_ed25519_sk
• id_ed25519

eval `keychain --eval --agents ssh id_ed25519_sk id_ed25519`

Logs

Initial zsh shell load

 * keychain 2.8.5 ~ http://www.funtoo.org
 * Starting ssh-agent...
 * Adding  2 ssh key(s): /Users/?/.ssh/id_ed25519_sk /Users/?/.ssh/id_ed25519

Enter passphrase for /Users/?/.ssh/id_ed25519_sk: 
Enter passphrase for /Users/?/.ssh/id_ed25519: 

 * ssh-add: Identities added: /Users/?/.ssh/id_ed25519_sk /Users/?/.ssh/id_ed25519

Non-initial zsh shell load

* keychain 2.8.5 ~ http://www.funtoo.org
 * Found existing ssh-agent: 33487
 * Known ssh key: /Users/?/.ssh/id_ed25519_sk
 * Known ssh key: /Users/?/.ssh/id_ed25519

Notes

If an error occurs,

1. Stop all agents
2. Close all terminals
3. Re-open terminal

keychain -k all

 * keychain 2.8.5 ~ http://www.funtoo.org
 * All ? ssh-agents stopped: 1942 3277

Moved to https://github.com/hyunbinseo/blog/blob/master/posts/setup-ssh.md