@hyunbinseo
Last active May 5, 2025 18:25
Setup SSH (macOS, YubiKey FIDO)
# Moved to https://github.com/hyunbinseo/blog/blob/master/posts/setup-ssh.md
### Preparation ###############################################################
# macOS bundled OpenSSH does not support FIDO.
# https://developer.apple.com/forums/thread/698683
# https://github.com/apple-oss-distributions/OpenSSH/pull/1
brew install openssh
ssh -V
# OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023
which ssh
# /opt/homebrew/bin/ssh
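Added example (not part of the gist): a preflight script that checks, from the output of the two commands above, whether the `ssh` on PATH can use FIDO keys at all. FIDO/U2F support arrived in OpenSSH 8.2, and a FIDO-capable build advertises the `sk-ssh-ed25519@openssh.com` key type in `ssh -Q key`, which is the symptom that distinguishes a Homebrew build from Apple's bundled one. The version strings and key-type lists embedded below are constructed samples, not captured output.

```sh
#!/bin/sh
# Preflight for ed25519-sk key generation. Added example, not from the gist.

# Extract "major.minor" from an `ssh -V` line such as
# "OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023".
openssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when the version in the given `ssh -V` line is >= 8.2,
# the first release with FIDO/U2F key support.
ssh_supports_fido_version() {
  v=$(openssh_version "$1")
  [ -n "$v" ] || return 1
  major=${v%%.*}
  minor=${v#*.}
  [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Return 0 when the `ssh -Q key` output on stdin advertises the
# security-key ed25519 type; a build compiled without FIDO support omits it.
lists_sk_ed25519() {
  grep -qx 'sk-ssh-ed25519@openssh.com'
}

# Constructed samples: what a FIDO-capable build and a build without
# security-key support typically report (trimmed lists).
HOMEBREW_V='OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023'
HOMEBREW_Q='ssh-ed25519
sk-ssh-ed25519@openssh.com
ecdsa-sha2-nistp256
rsa-sha2-512'
NO_SK_Q='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-512'

# Check the live binary on PATH. `ssh -V` prints to stderr, hence 2>&1.
preflight() {
  line=$(ssh -V 2>&1)
  ssh_supports_fido_version "$line" \
    || { echo "ssh too old for FIDO keys: $line"; return 1; }
  ssh -Q key | lists_sk_ed25519 \
    || { echo "ssh build lacks sk-ssh-ed25519@openssh.com (bundled macOS OpenSSH?)"; return 1; }
  echo "OK: $(command -v ssh) supports FIDO keys"
}
```

Source the file and run `preflight` after `brew install openssh`; if it reports the bundled build, the Homebrew `bin` directory is not first on PATH for that shell, which is the same thing `which ssh` above is meant to reveal.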
### Should You Set a Passphrase ###############################################
# The SSH agent, which can hold the key's passphrase, is not persistent.
# Therefore, on every boot, the keys have to be re-added to the agent.
# The ssh-agent bundled with macOS 13 does support saving the passphrase.
# However, it does not support *-sk key types (e.g. ed25519-sk).
which ssh-agent
# /opt/homebrew/bin/ssh-agent
# The Homebrew ssh-agent cannot save the passphrase on macOS.
# The passphrase is asked for every time the key is added to the agent.
# To avoid this, do not set a passphrase when generating the new SSH key.
### Generate New Key ##########################################################
# Paste the text below, substituting in your GitHub email address.
# https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
ssh-keygen -t ed25519-sk -C "[email protected]"
# Generating public/private ed25519-sk key pair.
# You may need to touch your authenticator to authorize key generation.
# Enter PIN for authenticator:
# You may need to touch your authenticator again to authorize key generation.
# Enter file in which to save the key
# Enter passphrase (empty for no passphrase):
# Enter same passphrase again:
# Your identification has been saved in /Users/?/.ssh/id_ed25519_sk
# Your public key has been saved in /Users/?/.ssh/id_ed25519_sk.pub
### Add Keys to Local SSH Agent ###############################################
eval "$(ssh-agent -s)"
# > Agent pid 59566
ssh-add ~/.ssh/id_ed25519_sk # Should match the filename printed above.
# Enter passphrase for /Users/?/.ssh/id_ed25519_sk:
# Identity added: /Users/?/.ssh/id_ed25519_sk (?)
# The following error can occur if the SSH agent is not running.
# Could not add identity "/Users/?/.ssh/id_ed25519_sk": agent refused operation
ssh-add -l
# 256 SHA256:? ? (ED25519-SK) # Should match the entered type. (-t flag)
### Add Authorized Public Keys to the Server ##################################
# Option 1: On a local machine
ssh-copy-id username@host
# Option 2: On the server, append the contents of id_ed25519_sk.pub to
nano ~/.ssh/authorized_keys
# Disable password authentication
sudo nano /etc/ssh/sshd_config
# Set PasswordAuthentication to no, removing the leading # if it is present.
# PasswordAuthentication no
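Added example (not part of the gist): the edit above is easy to get wrong, because a line that is still commented out changes nothing and sshd uses the first uncommented occurrence of a keyword, so a later `PasswordAuthentication no` does not override an earlier `yes`. The function below resolves a keyword the way sshd does for the global section (case-insensitive keyword, first match wins, `Match` blocks are conditional and therefore skipped, compiled-in default otherwise). The config fragments are constructed samples; the `Keyword value` form is assumed (the `Keyword=value` spelling sshd also accepts is not handled).

```sh
#!/bin/sh
# Resolve the effective global value of an sshd_config keyword.
# Added example, not from the gist. Usage: effective_sshd_option KEY DEFAULT < sshd_config

effective_sshd_option() {
  key=$1; def=$2
  awk -v key="$key" -v def="$def" '
    { sub(/^[ \t]+/, "") }                         # strip leading whitespace, re-split fields
    /^#/ || /^$/ { next }                          # commented-out or blank lines change nothing
    tolower($1) == "match" { in_match = 1; next }  # everything after Match is conditional
    in_match { next }
    tolower($1) == tolower(key) && !found { found = 1; val = tolower($2) }  # first one wins
    END { print (found ? val : def) }
  '
}

# PasswordAuthentication defaults to yes when unset, so the check must
# look for an explicit "no" in the global section.
password_auth_disabled() {
  [ "$(effective_sshd_option PasswordAuthentication yes)" = no ]
}

# Constructed sample fragments.
CFG_COMMENTED='#PasswordAuthentication no
KbdInteractiveAuthentication no'       # leading # never removed: still enabled
CFG_FIXED='PasswordAuthentication no
KbdInteractiveAuthentication no'       # the intended result
CFG_MATCH_ONLY='Match User deploy
    PasswordAuthentication no'         # disabled for one user only, not globally
CFG_FIRST_WINS='PasswordAuthentication yes
PasswordAuthentication no'             # the second line is ignored by sshd

# Report on a real file, e.g. check_file /etc/ssh/sshd_config
check_file() {
  if password_auth_disabled < "$1"; then
    echo "$1: password authentication is disabled globally"
  else
    echo "$1: password authentication is still ENABLED globally"
    return 1
  fi
}
```

On the server itself, `sudo sshd -t` validates the syntax before a reload and `sudo sshd -T | grep -i '^passwordauthentication'` prints the value sshd actually resolved, including files pulled in by `Include`, which this parser does not follow. Note also that password prompts can still reach users through keyboard-interactive authentication (`KbdInteractiveAuthentication`, formerly `ChallengeResponseAuthentication`) when PAM is in use, so that keyword is worth checking with the same function.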
### Access the Server Using the SSH Agent #####################################
ssh username@host # Touch the blinking YubiKey.
# When multiple keys are authorized on the server and the YubiKey for the
# first public key offered is not connected, the following error may be
# shown. It can be ignored.
# sign_and_send_pubkey: signing failed for ED25519-SK "?" from agent: agent refused operation
### Check the Server's ED25519 Key Fingerprint ################################
# On a local machine
ssh username@host
# The authenticity of host 'host (100.x.y.z)' can't be established.
# ED25519 key fingerprint is SHA256:?.
# On the server
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
# 256 SHA256:? root@host (ED25519)
# Check that the two fingerprints are identical before answering yes.
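Added example (not part of the gist): the two fingerprints above are wrapped in different text (the client's "ED25519 key fingerprint is SHA256:....", the server's "256 SHA256:... root@host (ED25519)"), so eyeballing them invites mistakes. The functions below reduce both to the bare `SHA256:` token and compare them; the fingerprint values used are constructed placeholders, not real key fingerprints.

```sh
#!/bin/sh
# Compare a client-side host key prompt with the server-side ssh-keygen -l line.
# Added example, not from the gist.

# Print the first SHA256:<base64> token found in the given text, or nothing.
extract_sha256_fingerprint() {
  printf '%s\n' "$1" \
    | sed -n 's|.*\(SHA256:[A-Za-z0-9+/][A-Za-z0-9+/]*\).*|\1|p' \
    | head -n 1
}

# Return 0 only when both texts carry the same, non-empty fingerprint.
# An empty match on either side is a failure, never a silent "ok".
fingerprints_match() {
  a=$(extract_sha256_fingerprint "$1")
  b=$(extract_sha256_fingerprint "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed placeholder fingerprints (43 base64 characters like a real one).
CONSTRUCTED_FP='SHA256:ExampleFp0000000000000000000000000000000000'
OTHER_FP='SHA256:DifferentFp00000000000000000000000000000000'

# What the client prints on first connection (constructed sample).
CLIENT_PROMPT="The authenticity of host 'host (100.x.y.z)' can't be established.
ED25519 key fingerprint is ${CONSTRUCTED_FP}."

# What `ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub` prints (constructed).
SERVER_OUT="256 ${CONSTRUCTED_FP} root@host (ED25519)"
SERVER_OTHER="256 ${OTHER_FP} root@host (ED25519)"

# Interactive helper: paste the prompt line and the server line as arguments.
verify() {
  if fingerprints_match "$1" "$2"; then
    echo "MATCH: $(extract_sha256_fingerprint "$1")"
  else
    echo "MISMATCH or no fingerprint found: do not answer yes"
    return 1
  fi
}
```

Obtain the server-side line through a channel you already trust (console, an existing verified session, or a value recorded at provisioning time); reading it over the very connection whose host key is in question proves nothing. Also make sure both lines refer to the same key type, since the client may prompt for ED25519 while `ssh-keygen -l` was run on a different host key file.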
hyunbinseo commented May 9, 2023

Use Keychain to achieve the following on initial shell load.

  • start SSH agent
  • add specified key(s)
  • be prompted to enter passphrase (if set)
brew install keychain

Usage

Add the following line to the ~/.zprofile file. The following code adds 2 keys.

  • id_ed25519_sk
  • id_ed25519
eval `keychain --eval --agents ssh id_ed25519_sk id_ed25519`

Logs

Initial zsh shell load

 * keychain 2.8.5 ~ http://www.funtoo.org
 * Starting ssh-agent...
 * Adding  2 ssh key(s): /Users/?/.ssh/id_ed25519_sk /Users/?/.ssh/id_ed25519

Enter passphrase for /Users/?/.ssh/id_ed25519_sk: 
Enter passphrase for /Users/?/.ssh/id_ed25519: 

 * ssh-add: Identities added: /Users/?/.ssh/id_ed25519_sk /Users/?/.ssh/id_ed25519

Non-initial zsh shell load

 * keychain 2.8.5 ~ http://www.funtoo.org
 * Found existing ssh-agent: 33487
 * Known ssh key: /Users/?/.ssh/id_ed25519_sk
 * Known ssh key: /Users/?/.ssh/id_ed25519

Notes

If an error occurs,

  1. Stop all agents
  2. Close all terminals
  3. Re-open terminal
keychain -k all

 * keychain 2.8.5 ~ http://www.funtoo.org
 * All ? ssh-agents stopped: 1942 3277
