Having difficulty to get SSH with a Yubikey working with macOS monterey

About

Asked 29/7, 2021 at 9:29 Answered 2/10, 2021 at 10:47

I'm following the FIDO U2F instructions on https://developers.yubico.com/SSH/ on macOS Monterey with openSSH 8.6 and run into the following issue:

~ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: unknown or unsupported key type

Anyone know what I'm missing here?

Outmoded answered 29/7, 2021 at 9:29 Comment(1)

I was only able to get it working on OpenSSH from Homebrew (OpenSSH_8.7p1, OpenSSL 1.1.1). OpenSSH from Apple (OpenSSH_8.6p1, LibreSSL 2.7.3) may not be compiled with the yubikey options. – Tunnage 31/8, 2021 at 16:42

Use Homebrew's OpenSSH

$ brew install openssh

Once installed, you have to override the one in your PATH by putting the openssh folder at the beginning of your PATH in your rc file like this

$ export PATH=$(brew --prefix openssh)/bin:$PATH

Once you've done that and you've sourced your rc file you should be able to generate your key

Tested on macOS Monterey and OpenSSH_8.8p1, OpenSSL 1.1.1l

Trichloroethylene answered 2/10, 2021 at 10:47 Comment(3)

I'm baffled why Apple would do this. Do you know if it's something expected to always stay like this, or do they usually fix such (IMO) bugs? – Temple 17/12, 2021 at 21:2

It's not a bug, it just uses a different ssh version that doesn't support YubiKeys – Trichloroethylene 18/12, 2021 at 22:19

OpenSSH version 8.2p1 supports it, but Apple is specifically disables it with a --disable-security-key compile flag. github.com/apple-oss-distributions/OpenSSH/pull/1 – Stereochrome 7/6, 2022 at 19:53

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags