I largely followed Florin's blog post, but have a few notes to add regarding issues I encountered:
Basic setup notes
Sep 26, 2019 Now you must import the copied SSH key to the portal. After you copy the SSH key to the clipboard, return to your account page. Choose to Import Public Key and paste your SSH key into the Public Key field. In the Key Name field, provide a name for the key. Note: although providing a key name is optional, it is a best practice for ease of.
- I used a YubiKey 4, while the blog describes using a YubiKey NEO. I'm sure a YubiKey 5 would also work. I'm also running macOS 10.13.6.
- I installed GPGTools as recommended. However, as I'll note later, it seems that
gpg-agentonly automatically starts when gpg is used; for ssh, you'll need to ensure it's running. - Before generating your keys, decide what key size you want to use. If you run the
listcommand insidegpg --edit-card, look for theKey attributesline to see what is currently selected. On my YubiKey 4, it defaulted to 2048 bits for all keys:
These correspond to the signature key, encryption key, and authentication key. (I believe only the authentication key is used for ssh.)
Running the key-attr admin subcommand lets you change these:
(Note that the OpenPGP applet only works with RSA, not ECC, so don't choose that.)
- After generating keys,
ssh-add -Lmay not initially show anything:
This is because gpg-agent changed how it works a few years ago, removing some options such as write-env-file (per this comment, which Florin's instructions use.
To get gpg-agent and ssh-agent to work together, you can use a simplified /.gnupg/gpg-agent.conf:
and then kill any running gpg-agent process so that it picks up the new configuration.
Since the .gpg-agent-info file is no longer created by gpg-agent, you must also change your .bash_profile to use the GPG agent ssh socket directly. I also added a line here to ensure that the gpg-agent is running:
(This is taken from @drduh's YubiKey guide.)
After updating this, launch a new shell, and ssh-add -L should now show you your public key, and you can follow the rest of the directions provided.
Requiring touch
I wanted to require a touch any time I tried to use my YubiKey for ssh authentication to prevent rogue processes from using the key while it's plugged in.
You can use the YubiKey Manager CLI to require this; I installed it via Homebrew.
After installed, use the ykman openpgp touch subcommand to configure the touch settings:
(Again, you control the three keys separately.)
Mac Generate Ssh Key Pair
Problems with certain versions of the YubiKey 4
I attempted to add my SSH public key to my GitHub account and came across this perplexing error:
Key is weak. GitHub recommends using ssh-keygen to generate a RSA key of at least 2048 bits.
I'd initially used a 2048-bit RSA key, so using the key-attr subcommand I described above, I tried generating a 4096-bit key, but GitHub gave the same error message.
After some searching, I came across this issue. Basically, due to a security issue in certain versions of the YubiKey 4 (4.2.6-4.3.4), GitHub rejects keys generated on these YubiKeys as weak. There are basically two workarounds:
- Generate a keypair off of the card and then load it onto the YubiKey.
- Replace the YubiKey with a newer one. Thankfully, Yubico will replace your affected YubiKey 4 for free.
Even more details
Mac Create Ssh Key 4096
@drduh's YubiKey Guide is a great reference, going into even more detail and best practices.