Mac Os Generate Ssh Key Github

I largely followed Florin's blog post, but have a few notes to add regarding issues I encountered:

Basic setup notes

  1. I used a YubiKey 4, while the blog describes using a YubiKey NEO. I'm sure a YubiKey 5 would also work. I'm also running macOS 10.13.6.
  2. I installed GPGTools as recommended. However, as I'll note later, it seems that gpg-agent only automatically starts when gpg is used; for ssh, you'll need to ensure it's running.
  3. Before generating your keys, decide what key size you want to use. If you run the list command inside gpg --edit-card, look for the Key attributes line to see what is currently selected. On my YubiKey 4, it defaulted to 2048 bits for all keys:

These correspond to the signature key, encryption key, and authentication key. (I believe only the authentication key is used for ssh.)

Running the key-attr admin subcommand lets you change these:

(Note that the OpenPGP applet only works with RSA, not ECC, so don't choose that.)

  4. After generating keys, ssh-add -L may not initially show anything:

This is because gpg-agent changed how it works a few years ago, removing some options such as write-env-file (per this comment), which Florin's instructions use.

To get gpg-agent and ssh-agent to work together, you can use a simplified ~/.gnupg/gpg-agent.conf:

and then kill any running gpg-agent process so that it picks up the new configuration.

Since the .gpg-agent-info file is no longer created by gpg-agent, you must also change your .bash_profile to use the GPG agent ssh socket directly. I also added a line here to ensure that the gpg-agent is running:

(This is taken from @drduh's YubiKey guide.)

After updating this, launch a new shell, and ssh-add -L should now show you your public key, and you can follow the rest of the directions provided.
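
The .bash_profile step described above, written out as an added example; it is not the snippet from the original post or from @drduh's guide. It assumes ~/.gnupg/gpg-agent.conf contains the line enable-ssh-support, and the function names are hypothetical.

```shell
# Constructed example for ~/.bash_profile (not the original post's snippet).
# Assumption: ~/.gnupg/gpg-agent.conf contains the line "enable-ssh-support".

# Point ssh at gpg-agent's SSH socket and make sure the agent is running.
# Returns 0 on success, 1 if gpgconf is missing or reports no socket.
use_gpg_agent_for_ssh() {
    if ! command -v gpgconf >/dev/null 2>&1; then
        echo "gpgconf not found; is GnuPG (GPGTools) installed?" >&2
        return 1
    fi
    sock=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    if [ -z "$sock" ]; then
        echo "gpgconf reported no agent-ssh-socket" >&2
        return 1
    fi
    # gpg-agent only starts on demand for gpg, so launch it explicitly for ssh.
    gpgconf --launch gpg-agent || return 1
    # pinentry needs to know which terminal to prompt on (empty if there is none).
    GPG_TTY=$(tty 2>/dev/null) || GPG_TTY=""
    SSH_AUTH_SOCK=$sock
    export GPG_TTY SSH_AUTH_SOCK
}

# Diagnostic for the "ssh-add -L shows nothing" case.
# Returns 0 if the agent lists a key with the "cardno:" comment that
# gpg-agent attaches to smartcard-backed keys.
card_key_visible() {
    ssh-add -L 2>/dev/null | grep -q ' cardno:'
}

use_gpg_agent_for_ssh || echo "ssh will not use the YubiKey in this shell" >&2
```

If card_key_visible fails in a new shell, check that SSH_AUTH_SOCK matches the path printed by gpgconf --list-dirs agent-ssh-socket and that no other ssh-agent setup later in the profile overrides it.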

Requiring touch

I wanted to require a touch any time I tried to use my YubiKey for ssh authentication to prevent rogue processes from using the key while it's plugged in.

You can use the YubiKey Manager CLI to require this; I installed it via Homebrew.

Once it is installed, use the ykman openpgp touch subcommand to configure the touch settings:

(Again, you control the three keys separately.)

Problems with certain versions of the YubiKey 4

I attempted to add my SSH public key to my GitHub account and came across this perplexing error:

Key is weak. GitHub recommends using ssh-keygen to generate a RSA key of at least 2048 bits.

I'd initially used a 2048-bit RSA key, so using the key-attr subcommand I described above, I tried generating a 4096-bit key, but GitHub gave the same error message.

After some searching, I came across this issue. Basically, due to a security issue in certain versions of the YubiKey 4 (4.2.6-4.3.4), GitHub rejects keys generated on these YubiKeys as weak. There are basically two workarounds:

  1. Generate a keypair off of the card and then load it onto the YubiKey.
  2. Replace the YubiKey with a newer one. Thankfully, Yubico will replace your affected YubiKey 4 for free.

Even more details

@drduh's YubiKey Guide is a great reference, going into even more detail and best practices.