OpenSSH 8.2 introduced native support for FIDO/U2F authenticators as SSH keys (the `ed25519-sk` and `ecdsa-sk` key types). The private key never leaves the authenticator; the file on disk only holds a key handle that the device turns back into a signing key.
macOS, however, ships its bundled OpenSSH without the FIDO security key provider library (sk-libfido2, selected through the `SecurityKeyProvider` option or the `SSH_SK_PROVIDER` environment variable), so the provider has to be built separately.
Requirements:
- Security Key app installed on Ledger Nano S/S+/X
- Build environment for the Security Key provider (Xcode command line tools, Homebrew)
- Bundled (system) OpenSSH, 8.2 or newer
Full build example
# 0. Create temp dir
cd && mkdir -p tmp && cd tmp
# 1. Install Xcode command line tools
xcode-select --install
# 2. Install Homebrew for building.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# 3. Build the key provider. This is a third-party script that asks for root to copy
#    a library into /usr/local/lib, so read it before running it.
curl -fsSL https://gist.githubusercontent.com/BertanT/9d222da115ca2d1274ef34735c4260cf/raw/da16776e1dc4a81ac3210218d2ba20425d5c5fa0/macskeyinstaller.sh | bash
...
* Copying the Security Key Provider library to /usr/local/lib.
We need root privileges to modify system files.
Password:
* Configuring ~/.zshenv so the system SSH uses the Security Key Provider we just built
* Added SSH_SK_PROVIDER to ~/.zshenv.
* Exiting the directory and deleting the repository we cloned. We don't need it anymore
* That's it! After restarting your terminal session, you can plug in your hardware security key and test the installation using:
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"
Have a nice day! :)
Example usage
# 0. Check prerequisites: the provider must be known to ssh and ssh-keygen
[ -z "$SSH_SK_PROVIDER" ] && export SSH_SK_PROVIDER="/usr/local/lib/sk-libfido2.dylib"
# 1. Generate a key into the default `~/.ssh/id_ed25519_sk{,.pub}` keypair.
# KEEP IN MIND: id_ed25519_sk holds a key handle (credential ID) plus flags, not the private key.
# It is useless without the authenticator that created it, but still keep it private: with
# no-touch-required, whoever holds the handle and can reach the device can sign.
# `no-touch-required` drops the physical-presence check; `application` must start with `ssh:`.
ssh-keygen -t ed25519-sk -O no-touch-required -O user=<selected_username> -O application=ssh:<selected_appname>
# 2. Add the generated pub key into the ~/.ssh/authorized_keys
# The `no-touch-required` option must prefix the entry when the key was generated with
# `-O no-touch-required`; without it sshd rejects signatures that lack the user-presence flag.
echo "no-touch-required sk-ssh-ed25519@openssh.com AAAAG..........S1kdXM= Your Comment" >> ~/.ssh/authorized_keys
# 3. If your sshd is hardened, add sk-ssh-ed25519@openssh.com to the accepted key types, e.g.
sudo vi /etc/ssh/sshd_config
PubkeyAcceptedKeyTypes ...,sk-ssh-ed25519@openssh.com
# (OpenSSH 8.5+ calls this option PubkeyAcceptedAlgorithms; the old name is still accepted as an alias)
# Restart the service (on systemd hosts: sudo systemctl restart ssh)
sudo service ssh restart
# 4. Usage
# 4.1 The Ledger Nano S/S+/X must be unlocked and the Security Key app open; the app answers the FIDO requests.
# Because the key was generated with no-touch-required, the client does not ask for user presence,
# so the device signs the server's challenge with the key derived from the stored handle without any prompt.
# No certificate is involved: every login is a fresh FIDO signature over the challenge,
# which the server verifies against the registered public key (bound to the chosen user and application).
# 4.2 Run a simple ssh
ssh username@host
# 4.3 Optional params
# -i <key file, if different from the default ~/.ssh/id_ed25519_sk>
# -o SecurityKeyProvider=/usr/local/lib/sk-libfido2.dylib on macOS
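Two things are worth checking once a key is in place: that the public key the server trusts was bound to the application string you chose, and that the `no-touch-required` option in authorized_keys matches how the key was generated, since the server-side option (not the flag in the local key file) is what decides whether a signature without user presence is accepted. The Python script below is an added example, not part of these notes or of OpenSSH: it decodes the `sk-ssh-ed25519@openssh.com` public-key blob (key type, 32-byte public key, application string) and reports mismatches. The key bytes, the application name `ssh:ledger` and the authorized_keys lines are constructed for the example.

```python
"""Check sk-ssh-ed25519@openssh.com entries in an authorized_keys file.

Added example (not part of the original notes or of OpenSSH). It decodes the
public-key blob of an OpenSSH FIDO key and reports the application string the
credential was bound to and whether the entry's options match how the key was
generated. All sample keys and lines below are constructed, not real credentials.
"""
import base64
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def decode_sk_pubkey(b64):
    """Decode an sk-ssh-ed25519 public key blob (layout from OpenSSH PROTOCOL.u2f):
    string key type, string 32-byte Ed25519 public key, string application."""
    buf = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(buf, 0)
    pub, off = _read_string(buf, off)
    app, off = _read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after application string")
    if ktype != SK_ED25519.encode():
        raise ValueError("not an %s blob: %r" % (SK_ED25519, ktype))
    if len(pub) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return {"type": SK_ED25519, "pubkey": pub, "application": app.decode()}


def is_sk_blob(b64):
    """True if the blob decodes as an sk-ssh-ed25519 public key."""
    try:
        decode_sk_pubkey(b64)
        return True
    except ValueError:
        return False


def _split_unquoted(s, sep):
    """Split s on sep, ignoring separators inside double quotes
    (option values such as command="..." may contain commas or spaces)."""
    parts, cur, in_quote = [], [], False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_authorized_line(line):
    """Return (options, key_type, base64_blob, comment) for one authorized_keys line.
    The options field is present only when the first token is not a key type."""
    line = line.strip()
    first = line.split(" ", 1)[0]
    if first.startswith(("ssh-", "ecdsa-", "sk-")):
        opts, rest = "", line
    else:
        fields = _split_unquoted(line, " ")
        opts, rest = fields[0], " ".join(fields[1:])
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or blob")
    comment = parts[2] if len(parts) == 3 else ""
    return [o for o in _split_unquoted(opts, ",") if o], parts[0], parts[1], comment


def check_entry(line, expected_app, generated_no_touch):
    """Findings for one entry, given the application string and the touch setting
    the key was generated with. An empty list means the entry is consistent."""
    opts, ktype, b64, _comment = parse_authorized_line(line)
    if ktype != SK_ED25519:
        return ["not an %s entry (%s)" % (SK_ED25519, ktype)]
    info = decode_sk_pubkey(b64)
    findings = []
    if info["application"] != expected_app:
        findings.append("bound to application %r, expected %r" % (info["application"], expected_app))
    server_allows_no_touch = "no-touch-required" in opts
    if generated_no_touch and not server_allows_no_touch:
        findings.append("generated with no-touch-required but the entry lacks the option: "
                        "sshd will reject signatures without user presence")
    if server_allows_no_touch and not generated_no_touch:
        findings.append("entry carries no-touch-required although the key requires touch: "
                        "the server-side option is what enforces presence, so this loosens it")
    return findings


def _wire_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed sample: a fake 32-byte public key bound to application "ssh:ledger".
SAMPLE_PUB = bytes(range(32))
SAMPLE_BLOB = base64.b64encode(
    _wire_string(SK_ED25519.encode()) + _wire_string(SAMPLE_PUB) + _wire_string(b"ssh:ledger")).decode()
# A plain ssh-ed25519 blob, to show the decoder rejecting non-sk keys.
SAMPLE_NON_SK_BLOB = base64.b64encode(_wire_string(b"ssh-ed25519") + _wire_string(SAMPLE_PUB)).decode()

SAMPLE_LINES = [
    "no-touch-required %s %s laptop-ledger" % (SK_ED25519, SAMPLE_BLOB),
    "%s %s laptop-ledger" % (SK_ED25519, SAMPLE_BLOB),
    'command="echo hi,there",no-touch-required %s %s' % (SK_ED25519, SAMPLE_BLOB),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line[:60] + "...")
        for finding in check_entry(line, "ssh:ledger", generated_no_touch=True):
            print("  !", finding)
```

Run it against your real file with `check_entry(line, "ssh:<selected_appname>", True)` for each line; an entry whose application string differs from the one you passed to `ssh-keygen -O application=` was registered from a different credential and will not match the device's key handle.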
Legacy method: ledger-agent with the SSH/PGP app # DEPRECATED
Requirements
- SSH/PGP app installed in experimental mode # DEPRECATED
- macOS 26.3.1
# 1. Create venv
python3 -m venv .ledger
source .ledger/bin/activate
# 2. Pin libagent to 0.15.0, since Ledger support was dropped in later releases.
pip install libagent==0.15.0
pip install ledger_agent
pip install ledgerblue
# 3. Fix pkg_resources issues (ez_setup installs setuptools into the venv)
curl https://bootstrap.pypa.io/ez_setup.py | python
# 4. Add ledger-agent to the PATH env variable (xxx is your macOS username; point this at the directory where the venv was created).
export PATH="${PATH}:/Users/xxx/.ledger/bin"