
Using Yubikey Discoverable Credentials on macOS

This is not an exhaustive guide, just some field notes for future reference.

OpenSSH 8.2p1 introduced the ability to create, store and load discoverable credentials (previously known as resident keys) on a compatible FIDO authenticator. Yubico added support for this feature to their YubiKeys starting with firmware 5.2.3.

Unfortunately, macOS (even the latest Sonoma version) ships with an OpenSSH version that does not support this feature, so a newer build has to be installed, here via Homebrew:

brew install openssh

Make sure that ‘ssh-agent’ is loaded. Adding the following to ‘~/.zprofile’ is how I handle it:

# SSH Agent Initialization
# Source: https://stackoverflow.com/questions/18880024/start-ssh-agent-on-login
# PATH must already put Homebrew's bin directory first, so that the ssh-agent and
# ssh-add started here are the Homebrew build and not Apple's bundled one.
# The agent's socket path and PID are cached in this file so that every new
# shell reuses the running agent instead of starting another one.
SSH_ENV="$HOME/.ssh/agent-environment"
function start_agent {
  echo "Initialising new SSH agent..."
  # ssh-agent prints shell commands; comment out its trailing "echo Agent pid"
  # line and keep the rest as a sourceable file readable only by the owner
  ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
  chmod 600 "${SSH_ENV}"
  . "${SSH_ENV}" > /dev/null
  ssh-add;
}
if [ -f "${SSH_ENV}" ]; then
  . "${SSH_ENV}" > /dev/null
  # Only reuse the cached environment if the recorded PID is still an ssh-agent process
  if ! (ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null); then
    start_agent;
  else
    echo "Reusing existing SSH agent..."
  fi
else
  start_agent;
fi

Create / Store new key

ssh-keygen -t ed25519-sk -O resident

Load existing key

ssh-add -K
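The whole procedure above (Homebrew OpenSSH, agent, ‘-O resident’, ‘ssh-add -K’) silently falls apart if the shell still resolves Apple's bundled ‘ssh’ or ‘ssh-agent’, because those are older than 8.2 and the ‘-K’ flag means something different on Apple's ‘ssh-add’. The following check is an added example and not part of the original notes; it assumes that ‘ssh -V’ prints a line beginning with ‘OpenSSH_<major>.<minor>’ and that the Homebrew ‘ssh’ and ‘ssh-agent’ binaries live in the same directory.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the ssh and ssh-agent
# found on PATH are recent enough for discoverable credentials (OpenSSH >= 8.2)
# and come from the same installation, so that `ssh-add -K` talks to an agent
# that understands FIDO2 resident keys.

# Reduce one line of `ssh -V` output, e.g. "OpenSSH_9.6p1, LibreSSL 3.3.6",
# to "major minor" ("9 6"); prints nothing if the line has another shape.
ssh_version_of() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the given `ssh -V` line is 8.2 or newer (the release that added
# `-O resident` and `ssh-add -K`), 1 otherwise or if it cannot be parsed.
supports_resident_keys() {
  set -- $(ssh_version_of "$1")
  [ -n "$1" ] || return 1
  [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Return 0 when two binaries live in the same directory (e.g. both in Homebrew's bin).
same_prefix() {
  [ "$(dirname "$1")" = "$(dirname "$2")" ]
}

# Run both checks against the live environment; non-zero exit means the
# Homebrew build is not the one the shell will use.
check_environment() {
  v="$(ssh -V 2>&1)"
  if supports_resident_keys "$v"; then
    echo "ok: $v supports discoverable credentials"
  else
    echo "error: '$v' is too old; put Homebrew's bin directory first in PATH" >&2
    return 1
  fi
  ssh_bin="$(command -v ssh)"
  agent_bin="$(command -v ssh-agent)"
  if same_prefix "$ssh_bin" "$agent_bin"; then
    echo "ok: ssh and ssh-agent both come from $(dirname "$ssh_bin")"
  else
    echo "warning: ssh is $ssh_bin but ssh-agent is $agent_bin" >&2
    return 1
  fi
}
```

Source the file and run ‘check_environment’ once from a fresh login shell, before ‘ssh-keygen -t ed25519-sk -O resident’, so that a PATH ordering problem shows up as a clear message rather than as an unexplained failure from ‘ssh-add -K’.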

Using keychain

As with ssh-agent, the keychain that comes with macOS (even the latest Sonoma version) does not support discoverable credentials, so install it via Homebrew:

brew install keychain

Make sure that ‘keychain’ is loaded. Adding the following to ‘~/.zprofile’ is how I handle it:

eval $(keychain --eval --noinherit -q)