With the latest version of macOS Monterey (12.0.1), Apple have bundled a newer version of OpenSSH (OpenSSH_8.6p1, LibreSSL 2.8.3) but seem to have compiled it without --with-security-key-builtin. This is disappointing, but makes sense, as it would be unlikely that Apple would redistribute libfido2. However, even though the bundled version's man pages indicate that it should support creating ecdsa-sk and ed25519-sk key types, it doesn't work.
I saw that in version 1.3.0 libfido2 used to compile the helper library sk-libfido2, which would connect OpenSSH to a Yubikey by specifying SSH_SK_PROVIDER or passing it as a command-line parameter to ssh-add, ssh-keygen, or ssh. This was removed in 1.3.1 as it was picked up by the OpenSSH codebase:
So, I'm proposing that we add the helper library back into libfido2, so that Yubikey users can create ecdsa-sk and ed25519-sk keys with Yubikeys using the bundled versions of OpenSSH in macOS. That way a user can do: