It turns out that macOS Tahoe can generate and use Secure Enclave backed SSH keys! It replaces projects like https://github.com/maxgoedjen/secretive
macOS ships a shared library, /usr/lib/ssh-keychain.dylib, which has traditionally been used to add smart card support to ssh by implementing the PKCS11Provider interface. Recently it has also implemented the SecurityKeyProvider interface,
which supports loading keys directly from the Secure Enclave!
See man sc_auth and man ssh-keychain for all options.
To create a Secure Enclave supported key that requires biometrics, run the following command and press TouchID:
% sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio
You can confirm that the key was created with list-ctk-identities:
arian@Mac ssh-keychain % sc_auth list-ctk-identities
Key Type Public Key Hash Prot Label Common Name Email Address Valid To Valid
p-256-ne A71277F0BC5825A7B3576D014F31282A866EF3BC bio ssh ssh 23.11.26, 17:09 YES
It can also list the SSH key fingerprint instead:
% sc_auth list-ctk-identities -t ssh
Key Type Public Key Hash Prot Label Common Name Email Address Valid To Valid
p-256-ne SHA256:vs4ByYo+T9M3V8iiDYONMSvx2k5Fj2ujVBWt1j6yzis bio ssh ssh 23.11.26, 17:09 YES
Keys can be removed with delete-ctk-identity:
% sc_auth delete-ctk-identity -h
You can “download” the public/private keypair from the secure enclave using the following command:
% ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""
Enter PIN for authenticator:
You may need to touch your authenticator to authorize key download.
Saved ECDSA-SK key to id_ecdsa_sk_rk
% cat id_ecdsa_sk_rk.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBKiHAiAZhcsZ95n85dkNGs9GnbDt0aNOia2gnuknYV2wKL3y0u+d3QrE9cFkmWXIymHZMglL+uJA+6mShY8SeykAAAAEc3NoOg== ssh:
Use an empty string for the PIN; for some reason OpenSSH always asks for it even when the authenticator in question uses biometrics rather than a PIN. Note that the “private” key here is just a reference to the FIDO credential. It does not contain any secret key material, which is why I pass -N "" to omit the encryption passphrase.
Now if you copy this public key into your authorized_keys file, it will work!
% ssh-copy-id -i id_ecdsa_sk_rk localhost
% ssh -o SecurityKeyProvider=/usr/lib/ssh-keychain.dylib localhost
Instead of downloading the public/private key pair to a file, you can also load the keys directly into ssh-agent. For this, use the following commands:
% ssh-add -K -S /usr/lib/ssh-keychain.dylib
Enter PIN for authenticator:
Resident identity added: ECDSA-SK SHA256:vs4ByYo+T9M3V8iiDYONMSvx2k5Fj2ujVBWt1j6yzis
% ssh-add -L
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBKiHAiAZhcsZ95n85dkNGs9GnbDt0aNOia2gnuknYV2wKL3y0u+d3QrE9cFkmWXIymHZMglL+uJA+6mShY8SeykAAAAEc3NoOg==
% ssh-copy-id localhost
% ssh -o SecurityKeyProvider=/usr/lib/ssh-keychain.dylib localhost
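To confirm that the public key ssh-keygen -K writes out (or ssh-add -L prints) really is the identity sc_auth listed, the exported public key blob can be parsed and fingerprinted offline. This is an added example written for this post, not code from it or from Apple, using only the Python standard library; it embeds the public key line and the sc_auth fingerprint shown above and assumes the standard OpenSSH sk-ecdsa wire format (four length-prefixed strings: key type, curve, EC point, FIDO application).

```python
import base64
import hashlib
import struct

# Public key line as printed by "cat id_ecdsa_sk_rk.pub" above (the trailing "ssh:" is the comment).
PUBKEY_LINE = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBKiHAiAZhcsZ95n85dkNGs9GnbDt0aNOia2gnuknYV2wKL3y0u+d3QrE9cFkmWXIymHZMglL+uJA+6mShY8SeykAAAAEc3NoOg== "
    "ssh:"
)
# Fingerprint that "sc_auth list-ctk-identities -t ssh" reported for the same identity.
SC_AUTH_FINGERPRINT = "SHA256:vs4ByYo+T9M3V8iiDYONMSvx2k5Fj2ujVBWt1j6yzis"


def read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length, then that many bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_sk_ecdsa_pubkey(line):
    """Split an sk-ecdsa-sha2-nistp256@openssh.com public key line into its fields."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        value, offset = read_string(blob, offset)
        fields.append(value)
    # Wire format: key type, curve name, uncompressed EC point, FIDO application (relying party id)
    if len(fields) != 4 or fields[0].decode() != key_type:
        raise ValueError("not a well-formed sk-ecdsa public key")
    point = fields[2]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    digest = hashlib.sha256(blob).digest()  # ssh-keygen -l hashes the raw blob, not the base64 text
    return {
        "key_type": key_type,
        "curve": fields[1].decode(),
        "point": point,
        "application": fields[3].decode(),
        "fingerprint": "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode(),
    }


def matches_enclave_identity(line, sc_auth_fingerprint):
    """True when the exported public key has the fingerprint sc_auth listed for the enclave identity."""
    return parse_sk_ecdsa_pubkey(line)["fingerprint"] == sc_auth_fingerprint


if __name__ == "__main__":
    info = parse_sk_ecdsa_pubkey(PUBKEY_LINE)
    print(info["curve"], info["application"], info["fingerprint"])
    print("matches sc_auth identity:", matches_enclave_identity(PUBKEY_LINE, SC_AUTH_FINGERPRINT))
```

The application field is the FIDO relying party the credential is bound to, so a key exported this way will only ever sign SSH challenges for "ssh:", which is what you want from a credential whose private half never leaves the enclave.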
Using SecurityKeyProvider by default
SecurityKeyProvider can be configured in .ssh/config, but I recommend setting
export SSH_SK_PROVIDER=/usr/lib/ssh-keychain.dylib in your .zprofile instead, since that environment variable is picked up by ssh, ssh-add and ssh-keygen alike.
This means you can simply:
ssh-add -K
ssh my-server
Or
ssh-keygen -K
ssh -i id_ecdsa_sk_rk my-server
to ssh into your server.