yevshev yevshev

Native Secure Enclave backed ssh keys on MacOS

It turns out that MacOS Tahoe can generate and use secure-enclave backed SSH keys! This replaces projects like https://github.com/maxgoedjen/secretive

There is a shared library /usr/lib/ssh-keychain.dylib that traditionally has been used to add smartcard support to ssh by implementing PKCS11Provider interface. However since recently it also implements SecurityKeyProivder which supports loading keys directly from the secure enclave! SecurityKeyProvider is what is normally used to talk to FIDO2 devices (e.g. libfido2 can be used to talk to your Yubikey). However you can now use it to talk to your Secure Enclave instead!

Overview

How to configure FreeBSD and applicable applications to work with Yubikey for authentication. This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.

FreeBSD ssh with piv smartcard slot on Yubikey (pkcs11 via libykcs11.so)
FreeBSD ssh with fido support on Yubikey
FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey
FreeBSD local console and gdm authentication using pam on Yubikey
FreeBSD official YubiKey tools

Latest Tested FreeBSD versions

FreeBSD 13.2 Testing (Aug 2023)
FreeBSD stable/13 Testing (Aug 2023) with OpenSSH_9.3p2

YubiKey 4 series GPG and SSH setup guide

Written for fairly adept technical users, preferably of Debian GNU/Linux, not for absolute beginners.

You'll probably be working with a single smartcard, so you'll want only one primary key (1. Sign & Certify) and two associated subkeys (2. Encrypt, 3. Authenticate). I've published a Bash function which automates this slightly special key generation process.

Firefox bullshit removal

Updated: Just use qutebrowser (and disable javascript). The web is done for.

There are certain files created by particular editors, IDEs, operating systems, etc., that do not belong in a repository. But adding system-specific files to the repo's .gitignore is considered a poor practice. This file should only exclude files and directories that are a part of the package that should not be versioned (such as the node_modules directory) as well as files that are generated (and regenerated) as artifacts of a build process.

All other files should be in your own global gitignore file:

Create a file called .gitignore in your home directory and add any filepath patterns you want to ignore.
Tell git where your global gitignore file is.

Note: The specific name and path you choose aren't important as long as you configure git to find it, as shown below. You could substitute .config/git/ignore for .gitignore in your home directory, if you prefer.

	#!/usr/bin/env bash

	set -e

	arch=$(uname -m)
	os=$(uname -s \| tr '[:upper:]' '[:lower:]')
	double="$arch-$os"

	if [[ $1 == "dev" ]]; then
	wget -q --show-progress https://ziglang.org/builds/zig-linux-x86_64-$1.tar.xz

	# Gawk version
	# Remote
	grep -v "rem_address" /proc/net/tcp \| awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'

	# Local
	grep -v "rem_address" /proc/net/tcp \| awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

	# No Gawk
	# Local
	grep -v "rem_address" /proc/net/tcp \| awk 'function hextodec(str,ret,n,i,k,c){

	* LFCS Domains 2015.02
	Note - the domains will change somewhat in March 2015. SW RAID
	with mdadm will be removed

	** The Command Line
	*** Editing text files on the CLI
	Covers the use of the basic text editors nano and gedit as well
	as the advanced editors _vi_ and _emacs_
	- nano
	simple CLI-based text editor