This is a collection of scripts that we use to provision new YubiKeys according to our security guidelines -> Sicherheitskonzept German only
- Clone this repository to your local machine
- Check prerequisites: homebrew installed on your machine
- run
./installOrUpdateDependencies.shlocally in the cloned folder - OPTIONAL run
./resetAndProvisionYubiKey.shto RESET and setup your YubiKey
- Clone this repository to your local machine
- Check prerequisites: homebrew installed on your machine
- run
./installOrUpdateDependencies.shlocally in the cloned folder - run
./extractPublicKey.shto reuse the already existing key pair of your YubiKey - make sure you have these lines in your ~/.ssh/config to use your YubiKey for SSH connections:
Host *
IdentityAgent $brewPrefix/var/run/yubikey-agent.sock
A goal was to automate the recurring task of setting up a new YubiKey and avoiding pitfalls through manually running commands.
- not using a correct PIN and PUK (invalid characters, invalid length)
- more interactive explanations on what to enter and what to expect
- improved public ssh-key generation
- no recurring prompts for management key, PIN or PUK
- easy install and upgrade of dependencies
For new setups we use a custom fork of FiloSottile/yubikey-agent. This is a great project which makes using the YubiKey with SSH really fun. It just works ;)
For us this is also a documentation that is executable :)
Can be run to install or upgrade needed dependencies. Does not do anything to the YubiKey.
(in the project directory) run ./installOrUpdateDependencies.sh
IMPORTANT: This will reset your YubiKey to factory defaults.
(in your local project directory) run ./resetAndProvisionYubiKey.sh
(in your local project directory) run ./installOrUpdateDependencies.sh
Read the script output and follow the steps to complete the YubiKey setup. You may need to set up your ssh config again. In ~/.ssh/config
For M1 Macs brew is installed in /opt/homebrew
Host *
IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock For Intel Macs brew is installed in /usr/local
Host *
IdentityAgent /usr/local/var/run/yubikey-agent.sock Sometimes it might be useful to extract the public when you are on a new machine, after disaster recovery or if you
simply misplaced it.
In that case you can run ./extractPublicKey.sh. Which extracts and saves the public key to your ~/.ssh directory.
The file will be named .yubikey.pub. If such a file already exists, you will be asked if you want to
replace it.
You do not need to mess with the $SSH_AUTH_SOCK variable, because the IdentityAgent setting from above
works at least in the following tools:
- Command Line
- IntelliJ
- Fork
- SourceTree
- Visual Studio Code
We again use a forked version of yubikey-agent, because we need to be able to hotfix things if things go wrong.
-
To migrate to the hotfixed version, do:
brew services stop yubikey-agent brew uninstall yubikey-agent brew install sandstorm/tap/sandstorm-yubikey-agent brew services start sandstorm/tap/sandstorm-yubikey-agent -
Please ensure that the
~/.ssh/configfile exists (you may need to create it) and contains the following contents:for Intel Macs
Host * IdentityAgent /usr/local/var/run/yubikey-agent.sockfor M1 Macs
Host * IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock -
Additionally, also check that the SSH_AUTH_SOCK is not manipulated in ~/.zshrc:
# the following line should NOT OUTPUT ANYTHING cat ~/.zshrc | grep SSH_AUTH_SOCK
In case the above output shows anything, edit the file and remove that section completely.
The above steps has been tested on Mac OS 12.0 on an M1 Mac with:
- Command Line
- IntelliJ
- Fork
- SourceTree
- Visual Studio Code
Problem
- Running
./resetAndProvisionYubiKey.shfails with a trace ending with something likeUnable to connect with protocol: T0 or T1. Sharing violation.
Solution
- Unplug and plug in your YubiKey again and retry running the script. Something has blocked the Key to be accessed by the YubiKey manager.