Due to recent updates to OpenSSH there is now a much simpler and easier way to use hardware tokens for SSH access.
Start by inserting your Yubikey into your Mac.
Create a new key
ecdsa-sk which will reside on your machine but require your hardware token:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -C “email@example.com”
It’ll ask you to enter a password to protect your key, then if touch compatible you’ll need to press the light when asked.
Copy the contents of
~/.ssh/id_ecdsa_sk.pub to the
.ssh/authorized_keys file on your remote server and then you’re ready to test the connection works, login using your new identity:
ssh -i ~/.ssh/id_ecdsa_sk firstname.lastname@example.org
You’ll then be protected for your key password, then prompted to authorise the connection request by touching your hardware key:
It makes it easier to store the identity file in your
.ssh/config file so you don’t have to type it out each time, use a configuration like this:
This now means that you can just type
ssh servername and it’ll automatically use the right user, hostname, port and key.
…and without the hardware key?
If you don’t have your hardware key plugged in to you machine when you try to connect, then you’ll get this error: