20

I'm following the FIDO U2F instructions on https://developers.yubico.com/SSH/ on macOS Monterey with OpenSSH 8.6 and run into the following issue:

```
~ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: unknown or unsupported key type
```

Anyone know what I'm missing here?

Narsail
  • 1
    I was only able to get it working on OpenSSH from Homebrew (OpenSSH_8.7p1, OpenSSL 1.1.1). OpenSSH from Apple (OpenSSH_8.6p1, LibreSSL 2.7.3) may not be compiled with the yubikey options. – jdloft Aug 31 '21 at 16:42

1 Answer

23

Use Homebrew's OpenSSH

```
$ brew install openssh
```

Once installed, you have to override the one in your PATH by putting the openssh folder at the beginning of your PATH in your rc file, like this:

```
$ export PATH="$(brew --prefix openssh)/bin:$PATH"
```

Once you've done that and you've sourced your rc file, you should be able to generate your key.

Tested on macOS Monterey and OpenSSH_8.8p1, OpenSSL 1.1.1l

Mattia Righetti
  • 1
    I'm baffled why Apple would do this. Do you know if it's something expected to always stay like this, or do they usually fix such (IMO) bugs? – iustin Dec 17 '21 at 21:02
  • It's not a bug, it just uses a different ssh version that doesn't support YubiKeys – Mattia Righetti Dec 18 '21 at 22:19
  • 5
    OpenSSH version 8.2p1 supports it, but Apple specifically disables it with a `--disable-security-key` compile flag. https://github.com/apple-oss-distributions/OpenSSH/pull/1 – Collin Anderson Jun 07 '22 at 19:53
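
Added example, not part of the original posts: a shell check for the situation in this thread, showing which `ssh-keygen` a given PATH selects and whether that build is a plausible candidate for `-sk` key enrollment. The function names and result labels are hypothetical; the `/usr/bin/ssh-keygen` location for Apple's build is an assumption, and the 8.2 threshold is taken from the last comment.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and labels are hypothetical.

# Print the first executable called $1 in the colon-separated PATH string $2.
resolve_in_path() {
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.          # empty PATH entry means current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Classify a build from its `ssh -V` banner ($1) and its ssh-keygen path ($2).
# too-old: predates 8.2, the release the thread names as supporting -sk keys
# macos-system-build: Apple's binary, which the thread reports as built
#   with --disable-security-key (assumes it lives in /usr/bin)
# candidate: new enough and not Apple's build; the build must still have
#   security-key support compiled in
classify_sk_support() {
    case $1 in OpenSSH_[0-9]*.[0-9]*) ;; *) echo unknown; return 0 ;; esac
    ver=${1#OpenSSH_}                   # e.g. "8.6p1, LibreSSL 2.7.3"
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 2 ]; }; then
        echo too-old
    elif [ "$2" = /usr/bin/ssh-keygen ]; then
        echo macos-system-build
    else
        echo candidate
    fi
}

# Report on the ssh-keygen that the current PATH selects (macOS only).
if [ "$(uname -s)" = Darwin ] && found=$(resolve_in_path ssh-keygen "$PATH"); then
    banner=$("${found%-keygen}" -V 2>&1) || banner=
    echo "$found: $(classify_sk_support "$banner" "$found")"
fi
```

Run it in a new shell after editing the rc file: a `macos-system-build` result means the PATH override has not taken effect for that shell.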