I wanted to use my YubiKey for SSH authentication. However, FIDO2 credential support requires OpenSSH 8.2 or newer, and macOS Big Sur ships with OpenSSH 8.1.
To solve this problem, I used Homebrew to install a newer version of OpenSSH, version 9.2 at the time of writing:
brew install openssh
After the installation completed, I disabled macOS' default ssh-agent:
launchctl disable user/$UID/com.openssh.ssh-agent
Next, I added my own launch agent at
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.hkamran.ssh_agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>/usr/local/bin/ssh-agent -D -a ~/.ssh/agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
The -D option passed to ssh-agent prevents it from forking, and the -a option causes ssh-agent to bind to ~/.ssh/agent.
I also added the following line to my
.zshrc file, which ensures that the bind
address is set to
Finally, either open a new shell (new tab, new window, etc.) or type
which relaunches the shell. Run ssh -V or which ssh to check that you are using the new version from Homebrew.
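The two checks above can be scripted. This is an added example, not part of the original post: it confirms that the ssh on your PATH reports OpenSSH 8.2 or newer and that the agent socket exists and belongs to you. The function names are made up for this example, the sample banners are constructed, and it assumes your shell exports SSH_AUTH_SOCK pointing at the agent socket.

```sh
#!/bin/sh
# Added example: verify the Homebrew OpenSSH setup described above.
# Function names are hypothetical; the banners below are constructed samples.

# Return 0 if an `ssh -V` banner reports OpenSSH 8.2 or newer (FIDO2 support),
# 1 if it is older, 2 if the banner cannot be parsed.
# Samples: "OpenSSH_8.1p1, LibreSSL 2.7.3", "OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023"
fido2_capable() {
    case $1 in OpenSSH_[0-9]*.[0-9]*) ;; *) return 2 ;; esac
    ver=${1#OpenSSH_}                  # "9.2p1, OpenSSL ..."
    major=${ver%%.*}                   # text before the first dot
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}             # digits after it, stopping at "p1"
    case $major in *[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Return 0 if $1 is a Unix socket owned by the current user, so the client
# cannot be pointed at a stale file or at another account's agent.
agent_socket_ok() {
    [ -S "$1" ] && [ -O "$1" ]
}

check_setup() {
    banner=$(ssh -V 2>&1) || return 1  # ssh prints its version on stderr
    if fido2_capable "$banner"; then
        echo "ok:   $(command -v ssh) reports $banner"
    else
        echo "FAIL: $(command -v ssh) reports $banner (FIDO2 keys need 8.2+)"
        return 1
    fi
    # Assumption: SSH_AUTH_SOCK is exported by your shell startup file.
    if agent_socket_ok "${SSH_AUTH_SOCK:-}"; then
        echo "ok:   agent socket $SSH_AUTH_SOCK"
    else
        echo "FAIL: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' is not a socket you own"
        return 1
    fi
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_setup; fi
```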
If you'd like to read about how to use FIDO2 SSH keys, I've written a companion article on the topic.