Provides a `libsk-libfido2.dylib` usable in the nix environment.
== Why?
Currently (macOS Sonoma), macOS does not support security keys (YubiKey, etc.) in its bundled OpenSSH installation. You have to build, install and properly set up an external provider from the OpenSSH sources.
There is a Homebrew package that provides this file, but nothing equivalent if you prefer to use the Nix environment. This flake fills that gap.
Then, we need to tinker a bit with the macOS built-in SSH agent. By default, it only loads providers that are located in `/usr/lib*/` or `/usr/local/lib*/` (once symlinks are resolved), but ours currently resides in `/nix/store/...`.
The simplest way to resolve this is to copy the `.dylib` from the store to the `/usr/local/lib` directory and use that as the path. It works, but you have to remember to copy it again whenever you update the flake.
Once copied, you need to modify your shell init script (e.g. `~/.zshenv`) to add an environment variable:
You should now be able to use `ssh-add -K` to load resident keys from your security key.
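To check in advance whether the agent's default path rule described above will accept a given provider file, the following added example (not part of this repository) resolves symlinks and matches the result against an allow-list. The names `resolve_path`, `provider_allowed` and `DEFAULT_ALLOW` are hypothetical, and shell pattern matching stands in for the agent's own matching.

```shell
#!/bin/sh
# Added example: would a provider path pass the agent's location rule?
# DEFAULT_ALLOW mirrors the default locations described above (assumption).
DEFAULT_ALLOW='/usr/lib*/*,/usr/local/lib*/*'

# Follow symlinks on the file itself, then canonicalise its directory.
resolve_path() {
    p=$1
    n=0
    while [ -L "$p" ]; do
        n=$((n + 1))
        [ "$n" -le 40 ] || return 1      # give up on symlink loops
        target=$(readlink "$p")
        case $target in
            /*) p=$target ;;
            *)  p=$(dirname "$p")/$target ;;
        esac
    done
    dir=$(cd -P "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$p")"
}

# provider_allowed PATH [ALLOW_LIST]
# Returns 0 if the resolved path matches a pattern, 1 if it does not,
# 2 if the path cannot be resolved to an existing file.
provider_allowed() {
    resolved=$(resolve_path "$1") || return 2
    [ -f "$resolved" ] || return 2
    allow=${2:-$DEFAULT_ALLOW}
    old_ifs=$IFS
    IFS=,
    set -f                               # split on commas, do not expand globs
    for pat in $allow; do
        case $resolved in
            $pat) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# Command-line use: sh check-provider.sh /path/to/provider.dylib [allow-list]
if [ "$#" -gt 0 ]; then
    if provider_allowed "$@"; then
        echo "allowed: $(resolve_path "$1")"
    else
        echo "rejected or missing: $1" >&2
        exit 1
    fi
fi
```

A symlink placed in `/usr/local/lib` that points into the store is rejected by this check, because the match is made on the resolved path; a copy passes.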
There is a longer method, but once it is set up, it should continue to work even if you update the flake. We need to eclipse the default SSH agent with one that will accept the library from the Nix store.
I have provided an agent file (`com.openssh.user-ssh-agent.plist`) in this repository for this. You can see in its definition that it sets the allowed provider paths to permit loading from the Nix store, which lets it pick up this dylib.
You need to copy it to your local agents folder and enable it:
Some macOS `ssh-askpass` implementations ask you to install their own agent to modify the SSH agent environment. That is not needed in this case, as we have our own agent that we can modify directly (and which would not pick up the variables from the generic modification anyway).