= nix-libsk-libfido2

Provides a `libsk-libfido2.dylib` usable in the nix environment.

== Why?

Currently (macOS Sonoma), macOS does not provide support for security keys (YubiKey, etc.) in its bundled OpenSSH installation. It requires you to build, install and properly set up an external provider from the OpenSSH sources.

There is a Homebrew package ready to provide this file, but nothing if you prefer to use the Nix environment. This flake fills that gap.

== How to use

First, install the flake into your profile:

----
nix profile install 'git+https://gitea.adaedra.eu/adaedra/nix-libsk-libfido2.git'
----

Then, we need to tinker a bit with the macOS built-in SSH agent. By default, it only accepts providers that are located in `/usr/lib*/` or `/usr/local/lib*/` (once symlinks are resolved), but ours currently resides in `/nix/store/...`.

The simplest way to resolve this is to copy the `.dylib` from the store to the `/usr/local/lib` directory and use that as the path. It works, but you have to remember to copy it again whenever you update the flake.

Once copied, you need to modify your shell init script (e.g. `~/.zshenv`) to add an environment variable:

[,sh]
----
export SSH_SK_PROVIDER=/usr/local/lib/libsk-libfido2.dylib
----

You also need to include it in your SSH configuration (`~/.ssh/config`):

----
SecurityKeyProvider /usr/local/lib/libsk-libfido2.dylib
----

You should now be able to use `ssh-add -K` to load resident keys from your security key.

There is a longer method, but once it is set up, it should continue to work even when you update the flake. We need to eclipse the default SSH agent with one that will accept the library from the nix store. I provided in this repository an agent file (`com.openssh.user-ssh-agent.plist`) for this. You can see in its definition that it sets the allowed paths for providers to allow loading from the Nix Store, which will let it pick up this dylib.
You need to copy it to your local agents folder and enable it:

[,sh]
----
cp com.openssh.user-ssh-agent.plist ~/Library/LaunchAgents
launchctl enable user/$UID/com.openssh.user-ssh-agent
----

At this point, you will need to relaunch your session or reboot. You can check that the new agent is launched by checking its own environment variable:

[,sh]
----
echo $USER_SSH_AUTH_SOCK
----

You now need to set up your shell to point at the new agent and shadow the "normal" SSH agent. In your shell init (e.g. `~/.zshenv`):

[,sh]
----
# Resolve the profile symlink so the variable holds the real /nix/store path
export SSH_SK_PROVIDER=$(realpath "$HOME/.local/state/nix/profiles/profile/libexec/libsk-libfido2.dylib")
# Only shadow the default agent socket when the replacement agent is actually running
test -n "$USER_SSH_AUTH_SOCK" && export SSH_AUTH_SOCK="$USER_SSH_AUTH_SOCK"
----

Lastly, you should also update your SSH configuration (`~/.ssh/config`):

----
SecurityKeyProvider /Users/[user]/.local/state/nix/profiles/profile/libexec/libsk-libfido2.dylib
----

Relaunch a shell, and you should be able to `ssh-add -K`.
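Both methods above hinge on the same agent rule: the provider path is checked against an allow-list only after symlinks are resolved, which is why a symlink from `/usr/local/lib` into the store is not enough. The following pre-flight check is an added example, not part of this flake; the prefix lists it uses are assumptions taken from this README (the stock agent's `/usr/lib*/` and `/usr/local/lib*/`, plus `/nix/store/` for the replacement agent).

```shell
#!/bin/sh
# Added example, not part of the flake: pre-flight check for the provider setup
# described in this README. The prefix lists are assumptions taken from the text:
# the stock agent accepts /usr/lib*/ and /usr/local/lib*/, the replacement agent
# adds the Nix store. Like the agent, the check resolves symlinks before comparing.

# Resolve symlinks; fall back to the literal path when realpath is unavailable.
resolve_path() {
    realpath "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Return 0 when the resolved provider path lies under one of the given prefixes.
# Usage: provider_allowed <path> <prefix>...  (prefixes may use globs, e.g. /usr/lib*/)
provider_allowed() {
    _resolved=$(resolve_path "$1")
    shift
    for _prefix in "$@"; do
        # Left unquoted so the glob inside the prefix is applied as a pattern.
        case "$_resolved" in
            ${_prefix}*) return 0 ;;
        esac
    done
    return 1
}

# Check the pieces the README configures: the provider path and the agent socket.
# Exit codes: 0 ok, 1 provider unset, 2 provider outside the allowed prefixes,
# 3 no agent socket. Usage: check_sk_setup <provider> <socket> <prefix>...
check_sk_setup() {
    _provider=$1
    _sock=$2
    shift 2
    [ -n "$_provider" ] || { echo "SSH_SK_PROVIDER is not set"; return 1; }
    if ! provider_allowed "$_provider" "$@"; then
        echo "provider resolves outside the agent's allowed paths: $(resolve_path "$_provider")"
        return 2
    fi
    [ -n "$_sock" ] || { echo "SSH_AUTH_SOCK is not set; is the agent running?"; return 3; }
    echo "ok: $_provider via $_sock"
}

# Stand-alone run: check this shell first against the stock agent's prefixes,
# then against the replacement agent's (which adds the Nix store).
if [ -n "${SSH_SK_PROVIDER:-}" ]; then
    check_sk_setup "$SSH_SK_PROVIDER" "${SSH_AUTH_SOCK:-}" '/usr/lib*/' '/usr/local/lib*/'
    check_sk_setup "$SSH_SK_PROVIDER" "${SSH_AUTH_SOCK:-}" '/usr/lib*/' '/usr/local/lib*/' '/nix/store/'
fi
```

Run it in the shell whose init file you edited: a return code of 2 on the first call and 0 on the second tells you the dylib is only loadable by the replacement agent.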