# [[How to generate an SSH key on the YubiKey for GitHub]]

![[How to generate an SSH key on the YubiKey.svg]]

Here are instructions on how to generate an [[SSH]] key on the [[YubiKey]] security key, specifically a YubiKey 5C Nano. These instructions are for Macs and for use with [[GitHub]], but can be repurposed if necessary.

## Prerequisites

- A YubiKey security key
- A GitHub account
- [[Homebrew]]
- `libfido2`: library for [[FIDO2]] support
- `openssh`: newer SSH version that supports [[Security key|security keys]]
- `ykman`: YubiKey Manager CLI

You can install the last three using Brew:

```
brew install libfido2 openssh ykman
```

## Generate a FIDO2 SSH key on the YubiKey

Plug in the YubiKey. Then run the following to generate a new ECDSA FIDO2 SSH key (the address after `-C` is only a comment stored with the key; replace the placeholder with your own):

```bash
/opt/homebrew/bin/ssh-keygen -t ecdsa-sk -C "your_email@example.com"
```

> [!QUESTION]- Why didn't I use `ed25519-sk`?
> I tried to use `ed25519-sk` instead of ECDSA, but my YubiKey didn't seem to support that mode.

The command above generates two files:

- `~/.ssh/id_ecdsa_sk`: this *would* typically be the private key, but in this case it is just a stub file that points to the YubiKey
- `~/.ssh/id_ecdsa_sk.pub`: this is the public key for the SSH key

## Add SSH key to GitHub

Go to GitHub > Settings > SSH and GPG Keys and click Add new SSH key. Copy the contents of `id_ecdsa_sk.pub` into the field and click Save.

## Fix SSH configuration

Open the file `~/.ssh/config`. This is the config file for SSH keys. Add this to the file:

```
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ecdsa_sk
  IdentitiesOnly yes
```

> [!tip]- If you have `UseKeychain yes` in your config file
> ... then remove it, because Homebrew's OpenSSH doesn't support it.


Then, in the terminal, run this command to tell Git to use Homebrew's SSH:

```bash
git config --global core.sshCommand "/opt/homebrew/bin/ssh"
```

## Test the connection

Run this command:

```
/opt/homebrew/bin/ssh -T git@github.com
```

You should be prompted to touch your YubiKey. Do so, and you'll get a message like this:

```
Hi nicolevanderhoeven! You've successfully authenticated, but GitHub does not provide shell access.
```

## (Optional) Passphrases and PINs

There are two optional ways to further secure this setup:

- a passphrase on the stub file (`~/.ssh/id_ecdsa_sk`)
- a PIN on the YubiKey

Having both is the most secure option, but also a little redundant. In my case, I chose to have a PIN on my YubiKey (so that I can use it on other devices securely) but no passphrase on the stub file (since I already password-protect my laptop and I don't share it with anyone).

- [[Setting a PIN on YubiKey]]