I'm trying to generate an ed25519-sk SSH key with ssh-keygen
and a YubiKey on a Mac. It fails like this:
$ ssh-keygen -t ed25519-sk -f ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=62321
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
No FIDO SecurityKeyProvider specified
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62321
Key enrollment failed: invalid format
What am I missing?
Here is some additional information:
My SSH version is:
$ ssh -V
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
I tried to install libfido2 using brew:
$ brew info libfido2
==> libfido2: stable 1.14.0 (bottled)
Provides library functionality for FIDO U2F & FIDO 2.0, including USB
https://developers.yubico.com/libfido2/
Installed
/usr/local/Cellar/libfido2/1.14.0_1 (553 files, 1.2MB) *
Poured from bottle using the formulae.brew.sh API on 2024-05-07 at 11:47:50
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/lib/libfido2.rb
License: BSD-2-Clause
==> Dependencies
Build: cmake ✘, mandoc ✘, pkg-config ✔
Required: libcbor ✔, openssl@3 ✔
==> Analytics
install: 31,572 (30 days), 116,359 (90 days), 382,831 (365 days)
install-on-request: 20,242 (30 days), 70,197 (90 days), 187,156 (365 days)
build-error: 22 (30 days)
I also specified it during key generation:
$ SSH_SK_PROVIDER=/usr/local/lib/libfido2.dylib ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=62422
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "/usr/local/lib/libfido2.dylib", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
lib_contains_symbol: /usr/local/lib/libfido2.dylib does not contain expected string sk_api_version
provider /usr/local/lib/libfido2.dylib is not an OpenSSH FIDO library
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62422
Key enrollment failed: invalid format
YubiKey info:
$ ykman info
Device type: YubiKey 5C NFC
Serial number: 23843986
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled
Applications    USB       NFC
Yubico OTP      Enabled   Enabled
FIDO U2F        Enabled   Enabled
FIDO2           Enabled   Enabled
OATH            Enabled   Enabled
PIV             Enabled   Enabled
OpenPGP         Enabled   Enabled
YubiHSM Auth    Enabled   Enabled
I also tried setting up a PIN for FIDO2, and there was no difference in the output.
In the end, the problem was the wrong path to the ssh-keygen
binary.
The Mac built-in binary located at /usr/bin/ssh-keygen was first in the PATH, but it fails to generate a key.
The correct binary from the brew OpenSSH installation should be /usr/local/bin/ssh-keygen -> ../Cellar/openssh/9.7p1/bin/ssh-keygen.
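An added diagnostic script (not from the post or from OpenSSH) that reproduces the two checks behind the log lines above: which ssh-keygen wins in PATH, and whether a candidate SSH_SK_PROVIDER library contains the sk_api_version string that ssh-sk-helper's lib_contains_symbol looks for. It assumes a POSIX sh with command -v and grep; the /usr/bin path check is specific to the Apple-shipped binary mentioned in the answer.

```sh
#!/bin/sh
# Added example; not part of the original question, answer, or OpenSSH.

# The ssh-keygen that actually runs when you type "ssh-keygen".
first_ssh_keygen() {
    command -v ssh-keygen 2>/dev/null
}

# Return 0 if the winner is the Apple-shipped /usr/bin/ssh-keygen, which the
# answer above reports fails to enroll ed25519-sk keys; the Homebrew build
# lives under /usr/local/bin (or /opt/homebrew/bin on Apple silicon).
is_apple_ssh_keygen() {
    case "$(first_ssh_keygen)" in
        /usr/bin/ssh-keygen) return 0 ;;
        *) return 1 ;;
    esac
}

# List every ssh-keygen on PATH, in order, so a shadowed copy is visible.
# Runs in a subshell so changing IFS does not leak into the caller.
list_all_ssh_keygen() (
    IFS=:
    for d in $PATH; do
        [ -x "$d/ssh-keygen" ] && echo "$d/ssh-keygen"
    done
    return 0
)

# Mirror ssh-sk-helper's lib_contains_symbol test from the log above: an
# SSH_SK_PROVIDER library must contain "sk_api_version". libfido2.dylib
# itself does not, hence "is not an OpenSSH FIDO library"; only a library
# built against OpenSSH's sk-api (or the built-in "internal" provider) works.
# Returns 0 if valid, 1 if the string is absent, 2 if the file is missing.
sk_provider_is_valid() {
    lib="$1"
    [ -f "$lib" ] || return 2
    grep -q "sk_api_version" "$lib"
}

diagnose() {
    echo "first ssh-keygen in PATH: $(first_ssh_keygen)"
    is_apple_ssh_keygen && echo "warning: Apple build shadows the Homebrew one"
    echo "all ssh-keygen binaries on PATH:"
    list_all_ssh_keygen
    if [ -n "$SSH_SK_PROVIDER" ]; then
        if sk_provider_is_valid "$SSH_SK_PROVIDER"; then
            echo "SSH_SK_PROVIDER=$SSH_SK_PROVIDER looks like an OpenSSH FIDO provider"
        else
            echo "SSH_SK_PROVIDER=$SSH_SK_PROVIDER is not an OpenSSH FIDO provider"
        fi
    fi
}
```

Run `diagnose` from a shell that has sourced the script; the first line tells you whether PATH order is the problem before you touch SSH_SK_PROVIDER at all.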