Native Secure Enclave backed SSH keys on macOS
It turns out that macOS Tahoe can generate and use Secure Enclave backed SSH keys natively. This can replace third-party agents like https://github.com/maxgoedjen/secretive
There is a shared library, /usr/lib/ssh-keychain.dylib, that has traditionally been used to add smartcard support to ssh by implementing the PKCS11Provider interface. Since recently it also implements the SecurityKeyProvider interface, which lets ssh load keys directly from the Secure Enclave. SecurityKeyProvider is normally used to talk to FIDO2 devices (e.g. libfido2 can be used to talk to your YubiKey), but you can now point it at your Secure Enclave instead.
Key setup
See man sc_auth and man ssh-keychain for all the options.
To create a Secure Enclave backed key that requires biometrics, run the following command and confirm with Touch ID when prompted:
% sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio
You can confirm that the key was created with the list-ctk-identities command (Prot shows the protection type, here bio for Touch ID; Valid To is the certificate expiry):
arian@Mac ssh-keychain % sc_auth list-ctk-identities
Key Type   Public Key Hash                            Prot  Label  Common Name  Email Address  Valid To          Valid
p-256-ne   A71277F0BC5825A7B3576D014F31282A866EF3BC   bio   ssh    ssh                         23.11.26, 17:09   YES
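As an added example (not code from the post, nor from Apple or OpenSSH), here is a POSIX shell script that chains the steps above and then wires the key into ssh. It assumes that, because ssh-keychain.dylib behaves like any other SecurityKeyProvider, the standard OpenSSH flags for FIDO providers apply: `ssh-keygen -w <provider> -K` to download the resident key handle into ~/.ssh, `ssh-add -S <provider> -K` to load it into an agent, and a `SecurityKeyProvider` line in ssh_config. The host name, the key-file name passed to the config helper and the exact column layout of the listing are assumptions; the sample listing is copied from the output above and only used to test the parser offline.

```shell
# Added example: set up a Secure Enclave backed ssh key on macOS Tahoe and
# point ssh at it. Only the parsing/config helpers run on other systems.
PROVIDER=/usr/lib/ssh-keychain.dylib
LABEL=ssh

# Sample listing constructed from the `sc_auth list-ctk-identities` output in
# the post (whitespace collapsed); used to exercise se_key_hash offline.
SAMPLE_LISTING='Key Type Public Key Hash Prot Label Common Name Email Address Valid To Valid
p-256-ne A71277F0BC5825A7B3576D014F31282A866EF3BC bio ssh ssh 23.11.26, 17:09 YES'

# Read a listing on stdin and print the Public Key Hash of the first
# p-256-ne identity protected by "bio" whose Label is $1. Column positions
# (1 type, 2 hash, 3 prot, 4 label) are assumed from the output above; the
# header row is skipped because its first field is "Key", not "p-256-ne".
se_key_hash() {
    awk -v label="$1" '$1 == "p-256-ne" && $3 == "bio" && $4 == label { print $2; exit }'
}

# A CTK public key hash is 40 hex characters (a 20-byte digest).
is_sha1_hex() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Emit an ssh_config stanza for host $1 using key handle file $2.
# IdentitiesOnly stops ssh from offering every agent key before this one.
ssh_config_stanza() {
    printf 'Host %s\n    SecurityKeyProvider %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$PROVIDER" "$2"
}

# macOS-only steps: create the identity (Touch ID prompt), verify it exists,
# then download the resident key handle with the standard -K flag and load
# it into the agent. Assumption: ssh-keychain.dylib accepts these like any
# other SecurityKeyProvider.
setup_se_key() {
    sc_auth create-ctk-identity -l "$LABEL" -k p-256-ne -t bio || return 1
    hash=$(sc_auth list-ctk-identities | se_key_hash "$LABEL")
    if ! is_sha1_hex "$hash"; then
        echo "no bio-protected p-256-ne identity labelled $LABEL found" >&2
        return 1
    fi
    echo "created identity $hash" >&2
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    (cd "$HOME/.ssh" && ssh-keygen -w "$PROVIDER" -K) || return 1
    ssh-add -S "$PROVIDER" -K || return 1
}

# Only run the live steps when explicitly requested on a Mac that has sc_auth.
if [ "${SE_SSH_SETUP:-0}" = "1" ] && command -v sc_auth >/dev/null 2>&1; then
    setup_se_key && ssh_config_stanza git.example.com "$HOME/.ssh/id_ecdsa_sk_rk" >> "$HOME/.ssh/config"
fi
```

Run with `SE_SSH_SETUP=1 sh setup-se-key.sh` on the Mac; the appended stanza assumes the handle file is named id_ecdsa_sk_rk, so check what ssh-keygen -K actually wrote into ~/.ssh and adjust the IdentityFile line if the name differs.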