I’m trying to set up SSH access using a hardware-backed security key, i.e. my private key is an ed25519-sk key requiring FIDO2 interaction with my YubiKey 5 series.
I’m looking for a way to get an SSH agent running automatically that can be used by GUI apps including GitKraken and that can work with an ed25519-sk key. I believe the fundamental issue is that the ssh-agent hits an error while trying to interact with the FIDO2 device because it needs user interaction, and without an “ask pass” available, it can’t interact with the user.
There are a lot of blogs and instructions which either point to setting environment variables on the inbuilt ssh-agent, or disabling it entirely and replacing it with OpenSSH.
Apparently this whole technique no longer works (certainly not in macOS 15.3) because recent security hardening has made it impossible to modify or disable the inbuilt ssh-agent.
Polite hint: If you know how to modify the inbuilt agent’s behaviour, please test before answering, as recent security hardening may have changed the OS behaviour. A lot of articles on Google will be incorrect for this reason.
What I can do is install an ssh-askpass through brew, install openssh with brew, and then in a shell set up an openssh ssh-agent configured to use ssh-askpass.
But this is only good for that shell. Other tools, including GitKraken can’t find the ssh-agent, and I can’t find a way to direct GUI tools at the ssh-agent started in the shell.
Certainly I’m looking for an automatic solution, not one I have to work through a litany of commands every session.
This is actually a very basic question for a narrow domain. Almost anyone using a FIDO2 device for SSH on macOS is likely to have hit this problem.
However, the signal/noise ratio on Google is currently very poor in this domain due to the vast majority of blogs, how-to guides, etc. using a technique that no longer works as of a few months ago.
I’m not looking for someone to google this for me, I’m hoping someone with specific domain knowledge of the topic may already have an answer.
So in short I’m simply looking for a way to get ssh-agent (inbuilt) to use an ask-pass program when it needs interaction from the user.
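The manual procedure described in the question (brew-installed OpenSSH ssh-agent pointed at a brew-installed askpass helper, started per shell) can be turned into something launchd starts at login. The script below is an added illustration, not code from the question or from any of the projects named in it: it writes a launchd user agent plist that runs the Homebrew ssh-agent in the foreground on a fixed socket with `SSH_ASKPASS` and `SSH_ASKPASS_REQUIRE=force` in its environment, then uses `launchctl setenv` to publish `SSH_AUTH_SOCK` to GUI applications started afterwards. The Homebrew prefix, the binary paths, the socket path and the plist label are all assumptions and should be adjusted to the machine.

```shell
#!/bin/sh
# Added example (not from the original post): launchd-managed Homebrew
# ssh-agent with an askpass helper, so FIDO2 touch/PIN prompts can be shown
# to the user without a terminal. All paths below are assumptions.

BREW_PREFIX="${BREW_PREFIX:-/opt/homebrew}"      # assumption: Apple-silicon Homebrew
SSH_AGENT_BIN="$BREW_PREFIX/bin/ssh-agent"        # assumption: brew-installed OpenSSH
ASKPASS_BIN="$BREW_PREFIX/bin/ssh-askpass"        # assumption: brew-installed askpass helper
AGENT_SOCK="$HOME/.ssh/agent.sock"                # fixed socket so GUI apps can find it
PLIST_LABEL="local.ssh-agent-askpass"             # constructed launchd label

# Render the launchd property list. A stale socket file would make
# "ssh-agent -a" fail to bind, so the agent is started via sh -c that removes
# it first; -D keeps the agent in the foreground, which launchd requires.
render_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$PLIST_LABEL</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>rm -f '$AGENT_SOCK'; exec '$SSH_AGENT_BIN' -D -a '$AGENT_SOCK'</string>
  </array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>SSH_ASKPASS</key><string>$ASKPASS_BIN</string>
    <key>SSH_ASKPASS_REQUIRE</key><string>force</string>
  </dict>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# Write the plist to the given path (default: the user's LaunchAgents
# directory) and echo the path written.
write_agent_plist() {
  out="${1:-$HOME/Library/LaunchAgents/$PLIST_LABEL.plist}"
  mkdir -p "$(dirname "$out")"
  render_agent_plist > "$out"
  printf '%s\n' "$out"
}

# macOS only: (re)load the agent and publish the socket path to GUI apps.
# launchctl setenv affects processes launched after this point, so GUI apps
# such as GitKraken must be restarted once after running it.
activate_agent() {
  plist="$(write_agent_plist)"
  launchctl unload "$plist" 2>/dev/null || true
  launchctl load -w "$plist"
  launchctl setenv SSH_AUTH_SOCK "$AGENT_SOCK"
}

case "${1:-}" in
  install) activate_agent ;;
  print)   render_agent_plist ;;
esac
```

Run it once as `sh agent-setup.sh install`; terminal sessions then need `export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"` in the shell rc so `ssh-add` and `ssh` from the shell talk to the same agent that GUI applications see. This leaves the inbuilt macOS ssh-agent untouched; it only redirects clients to a second agent.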