You bought a yubikey - now what?

The PIV integration with macOS does not allow you to “require” a YubiKey when logging in. To specify this requirement, we recommend that you use the Mac OS.

The goal is to outline the steps to configure your YubiKey in a sane way and to use it to maximize your security.

This guide is for users who are comfortable with the command line and various technical jargon.

This is highly opinionated on how you should and should not use your YubiKey, but is organized well enough that you should be able to modify it if you have a need.

The instructions have been tested on macOS 10.12 (Sierra) with a Yubikey 4.

To perform these instructions, the Yubikey should be plugged into your computer's USB port.

Setup GPG Key

Before you begin, you'll need to install GPG Suite from GPGTools. As you do this, here are a few notes about it:

  • Stash the DMG somewhere in case you ever need to uninstall it, as the uninstaller is inside the DMG package
  • After installation completes, you don't need to do anything via the GPG Keychain GUI
  • Benefits (versus CLI-only apps): Launches gpg-agent automatically, has a GUI for management and PIN entry, doesn't require Yubikey modes to be changed during GPG setup, still installs the CLI apps

Now, generate the keys. Start a Terminal session, then issue the following commands and options:

The YubiKey will flash as it's creating the key. Mine took about 5 minutes. When complete, it will say something like

You should change your PIN and Admin PIN. You can do that here with the passwd command at the gpg/card> prompt of gpg --card-edit while in admin mode (i.e. where we left off in the prior step):

(Optional) Other GPG Setup

While you're here:

You can see the configuration by typing list at the gpg/card> prompt.

SSH Login

Before you can do this, you have to complete the Setup GPG Key section.

You'll be using GPG keys as SSH keys. Start by configuring gpg-agent by adding the following block to ~/.gnupg/gpg-agent.conf:

and the below block into ~/.bash_profile:

Not sure if you have to logout/login or not here, to ensure GPG Tools can pick up the new config. I did just in case. You probably just have to restart GPG Agent and Bash.

Now, we'll convert your GPG public key to an SSH public key and add it to a server.

  1. > gpg2 --card-edit
  2. From the text that gets displayed (either automatically, or via the gpg/card> list command), grab the last 8 hex digits of the Authentication key fingerprint (let's say they are EEEE FFFF for this example)
  3. gpg/card> quit
  4. gpgkey2ssh EEEEFFFF
  5. Copy the public key and add it to the machine you want to SSH into
  6. Attempt to login to the machine via SSH
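Step 2 above is easy to get wrong by hand (picking the Signature key instead of the Authentication key, or miscounting groups), so here is an added helper, not part of the original guide, that extracts the Authentication key fingerprint from `gpg --card-status` output and derives the key ID for the gpgkey2ssh step. The card-status text embedded below is constructed sample data, not from a real card; it also returns the 16-hex long key ID, which avoids the well-known collision weakness of 8-hex short IDs.

```python
import re
from typing import Optional, Tuple

# Constructed sample of `gpg --card-status` output (not a real card). The
# fingerprints are made up so the last 8 hex digits of the Authentication
# key match the EEEE FFFF placeholder used in the guide.
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006000000000000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 00000000
Name of cardholder: [not set]
Signature key ....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
      created ....: 2017-03-01 12:00:00
Encryption key....: 89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF
      created ....: 2017-03-01 12:00:00
Authentication key: AAAA BBBB CCCC DDDD 1111  2222 3333 4444 EEEE FFFF
      created ....: 2017-03-01 12:00:00
General key info..: [none]
"""

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # OpenPGP v4 fingerprint: 40 hex digits

def key_fingerprint(card_status: str, slot: str = "Authentication") -> Optional[str]:
    """Return the 40-hex fingerprint held in the given card slot, or None if the
    slot is empty ("[none]") or absent. `slot` is Signature, Encryption or
    Authentication, matching the labels gpg prints."""
    for line in card_status.splitlines():
        if not line.startswith(slot + " key"):
            continue
        # The label is padded with dots to a fixed width; the value follows ':'.
        value = line.split(":", 1)[1].strip()
        if value.startswith("["):            # e.g. "[none]" when no key is loaded
            return None
        compact = value.replace(" ", "").upper()
        if not _FPR_RE.match(compact):
            raise ValueError(f"unexpected fingerprint format: {value!r}")
        return compact
    return None

def key_ids(fingerprint: str) -> Tuple[str, str]:
    """Derive (short 8-hex, long 16-hex) key IDs from a fingerprint. The short
    ID is what the guide feeds to gpgkey2ssh; prefer the long ID where a tool
    accepts it, since 8-hex IDs are trivially collidable."""
    return fingerprint[-8:], fingerprint[-16:]

if __name__ == "__main__":
    fpr = key_fingerprint(SAMPLE_CARD_STATUS)
    short_id, long_id = key_ids(fpr)
    print(f"authentication fingerprint: {fpr}")
    print(f"short key id: {short_id}   long key id: {long_id}")
    print(f"next step from the guide: gpgkey2ssh {short_id}")
```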

macOS Login / PIV Login

  1. Follow Yubico's PIV pairing instructions
  2. Follow Yubico's Login Guide with the suggested sections:
    • Configuring YubiKeys with the YubiKey Personalization Tool
    • Installing Yubico Pluggable Authentication Module (PAM)
    • Configuring Yubico Pluggable Authentication Module (PAM) (including all subsections in the chapter)

Thanks to the following people for instructions and help:

  • Yubico's own documentation (referenced inline in the instructions where used)
  • The original version of this doc by David Chiang
  • Instructions by florin
  • Debugging help from Weaver