
macOS, KeepassXC, SSH, and YubiKey

macos ssh keepassxc yubikey

Not sure what to call this post. So this morning I set up an SSH client on my beat-up MacBook.

  • The SSH key is stored in the KeepassXC vault
  • The SSH key is an -SK (FIDO) type, non-resident

So the flow is: unlock the vault -> add the SSH key to ssh-agent -> the ssh client asks us to touch the YubiKey.

The problem is that the ssh client bundled with macOS Sequoia can't do step 3.

The solution:

1. Install openssh-client and ssh-askpass from brew

brew install openssh

2. Disable the macOS built-in ssh-agent

launchctl disable user/$(id -u)/com.openssh.ssh-agent
pkill ssh-agent

3. Create a LaunchAgent plist

nvim ~/Library/LaunchAgents/com.user.ssh-agent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.user.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/ssh-agent</string>
        <string>-D</string>
        <string>-a</string>
        <string>/Users/sumar/.ssh/agent.sock</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>EnvironmentVariables</key>
    <dict>
        <key>SSH_AUTH_SOCK</key>
        <string>/Users/sumar/.ssh/agent.sock</string>
    </dict>
    <key>StandardOutPath</key>
    <string>/tmp/ssh-agent.out</string>
    <key>StandardErrorPath</key>
    <string>/tmp/ssh-agent.err</string>
</dict>
</plist>

4. Load the LaunchAgent and check that it is running

launchctl load ~/Library/LaunchAgents/com.user.ssh-agent.plist
launchctl list | grep ssh-agent

5. Set the env vars for the ssh socket and ssh-askpass

set -gx SSH_AUTH_SOCK '/Users/sumar/.ssh/agent.sock'
set -gx SSH_ASKPASS '/usr/local/bin/ssh-askpass'

6. Configure KeepassXC

SSH agent override: fill in /Users/sumar/.ssh/agent.sock
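As an added example (not code from the original post, which uses fish shell syntax for step 5): a small shell helper that renders the LaunchAgent plist from step 3 for any ssh-agent path and socket, so the Homebrew prefix is not hard-coded (Homebrew installs to /usr/local on Intel Macs and /opt/homebrew on Apple Silicon), and a check that the agent reachable through SSH_AUTH_SOCK actually holds an -sk key. The ssh-agent path, the label, and the sample ssh-add output are assumptions.

```shell
# Added helper, not from the original post: renders the post's LaunchAgent plist
# for any ssh-agent path/socket and checks that the agent reachable via
# SSH_AUTH_SOCK holds a FIDO (-sk) key. Assumption: ssh-agent is Homebrew's, i.e.
# "$(brew --prefix)/bin/ssh-agent" (/usr/local on Intel, /opt/homebrew on Apple Silicon).
# $1 = ssh-agent binary, $2 = socket path, $3 = launchd label
render_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$3</string>
    <key>ProgramArguments</key>
    <array>
        <string>$1</string>
        <string>-D</string>
        <string>-a</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>EnvironmentVariables</key>
    <dict>
        <key>SSH_AUTH_SOCK</key>
        <string>$2</string>
    </dict>
</dict>
</plist>
EOF
}
# Count FIDO-backed keys in "ssh-add -L" output on stdin (these are the ones that
# need a YubiKey touch). grep -c exits 1 on zero matches, hence || true.
count_sk_keys() {
  grep -c -E '^sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com ' || true
}
# Live check (real machine only; not exercised by the tests): socket present and
# at least one -sk key loaded in the agent behind it.
verify_live_agent() {
  [ -S "${SSH_AUTH_SOCK:-}" ] || { echo "SSH_AUTH_SOCK is not a socket" >&2; return 1; }
  [ "$(ssh-add -L | count_sk_keys)" -gt 0 ]
}
# Constructed sample of "ssh-add -L" output (truncated, not real key material).
SAMPLE_SSH_ADD_OUTPUT='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t... yubikey-nonresident
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... plain-key'
```

Render the plist with `render_agent_plist "$(brew --prefix)/bin/ssh-agent" "$HOME/.ssh/agent.sock" com.user.ssh-agent > ~/Library/LaunchAgents/com.user.ssh-agent.plist`, then run `verify_live_agent` after unlocking the vault to confirm the -sk key is really in the agent.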

It's a hassle, but ssh with a non-resident key now works smoothly.