Minseo Kim kimminss0

Native Secure Enclave backed ssh keys on MacOS

It turns out that MacOS Tahoe can generate and use secure-enclave backed SSH keys! This replaces projects like https://github.com/maxgoedjen/secretive

There is a shared library /usr/lib/ssh-keychain.dylib that traditionally has been used to add smartcard support to ssh by implementing PKCS11Provider interface. However since recently it also implements SecurityKeyProivder which supports loading keys directly from the secure enclave! SecurityKeyProvider is what is normally used to talk to FIDO2 devices (e.g. libfido2 can be used to talk to your Yubikey). However you can now use it to talk to your Secure Enclave instead!

🔐 macOS OpenSSH Patcher for Hardware Security Keys

Supports ED25519-SK with Yubikey and other FIDO2 hardware security keys!

🤔 Discussion

Despite being compiled to support hardware security keys that take advantage of the FIDO2 protocol, the built-in OpenSSH client on macOS Sonoma and above lacks the middleware/library to support these devices. To keep using the built-in client - which is often the most stable and secure method for SSH connections - we need to compile the Security Key Provider from OpenSSH source and tell the macOS client about it ourselves.

This script does all of that for you on both Apple Silicon and Intel Mac computers!

The script installs openssl and libfido2 along with the required build tools from Homebrew. It then clones the latest main branch of OpenSSH Portable and builds from it the Security Key Provider library: sk-libfido2.dylib. It finally moves the built library to /usr/local/lib/, modifies ~/.zshenv to expor

Overview

How to configure FreeBSD and applicable applications to work with Yubikey for authentication. This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.

FreeBSD ssh with piv smartcard slot on Yubikey (pkcs11 via libykcs11.so)
FreeBSD ssh with fido support on Yubikey
FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey
FreeBSD local console and gdm authentication using pam on Yubikey
FreeBSD official YubiKey tools

Latest Tested FreeBSD versions

FreeBSD 13.2 Testing (Aug 2023)
FreeBSD stable/13 Testing (Aug 2023) with OpenSSH_9.3p2

Apple runs a fleet of stratum 1 NTP servers at time.apple.com. In my experience, ntpd/chronyd are very happy with them.

It looks like, instead of doing anycast, they maybe use DNS to steer you to the closest one.

time.apple.com is a CNAME for time-osx.g.aaplimg.com. Querying a handful of DNS servers, I've identified the following locations:

IP	Hostname	Location
17.253.2.125	usdal4-ntp-001.aaplimg.com.	Dallas

Built-in

diskutil erasevolume HFS+ 'RAM Disk' `hdiutil attach -nobrowse -nomount ram://XXXXX`

where XXXXX is the size of the RAM disk in terms of memory blocks.

Notes:

Conventional Commit Messages

See how a minor change to your commit message style can make a difference.

git commit -m"<type>(<optional scope>): <description>" \
  -m"<optional body>" \
  -m"<optional footer>"

The Y Combinator

The Y Combinator is a classic lambda calculus construct that many people find baffling. Here's my attempt to explain it as clearly as possible (no promises!). Familiarity with Haskell syntax is assumed.

The problem we're trying to solve is how to write an anonymous function (a "lambda") that is recursive. Normally, if you want to write a recursive function, it looks like this:

fac n = if n == 0 then 1
        else n * fac (n-1)

	2024-12-05: I have moved this information to a git repo which includes BIOS screenshots.

	Please go here for all future updates:
	https://github.com/theodric/kvm-vfio-notes

	---------------------
	Notes on getting KVM VFIO working on my hardware:
	- CPU: Ryzen 7 5700G
	- MB: Biostar B550T-SILVER
	- Host GFX: Ryzen 7 5700G iGPU