% ykman piv info
PIV version: 5.4.3
WARNING: Using default PIN!
PIN tries remaining: 3/3
WARNING: Using default Management key!
Management key algorithm: TDES
CHUID: No data available.
CCC: No data available.
% ykman piv info
PIV version: 5.4.3
PIN tries remaining: 3/3
Management key algorithm: AES256
Management key is stored on the YubiKey, protected by PIN.
CHUID: No data available.
CCC: No data available.
% ssh-add -s /opt/homebrew/opt/opensc/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/opt/homebrew/opt/opensc/lib/opensc-pkcs11.so": agent refused operation
→ registration failed
% ykman fido info
PIN is not set.
% ykman fido access verify-pin
Error: This feature requires having a PIN. Set a PIN first.
% ykman fido credentials list
Error: Credential Management requires having a PIN. Set a PIN first.
% ykman fido info
PIN is set, with 8 attempt(s) remaining.
% ykman fido access verify-pin
Enter your PIN:
PIN verified.
% ykman fido credentials list
Enter your PIN:
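To check a key for the weak states shown in the `ykman piv info` and `ykman fido info` transcripts above (default PIN, default or TDES management key, no FIDO2 PIN), here is an added shell audit script; it is not part of the original post or of ykman, the sample outputs are constructed from the transcripts, and the remediation commands assume the ykman 5.x subcommands used on this page.

```shell
#!/bin/sh
# Added example (not from the post or from ykman): audit `ykman piv info` /
# `ykman fido info` output for the weak states seen in the transcripts above.
# Usage: ykman piv info | audit_ykman_output    (exit 1 when anything is found)

audit_ykman_output() {
    input=$(cat)                     # slurp stdin so every rule can re-scan it
    findings=0
    rule() {                         # rule PATTERN MESSAGE
        if printf '%s\n' "$input" | grep -q -- "$1"; then
            echo "$2"
            findings=$((findings + 1))
        fi
    }
    rule 'WARNING: Using default PIN' \
         'piv: default PIN in use -> ykman piv access change-pin'
    rule 'WARNING: Using default Management key' \
         'piv: default management key -> ykman piv access change-management-key --protect -a AES256'
    rule 'Management key algorithm: TDES' \
         'piv: management key still TDES -> regenerate it as AES256'
    rule 'PIN is not set' \
         'fido: no FIDO2 PIN -> ykman fido access change-pin (required for resident sk keys)'
    [ "$findings" -eq 0 ]
}

# Number of findings for a given block of ykman output (helper for scripts/tests).
count_findings() {
    printf '%s\n' "$1" | audit_ykman_output | grep -c . || true
}

# Constructed sample: the "before" state from the first `ykman piv info` above.
WEAK_PIV='PIV version: 5.4.3
WARNING: Using default PIN!
PIN tries remaining: 3/3
WARNING: Using default Management key!
Management key algorithm: TDES'

# Constructed sample: the hardened state from the second `ykman piv info` above.
GOOD_PIV='PIV version: 5.4.3
PIN tries remaining: 3/3
Management key algorithm: AES256
Management key is stored on the YubiKey, protected by PIN.'
```

Running `ykman fido info | audit_ykman_output` before `ssh-keygen -O resident` flags the "PIN is not set." state that made the credential commands above fail.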
% ssh-keygen -t ed25519-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation
Key enrollment failed: unknown or unsupported key type
It failed. The message says "unknown or unsupported key type".
On Yubico's developer site I found the note "Disabled by Apple on the bundled version of OpenSSH in MacOS as of the last update to this page". It seems the OpenSSH bundled with macOS has "ecdsa-sk" and "ed25519-sk" disabled.
% ssh-keygen -t ed25519-sk
→ success
% rm ~/.ssh/id_ed25519-sk*
→ delete the keys
% ssh-keygen -t ed25519-sk -O resident -O application=ssh:Capybara
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
→ touch the YubiKey here 👆
Enter PIN for authenticator:
→ enter the FIDO2 PIN you registered here
Enter file in which to save the key (/Users/Capybara/.ssh/id_ed25519_sk):
→ enter the file name for the generated key here (pressing Enter with no input is also fine)
Enter passphrase (empty for no passphrase):
→ enter the passphrase for the generated private key here
Enter same passphrase again:
→ enter the passphrase again
Your identification has been saved in /Users/Capybara/.ssh/id_ed25519_sk
Your public key has been saved in /Users/Capybara/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:z0xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxd0 [email protected]
The key's randomart image is:
+[ED25519-SK 256]-+
| ...... |
| ...... |
| ...... |
+----[SHA256]-----+
% ls -l ~/.ssh
-rw------- 1 Capybara staff 525 5 29 16:31 id_ed25519_sk
-rw-r--r-- 1 Capybara staff 159 5 29 16:31 id_ed25519_sk.pub
% ssh [email protected]
Enter passphrase for key '/Users/Capybara/.ssh/id_ed25519_sk':
→ enter the passphrase
Confirm user presence for key ED25519-SK SHA256:z0xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxd0
→ touch the YubiKey 👆
User presence confirmed
% ssh [email protected]
Enter passphrase for key '/Users/Capybara/.ssh/id_ed25519_sk':
→ enter the passphrase
Confirm user presence for key ED25519-SK SHA256:z0xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxd0
sign_and_send_pubkey: signing failed for ED25519-SK "/Users/Capybara/.ssh/id_ed25519_sk": device not found
[email protected]: Permission denied (publickey).
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.sendgrid.net"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "apikey"
gitlab_rails['smtp_password'] = "the_api_key_you_created"
gitlab_rails['smtp_domain'] = "smtp.sendgrid.net"
gitlab_rails['smtp_authentication'] = "plain"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
# If you use Single Sender Verification, you must set the from address below; otherwise sending fails with:
# 550 The from address does not match a verified Sender Identity. Mail cannot be sent until this error is resolved.
# See https://sendgrid.com/docs/for-developers/sending-email/sender-identity/ for the Sender Identity requirements.
gitlab_rails['gitlab_email_from'] = 'email@sender_owner_api'
gitlab_rails['gitlab_email_reply_to'] = 'email@sender_owner_reply_api'
ykman list --serials
→ nothing is output
ykman info
→ the YubiKey's device information is output
Device type: Security Key NFC
Firmware version: 5.1.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO
NFC transport is enabled.
Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Not available   Not available
FIDO U2F        Enabled         Enabled
OATH            Not available   Not available
YubiHSM Auth    Not available   Not available
OpenPGP         Not available   Not available
PIV             Not available   Not available