Please note: solutions involving either disabling or modifying the inbuilt ssh-agent are unlikely to work. I've seen numerous people suggest this is due to recent changes in macOS (I'm on 15.3), but can't prove that. Example: this doesn't work; the process /usr/bin/ssh-agent -l just keeps coming back. Feel free to prove me wrong.
My goal is to use a Yubikey 5 (FIDO2 device) for general SSH authentication on my Mac. I have generated my ed25519-sk type private key and can use it directly with SSH on the command-line (instructions).
But now I'm searching for ways to make this work more generally with other tools, including GUIs like GitKraken. Normally the easy way to do it globally on a macOS laptop is to set up the key in an ssh-agent (e.g. ssh-add) and then everything can just use the agent.
However, on macOS, ssh-agent can't handle *-sk type keys well out of the box. It is not set up with any kind of "ask password" (ssh-askpass) program out of the box. Every time the agent needs to use the private key, it must interact with the Yubikey, but the Yubikey requires user interaction. The Yubikey first wants me to enter a PIN and then touch a button on the device itself. Without an "ask password" program, ssh-agent just errors out and authentication fails.
As stated in the first paragraph, all of the answers I've hit so far do not work because they all point to disabling the inbuilt ssh-agent and setting up something like OpenSSH ssh-agent to replace it. But it seems that recent macOS changes have made it impossible to simply disable it, thus disabling and replacing it is no longer an option.
E.g. this seems to have no effect:
sudo launchctl disable system/com.openssh.ssh-agent
Feel free to prove me wrong.
I'm really looking for a solution that works system-wide and not just for a specific shell session. I can obviously run an agent in a shell session, but I can't see a good way to gain access to that system-wide, including GUI apps.
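As an added diagnostic example (not part of the original post), the following POSIX shell script checks the facts the question turns on for the current session: which agent SSH_AUTH_SOCK points at, whether an askpass program is configured in the environment, and how many FIDO2 (-sk) keys the agent holds. The socket-path pattern used to recognise the launchd-managed agent is an assumption; the key listing in sample_listing is constructed data in the shape of `ssh-add -L` output, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions are marked.

# Returns 0 if the agent socket path looks like the launchd-managed macOS
# agent. Assumption: that agent listens on a path of the form
# /private/tmp/com.apple.launchd.<random>/Listeners (or the /tmp alias).
is_launchd_socket() {
    case "$1" in
        /private/tmp/com.apple.launchd.*/Listeners|/tmp/com.apple.launchd.*/Listeners) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ssh-add -L` output on stdin and prints how many loaded keys are
# FIDO2 (-sk) keys. Those appear with a key type of sk-ssh-ed25519@openssh.com
# or sk-ecdsa-sha2-nistp256@openssh.com; every use of one needs PIN/touch,
# so the agent must have an askpass program to prompt the user.
count_sk_keys() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample in the shape of `ssh-add -L` output (fake key blobs),
# used to exercise count_sk_keys without a real agent.
sample_listing() {
    printf '%s\n' \
        'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tFAKE yubikey' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE laptop' \
        'sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhFAKE yubikey2'
}

# Prints a short report for the current session; returns 1 if no agent is set.
report() {
    sock="${SSH_AUTH_SOCK:-}"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is not set: no agent in this session"
        return 1
    fi
    if is_launchd_socket "$sock"; then
        echo "agent: launchd-managed ($sock)"
    else
        echo "agent: user-started ($sock)"
    fi
    if [ -n "${SSH_ASKPASS:-}" ]; then
        echo "SSH_ASKPASS: $SSH_ASKPASS (SSH_ASKPASS_REQUIRE=${SSH_ASKPASS_REQUIRE:-unset})"
    else
        echo "SSH_ASKPASS: unset; -sk keys in the agent cannot prompt for PIN/touch"
    fi
    sk=$(ssh-add -L 2>/dev/null | count_sk_keys)
    echo "FIDO2 (-sk) keys loaded: $sk"
}

# Run the report only when invoked with --report, so the functions can also
# be sourced into another script.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh check-agent.sh --report` from the shell whose environment you want to inspect. Note that a GUI app started from the Dock does not inherit the shell's environment, which is why a session-only SSH_AUTH_SOCK or SSH_ASKPASS does not carry over to tools like GitKraken.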