Resident Discoverable SSH Keys not working

Hi,

I am on a transition from macOS to NixOS. One piece of the puzzle that I am missing is the use of my fido2 SSH keys. Both macOS and Nix are using SSH version 9.6p1.

On both devices, I insert the Yubikey, do ssh-keygen -K, it asks for the Yubikey PIN, asks to set the keypair password and the public/private keys are output accordingly.

Then, on macOS I will do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname. I’m prompted for the ssh key passphrase, the yubikey PIN and requested to touch the yubikey to confirm ‘user presence’ and I’m logged in.

However, on NixOS I also do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname, where I’m prompted for the ssh key passphrase; however, I am not prompted for the Yubikey PIN or to touch it, but instead get the error:

sign_and_send_pubkey: signing failed for ED25519-SK "id_ed25519_sk_rk_xxx" from agent: agent refused operation

In my configuration.nix I have:

environment.systemPackages = with pkgs; [
  ...
  pinentry-curses  # For GPG
  x11_ssh_askpass
];

...

programs.ssh.askPassword = "";
services.pcscd.enable = true;

In home.nix:

programs.ssh = {
  enable = true;
};

services.ssh-agent = {
  enable = true;
};

Any suggestions would be greatly appreciated. Thanks

Hi @harvey, I can reproduce this scenario with my FIDO2 Security Key. It was frustrating for sure because I’ve never had it NOT work out of the box on Arch or Fedora.

Adding

     IdentitiesOnly yes
     IdentityAgent none

to my host in ~/.ssh/config solved it for me, which was suggested in this stackoverflow answer.

If this does not work, I recommend adding -vvv to your ssh commands and inspecting the output.
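As an added example (not code from either post in this thread), the script below writes the suggested Host block to an ssh_config file and then checks what ssh would actually use, via `ssh -G`, which prints the effective configuration without connecting anywhere. The host alias `example-host`, the key path and the config file path are placeholders. The point of the two options is that ssh then reads the resident key file itself instead of handing the signing request to ssh-agent, so the PIN and touch prompts come from the ssh client (and its askpass program when needed) rather than from an agent that refuses the operation; `IdentitiesOnly yes` also stops ssh from offering every other key the agent happens to hold.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Writes a per-host ssh_config block that
# bypasses the agent for a FIDO2 resident key, then reports the options ssh
# will really use. Host alias, key path and config path are assumptions.
set -eu

# write_sk_host_block CONFIG_FILE HOST_ALIAS KEY_PATH
# Appends the block once; running it again for the same alias is a no-op.
write_sk_host_block() {
  cfg=$1; host=$2; key=$3
  if grep -q "^Host $host\$" "$cfg" 2>/dev/null; then
    return 0
  fi
  cat >>"$cfg" <<EOF
Host $host
    IdentityFile $key
    IdentitiesOnly yes
    IdentityAgent none
EOF
}

# effective_option CONFIG_FILE HOST_ALIAS OPTION
# Prints the value ssh resolves for OPTION (lower-case name, as ssh -G prints
# it). Uses "ssh -G", which never connects; if ssh is not installed, falls
# back to reading the Host block from the file directly.
effective_option() {
  cfg=$1; host=$2; opt=$3
  out=""
  if command -v ssh >/dev/null 2>&1; then
    out=$(ssh -G -F "$cfg" "$host" 2>/dev/null) || out=""
  fi
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | awk -v o="$opt" 'tolower($1) == o { print $2; exit }'
  else
    awk -v h="$host" -v o="$opt" '
      /^Host / { in_block = ($2 == h) }
      in_block && tolower($1) == o { print $2; exit }' "$cfg"
  fi
}

# Usage: write the block into a config file and show the resolved options.
#   CONFIG=~/.ssh/config
#   write_sk_host_block "$CONFIG" example-host ~/.ssh/id_ed25519_sk_rk_example
#   effective_option "$CONFIG" example-host identityagent   # expect: none
#   effective_option "$CONFIG" example-host identitiesonly  # expect: yes
```

After adding the block, `ssh -vvv example-host` should show the key being loaded from the file and the client itself asking for the PIN and touch, rather than "agent refused operation".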