| 4 Dec 2023 |
 Ilan Joselevich (Kranzes) | lol | 15:12:48 |
 Lily Foster | so yeah i guess nix-darwin is gonna need support for running our openssh if we really wanted to support -sk keys. but the more i read, the more that sounds non-trivial..... | 15:13:42 |
| Ilan Joselevich (Kranzes) | can't find libsk-libfido2.dylib in nixpkgs | 15:13:58 |
| Lily Foster | does it not just need libfido2.dylib or is the libsk-libfido2 some special shared lib that's only needed on macos? | 15:15:14 |
| Lily Foster | our openssh is built with --with-security-key-builtin=yes and i can confirm that it does use libfido2.dylib | 15:15:37 |
| Lily Foster | or at least references it | 15:15:41 |
| Ilan Joselevich (Kranzes) | 
Download image.png | 15:16:28 |
| Lily Foster | ssh-sk-helper in the darwin openssh package from nixpkgs has /nix/store/16ccmy0kylpjgnplh0rkyx4az3gzy5rj-openssl-3.0.12/lib/libcrypto.3.dylib as LC_LOAD_DYLIB on the mach-o | 15:16:55 |
| Ilan Joselevich (Kranzes) | i tried using nix-locate | 15:17:25 |
| Lily Foster | * ssh-sk-helper in the darwin openssh package from nixpkgs has /nix/store/czcpqds7n8211xjbb1v6sdh8qizpmq6g-libfido2-1.13.0/lib/libfido2.1.dylib as LC_LOAD_DYLIB on the mach-o | 15:17:27 |
| Ilan Joselevich (Kranzes) | couldn't find libsk-libfido2 | 15:17:31 |
| Lily Foster | but what even is that. our openssh on linux doesn't have that either, so is it something darwin specific?? | 15:17:54 |
| Ilan Joselevich (Kranzes) | https://github.com/Yubico/libfido2/pull/65 | 15:18:14 |
| Lily Foster | either way, our openssh is built with the flag that is supposed to enable that support and the helper is successfully built. so i really don't see why it wouldn't work with it | 15:18:18 |
| Ilan Joselevich (Kranzes) | idk what to do anymore 😠| 15:19:26 |
| Ilan Joselevich (Kranzes) | so many different issues saying different things | 15:19:37 |
| Lily Foster | that was removed in https://github.com/Yubico/libfido2/commit/2ba6c6afe5f2d1717bf366da043ccb515fbed8de | 15:19:48 |
| Lily Foster | so ssh-sk-helper is the equivalent to that lib now | 15:20:08 |
| Lily Foster | and is what we build | 15:20:10 |
| Lily Foster | we just don't have a way currently to use nixpkgs openssh's sshd instead of macOS's | 15:20:28 |
| Ilan Joselevich (Kranzes) | can we just use SK_PROVIDER thing for now? | 15:21:41 |
| Ilan Joselevich (Kranzes) | to test it out | 15:21:43 |
| Lily Foster | what, with apple's openssh? | 15:21:54 |
| Ilan Joselevich (Kranzes) | yeah | 15:22:07 |
| Ilan Joselevich (Kranzes) | I don't think I can't do that from my Linux system | 15:24:32 |
| Ilan Joselevich (Kranzes) | and not even sure if it works on Ventura | 15:24:43 |
| Lily Foster | that might work? it looks like you can set SSH_SK_PROVIDER in the env even if it was not compiled with support and have it dlopen the provider | 15:27:05 |
| Ilan Joselevich (Kranzes) | In reply to @lily:lily.flowers
lily@darwin03> sw_vers
ProductName: macOS
ProductVersion: 13.6.1
BuildVersion: 22G313
someone says it's fixed in macOS 13.2 RC (22D49) | 15:27:05 |
| Lily Foster | if it's a recent enough openssh version | 15:27:14 |
| Ilan Joselevich (Kranzes) | In reply to @kranzes:matrix.org
someone says it's fixed in macOS 13.2 RC (22D49) clearly not then, because we're on 13.6 | 15:27:26 |
