by jlgaddis 3078 days ago
I've been using this every day for about 2.5 years on each of the three machines that I use daily (each with its own Yubikey).

I sign anywhere from zero to 20 commits a day (providing my -- very long -- PIN each time) and open probably 200+ SSH sessions every day.

Once I've configured it on a new machine (e.g., I recently moved from Arch Linux to Fedora on these three machines), I have zero problems with it. There is no "unstable" issue for me at all.

Judging from my experiences as well as those of my siblings here, I have to wonder if perhaps "you're holding it wrong".

ETA: You will almost certainly run into trouble if you use Gnome (or, more specifically, gnome-keyring). I use XFCE everywhere, though.


> providing my -- very long -- PIN each time

Have you considered unlocking it once, leaving it unlocked and just requiring a touch for each operation :)

> ETA: You will almost certainly run into trouble if you use Gnome (or, more specifically, gnome-keyring)

Yes, google: "gnome keyring disable ssh agent" and you'll find: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_k...

That's my experience too (using gpg for ssh). While I remember that gpg-agent can die once in a while, it's very rare, and the benefit of having keys in a separate device and using them on any machine instantaneously is certainly worth it. Not to mention U2F and built-in TOTP. I can easily log in on a friend's machine without sharing any private/secret keys.
I suppose one notable delta between our environments: OS X (me) versus Linux (you, ostensibly)
I definitely noticed the same thing on my MacOS computers vs my Linux ones. What _seemed_ to be the solution for me was that ssh-agent gets auto-started by Mac. My crazy workaround was editing that service with root permissions and having it launch gpg-agent instead.

There's probably a better solution, but that's what worked for me.
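The steps the replies above describe (point SSH at gpg-agent instead of the agent the desktop or OS started, then verify that the card's key is what ssh sees) as an added shell example. This is not the commenter's launchd edit or anyone's config from the thread; it assumes GnuPG 2.1 or later (so `gpgconf --list-dirs` reports `agent-ssh-socket`) and that `~/.gnupg/gpg-agent.conf` already contains `enable-ssh-support`. The sample `gpgconf` output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): make SSH talk to gpg-agent instead of
# the OS-started ssh-agent (macOS) or gnome-keyring's agent (GNOME).
# Assumes GnuPG 2.1+ and "enable-ssh-support" in ~/.gnupg/gpg-agent.conf.

# Pure helper: pull the agent-ssh-socket path out of `gpgconf --list-dirs`
# output (one "name:value" line per entry). Reads stdin so it can be checked
# against constructed input without a running gpg-agent.
parse_agent_ssh_socket() {
    sed -n 's/^agent-ssh-socket:\(.*\)$/\1/p' | head -n 1
}

# Pure helper: does the current SSH_AUTH_SOCK ($1) already point at
# gpg-agent's ssh socket ($2)? Returns 0 if so, 1 otherwise (including when
# gpgconf reported no socket at all).
ssh_auth_sock_is_gpg() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live wiring: source this file and call setup_gpg_ssh_agent from a shell rc.
setup_gpg_ssh_agent() {
    sock=$(gpgconf --list-dirs 2>/dev/null | parse_agent_ssh_socket)
    if [ -z "$sock" ]; then
        echo "gpgconf did not report agent-ssh-socket; is GnuPG 2.1+ installed?" >&2
        return 1
    fi
    # Make sure gpg-agent is running; connecting and hanging up is enough.
    gpg-connect-agent /bye >/dev/null 2>&1
    if ! ssh_auth_sock_is_gpg "${SSH_AUTH_SOCK:-}" "$sock"; then
        # Drop the inherited ssh-agent PID so ssh-add cannot fall back to it.
        unset SSH_AGENT_PID
        SSH_AUTH_SOCK="$sock"
        export SSH_AUTH_SOCK
    fi
    # Check: with the card inserted this lists its authentication key.
    ssh-add -L
}
```

On GNOME the gnome-keyring SSH component must also be disabled, or it will overwrite SSH_AUTH_SOCK after login; on macOS the launchd-started ssh-agent sets the variable the same way, which is why the variable has to be re-exported in the shell rather than relied on from the session.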

FWIW, I have a MacBook Pro here that I've used it on as well. That was the primary machine I used all day every day until I built this workstation about a year ago. Nowadays I don't use the MBP very often at all, but I did just go check and, yep, it still works on there too.
"Works" in a one-off trial or with daily use? What I'm talking about is an unacceptable failure rate in the course of daily usage (by which I mean failures at least once or twice a day, sometimes considerably worse, over the course of establishing several dozen SSH connections daily)

If your OS X daily driver setup is truly stable, can you share all of the details? What OS X version? Yubikey model? GPG version? OpenSSH version?

I know at least a dozen people who have shared my experience so if there is a magic path to stabilizing it, I'm all ears.

> "Works" in a one-off trial or with daily use?

It worked with daily usage from the time I set it up (shortly after buying that particular MacBook Pro, in October 2016) until the time I quit using that machine all-day every day (c. December 2017). In addition, it worked on the previous MacBook Pro I had as well.

It still worked when I spent five minutes on it earlier today. Obviously, that's not any extensive testing but I have no reason to believe it has somehow broken itself in the time it's been sitting on a shelf, turned off.

I'll grant you that it's certainly not the easiest thing to get up and running... but I also know that it can be done and that it can work quite well. TBQH, if it had been that much of a pain in the ass, I wouldn't have bothered.

FWIW, this is a mid-/late-2016 MacBook Pro, running 10.12.something (never updated it to High Sierra), with a Yubikey Neo. GPG came from homebrew, IIRC, and SSH as shipped with the OS. I'm on mobile at the moment but I'll try to remember to go back and check all the version numbers and such later, if you're truly interested in them.

It sucks that you experienced so many issues with this but I think there's enough anecdotal evidence here to show that this can all be made to work -- and work reliably.

You may want to try resetting the SMC: https://support.apple.com/en-us/HT201295

My keys repeatedly failed to register touches until I did that, now it works flawlessly.

Anecdotally, I can confirm that this is probably the deciding factor. I use a Yubikey daily on both macOS and Linux - Linux smartcard support is rock solid, but it's really spotty on macOS.
I have noticed the same thing - on OSX I have to kill gpg-agent once or twice a week, and smartcard operations take noticeably longer.
Could you kindly share your config/setup?
Sure. Let me go back through my notes from the installation and I'll add the relevant parts here. Note that my Yubikeys were already all set up, though (i.e., the GPG keys -- and "derived" SSH key -- were already present on them).

---

ETA: I've posted my "first attempt" at remembering/including everything in a gist [0]. It's very likely that I've forgotten something, though. Apologies for the formatting and such, I was hurrying.

[0]: https://gist.github.com/jlgaddis/c52d6dea9aab4fa7e184d78c354...