[This post has been updated for Yosemite and now mentions bugs in Apple’s version of ssh-add. Thanks to Fredrik Pettai for letting me know.]
I don’t feel at ease with private keys and other sensitive files floating around on multiple machines and backups. They are of course encrypted, but nobody keeps track of where every copy lives, so it is impossible to “take them back” if a passphrase is ever compromised.
Smart tokens are an attractive solution, because they combine something you know (the PIN) with something you have in the actual, physical sense. The keys remain portable, but only together with the token: the private key material never leaves the device.
However, smart tokens are still not mainstream. None of the products I encountered comes from a well-known hardware manufacturer, and the software side is spread over several open source projects, so you have to piece together scattered documentation before you can see the big picture.
After crawling outdated forum posts on GOOZE and sourcing hardware from an obscure Hungarian web shop (with good service!), I did get token-based authentication running with fewer obstacles than I expected. Once you know where to look, it’s actually quite simple.
So here is a mini guide to managing SSH private keys with the Feitian ePass2003 on Mavericks and Yosemite.