macOS
brew install yubikey-agentlocal Homebrew formula metadata
brew
Seamless ssh-agent for YubiKeys and other PIV tokens. Version 0.1.6 via Homebrew; verified 2026-06-06.
install
brew install yubikey-agentlocal Homebrew formula metadata
sudo apk add yubikey-agentAlpine Linux edge package indexes · yubikey-agent · source: dl-cdn.alpinelinux.org
sudo apt install yubikey-agentDebian stable package indexes · yubikey-agent · source: deb.debian.org
nix profile install nixpkgs#yubikey-agentnixpkgs package indexes · pkgs/by-name/yu/yubikey-agent/package.nix · source: api.github.com
overview
Seamless ssh-agent for YubiKeys and other PIV tokens
history
yubikey-agent is Filippo Valsorda’s Go ssh-agent for YubiKeys and other PIV tokens, packaged because it makes hardware-backed SSH keys feel like a normal SSH_AUTH_SOCK workflow.
The project appeared publicly in 2020, in the same period when OpenSSH 8.2 introduced native FIDO/U2F security-key support. yubikey-agent chose a different compatibility path: use the YubiKey PIV applet to present ordinary SSH public keys through an agent interface, so existing servers did not need support for the newer `-sk` SSH key types.
The README emphasizes three design goals that shaped its history: one-command setup, resilience across unplugging and sleep, and keys generated on the YubiKey so private material cannot be extracted. It is written in Go and built on go-piv/piv-go plus Go’s SSH libraries.
Its documentation also candidly records the tradeoffs: keeping a persistent PIV transaction helps PIN caching and UX, but can conflict with gpg-agent, YubiKey Manager, and other tools that want the same PIV applet.
Early adoption came from security-conscious developers who wanted hardware-backed SSH without the fragility of gpg-agent, manual PKCS#11 loading, or server-side FIDO2 support. A Hacker News launch discussion in May 2020 framed it as a friendly way to plug in a key and SSH securely with minimal setup.
Packaging spread through Homebrew, AUR/Arch-style packaging, NixOS modules, FreeBSD ports, Alpine testing, Debian, and Ubuntu. The README’s install instructions are package-manager first, which helped the tool become a normal service rather than a custom local build.
Users install the package, start the service, run `yubikey-agent -setup` to generate a key on the YubiKey, and point `SSH_AUTH_SOCK` or per-host `IdentityAgent` settings at the agent socket. After that, SSH sees an ordinary agent while the YubiKey enforces PIN and touch policy.
The tool is commonly compared with OpenSSH FIDO2 keys, gpg-agent with the OpenPGP applet, raw ssh-agent PKCS#11 loading, pivy-agent, and macOS Secure Enclave tools such as Secretive. Its niche is the compatibility and UX middle ground: hardware-backed keys with ordinary SSH public-key compatibility.
yubikey-agent is a package-nerd favorite because it collapses a historically fiddly stack into one daemon and one socket. It is not the only hardware-backed SSH route, but it is one of the cleanest examples of wrapping smart-card behavior in a familiar Unix interface.
It also tells a packaging story about defaults: Homebrew services, systemd user units, NixOS services, pcscd, and SSH_AUTH_SOCK all matter as much as the binary itself.
security posture
broad file, network, media, or database tool signal. formula declares a Homebrew service.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
yubikey-agent | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/FiloSottile/yubikey-agent
install metadata
| Package key | brew:yubikey-agent |
|---|---|
| Version | 0.1.6 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/yubikey-agent |
| Homepage | https://github.com/FiloSottile/yubikey-agent |
| Repository | https://github.com/FiloSottile/yubikey-agent |
| Upstream docs | https://github.com/FiloSottile/yubikey-agent#readme |
| License | BSD-3-Clause |
| Source archive | https://github.com/FiloSottile/yubikey-agent/archive/refs/tags/v0.1.6.tar.gz |
| Last updated | 2026-06-06T11:29:14Z |
| Pulse | updated |
| Build dependencies | go, pkgconf |
| Uses from macOS | pcsc-lite |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | declared |
| Caveats | To use this SSH agent, set this variable in your ~/.zshrc and/or ~/.bashrc: export SSH_AUTH_SOCK="$HOMEBREW_PREFIX/var/run/yubikey-agent.sock" |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | yubikey-agent |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
yubikey-agent 0.1.4-2+b19
seamless ssh agent for YubiKeys
https://github.com/FiloSottile/yubikey-agent
sudo apt install yubikey-agentyubikey-agent
nix profile install nixpkgs#yubikey-agentyubikey-agent 0.1.4-2build1
seamless ssh agent for YubiKeys
https://github.com/FiloSottile/yubikey-agent
sudo apt install yubikey-agentyubikey-agent 0.1.6-r22
Seamless ssh-agent for YubiKeys
https://github.com/FiloSottile/yubikey-agent
sudo apk add yubikey-agentsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.