Public bug reported:

I am having trouble setting up FIDO2 ssh keys with my yubikey 5C NFC if
I want to enable user verification (user presence works fine).


Steps to reproduce:

= Prep work =

Client (kinetic):
* generate a key that requires user verification:
  $ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_verify_sk -O verify-required -C "this key requires UV"
  [provide your authenticator PIN, touch it, and add an encryption password]

Server (jammy):
* add id_ed25519_verify_sk.pub to authorized_keys

= Symptoms =

Shell 1 (w/ssh agent):

$ eval $(ssh-agent)
Agent pid 3279738

$ ssh-add ~/.ssh/id_ed25519_verify_sk
Enter passphrase for /home/aieri/.ssh/id_ed25519_verify_sk: 
Identity added: /home/aieri/.ssh/id_ed25519_verify_sk (this key requires UV)

$ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 fails\!"
sign_and_send_pubkey: signing failed for ED25519-SK "/home/aieri/.ssh/id_ed25519_verify_sk" from agent: agent refused operation
ubuntu@10.35.202.231: Permission denied (publickey).

[note that the above is printed immediately, and that the yubikey does
not light up]

Shell 2 (no ssh agent):

$ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 works\!"
Enter passphrase for key '/home/aieri/.ssh/id_ed25519_verify_sk': 
Enter PIN for ED25519-SK key /home/aieri/.ssh/id_ed25519_verify_sk: 
Confirm user presence for key ED25519-SK SHA256:nhgS4c2rGtE7XKeez3rAsofrjJvsL6rmBLShZxfTXIY
User presence confirmed
FIDO2 works!


NOTE:
* user _presence_ can be validated correctly with or without the ssh-agent: keys generated without `-O verify-required` work as expected (aside from bug 1869897)

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2000276

Title:
  FIDO2 user verification impossible when using the ssh agent

Status in openssh package in Ubuntu:
  New
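Added example (not from the bug report and not OpenSSH code): a parser for the sk-ssh-ed25519@openssh.com signature encoding that reports whether the authenticator asserted user presence and user verification. This is the flag sshd inspects when an authorized_keys entry carries the verify-required option, so the server can enforce UV independently of the client-side key flag; the signature bytes and counters below are constructed and no cryptographic verification is performed.

```python
import struct

# Wire format of an sk-ssh-ed25519@openssh.com signature (OpenSSH PROTOCOL.u2f):
#   string type, string signature, byte flags, uint32 counter
SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
FLAG_USER_PRESENCE = 0x01      # authenticator was touched
FLAG_USER_VERIFICATION = 0x04  # PIN (or biometric) was checked


def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _get_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def build_sk_signature(raw_sig: bytes, flags: int, counter: int) -> bytes:
    """Encode a signature blob the way an sk-ed25519 key emits it."""
    return (_put_string(SK_ED25519) + _put_string(raw_sig)
            + bytes([flags]) + struct.pack(">I", counter))


def parse_sk_signature(blob: bytes) -> dict:
    """Decode the blob and expose the assertion flags the authenticator set."""
    sigtype, off = _get_string(blob, 0)
    if sigtype != SK_ED25519:
        raise ValueError("unexpected signature type %r" % sigtype)
    raw_sig, off = _get_string(blob, off)
    if len(raw_sig) != 64:
        raise ValueError("ed25519 signature must be 64 bytes")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    if off + 5 != len(blob):
        raise ValueError("trailing bytes after counter")
    return {"flags": flags, "counter": counter,
            "user_present": bool(flags & FLAG_USER_PRESENCE),
            "user_verified": bool(flags & FLAG_USER_VERIFICATION)}


def check_assertion_policy(blob: bytes, require_uv: bool, require_up: bool = True):
    """Mirror sshd's policy: UP unless no-touch-required, UV under verify-required."""
    info = parse_sk_signature(blob)
    if require_up and not info["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not info["user_verified"]:
        return False, "user verification required but not asserted"
    return True, "ok (counter=%d)" % info["counter"]


# Constructed samples: dummy 64-byte signature, touch only vs. touch plus PIN.
DUMMY_SIG = bytes(range(64))
SIG_UP_ONLY = build_sk_signature(DUMMY_SIG, FLAG_USER_PRESENCE, 41)
SIG_UP_UV = build_sk_signature(DUMMY_SIG, FLAG_USER_PRESENCE | FLAG_USER_VERIFICATION, 42)
```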
