[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent

Tue, 03 Jan 2023 13:05:26 -0800 

Thank you for submitting this report. I attempted to verify on a fresh
install of Kinetic as a client and Jammy as a server using a Yubikey
Bio. ssh login worked for me both with and without ssh-agent active. I
unfortunately don't have a 5c to test with and the issue may lie
specifically with that. Have you tried this with multiple new ssh keys
to confirm the issue?

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2000276

Title:
  FIDO2 user verification impossible when using the ssh agent

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  I am having trouble setting up FIDO2 ssh keys with my yubikey 5C NFC
  if I want to enable user verification (user presence works fine).

  
  Steps to reproduce:

  = Prep work =

  Client (kinetic):
  * generate a key that requires user verification:
    $ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_verify_sk -O 
verify-required -C "this key requires UV"
    [provide your authenticator PIN, touch it, and add an encryption password]

  Server (jammy):
  * add id_ed25519_verify_sk.pub to authorized_keys

  = Symptoms =

  Shell 1 (w/ssh agent):

  $ eval $(ssh-agent)
  Agent pid 3279738

  $ ssh-add ~/.ssh/id_ed25519_verify_sk
  Enter passphrase for /home/aieri/.ssh/id_ed25519_verify_sk: 
  Identity added: /home/aieri/.ssh/id_ed25519_verify_sk (this key requires UV)

  $ ssh [email protected] -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 fails\!"
  sign_and_send_pubkey: signing failed for ED25519-SK 
"/home/aieri/.ssh/id_ed25519_verify_sk" from agent: agent refused operation
  [email protected]: Permission denied (publickey).

  [note that the above is printed immediately, and that the yubikey does
  not light up]

  Shell 2 (no ssh agent):

  $ ssh [email protected] -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 works\!"
  Enter passphrase for key '/home/aieri/.ssh/id_ed25519_verify_sk': 
  Enter PIN for ED25519-SK key /home/aieri/.ssh/id_ed25519_verify_sk: 
  Confirm user presence for key ED25519-SK 
SHA256:nhgS4c2rGtE7XKeez3rAsofrjJvsL6rmBLShZxfTXIY
  User presence confirmed
  FIDO2 works!


  NOTE: 
  * user _presence_ can be validated correctly with or without the ssh-agent: 
keys generated without `-O verify-required` work as expected (aside from bug 
1869897)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2000276/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to