[Bug 3366] SSH should skip sk-* keys that don't match the connected security key

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Dec 3 10:28:53 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3366

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
From Pedro, who knows way more about this than me:

> Reverting b969072c would break the "uv handled by token" logic implemented in
> f3c34df8. (I am including links to both commits at the bottom of this message).
> 
> With f3c34df8, -O verify-required credentials without a corresponding PIN/UV
> gesture and a credential unknown to the token (#3366) are indistinguishable to
> the middleware: an attempt to sign results in ERR_NO_CREDENTIALS and
> SSH_SK_USER_VERIFICATION_REQD is clear.
> 
> Reverting both commits would address #3366 but break builtin UV (f3c34df8). A
> best-effort compromise would be to attempt to sign if a) there's only one token;
> b) the token supports builtin UV (so we can't tell whether the credential exists
> on the token without asking the user to complete UV, i.e. supply a PIN or
> perform UV gesture):
> 
> -       if (skvcnt == 1) {
> +       if (skvcnt == 1 && fido_dev_has_uv(skv[0]->dev)) {
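
Review bot: The added fido_dev_has_uv(skv[0]->dev) test on the "+" line needs a comment at the call site stating why the single-token sign attempt is limited to tokens with builtin UV, namely that for such a token the middleware cannot tell whether the credential exists without asking the user for a PIN or UV gesture. The narrowed condition also means a lone token without builtin UV no longer takes this branch, so the path it now falls into should be checked to behave correctly with exactly one token, and that case deserves a line in the commit message since it is where #3366 remains unaddressed.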
> 
> b969072c: https://github.com/openssh/openssh-portable/commit/b969072c
> f3c34df8: https://github.com/openssh/openssh-portable/commit/f3c34df8

I've committed a version of this as
https://github.com/openssh/openssh-portable/commit/b560120214 but it
will only improve matters for biometric keys. I don't think this is
avoidable in the general case.
