[Bug 3366] SSH should skip sk-* keys that don't match the connected security key

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Nov 22 19:31:25 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3366

--- Comment #4 from Erik Jensen <businesscorrespondence+openssh at rkjnsn.net> ---
They are both standard YubiKey 5 NFC. I've attached two logs. The first
is with plain OpenSSH_8.6p1, which requires two touches. The second is
with OpenSSH patched to revert
https://anongit.mindrot.org/openssh.git/commit/?id=b969072cc3d62d05cb41bc6d6f3c22c764ed932f,
which only requires one touch. Because it's not otherwise obvious from
the log output, I added "*** WAITS FOR SK TOUCH HERE ***" lines to the
logs at the points where ssh stopped and waited for a touch.

As you can see, the patched version still prints out "Confirm user
presence for key ECDSA-SK SHA256:…" for both keys, but only *actually*
waits for the key associated with the connected token. The unpatched
version waits for a touch for both keys.
