[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

bugzilla-daemon at mindrot.org
Sat Aug 26 02:48:35 AEST 2023


--- Comment #8 from bluebird090909 at proton.me ---
The path /usr/libexec/ does not exist on Arch Linux, but
/usr/lib/ssh/x11-ssh-askpass is available.

However I did manage to get the pin entry to work on arch using the
x11-ssh-askpass package on a fresh arch installation.

Your instructions also worked on a fresh Debian Bookworm after
installing the ssh-askpass-gnome package and I can use the agent with
the fido2 key and pin verification.

In both cases I had to define SSH_ASKPASS first.

Eventually I found out that the reason ssh-askpass didn't work
initially on my arch setup was because I had this set in my bashrc:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

while I also had this systemd service:

Description=SSH key agent

ExecStart=/usr/bin/ssh-agent -D -t 1h -a $SSH_AUTH_SOCK


Removing this export from my bashrc results in ssh-askpass successfully
requesting the pin. (And I'm very confused why that is)
Note that SSH_AUTH_SOCK is available as environment variable in both
cases, but setting it in bashrc seems to prevent askpass from working
for some reason.

To conclude, setting SSH_ASKPASS allows the agent to successfully
request the PIN when using FIDO2 keys with verify-required.

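Added example, not from the bug report or from OpenSSH itself: a small POSIX sh
precondition check for the setup described in the comment above, a FIDO2 key
created with "-O verify-required" held by ssh-agent, where the PIN is collected
through an askpass program. The key point it encodes is that the PIN prompt for
an agent-held verify-required key is raised by the agent process, so SSH_ASKPASS
(and DISPLAY, unless SSH_ASKPASS_REQUIRE=force) has to be present in the agent's
environment, which an agent started from a systemd user unit does not inherit
from an interactive shell. The function names, return codes, the key path
~/.ssh/id_ed25519_sk and the socket name are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the bug report or from OpenSSH).
#
# askpass_env_ready: report whether ssh-add and ssh-agent can route a
# PIN prompt through an askpass program. Checks, in order:
#   - SSH_AUTH_SOCK is set (ssh-add finds the agent through it);
#   - SSH_ASKPASS names an executable program;
#   - askpass is actually allowed: DISPLAY is set, or
#     SSH_ASKPASS_REQUIRE=force; "never" disables it.
# Return codes 1..5 are this script's own convention (hypothetical).
askpass_env_ready() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset: ssh-add cannot find the agent" >&2
        return 1
    fi
    if [ -z "${SSH_ASKPASS:-}" ]; then
        echo "SSH_ASKPASS is unset: the agent has no program to ask for the PIN" >&2
        return 2
    fi
    if [ ! -x "$SSH_ASKPASS" ]; then
        echo "SSH_ASKPASS=$SSH_ASKPASS is not an executable file" >&2
        return 3
    fi
    # OpenSSH compares SSH_ASKPASS_REQUIRE case-insensitively.
    req=$(printf '%s' "${SSH_ASKPASS_REQUIRE:-}" | tr '[:upper:]' '[:lower:]')
    case "$req" in
        force)
            ;;                           # askpass used unconditionally
        never)
            echo "SSH_ASKPASS_REQUIRE=never disables askpass" >&2
            return 4
            ;;
        *)
            # "prefer" or unset: askpass only runs when DISPLAY is set.
            if [ -z "${DISPLAY:-}" ]; then
                echo "DISPLAY is unset and SSH_ASKPASS_REQUIRE is not 'force': askpass will not run" >&2
                return 5
            fi
            ;;
    esac
    return 0
}

# Usage sketch (defined, not executed here): create the key, start an agent
# whose environment carries the askpass settings, then add the key.
# Assumptions: key at ~/.ssh/id_ed25519_sk, socket path in SSH_AUTH_SOCK.
load_verify_required_key() {
    askpass_env_ready || return $?
    # Step 1 (once): a FIDO2 key that requires PIN verification on every use.
    [ -f "$HOME/.ssh/id_ed25519_sk" ] ||
        ssh-keygen -t ed25519-sk -O verify-required -f "$HOME/.ssh/id_ed25519_sk"
    # Step 2: an agent started from this shell inherits SSH_ASKPASS and DISPLAY.
    # A systemd user unit does not; give it Environment= lines for both, or run
    # "systemctl --user import-environment DISPLAY SSH_ASKPASS" before starting it.
    [ -S "$SSH_AUTH_SOCK" ] || eval "$(ssh-agent -s -a "$SSH_AUTH_SOCK")" >/dev/null
    # Step 3: load the key. "prefer" sends any prompt to askpass even when
    # ssh-add has a terminal; the PIN itself is later requested by the agent.
    SSH_ASKPASS_REQUIRE=prefer ssh-add "$HOME/.ssh/id_ed25519_sk"
}
```

Run askpass_env_ready from the same environment the agent was started in, not
only from the shell that runs ssh; a pass in the shell and a failure in the
agent's unit is exactly the split that makes the PIN prompt silently fail.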