[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
bugzilla-daemon at mindrot.org
Sat Aug 26 02:48:35 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3572
--- Comment #8 from bluebird090909 at proton.me ---
The path /usr/libexec/ does not exist on Arch Linux, but
/usr/lib/ssh/x11-ssh-askpass is available.
However I did manage to get the pin entry to work on arch using the
x11-ssh-askpass package on a fresh arch installation.
Your instructions also worked on a fresh Debian Bookworm after
installing the ssh-askpass-gnome package and I can use the agent with
the fido2 key and pin verification.
In both cases I had to define SSH_ASKPASS first.
Eventually I found out that the reason ssh-askpass didn't work
initially on my arch setup was because I had this set in my bashrc:
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
while I also had this systemd service:
[Unit]
Description=SSH key agent
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -t 1h -a $SSH_AUTH_SOCK
[Install]
WantedBy=default.target
Removing this export from my bashrc results in ssh-askpass successfully
requesting the pin. (And I'm very confused why that is.)
Note that SSH_AUTH_SOCK is available as environment variable in both
cases, but setting it in bashrc seems to prevent askpass from working
for some reason.
To conclude, setting SSH_ASKPASS allows the agent to successfully
request the pin when using fido2 keys with verify-required.
More information about the openssh-bugs mailing list
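The comment above boils down to an environment problem: ssh-agent can only prompt for a FIDO2 PIN when SSH_ASKPASS names a usable helper, when it has somewhere to show the prompt, and when the shell and the systemd user unit are talking about the same agent socket. The script below is an added diagnostic written for this thread; it is not from the bug report, from Arch, Debian or OpenSSH. It assumes two facts outside the comment: the %t specifier in a systemd user unit expands to $XDG_RUNTIME_DIR, and OpenSSH 8.4 and later honour SSH_ASKPASS_REQUIRE=force to use the askpass helper even without a terminal. The unit path and runtime directory used in the checks are constructed sample values.

```sh
#!/bin/sh
# Added diagnostic (not from the bug report or from OpenSSH): check the
# things ssh-agent needs before it can ask for a FIDO2 PIN through an
# askpass helper, and compare the shell's SSH_AUTH_SOCK with the socket
# path a systemd user unit declares.  Sample paths are constructed.

# 0 if the askpass helper named in $1 exists and is executable.
askpass_ok() {
    helper="$1"
    [ -n "$helper" ] && [ -x "$helper" ]
}

# 0 if $1 names an existing unix socket (what SSH_AUTH_SOCK must point at).
agent_socket_ok() {
    [ -n "$1" ] && [ -S "$1" ]
}

# 0 if ssh-agent has a way to show the prompt: either a display is
# available (DISPLAY given as $1) or SSH_ASKPASS_REQUIRE=force (given
# as $2), which OpenSSH 8.4+ honours even when no terminal is attached.
prompt_channel_ok() {
    display="$1"
    require="$2"
    [ -n "$display" ] || [ "$require" = "force" ]
}

# Expand the %t specifier of a systemd *user* unit (it stands for
# $XDG_RUNTIME_DIR) so the unit's socket path can be compared with the
# shell's.  $1 is the value after Environment=SSH_AUTH_SOCK=, $2 is the
# runtime directory.
expand_unit_socket() {
    printf '%s\n' "$1" | sed "s|%t|$2|g"
}

# Print a report and return 0 only if every prerequisite is in place.
# Arguments: SSH_AUTH_SOCK, SSH_ASKPASS, DISPLAY, SSH_ASKPASS_REQUIRE,
# the unit's socket value, XDG_RUNTIME_DIR.
report() {
    sock="$1" helper="$2" display="$3" require="$4" unit_sock="$5" runtime="$6"
    rc=0
    if agent_socket_ok "$sock"; then
        echo "ok:   SSH_AUTH_SOCK=$sock is a live agent socket"
    else
        echo "FAIL: SSH_AUTH_SOCK='$sock' is not an existing unix socket"; rc=1
    fi
    expanded=$(expand_unit_socket "$unit_sock" "$runtime")
    if [ "$sock" = "$expanded" ]; then
        echo "ok:   shell and systemd unit agree on $expanded"
    else
        # Not fatal by itself, but it is exactly the kind of mismatch that
        # leaves the shell talking to a different agent than the one the
        # unit started.
        echo "WARN: shell uses '$sock' but the unit declares '$expanded'"
    fi
    if askpass_ok "$helper"; then
        echo "ok:   SSH_ASKPASS=$helper is executable"
    else
        echo "FAIL: SSH_ASKPASS='$helper' is unset or not executable"; rc=1
    fi
    if prompt_channel_ok "$display" "$require"; then
        echo "ok:   a prompt channel is available (DISPLAY or SSH_ASKPASS_REQUIRE=force)"
    else
        echo "FAIL: no DISPLAY and SSH_ASKPASS_REQUIRE is not 'force'"; rc=1
    fi
    return $rc
}

# Run against the live environment only when asked, so sourcing the file
# just defines the functions.  The unit value mirrors the one in the thread.
if [ "${1:-}" = "--report" ]; then
    report "${SSH_AUTH_SOCK:-}" "${SSH_ASKPASS:-}" "${DISPLAY:-}" \
        "${SSH_ASKPASS_REQUIRE:-}" '%t/ssh-agent.socket' "${XDG_RUNTIME_DIR:-}"
fi
```

Run it as `sh check-askpass.sh --report` from the same shell you use ssh in; a WARN on the socket line or a FAIL on the helper line narrows the problem to the environment rather than to the key or the agent.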