[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 30 20:17:35 AEST 2023


--- Comment #9 from xspielinbox+mindrot at protonmail.com ---
(In reply to Damien Miller from comment #5)
> This looks like it is a problem with how Fedora is
> running/configuring ssh-agent. You can test this using something
> like:
> sudo yum install openssh-askpass
> env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent
> $SHELL -l
> ssh-add ~/.ssh/id_ed25519_sk
> ssh-add -T ~/.ssh/id_ed25519_sk.pub

Sorry for the delay. I did quite some testing:

I first tried the test as is without openssh-askpass installed:

When just running $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
I get a (gnome-builtin) graphical dialog prompting for the
password/passphrase of the key, then have to tap the authenticator and
the shell prompt returns (so it is successful).
When testing it again, it has remembered the passphrase, and I only
have to tap the authenticator.
$ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
results in the same graphical dialog for the password/passphrase, but
after that it just fails with:
"Agent signature failed for [full path of key]: agent refused
One never gets the opportunity to tap the authenticator or enter the
pin for user verification. The authenticator also never lights up to
indicate that user interaction is required.

When adding the keys to the ssh-agent:
$ ssh-add ~/.ssh/id_ed25519_sk-pin
Enter passphrase for [full path of key]: 
Identity added: [full path of key] (pin)
$ ssh-add ~/.ssh/id_ed25519_sk-verify-pin
Enter passphrase for [full path of key]: 
Identity added: [full path of key] (verify-pin)

I always get the prompt for the passphrase in the terminal and also
have to enter it, even if I already entered it in the graphical dialog
or ran ssh-add before. When I then test the signatures again with
ssh-add -T, nothing has changed. I still have to enter the
password/passphrase in the graphical dialog if I ran ssh-add -D or
killed the ssh-agent before adding the keys to the ssh-agent.
Verification succeeds for the key with the pin, but not for the one
with verify-required.

After installing the openssh-askpass package, echo $SSH_ASKPASS
This binary also does indeed exist.

After running env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
ssh-agent $SHELL -l
there is an additional process running: ssh-agent /bin/bash -l
For every time I run this command, an additional process gets

When now running: ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub or ssh-add -T
I get: "Agent signature failed for [full path of key]: agent refused
It does not prompt me for the passphrase anymore.

$ ssh-add -L
returns: "The agent has no identities.", whereas the default agent has
all identities from the hard disk preloaded, even when the first
ssh-add command I enter is ssh-add -L. When opening a new terminal
window, it again defaults to the default agent and I have to manually
execute the above command again to enable openssh-askpass.

I first have to add the keys to the agent with ssh-add as above and
when then running $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
after a tap on the authenticator the shell prompt returns (so it is
But $ ssh-add -T ~/.ssh/id_ed25519_sk-verify-pin.pub
still fails with:
"Agent signature failed for [full path of key]: agent refused
When checking with ssh-add -L, one can see that the latter key also was
not added to the agent, despite the ssh-add command not giving an error
(though also not asking for the pin, as it should have).

Also: when running ssh-add ~/.ssh/id_ed25519_sk-pin or ssh-add
just hitting enter directly and not entering any passphrase seems to
abort it the same way as doing a keyboard interrupt. It does not show
the message of a bad passphrase, and there is no new key shown in
ssh-add -L

When then running ssh-add after killing the ssh-agent I receive "Error
connecting to agent: No such file or directory". I have to rerun env
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l
before the error goes away. When opening a new terminal window or
exiting the new login shell the command creates, this error disappears

After some wild testing in different terminal tabs, I somehow got to a
point where now, when running ssh-add
~/.ssh/id_ed25519_sk-verify-pin, it adds the key to the ssh-agent, even
though it did not prompt for a pin.
When having added the key to the ssh-agent and then running the
signature test, it now shows a (gnome-builtin) graphical dialog that
openssh-askpass wants to inhibit shortcuts. When allowing that, I get
to see a new application window "openssh" that asks me to confirm user
presence for the respective key and, in case of the verify-pin key, also
asks me to enter the PIN.
For the pin key, it succeeds after tapping the authenticator, but for
the verify-pin key, no matter what I enter as the pin (the actual FIDO2
pin of the authenticator, something completely wrong, nothing or the
passphrase of the key), it immediately fails with "Agent signature
failed for [full path of key]: agent refused operation", not even
giving me any chance to confirm my user presence. Trying to confirm the
user presence before entering the pin also does not work. In fact, the
authenticator never lights up the light to indicate that interaction is

I don't have anything SSH-related in my ~/.bashrc, /etc/bashrc,
/etc/profile or ~/.bash_profile.
There also isn't any ssh-askpass or ssh-agent related systemd service
on Fedora.
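For reference (added here, not part of the bug report or of OpenSSH's own code): a minimal Python client for the ssh-agent protocol showing what ssh-add -L and ssh-add -T exchange with the agent over $SSH_AUTH_SOCK, and that the "agent refused operation" wording is how ssh-add reports an SSH_AGENT_FAILURE reply. Message numbers and string encoding follow the ssh-agent protocol draft; the sample key blobs used in the accompanying checks are constructed, not real keys.

```python
import os, socket, struct
# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE, SSH_AGENTC_REQUEST_IDENTITIES = 5, 11
SSH_AGENT_IDENTITIES_ANSWER, SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 12, 13, 14

def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(payload: bytes):
    """Decode SSH_AGENT_IDENTITIES_ANSWER (what ssh-add -L receives) into (key type, FIDO application, comment)."""
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected message type {payload[0]}")
    (nkeys,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = get_string(payload, off)
        comment, off = get_string(payload, off)
        ktype, koff = get_string(blob, 0)
        app = b""  # non-sk keys carry no FIDO application string
        if ktype.startswith(b"sk-"):
            # sk-ed25519 blob: type, pk, application; sk-ecdsa: type, curve, Q, application
            for _ in range(2 if b"ecdsa" in ktype else 1):
                _, koff = get_string(blob, koff)
            app, _ = get_string(blob, koff)
        keys.append((ktype.decode(), app.decode(), comment.decode()))
    return keys

def build_sign_request(blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Frame an SSH_AGENTC_SIGN_REQUEST, the message behind ssh-add -T."""
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(data)
    return put_string(body + struct.pack(">I", flags))  # outer length prefix is the framing

def describe_sign_response(payload: bytes) -> str:
    """Map the agent's reply to the wording ssh-add prints for it."""
    names = {SSH_AGENT_SIGN_RESPONSE: "signature ok", SSH_AGENT_FAILURE: "agent refused operation"}
    return names.get(payload[0], f"unexpected message type {payload[0]}")

def agent_roundtrip(request: bytes) -> bytes:
    """Send one framed request to $SSH_AUTH_SOCK and return the reply payload."""
    with socket.socket(socket.AF_UNIX) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(request)
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return s.recv(n, socket.MSG_WAITALL)
```

Running `parse_identities(agent_roundtrip(put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))))` in a fresh terminal and again inside the shell started by `env SSH_ASKPASS=... ssh-agent $SHELL -l` shows which agent each shell is actually talking to.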
