[Bug 3572] New: ssh-agent refused operation when using FIDO2 with -O verify-required
bugzilla-daemon at mindrot.org
Mon May 15 00:14:59 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3572
Bug ID: 3572
Summary: ssh-agent refused operation when using FIDO2 with -O verify-required
Product: Portable OpenSSH
Version: 9.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: bluebird090909 at proton.me
When using FIDO2 keys in combination with the option verify-required,
using ssh-agent will fail with the error message:
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
When the ssh-agent is not used or the key has not yet been cached, the
login operation works as expected, asking the passphrase for the local
identity key, followed by the FIDO2 device PIN, followed by a request
to touch the device.
Running ssh-add -l will list the key as expected as well.
After closing the ssh connection and connecting again (with ssh-agent
running) the operation will fail with the following:
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:nHEA..................... explicit authenticator agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:nHEA..................... explicit authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: No more authentication methods to try.
root@testhost: Permission denied (publickey)
To reproduce:
1. ssh-keygen -t ed25519-sk -O application=ssh:mytestkey -O verify-required
2. copy public key to authorized_keys
3. login: ssh -i ~/.ssh/id_ed25519_sk root@testhost (config has AddKeysToAgent yes)
4. exit ssh shell
5. login again
When using FIDO2 keys generated without -O verify-required, ssh-agent
works as expected, asking only for touch verification when the local
passphrase has been cached.
Expected behavior:
ssh-agent should ask for the FIDO2 device PIN to be entered when the
local identity key is already cached.
Tested with Nitrokey 3, running firmware 1.4.0 and libfido2 1.13.0
OS: Arch Linux, OpenSSH_9.3p1, OpenSSL 3.0.8 7 Feb 2023
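The failure in this report is only visible in the verbose client output, and it is easy to confuse with an ordinary "wrong key" rejection: the server does accept the key, and it is the agent that declines to sign. The following POSIX shell snippet is an added example, not code from the reporter or from OpenSSH. It classifies a captured `ssh -v` transcript so that a help desk or an automated check can tell "agent refused to sign a security-key (*-SK) identity" apart from other publickey failures. The sample transcript is constructed from the lines in the report; the fingerprint is a placeholder, and the function names `diagnose_agent_refusal` and `refused_key_path` are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `ssh -v` output, modelled on the report above.
# SHA256:PLACEHOLDER stands in for the real fingerprint.
SAMPLE_LOG='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:PLACEHOLDER explicit authenticator agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:PLACEHOLDER explicit authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: No more authentication methods to try.
root@testhost: Permission denied (publickey).'

# Classify a verbose ssh transcript passed as $1 and print one word:
#   sk-agent-refused  the server accepted an *-SK key held by the agent,
#                     but the agent refused to sign (the symptom in this report)
#   agent-refused     the agent refused to sign for a non-security-key identity
#   ok                no agent refusal in the transcript
diagnose_agent_refusal() {
    log=$1
    if ! printf '%s\n' "$log" | grep -q 'from agent: agent refused operation'; then
        echo ok
        return 0
    fi
    # *-SK key types (ED25519-SK, ECDSA-SK) name the hardware-backed identities.
    if printf '%s\n' "$log" | grep -q 'signing failed for [A-Z0-9-]*-SK '; then
        echo sk-agent-refused
    else
        echo agent-refused
    fi
    return 0
}

# Extract the private-key path the agent refused to sign with, from the
# quoted path in the sign_and_send_pubkey line of transcript $1.
refused_key_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*signing failed for [^ ]* "\([^"]*\)" from agent.*/\1/p' |
        head -n 1
}

# Stand-alone run: classify the constructed sample and name the key involved.
case "$(diagnose_agent_refusal "$SAMPLE_LOG")" in
    sk-agent-refused)
        echo "agent refused to sign with security key $(refused_key_path "$SAMPLE_LOG")"
        echo "server accepted the key; check whether the identity was created with -O verify-required"
        ;;
    agent-refused)
        echo "agent refused to sign with $(refused_key_path "$SAMPLE_LOG")"
        ;;
    ok)
        echo "no agent refusal found"
        ;;
esac
```

To use it on a real session, capture the client output with `ssh -v host 2>&1 | tee session.log` and pass `"$(cat session.log)"` to the functions. The classification deliberately keys on the literal `agent refused operation` text and the `-SK` key-type suffix that OpenSSH prints, since those are the only two facts the transcript in the report exposes; it does not try to infer the verify-required flag, which is not visible in `ssh -v` or `ssh-add -l` output.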