[Bug 3911] New: sk_select_by_cred doesn't detect internal_uv device when multiple devices are connected
bugzilla-daemon at mindrot.org
Thu Jan 15 17:11:30 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3911
Bug ID: 3911
Summary: sk_select_by_cred doesn't detect internal_uv device when multiple devices are connected
Product: Portable OpenSSH
Version: 10.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: trivial
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: jonathan.underwood4649 at gmail.com
How to reproduce:
1. Generate a resident key on a FIDO-only Yubikey BIO (with fingerprint sensor).
2. Try to authenticate with a server using the identity file explicitly (I have it set up in .ssh/config to use identities only for this host).
3. When the BIO is the only Yubikey plugged in, the auth proceeds as expected.
4. When a second Yubikey (or other device, really) is plugged in, suddenly SSH fails instantly with the following error logs:
Confirm user presence for key ED25519-SK SHA256:xxxxxxxxx
debug3: start_helper: started pid=107727
debug3: ssh_msg_send: type 5 len 457
debug3: ssh_msg_send: done
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 278, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x21
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by cred
debug1: sk_try: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS
debug1: sk_try: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS
debug1: ssh_sk_sign: failed to find sk
debug1: sshsk_sign: sk_sign failed with code -4
debug1: ssh-sk-helper: Signing failed: device not found
I have narrowed it down to this area (L486-501 in sk-usbhid.c) where check_sk_options is called in the case of 1 device and sk_try is called in a loop if there are multiple devices.
The BIO passes the internal_uv check after the check_sk_options call when the count of devices is 1.
sk_try, on the other hand, is very strict and will fail if r != FIDO_OK, and it seems like the r value is being set weirdly in the case of "internal_uv" and needs a special case similar to the special case at the end for FIDO_ERR_USER_PRESENCE_REQUIRED.
I can help provide extra information upon request.
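A triage helper for the log pattern in this report, added here as an example (it is not part of the report or of OpenSSH): it reads ssh / ssh-sk-helper debug output and flags the case where several devices were probed by credential, each one returned an error from fido_dev_get_assert, and no key was selected. The function name triage and the result keys are hypothetical; the matched strings are the log lines quoted in the report.

```python
import re
from collections import Counter

# Helper output copied from the report above (trimmed to the relevant lines).
SAMPLE_LOG = """\
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x21
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by cred
debug1: sk_try: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS
debug1: sk_try: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS
debug1: ssh_sk_sign: failed to find sk
debug1: sshsk_sign: sk_sign failed with code -4
"""

DEVICES = re.compile(r"sk_probe: (\d+) device\(s\) detected")
TRY_ERR = re.compile(r"sk_try: fido_dev_get_assert: (FIDO_ERR_\w+)")


def triage(log: str) -> dict:
    """Summarise one signing attempt from ssh/ssh-sk-helper debug output."""
    devices = None        # count reported by sk_probe
    by_cred = False       # multi-device path: selection by credential
    not_found = False     # ssh_sk_sign gave up without selecting a device
    errors = Counter()    # libfido2 error name -> number of sk_try failures
    for line in log.splitlines():
        if m := DEVICES.search(line):
            devices = int(m.group(1))
        elif "sk_probe: selecting sk by cred" in line:
            by_cred = True
        elif m := TRY_ERR.search(line):
            errors[m.group(1)] += 1
        elif "ssh_sk_sign: failed to find sk" in line:
            not_found = True
    # Pattern from the report: more than one device, selection by credential,
    # every probed device rejected by sk_try, and no device selected.
    rejected = sum(errors.values())
    matches = bool(by_cred and not_found and devices and devices > 1
                   and rejected == devices)
    return {"devices": devices, "by_cred": by_cred, "errors": dict(errors),
            "not_found": not_found, "matches_report": matches}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A match only says the log has the same shape as this report; a key that is genuinely absent from every connected device produces the same lines.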