[Bug 3938] FIDO2 verify-required keys fail to sign on non-biometric tokens ("option uv is unknown")
bugzilla-daemon at mindrot.org
Sat Mar 28 01:19:00 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3938
--- Comment #2 from hello at niklaas.eu ---
Hey Damien, thanks for taking a look.
> > SSH signing with ED25519-SK keys created with `-O verify-required`
> > fails on non-biometric FIDO2 tokens (e.g. YubiKey 5 series).
>
> I just tested this with a Yubikey 5 (non-biometric) and a Feitian
> key running OpenSK and was able to create a verify-required key and
> use it with PIN.
>
> $ ssh-keygen -t ecdsa-sk -O verify-required -N '' -f /tmp/k
> $ env SSH_AUTH_SOCK= ./ssh -Snone -i /tmp/k testvm
Ha, I can indeed confirm that it also works for me without an
SSH_AUTH_SOCK. I'm asked for the PIN:
❯ env SSH_AUTH_SOCK= ssh -v -i ~/.ssh/strix_sk git@github.com
debug1: OpenSSH_10.2p1, OpenSSL 3.6.1 27 Jan 2026
debug1: Reading configuration data /Users/niklaas/.ssh/config
debug1: Reading configuration data /Users/niklaas/.orbstack/ssh/config
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: loaded pubkey from /Users/niklaas/.ssh/strix_sk: ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0
debug1: identity file /Users/niklaas/.ssh/strix_sk type 8
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/strix_sk
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version 9ee1b2f
debug1: compat_banner: no match: 9ee1b2f
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /Users/niklaas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /Users/niklaas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/niklaas/.ssh/known_hosts:1
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /Users/niklaas/.ssh/strix_sk ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 explicit authenticator
debug1: Offering public key: /Users/niklaas/.ssh/strix_sk ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 explicit authenticator
debug1: Server accepts key: /Users/niklaas/.ssh/strix_sk ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 explicit authenticator
Confirm user presence for key ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0
debug1: start_helper: starting /opt/homebrew/Cellar/openssh/10.2p1/libexec/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 297, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to decrypt private key
debug1: main: reply len 8
debug1: client_converse: helper returned error -43
debug1: identity_sign: sshkey_sign: incorrect passphrase supplied to decrypt private key
Enter PIN for ED25519-SK key /Users/niklaas/.ssh/strix_sk:
Confirm user presence for key ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0
debug1: start_helper: starting /opt/homebrew/Cellar/openssh/10.2p1/libexec/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 297, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25 with-pin
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: main: reply len 111
User presence confirmed
Authenticated to github.com ([140.82.121.4]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/niklaas/.ssh/known_hosts for github.com / (none)
debug1: client_input_hostkeys: searching /Users/niklaas/.ssh/known_hosts2 for github.com / (none)
debug1: client_input_hostkeys: hostkeys file /Users/niklaas/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: pledge: fork
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi niklaas! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Connection to github.com closed.
Transferred: sent 3828, received 3796 bytes, in 0.2 seconds
Bytes per second: sent 18531.9, received 18377.0
debug1: Exit status 1
> Please attach a full debug log from ssh, maybe that will help figure
> out what is actually happening here.
Yes, sure. The following is what I get if the same key is added to the
agent and the agent is used:
❯ echo $SSH_AUTH_SOCK
/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.nOIH2YRFFw
❯ ssh-add ~/.ssh/strix_sk
Identity added: /Users/niklaas/.ssh/strix_sk (Strix)
❯ ssh-add -l
256 SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 Strix (ED25519-SK)
❯ ssh -v git@github.com
debug1: OpenSSH_10.2p1, OpenSSL 3.6.1 27 Jan 2026
debug1: Reading configuration data /Users/niklaas/.ssh/config
debug1: Reading configuration data /Users/niklaas/.orbstack/ssh/config
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: no pubkey loaded from /Users/niklaas/.ssh/id_rsa
debug1: identity file /Users/niklaas/.ssh/id_rsa type -1
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/id_rsa
debug1: no pubkey loaded from /Users/niklaas/.ssh/id_ecdsa
debug1: identity file /Users/niklaas/.ssh/id_ecdsa type -1
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/id_ecdsa
debug1: no pubkey loaded from /Users/niklaas/.ssh/id_ecdsa_sk
debug1: identity file /Users/niklaas/.ssh/id_ecdsa_sk type -1
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/id_ecdsa_sk
debug1: loaded pubkey from /Users/niklaas/.ssh/id_ed25519: ED25519 SHA256:Gopl8qFXTLU7uzVzKK65wsApIUpR/dScXaLsR40t5RY
debug1: identity file /Users/niklaas/.ssh/id_ed25519 type 2
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/id_ed25519
debug1: no pubkey loaded from /Users/niklaas/.ssh/id_ed25519_sk
debug1: identity file /Users/niklaas/.ssh/id_ed25519_sk type -1
debug1: no identity pubkey loaded from /Users/niklaas/.ssh/id_ed25519_sk
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version 9ee1b2f
debug1: compat_banner: no match: 9ee1b2f
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /Users/niklaas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /Users/niklaas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/niklaas/.ssh/known_hosts:1
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: Strix ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 authenticator agent
debug1: Will attempt key: /Users/niklaas/.ssh/id_rsa
debug1: Will attempt key: /Users/niklaas/.ssh/id_ecdsa
debug1: Will attempt key: /Users/niklaas/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/niklaas/.ssh/id_ed25519 ED25519 SHA256:Gopl8qFXTLU7uzVzKK65wsApIUpR/dScXaLsR40t5RY
debug1: Will attempt key: /Users/niklaas/.ssh/id_ed25519_sk
debug1: Offering public key: Strix ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 authenticator agent
debug1: Server accepts key: Strix ED25519-SK SHA256:f2KlQwGWNw3Hv6cS5VkyvNkmZYHWkNKxliDdB998nK0 authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "Strix" from agent: agent refused operation
debug1: Trying private key: /Users/niklaas/.ssh/id_rsa
debug1: Trying private key: /Users/niklaas/.ssh/id_ecdsa
debug1: Trying private key: /Users/niklaas/.ssh/id_ecdsa_sk
debug1: Offering public key: /Users/niklaas/.ssh/id_ed25519 ED25519 SHA256:Gopl8qFXTLU7uzVzKK65wsApIUpR/dScXaLsR40t5RY
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/niklaas/.ssh/id_ed25519_sk
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
Does that help?
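The two transcripts in the comment above differ only in who holds the key. Without an agent, ssh-sk-helper's first attempt comes back with code -3, the client reports helper error -43 and prompts for the PIN, and the retry is logged with "flags 0x25 with-pin" and succeeds. With the same key loaded into ssh-agent there is no PIN prompt at all, only "agent refused operation". The script below is an added example, not code from OpenSSH or from the bug report: it pattern-matches those debug1 lines to classify an `ssh -v` log into one of the two outcomes. The regular expressions are tied to the exact wording quoted above and may need adjusting for other versions; the constants are the values I recall from OpenSSH's sk-api.h (SSH_SK_USER_VERIFICATION_REQD = 0x04, SSH_SK_ERR_PIN_REQUIRED = -3) and ssherr.h (SSH_ERR_KEY_WRONG_PASSPHRASE = -43), stated as an assumption rather than taken from the page; the sample logs are constructed, trimmed copies of the posted ones. One caveat when reading an "agent refused operation" line: ssh-agent has no terminal of its own and can only collect a PIN through an askpass program, so whether one is reachable from the agent is a separate thing to check; the script does not try to determine that.

```python
"""Classify `ssh -v` output for a verify-required FIDO2 (-sk) key.

Added example, not OpenSSH or bug-report code. The regexes match the exact
debug1 wording quoted in the bug comment; other versions may differ. The
sample logs at the bottom are constructed from the quoted transcripts.
"""
import re

# Constants as I recall them from OpenSSH's sk-api.h and ssherr.h (assumption,
# not taken from the bug report).
SSH_SK_USER_VERIFICATION_REQD = 0x04  # sk_flags bit set by `-O verify-required`
SSH_SK_ERR_PIN_REQUIRED = -3          # helper result: token wants a PIN first
SSH_ERR_KEY_WRONG_PASSPHRASE = -43    # client-side code that triggers the PIN prompt

RE_SIGN = re.compile(r'sshsk_sign: provider "(?P<prov>[^"]+)", key (?P<key>\S+?), '
                     r'flags (?P<flags>0x[0-9a-fA-F]+)(?P<pin> with-pin)?')
RE_UNKNOWN = re.compile(r'check_sk_options: option (\S+) is unknown')
RE_FAIL = re.compile(r'sk_sign failed with code (-?\d+)')
RE_REPLY = re.compile(r'main: reply len (\d+)')
RE_HELPER = re.compile(r'helper returned error (-?\d+)')
RE_PIN = re.compile(r'^Enter PIN for ')
RE_AGENT = re.compile(r'signing failed for .* from agent: (.+)$')
RE_OK = re.compile(r'^Authenticated to ')


def triage_sk_signing(log: str) -> dict:
    """Return each ssh-sk-helper round-trip, whether a PIN prompt appeared,
    whether the agent refused, how authentication ended, and a verdict."""
    attempts = []
    cur = None
    out = {"attempts": attempts, "unknown_options": [], "helper_error": None,
           "pin_prompted": False, "agent_error": None, "authenticated": False}
    for line in log.splitlines():
        if (m := RE_SIGN.search(line)):
            flags = int(m["flags"], 16)
            cur = {"flags": flags,
                   "uv_required": bool(flags & SSH_SK_USER_VERIFICATION_REQD),
                   "with_pin": m["pin"] is not None,
                   "sk_err": None, "ok": False}
            attempts.append(cur)
        elif (m := RE_UNKNOWN.search(line)):
            out["unknown_options"].append(m.group(1))
        elif (m := RE_FAIL.search(line)) and cur is not None:
            cur["sk_err"] = int(m.group(1))
        elif RE_REPLY.search(line) and cur is not None:
            cur["ok"] = cur["sk_err"] is None  # helper replied with no error
            cur = None                         # this round-trip is finished
        elif (m := RE_HELPER.search(line)):
            out["helper_error"] = int(m.group(1))
        elif RE_PIN.search(line):
            out["pin_prompted"] = True
        elif (m := RE_AGENT.search(line)):
            out["agent_error"] = m.group(1).strip()
        elif RE_OK.search(line):
            out["authenticated"] = True
    out["verdict"] = _verdict(out)
    return out


def _verdict(out: dict) -> str:
    a = out["attempts"]
    if out["agent_error"] is not None:
        return "agent-refused"        # no PIN prompt ever reached the user
    if (out["pin_prompted"] and len(a) >= 2
            and a[0]["sk_err"] == SSH_SK_ERR_PIN_REQUIRED
            and a[-1]["with_pin"] and a[-1]["ok"]):
        return "pin-retry-succeeded"  # the direct-ssh transcript in the comment
    if a and a[-1]["ok"]:
        return "signed-first-try"
    return "failed"


# Constructed sample input: trimmed from the two logs quoted in the bug comment.
DIRECT_LOG = """\
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: 1 device(s) detected
debug1: check_sk_options: option uv is unknown
debug1: sshsk_sign: sk_sign failed with code -3
debug1: main: reply len 8
debug1: client_converse: helper returned error -43
Enter PIN for ED25519-SK key /Users/niklaas/.ssh/strix_sk:
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25 with-pin
debug1: main: reply len 111
User presence confirmed
Authenticated to github.com ([140.82.121.4]:22) using "publickey".
"""

AGENT_LOG = """\
debug1: Server accepts key: Strix ED25519-SK authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "Strix" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
"""

if __name__ == "__main__":
    for name, log in (("direct", DIRECT_LOG), ("agent", AGENT_LOG)):
        r = triage_sk_signing(log)
        print(f"{name}: {r['verdict']} (attempts={len(r['attempts'])}, "
              f"pin_prompted={r['pin_prompted']}, agent_error={r['agent_error']})")
```

Feed it a real transcript with `triage_sk_signing(open("ssh.log").read())`; the interesting fields for a report like this one are `attempts` (one entry per helper call, with `with_pin` and `sk_err`), `pin_prompted` and `agent_error`.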