[Bug 3938] FIDO2 verify-required keys fail to sign on non-biometric tokens ("option uv is unknown")

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Mar 28 21:39:19 AEDT 2026 

https://bugzilla.mindrot.org/show_bug.cgi?id=3938

--- Comment #4 from hello at niklaas.eu ---
The following is the output of `ssh-agent -d` when trying to use a key
that requires user verification. This is what `$SSH_ASKPASS` is set to:

❯ echo $SSH_ASKPASS
/opt/homebrew/bin/pinentry-mac

❯ ssh-agent -d
debug2: fd 4 setting O_NONBLOCK
debug1: socket_is_stale: socket
/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.bpikabT9Zu seems still
active
debug2: fd 4 setting O_NONBLOCK
debug1: socket_is_stale: socket
/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.nOIH2YRFFw seems still
active
debug1: unix_listener_tmp: trying path
"/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.HQ5nwWUYZQ"
debug3: unix_listener_tmp: listening on unix socket
"/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.HQ5nwWUYZQ" as fd=3
SSH_AUTH_SOCK=/Users/niklaas/.ssh/agent/s.yVREo4zlSI.agent.HQ5nwWUYZQ;
export SSH_AUTH_SOCK;
echo Agent pid 990;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug2: process_request_identities: replying with 0 allowed of 0
available keys
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
debug1: parse_key_constraint_extension: constraint ext
sk-provider at openssh.com
debug1: process_add_identity: internal provider
debug1: process_add_identity: add sk-ssh-ed25519 at openssh.com
SHA256:wO7vOiyoLeA96g74hgn2JNvljHjM3k9eBR+zD9YzvVM "Otus" (life: 0)
(confirm: 0) (provider: internal) (destination constraints: 0)
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 27
debug2: process_extension: entering
debug2: process_ext_session_bind: entering
debug1: process_ext_session_bind: recorded ED25519
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (slot 0 of 16)
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_request_identities: key 0 / 1:
sk-ssh-ed25519 at openssh.com
SHA256:wO7vOiyoLeA96g74hgn2JNvljHjM3k9eBR+zD9YzvVM
debug3: identity_permitted: entering: key ED25519-SK comment "Otus", 1
socket bindings, 0 constraints
debug2: process_request_identities: replying with 1 allowed of 1
available keys
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK
SHA256:wO7vOiyoLeA96g74hgn2JNvljHjM3k9eBR+zD9YzvVM
debug3: start_helper: started pid=3193
debug3: ssh_msg_send: type 5 len 469
debug3: ssh_msg_send: done
debug3: ssh_msg_recv entering
debug1: start_helper: starting
/opt/homebrew/Cellar/openssh/10.2p1/libexec/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider
internal: msg len 297, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to
decrypt private key
debug1: main: reply len 8
debug3: ssh_msg_send: type 5 len 8
debug3: ssh_msg_send: done
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=3193
debug1: process_sign_request2: sshkey_sign: incorrect passphrase
supplied to decrypt private key
debug3: start_helper: started pid=3195
debug3: ssh_msg_send: type 5 len 469
debug3: ssh_msg_send: done
debug3: ssh_msg_recv entering
debug1: start_helper: starting
/opt/homebrew/Cellar/openssh/10.2p1/libexec/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider
internal: msg len 297, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to
decrypt private key
debug1: main: reply len 8
debug3: ssh_msg_send: type 5 len 8
debug3: ssh_msg_send: done
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=3195
debug1: process_sign_request2: sshkey_sign: incorrect passphrase
supplied to decrypt private key
process_sign_request2: sshkey_sign: incorrect passphrase supplied to
decrypt private key


P.S.: I tried to attach (instead of inline) the output but got a 500
internal server error.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list