U2F support in OpenSSH HEAD

Michael Forney mforney at mforney.org
Fri Nov 15 13:47:36 AEDT 2019

On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> Thanks for testing this!
> Does this patch help? If you're able to test multiple U2F-only keys in
> a host then that would be ideal - you'll be able to see whether ssh is
> trying each device if you run it in verbose mode (i.e. ssh -vvv ...)

Yep, this patch works too:

	debug1: skdebug: found 1 device(s)
	debug1: skdebug: trying device 0: /dev/hidraw0
	debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED
	debug1: skdebug: found key
	debug1: Authentication succeeded (publickey).
	Authenticated to localhost ([::1]:22).

and without the key plugged in:

	debug1: skdebug: found 0 device(s)
	debug1: skdebug: couldn't find device for key handle
	debug1: sshsk_sign: sk_sign failed with code -1
	debug1: identity_sign: sshkey_sign: unexpected internal error
	sign_and_send_pubkey: signing failed: unexpected internal error

Unfortunately I only have the one key to test with.

> Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
> returned only when a token actually claims a key handle, and not all the
> time...

Yeah, this crossed my mind after I sent the diff. Your patch looks good :)

More information about the openssh-unix-dev mailing list