U2F support in OpenSSH HEAD
Michael Forney
mforney at mforney.org
Fri Nov 15 13:47:36 AEDT 2019
On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> Thanks for testing this!
>
> Does this patch help? If you're able to test multiple U2F-only keys in
> a host then that would be ideal - you'll be able to see whether ssh is
> trying each device if you run it in verbose mode (i.e. ssh -vvv ...)
Yep, this patch works too:
debug1: skdebug: found 1 device(s)
debug1: skdebug: trying device 0: /dev/hidraw0
debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED
debug1: skdebug: found key
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
and without the key plugged in:
debug1: skdebug: found 0 device(s)
debug1: skdebug: couldn't find device for key handle
debug1: sshsk_sign: sk_sign failed with code -1
debug1: identity_sign: sshkey_sign: unexpected internal error
sign_and_send_pubkey: signing failed: unexpected internal error
Unfortunately I only have the one key to test with.
> Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
> returned only when a token actually claims a key handle, and not all the
> time...
Yeah, this crossed my mind after I sent the diff. Your patch looks good :)
More information about the openssh-unix-dev
mailing list