U2F support in OpenSSH HEAD
Damien Miller
djm at mindrot.org
Fri Nov 15 15:15:00 AEDT 2019
On Thu, 13 Nov 2019, Michael Forney wrote:
> On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> > Thanks for testing this!
> >
> > Does this patch help? If you're able to test multiple U2F-only keys in
> > a host then that would be ideal - you'll be able to see whether ssh is
> > trying each device if you run it in verbose mode (i.e. ssh -vvv ...)
>
> Yep, this patch works too:
>
> debug1: skdebug: found 1 device(s)
> debug1: skdebug: trying device 0: /dev/hidraw0
> debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED
> debug1: skdebug: found key
> debug1: Authentication succeeded (publickey).
> Authenticated to localhost ([::1]:22).
>
> and without the key plugged in:
>
> debug1: skdebug: found 0 device(s)
> debug1: skdebug: couldn't find device for key handle
> debug1: sshsk_sign: sk_sign failed with code -1
> debug1: identity_sign: sshkey_sign: unexpected internal error
> sign_and_send_pubkey: signing failed: unexpected internal error
>
> Unfortunately I only have the one key to test with.
>
> > Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
> > returned only when a token actually claims a key handle, and not all the
> > time...
>
> Yeah, this crossed my mind after I sent the diff. Your patch looks good :)
Thanks to my compulsive hoarding of technology that I should have disposed
of, I found an old U2F security key and managed to test it. U2F tokens
(well, mine anyway) return FIDO_ERR_NO_CREDENTIALS as expected.
I'll commit the patch.
-d
More information about the openssh-unix-dev
mailing list