U2F support in OpenSSH HEAD

Damien Miller djm at mindrot.org
Fri Nov 15 15:15:00 AEDT 2019

On Thu, 13 Nov 2019, Michael Forney wrote:

> On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> > Thanks for testing this!
> >
> > Does this patch help? If you're able to test multiple U2F-only keys in
> > a host then that would be ideal - you'll be able to see whether ssh is
> > trying each device if you run it in verbose mode (i.e. ssh -vvv ...)
> Yep, this patch works too:
> 	debug1: skdebug: found 1 device(s)
> 	debug1: skdebug: trying device 0: /dev/hidraw0
> 	debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED
> 	debug1: skdebug: found key
> 	debug1: Authentication succeeded (publickey).
> 	Authenticated to localhost ([::1]:22).
> and without the key plugged in:
> 	debug1: skdebug: found 0 device(s)
> 	debug1: skdebug: couldn't find device for key handle
> 	debug1: sshsk_sign: sk_sign failed with code -1
> 	debug1: identity_sign: sshkey_sign: unexpected internal error
> 	sign_and_send_pubkey: signing failed: unexpected internal error
> Unfortunately I only have the one key to test with.
> > Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
> > returned only when a token actually claims a key handle, and not all the
> > time...
> Yeah, this crossed my mind after I sent the diff. Your patch looks good :)

Thanks to my compulsive hoarding of technology that I should have disposed
of, I found an old U2F security key and managed to test it. U2F tokens
(well, mine anyway) return FIDO_ERR_NO_CREDENTIALS as expected.

I'll commit the patch.


More information about the openssh-unix-dev mailing list