Call for testing: OpenSSH 8.2

Phil Pennock phil.pennock at
Thu Feb 6 17:03:44 AEDT 2020

On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> Generating a FIDO key requires the token be attached, and will usually
> require the user tap the token to confirm the operation:

Pretending first that I didn't have Damien's original post to the list,
to debug this as a non-subscriber would ...

ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER,
and when people search for that variable in the public docs there's
nothing much.

SecurityKeyProvider has better text and a pointer to the entry in
ssh_config(5) might help.

I found one line in (nit: "dependenciesi" has an extra "i"
there) and doesn't mention --with-security-key-builtin (or is this not
needed now?)

Nothing outside of Damien's post seems to mention; the
libfido2 git log shows that the middleware moved into OpenSSH instead.
I'm guessing this is where --with-security-key-builtin comes from.
With libfido2 having removed the anchor, should the build even be
succeeding to create SK stuff without the --with-security-key-builtin
flag passed to configure?

Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't
propagate paths into DT_RUNPATH, but I guess folks using non-standard
install locations for custom stuff get what they deserve.  :)  Adjusting
to pass -Wl,-R through, it works.

When an ECDSA-SK handle has been loaded into ssh-agent, and you connect
to a host, there is no prompt to touch the token beyond a light on the
token starting to blink.

No ssh-agent:
  % ssh -p 24 fullerene
  Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
  Confirm user presence for key ECDSA-SK SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw

  % ssh-add ~/.ssh/id_ecdsa_sk
  Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk: 
  Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp at fullerene)
  % ssh -p 24 fullerene
  [hangs, no output]

Can that "Confirm user presence" nudge be made to happen with the agent
in play too?  It's nice.

Thanks for the wonderful work on supporting FIDO and everything else in
OpenSSH.  I hope this snapshot testing helps.


More information about the openssh-unix-dev mailing list