Call for testing: OpenSSH 8.2

Damien Miller djm at
Fri Feb 7 15:21:04 AEDT 2020

On Thu, 6 Feb 2020, Phil Pennock wrote:

> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > Generating a FIDO key requires the token be attached, and will usually
> > require the user tap the token to confirm the operation:
> Pretending first that I didn't have Damien's original post to the list,
> to debug this as a non-subscriber would ...
> ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER,
> and when people search for that variable in the public docs there's
> nothing much.

I'll mention $SSH_SK_PROVIDER in the release notes for ssh-keygen(1).
Naturally ssh-keygen doesn't use SecurityKeyProvider as it doesn't 
read any config files.

> SecurityKeyProvider has better text and a pointer to the entry in
> ssh_config(5) might help.

I've synced the manual page text for $SSH_SK_PROVIDER in ssh-keygen.1
and ssh-add.1 to match SecurityKeyProvider in ssh_config.5, thanks.

> I found one line in (nit: "dependenciesi" has an extra "i"
> there) and doesn't mention --with-security-key-builtin (or is this not
> needed now?)

Fixed - thanks.

> Nothing outside of Damien's post seems to mention; the
> libfido2 git log shows that the middleware moved into OpenSSH instead.
> I'm guessing this is where --with-security-key-builtin comes from.
> With libfido2 having removed the anchor, should the build even be
> succeeding to create SK stuff without the --with-security-key-builtin
> flag passed to configure?

Yes, the motivation is that users might want to supply their own FIDO
middleware instead of the built-in one.

> Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't
> propagate paths into DT_RUNPATH, but I guess folks using non-standard
> install locations for custom stuff get what they deserve.  :)  Adjusting
> to pass -Wl,-R through, it works.

AFAIK that might be a bug in the generated libfido2.pc.

> When an ECDSA-SK handle has been loaded into ssh-agent, and you connect
> to a host, there is no prompt to touch the token beyond a light on the
> token starting to blink.
> No ssh-agent:
>   % ssh -p 24 fullerene
>   Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
>   Confirm user presence for key ECDSA-SK SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw
> Agent:
>   % ssh-add ~/.ssh/id_ecdsa_sk
>   Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk: 
>   Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp at fullerene)
> Later:
>   % ssh -p 24 fullerene
>   [hangs, no output]
> Can that "Confirm user presence" nudge be made to happen with the agent
> in play too?  It's nice.

So, that should work if the agent has $DISPLAY set and access to
SSH_ASKPASS - it should pop up a confirmation box that will go away
as soon as you touch the key.
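
As an added example, not code from this thread or from OpenSSH, the following POSIX sh preflight script turns the last two points into checks a user can run before hitting the silent hang: ssh-keygen takes its FIDO middleware from -w or $SSH_SK_PROVIDER (it reads no ssh_config, so SecurityKeyProvider cannot apply to it), and ssh-agent can only show the "Confirm user presence" box when DISPLAY and a usable askpass program are present in the agent's own environment. The function names are mine; the OpenSSH names used are ssh-keygen -w, $SSH_SK_PROVIDER, DISPLAY, SSH_ASKPASS and the "internal" keyword for the built-in middleware. Approximating the compiled-in askpass fallback by looking for ssh-askpass on PATH is an assumption made here for illustration; the real default is a build-time path.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). Preflight checks for
# using FIDO (*-sk) keys with OpenSSH 8.2:
#   1. ssh-keygen takes the middleware from -w or $SSH_SK_PROVIDER; it reads
#      no ssh_config. With neither given, the built-in support ("internal")
#      is used. ssh/ssh-add honour SecurityKeyProvider in ssh_config instead.
#   2. ssh-agent can only pop up "Confirm user presence" if DISPLAY and an
#      askpass program are available in the *agent's* environment, not the
#      ssh client's. Without them the client just hangs until the token is
#      touched (or the operation times out).
# Function names are ours; variable and option names are OpenSSH's.

# Resolve which middleware ssh-keygen will load.
#   $1 = value passed to -w (may be empty), $2 = $SSH_SK_PROVIDER (may be empty)
# Prints the path, or "internal" for the built-in support. Touches no files.
sk_resolve_provider() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    else printf 'internal\n'
    fi
}

# Check that a resolved provider can actually be loaded. "internal" is accepted
# unconditionally (assumes the build kept --with-security-key-builtin); any
# other value must name a readable regular file.
sk_provider_usable() {
    [ "$1" = internal ] && return 0
    [ -f "$1" ] && [ -r "$1" ] && return 0
    echo "SK provider '$1' is not a readable file" >&2
    return 1
}

# Decide whether an ssh-agent started with this environment can prompt.
#   $1 = DISPLAY, $2 = SSH_ASKPASS, $3 = PATH to search for ssh-askpass
# Returns 0 if a prompt can appear; otherwise prints why and returns 1.
sk_agent_can_prompt() {
    _display=$1 _askpass=$2 _path=$3
    if [ -z "$_display" ]; then
        echo "DISPLAY is empty: the agent will wait for a touch with no prompt" >&2
        return 1
    fi
    if [ -n "$_askpass" ]; then
        # Explicit override: it must be an executable program.
        [ -x "$_askpass" ] && return 0
        echo "SSH_ASKPASS=$_askpass is not executable" >&2
        return 1
    fi
    # No override: OpenSSH falls back to its compiled-in askpass path. We
    # approximate that (assumption) by looking for ssh-askpass on the given PATH.
    if PATH=$_path command -v ssh-askpass >/dev/null 2>&1; then
        return 0
    fi
    echo "no SSH_ASKPASS and no ssh-askpass on PATH" >&2
    return 1
}

# Demo: `sh sk_preflight.sh demo` reports on the caller's environment and, if
# the agent could not prompt, prints an agent start line that carries
# DISPLAY/SSH_ASKPASS into the agent process.
case "${1:-}" in
demo)
    provider=$(sk_resolve_provider "" "${SSH_SK_PROVIDER:-}")
    sk_provider_usable "$provider" && echo "ssh-keygen will use: $provider"
    if sk_agent_can_prompt "${DISPLAY:-}" "${SSH_ASKPASS:-}" "$PATH"; then
        echo "agent prompt: OK"
    else
        echo "agent prompt: NOT available; start the agent as, e.g.:"
        echo "  env DISPLAY=:0 SSH_ASKPASS=/path/to/ssh-askpass ssh-agent -s"
    fi
    ;;
esac
```

The environment that matters is the one ssh-agent was started with: exporting DISPLAY in the shell that later runs `ssh` does nothing for an agent that was launched earlier without it, which is exactly the "hangs, no output" symptom quoted above.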


