Resident keys?

Ron Frederick ronf at timeheart.net
Tue Feb 18 19:06:40 AEDT 2020


On Feb 17, 2020, at 9:45 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I’m trying out the “resident key” functionality in OpenSSH 8.2, and
>> I’m having trouble getting it to find keys that I’ve created.
>> 
>> I’m trying to create a new resident key using:
>> 
>>    ssh-keygen -O resident -t ed25519-sk -f <filename>
>> 
>> This creates a key, but I’m not actually sure it is creating a
>> “resident” key, as when I try to dump out the resident keys with
>> either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find
>> anything, reporting back “No keys to download” in ssh-keygen and
>> silently failing in ssh-add (without loading any keys).
>> 
>> I also noticed that I can enter pretty much anything at the PIN prompt
>> it gives me, and it doesn’t return an error or decrement the number of
>> available PIN retries when I view the key’s status.
>> 
>> I’m doing these tests against OpenSSH portable HEAD on a Mac with a
>> Yubikey 5 NFC (connected via USB).
>> 
>> Any thoughts on what I might be doing wrong?
> 
> You can try running "ssh-keygen -Kvvv" to see more detail on what is
> going wrong, but I suspect the problem is that your key's firmware
> has incomplete resident key support. Some of my older Yubikey 5 tokens
> allowed me to create resident keys but not retrieve them.


Here’s what I get back:

debug3: start_helper: started pid=96317
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=96317
No keys to download

I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to make a difference. I still got the same error after successfully changing the PIN.

This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in “yubico-piv-tool -a status”.
-- 
Ron Frederick
ronf at timeheart.net
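An added example, not code from the thread or from the OpenSSH project: a POSIX shell pre-flight for resident keys built on libfido2's fido2-token(1), the same library OpenSSH's ssh-sk-helper uses. The FIDO_ERR_PIN_NOT_SET in the debug output above is libfido2 reporting that the token's FIDO2 application has no client PIN; ssh-keygen -K and ssh-add -K need that PIN to enumerate resident credentials. That PIN is set with fido2-token -S and is separate from the PIV PIN that yubico-piv-tool manages. The script parses the "options:" line of fido2-token -I to check for rk (resident key support) and clientPin before running the same ssh-keygen command as in the thread. The device path, key file name and the sample fido2-token -I output are constructed assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight for OpenSSH resident (-O resident) keys on a FIDO2 token.
# Added example; not code from the OpenSSH project or from the thread.
# Live workflow needs libfido2's fido2-token(1) and ssh-keygen >= 8.2;
# the parsing functions run offline.

# fido_option_enabled NAME  (stdin: output of `fido2-token -I <device>`)
# fido2-token prints the authenticator's option map on one line, e.g.
#   options: rk, up, noplat, noclientPin
# where a "no" prefix means the option is false. Returns 0 if NAME is
# present without the "no" prefix, 1 otherwise.
fido_option_enabled() {
    opt=$1
    opts=$(sed -n 's/^options:[[:space:]]*//p')
    for o in $(printf '%s\n' "$opts" | tr ',' ' '); do
        [ "$o" = "$opt" ] && return 0
    done
    return 1
}

# resident_key_precheck  (stdin: `fido2-token -I` output)
# Exit codes: 0 ready, 2 token cannot store resident keys, 3 no FIDO2 PIN.
# Without a FIDO2 client PIN, enumerating resident credentials fails with
# FIDO_ERR_PIN_NOT_SET, which ssh-keygen -K reports as "No keys to download".
resident_key_precheck() {
    info=$(cat)
    if ! printf '%s\n' "$info" | fido_option_enabled rk; then
        echo "token does not advertise resident keys (rk=false)"
        return 2
    fi
    if ! printf '%s\n' "$info" | fido_option_enabled clientPin; then
        echo "no FIDO2 PIN set (PIV PIN does not count); run: fido2-token -S <device>"
        return 3
    fi
    echo "token ready for resident keys"
    return 0
}

# resident_key_workflow DEVICE [KEYFILE]
# DEVICE is a path printed by `fido2-token -L` (assumed, e.g. /dev/hidraw0).
resident_key_workflow() {
    dev=$1
    keyfile=${2:-$HOME/.ssh/id_ed25519_sk}   # assumed file name
    fido2-token -I "$dev" | resident_key_precheck || return $?
    # Same creation command as in the thread.
    ssh-keygen -O resident -t ed25519-sk -f "$keyfile"
    # Enumerate the credential two ways: via OpenSSH and directly via
    # libfido2. Both prompt for the FIDO2 PIN.
    ssh-keygen -K
    fido2-token -L -r "$dev"
}

# Constructed samples in the shape of `fido2-token -I` output (not real
# device dumps), used by the offline check below.
SAMPLE_NO_PIN='version strings: U2F_V2, FIDO_2_0
options: rk, up, noplat, noclientPin
maxmsgsiz: 1200
pin protocols: 1'
SAMPLE_PIN_SET='version strings: U2F_V2, FIDO_2_0
options: rk, up, noplat, clientPin
maxmsgsiz: 1200
pin protocols: 1'

if [ $# -gt 0 ]; then
    resident_key_workflow "$@"
else
    # Offline demonstration against the constructed samples.
    printf '%s\n' "$SAMPLE_NO_PIN" | resident_key_precheck || true
    printf '%s\n' "$SAMPLE_PIN_SET" | resident_key_precheck
fi
```

Run it with no arguments to see the two sample diagnoses, or pass a device path from fido2-token -L to run the live sequence. The precheck exits 3 on exactly the condition the debug log above shows, so the fix (set the FIDO2 PIN, then re-run ssh-keygen -K) is known before any key is created.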