ssh-keygen and multiple resident keys on a FIDO device

David Härdeman david at hardeman.nu
Sun Aug 8 23:51:07 AEST 2021


Hi,

I'm using a Yubikey 5 NFC key to store two resident keys at the moment, and using "ssh-keygen -K"
to download them to a host is not a very ergonomic experience (I've tried with OpenSSH 8.4p1-5 in
Debian Unstable; I've also read the changelogs of 8.5 and 8.6 but seen no hint that this behavior
has changed in later versions).

~/.ssh$ ykman fido credentials list
Enter your PIN: <PIN>
ssh: <usernameA in hex> openssh
ssh: <usernameB in hex> openssh
~/.ssh$ ls id_ed*
ls: cannot access 'id_ed*': No such file or directory
~/.ssh$ ssh-keygen -K
Enter PIN for authenticator: <PIN>
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Saved ED25519-SK key to id_ed25519_sk_rk
id_ed25519_sk_rk already exists.
<in a separate terminal window, "mv -i id_ed25519_sk_rk id_ed25519_sk_tmp; mv -i
id_ed22519_sk_rk.pub id_ed2259_sk_tmp.pub">
Overwrite (y/n)? y
Saved ED25519-SK key to id_ed25519_sk_rk
~/.ssh$ cat id_ed2259*.pub
sk-ssh-ed25519 at openssh.com <pubkeyA> ssh:
sk-ssh-ed25519 at openssh.com <pubkeyB> ssh:

As far as I can tell, there are two issues here:

a) ssh-keygen -K wants to overwrite the first key with the second key rather than using an
alternative path (or prompting the user to provide an alternative path)

b) unless a custom application string has been set when the keys were created, it is not easy to
distinguish the two keys that are downloaded from the security key and written to the current
directory. It would perhaps be better if the pubkeys included the username (passed with "-O
user=foobar" when the keys were initially created) in the comment field?

and, some minor things:

c) it appears impossible to set different passphrases for different keys

d) the man page for the "-O user" and "-O application" options doesn't make it clear that they take
an option (so the man page should read e.g. "user=name" and "application=name", like it does for "challenge=path" and
"write-attestation=path")

e) The description of the OpenSSH mailing lists indicates that the openssh-unix-dev list is open to non-subscribers. That does not seem to be the case (I got an error message when sending as a non-subscriber). See e.g.:
https://www.openssh.com/list.html
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Cheers,
David
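Added illustration of point (b), not part of David's message: the public key lines that "ssh-keygen -K" writes carry the FIDO application string inside the base64 key blob (string key type, string Ed25519 public key, string application, per OpenSSH's PROTOCOL.u2f), so two resident keys created with the default "ssh:" application differ only in their key bytes and fingerprint, while a key created with "-O application=ssh:work" is labelled by its application. The key bytes below are constructed sample values, not real credentials.

```python
import base64
import hashlib
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"

def _pack_string(b: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n

def build_sk_ed25519_pubkey(pubkey32: bytes, application: str, comment: str) -> str:
    # Builds a line in the format ssh-keygen -K writes to id_ed25519_sk_rk.pub:
    # type, base64(string type, string ed25519 pubkey, string application), comment.
    blob = (_pack_string(SK_ED25519.encode()) + _pack_string(pubkey32)
            + _pack_string(application.encode()))
    return f"{SK_ED25519} {base64.b64encode(blob).decode()} {comment}"

def parse_sk_ed25519_pubkey(line: str) -> dict:
    keytype, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if keytype != SK_ED25519 or wire_type != keytype.encode():
        raise ValueError("not an sk-ssh-ed25519@openssh.com key")
    pubkey, off = _read_string(blob, off)
    application, off = _read_string(blob, off)
    if len(pubkey) != 32 or off != len(blob):
        raise ValueError("malformed key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"application": application.decode(), "fingerprint": "SHA256:" + digest,
            "comment": rest[0] if rest else ""}

def distinguishing_labels(lines):
    # One label per key: the application string if unique, else the fingerprint (the only field left that differs).
    parsed = [parse_sk_ed25519_pubkey(l) for l in lines]
    apps = [p["application"] for p in parsed]
    return [p["application"] if apps.count(p["application"]) == 1 else p["fingerprint"]
            for p in parsed]

# Constructed sample keys (not real credentials): two with the default "ssh:"
# application, as in the transcript above, and one created with -O application=ssh:work.
KEY_A = build_sk_ed25519_pubkey(bytes(range(32)), "ssh:", "ssh:")
KEY_B = build_sk_ed25519_pubkey(bytes(range(32, 64)), "ssh:", "ssh:")
KEY_C = build_sk_ed25519_pubkey(bytes(range(64, 96)), "ssh:work", "ssh:work")
```

Running `distinguishing_labels([KEY_A, KEY_B, KEY_C])` yields two SHA256 fingerprints and "ssh:work", which is why setting a distinct application per key at creation time makes the downloaded files tell-apart-able.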

