How to set/specify an SK Device (Path) in ssh_config?

Bernd Naumann bernd at kr217.de
Mon Dec 18 00:28:55 AEDT 2023


Hey *,

I have more then one {Security Key,HSM}-FIDO2 device attached to my
Linux machine (Arch Linux).

With
```
# fido2-token -L
/dev/hidraw7: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)
/dev/hidraw5: vendor=0x20a0, product=0x42b2 (Nitrokey Nitrokey 3)
```
I am able to get the device paths of both SK,
which I can use to generate an `ecdsa-sk` on a specific device:
```
$ ssh-keygen \
  -t ecdsa-sk \
  -f /tmp/TEST-id_ed25519-sk \
  -N '' \
  -O device=/dev/hidraw5 \
  -O resident \
  -O verify-required
...
The key fingerprint is:
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro bernd
```

I can confirm generation on the SK with
```
# fido2-token -L -r /dev/hidraw5
Enter PIN for /dev/hidraw5:
00: 4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8= ssh:
```
(But I have no clue what kind of identifier
"4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8=" actually is?)

I can use this key just fine:
```
ssh -vv -F /dev/null -i /tmp/TEST-id_ed25519-sk localhost
```

But: How do I specify the "SK HANDLER" via ssh_config?
Nowhere I do see a reference.

>From `-vv` I only see:
```
debug1: Offering public key: /tmp/TEST-id_ed25519-sk ECDSA-SK
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro explicit authenticator
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /tmp/TEST-id_ed25519-sk ECDSA-SK
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro explicit authenticator
Confirm user presence for key ECDSA-SK
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ECDSA-SK, provider
internal: msg len 360, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x25
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
...
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to
decrypt private key
debug1: main: reply len 8
debug1: client_converse: helper returned error -43
debug1: identity_sign: sshkey_sign: incorrect passphrase supplied to
decrypt private key
Enter PIN for ECDSA-SK key /tmp/TEST-id_ed25519-sk:
Confirm user presence for key ECDSA-SK
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ECDSA-SK, provider
internal: msg len 360, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x25 with-pin
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
...
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
debug1: main: reply len 129
User presence confirmed
Authenticated to localhost ([::1]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
```

So at first I have to 'touch confirm' which SK to use;
Then I can enter its FIDO2 PIN;
Then the policy(?) requires again the User Presents.
I would like to specify which SK to be used from the `ssh_config`.


To extent my question:
Why does `ssh-sk-helper` iterates over both SK the second time even it
should be clear(?) which SK I wanted to use?


If there is no way yet to specify the SK device via `ssh_config`, I
would like to make a feature request out of it. But I already see some
issues here :/
SK like the "Onlykey" do not have a "serial (number)" because the device
is kinda generic and the user can update its firmware and the
device/firmware offers backup and restore of its configuration including
its secrets. So a Onlykey is not unique. You can create a clone just
fine. (While writing this mail, I should make a test if I'm really able
to make also a backup of credentials within the FIDO2 of the Onlykey...)
But there is no way AFAIK to identify one out of many Onlykeys.

Furthermore, I'm not (yet) too deep in the material to understand how to
get the various serials or identifier of the various
modules/functions/cards on a HSM. AFAIU i.e. a Nitrokey 3 or Yubikey has
a serial, but the PGP SmartCard, the PIV module, and the FIDO2 chip(?)
have its own ID, correct?
I'm also not sure if it would be possible and reliable to configure
Linux udev rules to enforce a certain static `/dev/hidrawN` path for a SK.

Thanks for pointers and hints and explanations.
Best,
Bernd


More information about the openssh-unix-dev mailing list