[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
** Changed in: openssh (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2000276

Title:
  FIDO2 user verification impossible when using the ssh agent

Status in openssh package in Ubuntu:
  Triaged

Bug description:
  I am having trouble setting up FIDO2 ssh keys with my yubikey 5C NFC if I want to enable user verification (user presence works fine).

  Steps to reproduce:

  = Prep work =

  Client (kinetic):
  * generate a key that requires user verification:
    $ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_verify_sk -O verify-required -C "this key requires UV"
    [provide your authenticator PIN, touch it, and add an encryption password]

  Server (jammy):
  * add id_ed25519_verify_sk.pub to authorized_keys

  = Symptoms =

  Shell 1 (w/ssh agent):
    $ eval $(ssh-agent)
    Agent pid 3279738
    $ ssh-add ~/.ssh/id_ed25519_verify_sk
    Enter passphrase for /home/aieri/.ssh/id_ed25519_verify_sk:
    Identity added: /home/aieri/.ssh/id_ed25519_verify_sk (this key requires UV)
    $ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 fails\!"
    sign_and_send_pubkey: signing failed for ED25519-SK "/home/aieri/.ssh/id_ed25519_verify_sk" from agent: agent refused operation
    ubuntu@10.35.202.231: Permission denied (publickey).
    [note that the above is printed immediately, and that the yubikey does not light up]

  Shell 2 (no ssh agent):
    $ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 works\!"
    Enter passphrase for key '/home/aieri/.ssh/id_ed25519_verify_sk':
    Enter PIN for ED25519-SK key /home/aieri/.ssh/id_ed25519_verify_sk:
    Confirm user presence for key ED25519-SK SHA256:nhgS4c2rGtE7XKeez3rAsofrjJvsL6rmBLShZxfTXIY
    User presence confirmed
    FIDO2 works!

  NOTE:
  * user _presence_ can be validated correctly with or without the ssh-agent: keys generated without `-O verify-required` work as expected (aside from bug 1869897)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2000276/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
Just a note that the PIN prompt works under Ubuntu 23.04 after installing ssh-askpass-gnome. Yubico - Security Key C NFC used.
[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
Some references I found back then:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101
https://github.com/openssh/openssh-portable/commit/39d17e189f8e72c34c722579d8d4e701fa5132da

From my chat messages:
  plain ssh-agent on kinetic worked with verify-required keys
  but I had to install ssh-askpass (ugly X11 interface)
  without it, it fails
  gnome-keyring's ssh-agent doesn't seem to support PIN entry for verify-required keys
  that's a lot of exceptions to list in the docs: a) newer openssh-client; b) ssh-askpass-gnome installed; c) use ssh-agent, not gnome-keyring (gnome-keyring is our default)

So IIRC, it worked with kinetic's openssh ssh-agent, not ssh-agent from elsewhere (that would be the gnome-keyring bug linked above).

** Bug watch added: gitlab.gnome.org/GNOME/gnome-keyring/-/issues #101
   https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101
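The reporter's two-shell comparison and the three conditions listed above (newer openssh-client, ssh-askpass-gnome installed, OpenSSH's own ssh-agent rather than gnome-keyring's) can be turned into a quick local check. The script below is an added example, not code from the bug report or from the openssh package; it assumes that gnome-keyring's agent socket path contains a "keyring" component and that the agent shows its PIN prompt through the helper named by SSH_ASKPASS or found as ssh-askpass on PATH, and it does not check the openssh-client version.

```shell
#!/bin/sh
# Added example: classify the local agent setup for verify-required FIDO2 keys.
# Not code from the bug report or the openssh package.

# agent_kind SOCKET -> prints none | gnome-keyring | openssh
# Assumption: gnome-keyring exports its agent under a .../keyring/ssh path, so a
# "keyring" path component identifies it; any other non-empty socket is treated
# as OpenSSH's own ssh-agent (eval $(ssh-agent) gives /tmp/ssh-*/agent.PID).
agent_kind() {
    case "$1" in
        "")           echo none ;;
        */keyring/*)  echo gnome-keyring ;;
        *)            echo openssh ;;
    esac
}

# uv_agent_diagnose SOCKET ASKPASS -> prints a verdict; returns 0 when a
# verify-required key is expected to work through this agent, 1 otherwise.
# ASKPASS is the helper the agent would use for the PIN prompt (assumption:
# $SSH_ASKPASS, or ssh-askpass on PATH). The openssh-client version is not
# checked here.
uv_agent_diagnose() {
    sock="$1"
    askpass="$2"
    case "$(agent_kind "$sock")" in
        none)
            echo "no agent: ssh talks to the token itself and prompts for the PIN"
            return 0 ;;
        gnome-keyring)
            echo "gnome-keyring agent: no PIN entry for verify-required keys, expect 'agent refused operation'"
            return 1 ;;
    esac
    if [ -z "$askpass" ]; then
        echo "openssh ssh-agent without an askpass helper: the agent cannot show a PIN prompt"
        return 1
    fi
    echo "openssh ssh-agent with askpass helper $askpass: verify-required keys should work"
    return 0
}

# Report on the current shell (verdict status ignored so the script ends cleanly).
uv_agent_diagnose "${SSH_AUTH_SOCK:-}" \
    "${SSH_ASKPASS:-$(command -v ssh-askpass 2>/dev/null || true)}" || true
```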
[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
I believe this issue is correct. I noticed this when writing up the documentation[1] on how to use openssh with fido2 resident keys:

"""
NOTE
If you used the -O verify-required option when generating the keys, or if that option is set on the SSH server via /etc/ssh/sshd_config's PubkeyAuthOptions verify-required, then using the agent currently in Ubuntu 22.04 LTS won't work.
"""

I remember I found an upstream bug about this, but it is a bit muddy because there is ssh-agent from ssh, and there is one from gnome (and I think from gpg-agent as well; again, muddy). If I find those pointers again, I'll post them here.

1. https://ubuntu.com/server/docs/service-openssh
[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
Hi Lena,

Actually yes, I can reproduce the same issue with a nitrokey 3A NFC. I also have an older yubikey 5A but I cannot test with it as its firmware does not support user verification, only user presence.

** Changed in: openssh (Ubuntu)
       Status: Incomplete => New
[Touch-packages] [Bug 2000276] Re: FIDO2 user verification impossible when using the ssh agent
Thank you for submitting this report. I attempted to verify on a fresh install of Kinetic as a client and Jammy as a server using a Yubikey Bio. ssh login worked for me both with and without ssh-agent active. I unfortunately don't have a 5c to test with and the issue may lie specifically with that. Have you tried this with multiple new ssh keys to confirm the issue?

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete