Closed virtual-light closed 2 years ago
I also had tried verify-required option with -O resident, but it has had unstable behavior: sometimes it had worked (verify-required functionality had worked as expected) until the first reboot (ssh-add -K or ssh-keygen -K haven't helped), sometimes it had not worked even from the beginning.
Hi,
I believe ssh-agent will require ssh-askpass for credentials with verify-required. Do you have such a program installed on your system (e.g. ssh-askpass, ssh-askpass-gnome, or similar)?
Ludvig.
Hi, @LDVG
I had installed both ssh-askpass and ssh-askpass-gnome, it hasn't helped.
Do they require some additional configuration?
> Do they require some additional configuration?
Not to my knowledge. Would you mind providing the output of ssh-agent in debug mode (with FIDO_DEBUG=1)?
For example,
$ FIDO_DEBUG=1 ssh-agent -d -a /tmp/ssh.sock
then in another console
$ SSH_AUTH_SOCK=/tmp/ssh.sock ssh-add ~/.ssh/id_ed25519_sk
$ SSH_AUTH_SOCK=/tmp/ssh.sock FIDO_DEBUG=1 ssh -vvvT git@github.com
It works as expected with your commands. Also, it looks like the form that asked me to enter a PIN is the ssh-askpass-gnome form.
But what can be the reason that it doesn't work with a binding to a default socket?
I am an idiot! I've forgotten to start ssh-agent in the beginning. With ssh-agent running everything works as expected. Sorry for taking your time. Thank you!
Problem solved.
Happy to hear that it's working!
What version of libfido2 are you using?
What operating system are you running?
What application are you using in conjunction with libfido2? ssh-keygen, ssh-add
How does the problem manifest itself?
when using SSH key that has been generated with verify-required option enabled. Keys generated in the same manner without verify-required work as expected.
Is the problem reproducible? Yes
What are the steps that lead to the problem?
Steps with -O verify-required (fails):
Generate a new key with the verify-required option enabled
$ FIDO_DEBUG=1 ssh-keygen -t ed25519-sk -C "test" -O verify-required
Add the generated SSH key to a ssh-agent
Add the generated pub key to a GH account
Try to authorize with the key
$ FIDO_DEBUG=1 ssh -vT git@github.com
Same steps without -O verify-required (works):
Generate a new key without the verify-required option
$ FIDO_DEBUG=1 ssh-keygen -t ed25519-sk -C "test"
Add the generated SSH key to a ssh-agent
Add the generated pub key to a GH account
Try to authorize with the key
$ FIDO_DEBUG=1 ssh -vT git@github.com
Does the problem happen with different authenticators? No
Please include the output of fido2-token -L.
Please include the output of fido2-token -I.
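
A preflight check for the two things this thread turned on, a reachable ssh-agent and an askpass helper, as an added example that is not part of the original issue or of libfido2/OpenSSH. The function names are hypothetical; the exit codes of `ssh-add -l` are those documented in ssh-add(1), and the askpass lookup is only a heuristic that a helper is installed.

```shell
#!/bin/sh
# Added example: preflight before testing a verify-required key. Names are hypothetical.

# Classify the path given as $1 (normally "$SSH_AUTH_SOCK").
agent_socket_state() {
    if [ -z "$1" ]; then echo unset          # no agent exported to this shell
    elif [ ! -e "$1" ]; then echo missing    # stale value, e.g. agent has exited
    elif [ ! -S "$1" ]; then echo not-socket
    else echo present
    fi
}

# Interpret the exit status of `ssh-add -l` as documented in ssh-add(1).
agent_reply_state() {
    case "$1" in
        0) echo has-keys ;;
        1) echo no-keys ;;
        2) echo unreachable ;;   # ssh-add could not contact the agent
        *) echo unknown ;;
    esac
}

# Heuristic: honour $SSH_ASKPASS, then look on PATH for the helper names
# mentioned in the thread. This shows a helper exists, not which one is launched.
find_askpass() {
    if [ -n "${SSH_ASKPASS:-}" ] && [ -x "$SSH_ASKPASS" ]; then
        echo "$SSH_ASKPASS"
        return 0
    fi
    for name in ssh-askpass ssh-askpass-gnome; do
        if command -v "$name" >/dev/null 2>&1; then
            command -v "$name"
            return 0
        fi
    done
    return 1
}

preflight() {
    state=$(agent_socket_state "${SSH_AUTH_SOCK:-}")
    echo "agent socket: $state"
    if [ "$state" = present ]; then
        rc=0
        ssh-add -l >/dev/null 2>&1 || rc=$?
        echo "ssh-add -l: $(agent_reply_state "$rc")"
    fi
    echo "askpass helper: $(find_askpass || echo 'none found')"
}

preflight
```

A result of `unset`, `missing` or `unreachable` corresponds to the situation that resolved this issue: no ssh-agent was running for the shell in use.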