fork-dev / Tracker

Bug and issue tracker for Fork for Mac

Using Fork with a Yubikey / `ed25519_sk` ssh keys #1621

Open rslobodian opened 2 years ago

rslobodian commented 2 years ago

Hello,

I'm using Fork alongside an ed25519_sk which requires my Yubikey to be touched every time a remote operation is done. Fork doesn't seem to support that operation very well.

Every time I run a remote operation in Fork with that key, I get the following prompt at the same time as my yubikey starts flashing: [image]

If I touch the yubikey, I can see that the operation completes successfully in Fork behind the password prompt, but the prompt doesn't disappear. If I press OK without typing anything it goes away.

Any chance this UX can be improved?

Thanks!

DanPristupov commented 2 years ago

Well, something in your configuration requests a password (probably using ask_pass) and Fork shows the prompt.

So, most likely the solution for the problem is not to fix Fork, but to find out what in your configuration requests the password.

> Every time I run a remote operation in Fork with that key,

What happens when you do that in command line?

rslobodian commented 2 years ago

In the command line I get the prompt Confirm user presence for key ED25519-SK SHA256:<hash>, and the Yubikey starts flashing.

Once I touch it, it says User presence confirmed, and the command executes.

Example below: [image]

I don't know what the ask_pass setting is or where it's set. Are you talking about a git setting in my machine? Or is that an ssh-agent setting? I'm not familiar with that, and I didn't set it up explicitly. The setup I did was following this guide: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key

DanPristupov commented 2 years ago

ASKPASS is a way to configure the application which prompts for a password. It's configurable using the SSH_ASKPASS environment variable so the ssh agent could ask the user for the required information in a convenient way (for example, Fork passes itself as SSH_ASKPASS). Usually, the ssh agent runs ASK_PASS when an ssh key requires a passphrase. It seems that it shouldn't be run in your case, but we can't be sure.

https://git-scm.com/docs/gitcredentials

I think I had a YubiKey 4C Nano somewhere. I need to find it (it's very small and I have no idea where it is ;) ) and try to reproduce the problem.
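Added example, not part of the thread and not Fork's code: a diagnostic askpass shim for finding out what is asking for a password. OpenSSH passes the prompt text as the first argument and, in recent releases, a hint in `SSH_ASKPASS_PROMPT` (`confirm` or `none`); the log path, the function names and the text heuristics are assumptions of this sketch.

```shell
#!/bin/sh
# Diagnostic askpass shim (added example). Point SSH_ASKPASS at this file,
# e.g. on the command line (OpenSSH 8.4 or later):
#   SSH_ASKPASS=/path/to/this/script SSH_ASKPASS_REQUIRE=force git fetch
# It records what ssh asked for and never supplies a secret.

# Log location is an assumption; override with ASKPASS_LOG.
ASKPASS_LOG="${ASKPASS_LOG:-${TMPDIR:-/tmp}/askpass-debug.log}"

# Classify a request. The SSH_ASKPASS_PROMPT hint wins when present;
# the text matching below is a heuristic fallback for when it is absent.
classify_request() {
    prompt=$1
    hint=$2
    case "$hint" in
        none)    echo "notification"; return ;;  # nothing to type, e.g. touch the key
        confirm) echo "confirmation"; return ;;  # yes/no question
    esac
    case "$prompt" in
        *"user presence"*) echo "notification" ;;
        *[Pp]assphrase*)   echo "passphrase" ;;
        *PIN*)             echo "pin" ;;
        *)                 echo "unknown" ;;
    esac
}

# Append one line per request to the log and print the classification.
# Only the prompt is logged; the user's answer never passes through here.
log_request() {
    kind=$(classify_request "$1" "${SSH_ASKPASS_PROMPT:-}")
    (
        umask 077   # keep the log private to the current user
        printf '%s kind=%s hint=%s prompt=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$kind" \
            "${SSH_ASKPASS_PROMPT:-unset}" "$1" >> "$ASKPASS_LOG"
    )
    echo "$kind"
}

# When ssh runs this file as the askpass program it passes the prompt as $1.
# Log it and exit non-zero: a secret prompt is then treated as cancelled.
if [ "$#" -gt 0 ]; then
    log_request "$1" >/dev/null
    exit 1
fi
```

A `kind=notification` line for the `Confirm user presence for key ...` message means the helper was started only to display text, not to collect a password.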

DanPristupov commented 2 years ago

> The setup I did was following this guide:

Have you replaced the default OpenSSH on macOS?

rslobodian commented 2 years ago

Oh yeah, I did that, yes. The default openssh didn't allow me to generate keys of type ed25519_sk. So I installed a new version by doing brew install openssh.

rslobodian commented 2 years ago

@DanPristupov do you think that the different openssh version is an issue?

rslobodian commented 2 years ago

bump

DanPristupov commented 2 years ago

I don't know why that happens and I don't want to replace OpenSSH on my machine.

When I have time one day, I will set up a virtual machine and try.

flit commented 2 years ago

@DanPristupov You can always uninstall openssh as easily as installing with homebrew, so there should be no concern about installing it to test. You can also install with --no-binaries to prevent linking into /usr/local/*, such that you have to modify env variables to make it visible.

msnelling commented 1 year ago

I have this exact same issue.

joaopgrassi commented 1 year ago

I also have an ed25519_sk on my Yubikey 5 that I created with -O verify-required. I also had to update OpenSSH on my Mac. When I use it from the cmd line, I get asked for the PIN + touch. All works nicely. I'm using FIDO2 SSH Keys with GH.

I just tried now with Fork, it asked me for the password first (same dialog as shown in the description), then I saw the yubikey flashing. I touched it, the dialog showed again, I entered the PIN and it disappeared and the commit was pushed. It's not a solution to anything, but I thought of posting it here as well :)

rslobodian commented 11 months ago

Pinging @DanPristupov again, it's been a while, same behaviour still occurs on latest Fork.

rslobodian commented 7 months ago

bumping this again