When creating a resident ssh key with the below command
ssh-keygen -t ed25519-sk -O resident -O application=ssh:solo2 -O verify-required
the key is unable to authenticate to the server, and the warning message is typically:
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation
This is the same for ecdsa-sk and ed25519-sk.
Resident keys function correctly without the verify-required flag (but lack the PIN verification that a verify-required key enforces).
If either or both of the server and the ssh key specify the verify-required flag, then authentication fails.
This occurs on Windows 10 (10.0.19044 Build 19044) and Ubuntu 22.04.
Server: OpenSSH v8.9
Client: OpenSSH v8.9
Below is a log excerpt of an ssh session with both the key and the server setting the verify-required flag.
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: get_agent_identities: bound agent to hostkey
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
user@remote.lan: Permission denied (publickey).
Similar if the key specifies the flag but not the server:
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: Offering public key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation
If the server has the flag but the key was created without it, then the key flashes blue and the session hangs here until terminated:
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
And an excerpt of a successful auth with neither flag set:
debug1: Offering public key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to server.lan ([192.168.0.22]:22) using "publickey".
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
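As an added example (not part of this report or of OpenSSH), a small Python triage helper that classifies an ssh -vvv client log into the three outcomes shown in the excerpts above: the agent refusing to sign with the sk key, the sk key being accepted but no signature ever being sent (the hang), or a successful authentication. The sample log is constructed from the excerpts above with shortened fingerprints.

```python
import re

# Constructed sample: the "agent refused operation" sequence from the report, trimmed.
SAMPLE_LOG = """\
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:aaaa agent
debug3: receive packet: type 51
debug1: Offering public key: user@source ED25519-SK SHA256:bbbb authenticator agent
debug3: receive packet: type 60
debug1: Server accepts key: user@source ED25519-SK SHA256:bbbb authenticator agent
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:bbbb
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation
debug2: we did not send a packet, disable method
user@remote.lan: Permission denied (publickey).
"""

ACCEPT = re.compile(r"Server accepts key: (\S+) (\S+) SHA256:(\S+)")
REFUSED = re.compile(r'signing failed for (\S+) "([^"]+)" from agent: agent refused operation')
SIGNING = re.compile(r"sign_and_send_pubkey: signing using ")
SIG_SENT = re.compile(r"send packet: type 50")
SUCCESS = re.compile(r"receive packet: type 52|^Authenticated to ")


def triage(log: str) -> dict:
    """Classify one ssh -vvv client log into the outcomes described in the report."""
    accepted = {}      # key name -> key type, for every key the server accepted
    refused = []       # (key type, key name) where the agent refused to sign
    pending_sig = False  # a signing attempt started but no signature packet followed
    success = False
    for line in log.splitlines():
        if m := ACCEPT.search(line):
            accepted[m.group(1)] = m.group(2)
        if m := REFUSED.search(line):
            refused.append((m.group(1), m.group(2)))
            pending_sig = False
        if SIGNING.search(line):
            pending_sig = True
        if SIG_SENT.search(line):
            pending_sig = False
        if SUCCESS.search(line):
            success = True
    sk_accepted = [n for n, t in accepted.items() if t.endswith("-SK")]
    if success:
        verdict = "authenticated"
    elif refused:
        verdict = "agent refused sk signature (verify-required mismatch pattern)"
    elif sk_accepted and pending_sig:
        verdict = "sk key accepted but no signature sent (hang pattern)"
    else:
        verdict = "no sk key accepted by server"
    return {"accepted": accepted, "refused": refused, "verdict": verdict}
```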
This issue looks to be similar to that posted in discussion 108 by @darses