Package: openssh-client Version: 1:8.4p1-3 Severity: normal File: /usr/bin/ssh-keygen
Dear Maintainer, Running "ssh-keygen -t ecdsa-sk" consistently fails, without waiting for touch confirmation on the security key, a YubiKey 5 NFC: % ssh-keygen -vvv -t ecdsa-sk Generating public/private ecdsa-sk key pair. You may need to touch your authenticator to authorize key generation. debug3: start_helper: started pid=14355 debug3: ssh_msg_send: type 5 debug3: ssh_msg_recv entering debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0 debug1: sshsk_enroll: using random challenge debug1: sk_probe: 1 device(s) detected debug1: sk_probe: selecting sk by touch debug1: ssh_sk_enroll: using device /dev/hidraw2 debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED debug1: sshsk_enroll: provider "internal" returned failure -3 debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to decrypt private key debug1: ssh-sk-helper: reply len 8 debug3: ssh_msg_send: type 5 debug1: client_converse: helper returned error -43 debug3: reap_helper: pid=14355 Enter PIN for authenticator: You may need to touch your authenticator (again) to authorize key generation. debug3: start_helper: started pid=14356 debug3: ssh_msg_send: type 5 debug3: ssh_msg_recv entering debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0 with-pin debug1: sshsk_enroll: using random challenge debug1: sk_probe: 1 device(s) detected debug1: sk_probe: selecting sk by touch debug1: ssh_sk_enroll: using device /dev/hidraw2 debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_AUTH_BLOCKED debug1: sshsk_enroll: provider "internal" returned failure -1 debug1: ssh-sk-helper: Enrollment failed: invalid format debug1: ssh-sk-helper: reply len 8 debug3: ssh_msg_send: type 5 debug1: client_converse: helper returned error -4 debug3: reap_helper: pid=14356 Key enrollment failed: invalid format My key's firmware is too old to support ed25519-sk, so that fails with "requested feature not supported" instead. A better diagnostic would be helpful in understanding what format is invalid, or what FIDO_ERR_PIN_AUTH_BLOCKED signifies. -- System Information: Debian Release: bullseye/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-1-amd64 (SMP w/48 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-client depends on: ii adduser 3.118 ii dpkg 1.20.7.1 ii libc6 2.31-9 ii libedit2 3.1-20191231-2+b1 ii libfido2-1 1.5.0-2 ii libgssapi-krb5-2 1.18.3-4 ii libselinux1 3.1-2+b2 ii libssl1.1 1.1.1i-1 ii passwd 1:4.8.1-1 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages openssh-client recommends: ii xauth 1:1.1-1 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> ii ssh-askpass-gnome [ssh-askpass] 1:8.4p1-3 -- no debconf information
