Public bug reported:
I can't exactly pinpoint which gnome package is responsible for this. It
might be gnome-keyring. Let's go with gnome-shell first.
TL;DR openssh 8.2p1 in focal has support for U2F authentication. This is
a new feature we will highlight in the release notes and a blog post.
You can create a keypair and the authentication only succeeds if you
have the u2f hardware device plugged in, and touch it at the moment of
authentication.
In a console only env, it works like this:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Confirm user presence for key ECDSA-SK SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
...
Last login: Tue Mar 31 13:35:44 2020 from 10.0.100.1
"""
The "Confirm" prompt is asking the user to touch the hardware device (a
yubikey in this case).
If I use openssh's ssh-agent, it still works as expected and I see that
prompt:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ eval $(ssh-agent)
Agent pid 68267
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_SOCK=/tmp/ssh-75OwXd9gR6tq/agent.68252
SSH_AGENT_PID=68267
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Warning: Permanently added '10.0.100.75' (ECDSA) to the list of known hosts.
Confirm user presence for key ECDSA-SK SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
(...)
Last login: Tue Mar 31 14:33:18 2020 from 10.0.100.1
"""
But with "gnome's ssh-agent" (I'm waving my hands here a bit), it just
stalls. The prompt is swallowed by something. Here I opened a new gnome
terminal in my existing focal desktop session:
"""
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_AGENT_PID=4655
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
<hangs here, and the yubikey starts flashing>
"""
It only moves forward if I touch the device, which is expected. But the
"Confirm user presence" prompt is nowhere to be seen.
I'm not sure how gnome-keyring interacts with ssh-agent. I see it is spawned by
gnome-keyring-daemon:
4556 ? Sl 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
6449 ? S 0:00 \_ /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
But the PID referenced by the SSH_AGENT_PID shell variable above points to
another copy, spawned by gnome-session-binary:
4583 tty3 Sl+ 0:00 \_ /usr/libexec/gnome-session-binary --systemd --systemd --session=ubuntu
4655 ? Ss 0:00 \_ /usr/bin/ssh-agent /usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
In any case, the actual prompt "Confirm user presence for key" comes from
openssh code:
./ssh-agent.c: "Confirm user presence for key %s %s",
./sshconnect2.c: "Confirm user presence for key %s %s",
My guess is that the gnome wrapper, whatever it is, is not expecting
that prompt.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gnome-shell 3.36.0-2ubuntu2
ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
Uname: Linux 5.4.0-21-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 31 11:29:06 2020
DisplayManager: gdm3
InstallationDate: Installed on 2019-10-13 (169 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Beta amd64 (20191010)
RelatedPackageVersions: mutter-common 3.36.0-2ubuntu1
SourcePackage: gnome-shell
UpgradeStatus: Upgraded to focal on 2020-01-30 (60 days ago)
** Affects: gnome-shell (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug champagne focal
** Description changed:
I can't exactly pinpoint which gnome package is responsible for this. It
might be gnome-keyring. Let's go with gnome-shell first.
- TL;DR openssh 8.2p1 in focal has support for U2F authentication. You can
- create a keypair and the authentication only succeeds if you have the
- u2f hardware device plugged in, and touch it at the moment of
+ TL;DR openssh 8.2p1 in focal has support for U2F authentication. This is
+ a new feature we will highlight in the release notes and a blog post.
+
+ You can create a keypair and the authentication only succeeds if you
+ have the u2f hardware device plugged in, and touch it at the moment of
authentication.
In a console only env, it works like this:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Confirm user presence for key ECDSA-SK
SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux
5.4.0-21-generic x86_64)
...
Last login: Tue Mar 31 13:35:44 2020 from 10.0.100.1
"""
The "Confirm" prompt is asking the user to touch the hardware device (a
yubikey in this case).
-
- If I use openssh's ssh-agent, it still works as expected and I see that
prompt:
+ If I use openssh's ssh-agent, it still works as expected and I see that
+ prompt:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ eval $(ssh-agent)
Agent pid 68267
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_SOCK=/tmp/ssh-75OwXd9gR6tq/agent.68252
SSH_AGENT_PID=68267
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Warning: Permanently added '10.0.100.75' (ECDSA) to the list of known hosts.
Confirm user presence for key ECDSA-SK
SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux
5.4.0-21-generic x86_64)
(...)
Last login: Tue Mar 31 14:33:18 2020 from 10.0.100.1
"""
-
- But with "gnome's ssh-agent" (I'm waving my hands here a bit), it just
stalls. The prompt is swallowed by something. Here I opened a new gnome
terminal in my existing focal desktop session:
+ But with "gnome's ssh-agent" (I'm waving my hands here a bit), it just
+ stalls. The prompt is swallowed by something. Here I opened a new gnome
+ terminal in my existing focal desktop session:
"""
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_AGENT_PID=4655
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
<hangs here, and the yubikey starts flashing>
"""
It only moves forward if I touch the device, which is expected. But the
"Confirm user presence" prompt is nowhere to be seen.
I'm not sure how gnome-keyring interacts with ssh-agent. I see it is spawned
by gnome-keyring-daemon:
- 4556 ? Sl 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
- 6449 ? S 0:00 \_ /usr/bin/ssh-agent -D -a
/run/user/1000/keyring/.ssh
-
+ 4556 ? Sl 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
+ 6449 ? S 0:00 \_ /usr/bin/ssh-agent -D -a
/run/user/1000/keyring/.ssh
But the PID referenced by the SSH_AGENT_PID shell variable above points to
another copy, spawned by gnome-session-binary:
- 4583 tty3 Sl+ 0:00 \_ /usr/libexec/gnome-session-binary
--systemd --systemd --session=ubuntu
- 4655 ? Ss 0:00 \_ /usr/bin/ssh-agent
/usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session
--systemd --session=ubuntu
+ 4583 tty3 Sl+ 0:00 \_ /usr/libexec/gnome-session-binary
--systemd --systemd --session=ubuntu
+ 4655 ? Ss 0:00 \_ /usr/bin/ssh-agent
/usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session
--systemd --session=ubuntu
In any case, the actual prompt "Confirm user presence for key" comes from
openssh code:
./ssh-agent.c: "Confirm user presence for key %s %s",
./sshconnect2.c: "Confirm user presence for key %s
%s",
My guess is that the gnome wrapper, whatever it is, is not expecting
that prompt.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gnome-shell 3.36.0-2ubuntu2
ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
Uname: Linux 5.4.0-21-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 31 11:29:06 2020
DisplayManager: gdm3
InstallationDate: Installed on 2019-10-13 (169 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Beta amd64 (20191010)
RelatedPackageVersions: mutter-common 3.36.0-2ubuntu1
SourcePackage: gnome-shell
UpgradeStatus: Upgraded to focal on 2020-01-30 (60 days ago)
https://bugs.launchpad.net/bugs/1869897
Title:
missing ssh prompt to touch yubikey device when using gnome
Status in gnome-shell package in Ubuntu:
New
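The report finds that SSH_AUTH_SOCK and SSH_AGENT_PID point at different agents, so it is unclear which process mediates the touch request. As an added example (not part of the original report or of any project's code), this script resolves which process listens on a socket from `ss -xlpH` output and compares it with SSH_AGENT_PID; the sample listing is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ss -xlpH` output. PIDs and keyring paths come from
# the report; which PID listens where, and the /tmp path, are assumptions.
sample_ss() {
cat <<'EOF'
u_str LISTEN 0 128 /run/user/1000/keyring/ssh 35511 * 0 users:(("gnome-keyring-d",pid=4556,fd=9))
u_str LISTEN 0 128 /run/user/1000/keyring/.ssh 41102 * 0 users:(("ssh-agent",pid=6449,fd=3))
u_str LISTEN 0 128 /tmp/ssh-XXXXconstructed/agent.4583 36020 * 0 users:(("ssh-agent",pid=4655,fd=3))
EOF
}

# socket_listener PATH: read ss-style lines on stdin and print "pid comm"
# for the process listening on exactly PATH; exit 1 if none is found.
socket_listener() {
    awk -v path="$1" '
        $5 == path && match($0, /users:\(\("[^"]*",pid=[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^users:\(\("/, "", s)
            comm = s; sub(/".*/, "", comm)
            pid = s;  sub(/.*pid=/, "", pid)
            print pid, comm
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# check_agent SOCK PID: does the PID advertised in SSH_AGENT_PID actually
# serve the socket named in SSH_AUTH_SOCK? Returns 0 match, 1 mismatch,
# 2 when no listener is found.
check_agent() {
    owner=$(socket_listener "$1") || { echo "unknown: no listener on $1"; return 2; }
    owner_pid=${owner%% *}
    if [ "$owner_pid" = "$2" ]; then
        echo "match: $owner"
        return 0
    fi
    echo "mismatch: socket served by $owner, SSH_AGENT_PID=$2"
    return 1
}

# Live use: ss -xlpH | check_agent "$SSH_AUTH_SOCK" "$SSH_AGENT_PID"
# Demo on the constructed listing, with the values from the GNOME terminal:
sample_ss | check_agent /run/user/1000/keyring/ssh 4655 || true
```

On a live system `ss -p` only shows process details for sockets the calling user is allowed to inspect, so run it as the session user or as root.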