https://bugzilla.mindrot.org/show_bug.cgi?id=3572
xspielinbox+mind...@protonmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |xspielinbox+mindrot@protonm
| |ail.com
--- Comment #1 from xspielinbox+mind...@protonmail.com ---
I came across the same issue using Fedora Linux 38 with OpenSSH_9.0p1,
OpenSSL 3.0.9 and a YubiKey 5 NFC with firmware version 5.2.7 and
libfido2 1.12.0-3.fc38
When creating the ssh-key of type ed25519-sk (regardless of the options
given) it asks for the FIDO pin of the security key.
In the default config (which uses an ssh-agent) it does never
thereafter again ask for the FIDO pin of the security key, no matter
how it has been created (resident or not; with verify-required or not).
When explicitly running ssh with an invalid ssh-agent socket, it does
correctly ask for the pin, if the key has been created with
verify-required, but not if it hasn't:
$ SSH_AUTH_SOCK=/tmp/ssh.sock ssh user@host -i id_ed25519_sk_verify
Enter PIN for ED25519-SK key id_ed25519_sk_verify:
Confirm user presence for key ED25519-SK SHA256:[...]
$ SSH_AUTH_SOCK=/tmp/ssh.sock ssh user@host -i id_ed25519_sk
Confirm user presence for key ED25519-SK SHA256:[...]
When using a key without verify-required with the default ssh-agent
config and specifying verify-required in the authorized_keys of the
target system, it does correctly deny the key with 'debug3: receive
packet: type 51', though this is an pretty ambiguous failure message...
All in all, I can reproduce the reproduce the reported issue. To an
user at first it seems like the verify-required option is useless or
broken, as is does not change anything.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
