https://bugzilla.mindrot.org/show_bug.cgi?id=3572
--- Comment #9 from xspielinbox+mind...@protonmail.com ---

(In reply to Damien Miller from comment #5)
> This looks like it is a problem with how Fedora is
> running/configuring ssh-agent. You can test this using something
> like:
>
> sudo yum install openssh-askpass
> env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l
> ssh-add ~/.ssh/id_ed25519_sk
> ssh-add -T ~/.ssh/id_ed25519_sk.pub

Sorry for the delay. I did quite some testing.

I first tried the test as is, without openssh-askpass installed.

When just running

    $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub

I get a (gnome-builtin) graphical dialog prompting for the password/passphrase of the key, then have to tap the authenticator, and the shell prompt returns (so it is successful). When testing it again, it has remembered the passphrase, and I only have to tap the authenticator.

    $ ssh-add -T ~/.ssh/id_ed25519_sk-verify-pin.pub

results in the same graphical dialog for the password/passphrase, but after that it just fails with:

    Agent signature failed for [full path of key]: agent refused operation

One never gets the opportunity to tap the authenticator or enter the PIN for user verification. The authenticator also never lights up to indicate that user interaction is required.

When adding the keys to the ssh-agent:

    $ ssh-add ~/.ssh/id_ed25519_sk-pin
    Enter passphrase for [full path of key]:
    Identity added: [full path of key] (pin)
    $ ssh-add ~/.ssh/id_ed25519_sk-verify-pin
    Enter passphrase for [full path of key]:
    Identity added: [full path of key] (verify-pin)

I always get the prompt for the passphrase in the terminal and also have to enter it, even if I already entered it in the graphical dialog or ran ssh-add already before. When testing the signatures again with ssh-add -T after that, nothing has changed. I still have to enter the password/passphrase in the graphical dialog when I ran ssh-add -D or killed the ssh-agent before adding the keys to the ssh-agent.

Verification succeeds for the key with the PIN, but not for the one with verify-required.

After installing the openssh-askpass package, echo $SSH_ASKPASS returns:

    /usr/libexec/openssh/gnome-ssh-askpass

This binary also does indeed exist. After running

    env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l

there is an additional process running:

    ssh-agent /bin/bash -l

Every time I run this command, an additional process gets created. When now running

    ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub

or

    ssh-add -T ~/.ssh/id_ed25519_sk-verify-pin.pub

I get:

    Agent signature failed for [full path of key]: agent refused operation

It does not prompt me for the passphrase anymore.

    $ ssh-add -L

returns "The agent has no identities.", whereas the default agent has all identities from the hard disk preloaded, even when the first ssh-add command I enter is ssh-add -L. When opening a new terminal window, it again defaults to the default agent and I have to manually execute the above command again to enable openssh-askpass.

I first have to add the keys to the agent with ssh-add as above, and when then running

    $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub

the shell prompt returns after a tap on the authenticator (so it is successful). But

    $ ssh-add -T ~/.ssh/id_ed25519_sk-verify-pin.pub

still fails with:

    Agent signature failed for [full path of key]: agent refused operation

When checking with ssh-add -L, one can see that the latter key also was not added to the agent, despite the ssh-add command not giving an error (though also not asking for the PIN, as it should have).

Also: when running ssh-add ~/.ssh/id_ed25519_sk-pin or ssh-add ~/.ssh/id_ed25519_sk-verify-pin, just hitting enter directly and not entering any passphrase seems to abort it the same way as doing a keyboard interrupt. It does not show the message of a bad passphrase, and there is no new key shown in ssh-add -L.

When then running ssh-add after killing the ssh-agent, I receive:

    Error connecting to agent: No such file or directory

I have to rerun

    env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l

before the error goes away. When opening a new terminal window or exiting the new login shell the command creates, this error disappears too.

After some wild testing in different terminal tabs, I somehow then got to a point where now, when running ssh-add ~/.ssh/id_ed25519_sk-verify-pin, it adds the key to the ssh-agent, even though it did not prompt for a PIN. Having added the key to the ssh-agent and then running the signature test, it now shows a (gnome-builtin) graphical dialog that openssh-askpass wants to inhibit shortcuts. When allowing that, I get to see a new application window "openssh" that asks me to confirm user presence for the respective key and, in the case of the verify-pin key, also asks me to enter the PIN. For the pin key, it succeeds after tapping the authenticator, but for the verify-pin key, no matter what I enter as the PIN (the actual FIDO2 PIN of the authenticator, something completely wrong, nothing, or the passphrase of the key), it immediately fails with "Agent signature failed for [full path of key]: agent refused operation", not even giving me any chance to confirm my user presence. Trying to confirm the user presence before entering the PIN also does not work. In fact, the authenticator never lights up the light to indicate that interaction is required.

I don't have anything SSH-related in my ~/.bashrc, /etc/bashrc, /etc/profile or ~/.bash_profile. There also isn't any ssh-askpass or ssh-agent related systemd service on Fedora.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
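A repeatable form of the isolated-agent test from comment #5, added here as an example; it is not code from the bug report, from the reporter or from OpenSSH. It starts a throwaway upstream ssh-agent so the desktop session's default agent (the one that, per the report, already has every identity preloaded and answers new terminals) is out of the picture, adds the keys, runs the ssh-add -T signing test per key, and kills the agent on exit so no extra ssh-agent processes accumulate. Two things in it are my assumptions and not stated on the page: that the socket path identifies the agent (upstream ssh-agent creates /tmp/ssh-*/agent.<pid>, gnome-keyring's SSH component listens on $XDG_RUNTIME_DIR/keyring/ssh), and that the askpass helper lives at the path the report gives, /usr/libexec/openssh/gnome-ssh-askpass, unless SSH_ASKPASS is already set. The classify_agent_socket helper is a hypothetical name of mine.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenSSH. Usage:
#   sh sk-agent-test.sh ~/.ssh/id_ed25519_sk-pin ~/.ssh/id_ed25519_sk-verify-pin
# Each argument is a private key; the matching <key>.pub is used for ssh-add -T.

# Classify an agent socket path by its location. Pure string check, so it can
# be exercised without any agent running. Assumption (mine): upstream ssh-agent
# uses /tmp/ssh-*/agent.<pid>; gnome-keyring uses .../keyring/ssh.
# Prints one of: none, openssh, gnome-keyring, unknown
classify_agent_socket() {
    sock="${1:-}"
    case "$sock" in
        "")                    echo none ;;
        /tmp/ssh-*/agent.*)    echo openssh ;;
        */keyring/ssh)         echo gnome-keyring ;;
        *)                     echo unknown ;;
    esac
}

# Run the signing test for every public key given. ssh-add -T asks the agent to
# sign with the key and verifies the signature locally, so "agent refused
# operation" here means the agent could not complete the FIDO touch/PIN step.
# Returns 0 only if every key verified.
test_sk_keys() {
    rc=0
    for pub in "$@"; do
        if ssh-add -T "$pub"; then
            echo "OK   $pub"
        else
            echo "FAIL $pub (agent refused operation, or key not loaded)"
            rc=1
        fi
    done
    return $rc
}

main() {
    echo "Session agent: ${SSH_AUTH_SOCK:-<unset>} ($(classify_agent_socket "${SSH_AUTH_SOCK:-}"))"

    # Start a private upstream agent; eval exports SSH_AUTH_SOCK and
    # SSH_AGENT_PID into this shell only. The trap kills it on exit, which is
    # what the login-shell variant in comment #5 leaves to the user.
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    echo "Test agent:    $SSH_AUTH_SOCK ($(classify_agent_socket "$SSH_AUTH_SOCK"))"

    # The agent inherits SSH_ASKPASS from its environment, so the touch/PIN
    # prompts for sk keys go through this helper rather than the session's own
    # prompter. Path is the one from the report, assumed to be installed.
    export SSH_ASKPASS="${SSH_ASKPASS:-/usr/libexec/openssh/gnome-ssh-askpass}"
    # OpenSSH 8.4+: let ssh-add use the askpass helper even though it has a tty
    export SSH_ASKPASS_REQUIRE=prefer

    for key in "$@"; do
        ssh-add "$key" || echo "could not add $key (exit $?)"
    done
    echo "Identities in the test agent:"
    ssh-add -l || true

    pubs=""
    for key in "$@"; do pubs="$pubs $key.pub"; done
    # shellcheck disable=SC2086  # word-splitting on purpose
    test_sk_keys $pubs
}

# Only run the procedure when keys were passed on the command line
[ "${1:-}" = "" ] || main "$@"
```

Compare the "Session agent" and "Test agent" lines first: if both classify as openssh, the script is not isolating anything and the comparison with the desktop agent is meaningless. A verify-required key that ssh-add accepts without a PIN prompt and that then fails ssh-add -T is exactly the symptom the report describes, and with this script the failing agent is known to be upstream ssh-agent rather than whatever the session provides.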