Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-02-13 Thread Michael Albinus
coder.nov...@mailbox.org writes:

Hi,

> I have a Yubikey 5 NFC with the USBA port. And the error message now
> as I was trying to test for it again suddenly is just gone
> now.. unsure why but it works fine now! And no problem, glad I was
> able to help get the bug fixed!

Good! As said in the other message, the yubikey and Tramp have different
timeouts. Likely you've entered a Tramp timeout, which is not an error
but intended.

Best regards, Michael.



Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-02-09 Thread Michael Albinus
coder.nov...@mailbox.org writes:

Hi,

> I tested it today and it does let me authenticate the key! But while it's 
> asking me to touch the key, it does display the following text in the buffer
> ```
> File error: [[Regexp ‘^^M*User presence confirmed[
> ^M]*\|^^M*\(Enter PIN for .*\)[
> ^M]*\|^^M*sign_and_send_pubkey: signing failed for .*[
> ^M]*’ not found in 0 secs]]
> ```
> However, once I touch the key, it does let me access the files on the remote 
> machine. So it does seem to be functional other than that!

Thanks for the feedback. Since you are able to access the remote machine
with your PIN-protected yubikey, I've pushed the patch to the
repositories. Will be available on GNU ELPA later this month, as Tramp 2.6.2.2.

The error message ... hmm, it isn't clear to me. One possible reason is
that Tramp has reached a timeout, that means you have waited for a while
until entering the PIN.

Another possibility is that your yubikey shows slightly different
messages while using it. Which yubikey do you use? I have taken a
"YubiKey 5C NFC" for my tests.

Anyway, if the error message persists, pls run the test with
tramp-verbose set to 10, and show the Tramp debug buffer.
 
Best regards, Michael.



Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-02-03 Thread Michael Albinus
Michael Albinus  writes:

Hi,

>> Also here's the traces attached as a file.
>
> Thanks. Unfortunately, you haven't sent the full traces, so I cannot see
> whether the messages "Confirm user presence for key ...:" and "Enter
> PIN:" disturb each other. Hmm.

That was the problem, indeed. Please remove the patch I've sent
before. The appended patch works in my local environment, could you pls check?

Best regards, Michael.

diff --git a/lisp/tramp-sh.el b/lisp/tramp-sh.el
index 44c0bdc7..3e6fb384 100644
--- a/lisp/tramp-sh.el
+++ b/lisp/tramp-sh.el
@@ -544,6 +544,7 @@ shell from reading its init file."
 (tramp-terminal-prompt-regexp tramp-action-terminal)
 (tramp-antispoof-regexp tramp-action-confirm-message)
 (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
+(tramp-security-key-pin-regexp tramp-action-otp-password)
 (tramp-process-alive-regexp tramp-action-process-alive))
   "List of pattern/action pairs.
 Whenever a pattern matches, the corresponding action is performed.
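Review bot: A security key PIN is a reusable secret rather than a one-time password, yet the added entry `(tramp-security-key-pin-regexp tramp-action-otp-password)` routes it through the OTP action with no explanation. A short comment beside this entry, and beside the identical entry in the out-of-band list in the next hunk, stating that the PIN prompt deliberately reuses the OTP action would keep a later reader from taking it for a copy-paste slip.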
@@ -563,6 +564,7 @@ corresponding PATTERN matches, the ACTION function is called.")
 (tramp-wrong-passwd-regexp tramp-action-permission-denied)
 (tramp-copy-failed-regexp tramp-action-permission-denied)
 (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
+(tramp-security-key-pin-regexp tramp-action-otp-password)
 (tramp-process-alive-regexp tramp-action-out-of-band))
   "List of pattern/action pairs.
 This list is used for copying/renaming with out-of-band methods.
diff --git a/lisp/tramp.el b/lisp/tramp.el
index 61f51272..f3da56e7 100644
--- a/lisp/tramp.el
+++ b/lisp/tramp.el
@@ -788,6 +788,13 @@ The regexp should match at end of buffer."
   :version "28.1"
   :type 'regexp)

+(defcustom tramp-security-key-pin-regexp
+  (rx bol (* "\r") (group "Enter PIN for " (* nonl)) (* (any "\r\n")))
+  "Regular expression matching security key PIN prompt.
+The regexp should match at end of buffer."
+  :version "29.3"
+  :type 'regexp)
+
 (defcustom tramp-operation-not-permitted-regexp
   (rx (| (: "preserving times" (* nonl)) "set mode") ":" (* blank)
   "Operation not permitted")
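Review bot: The docstring of `tramp-security-key-pin-regexp` does not mention that group 1 is significant, although the `(match-string 1)` call in the following hunk turns the matched group into the prompt shown to the user. Please document that group 1 must capture the prompt text, and name the program whose wording the literal "Enter PIN for " follows, so that someone customizing the option for a differently worded prompt keeps the group in place.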
@@ -5589,7 +5596,7 @@ of."
 	  prompt)
   (goto-char (point-min))
   (tramp-check-for-regexp proc tramp-process-action-regexp)
-  (setq prompt (concat (match-string 1) " "))
+  (setq prompt (concat (string-trim (match-string 1)) " "))
   (tramp-message vec 3 "Sending %s" (match-string 1))
   ;; We don't call `tramp-send-string' in order to hide the
   ;; password from the debug buffer and the traces.
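Review bot: The prompt is built from `(string-trim (match-string 1))`, but the `tramp-message` call on the next line still reads the untrimmed `(match-string 1)` a second time, so the logged text and the displayed prompt can differ and the second read relies on the match data surviving the `string-trim` call. Binding the trimmed string once and using it for both the prompt and the log message would remove that dependency.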
@@ -5665,14 +5672,17 @@ Wait, until the connection buffer changes."
   (ignore set-message-function clear-message-function)
   (tramp-message vec 6 "\n%s" (buffer-string))
   (tramp-check-for-regexp proc tramp-process-action-regexp)
-  (with-temp-message
-	  (replace-regexp-in-string (rx (any "\r\n")) "" (match-string 0))
+  (with-temp-message (concat (string-trim (match-string 0)) " ")
 	;; Hide message in buffer.
 	(narrow-to-region (point-max) (point-max))
 	;; Wait for new output.
 	(while (not (tramp-compat-ignore-error file-error
 		  (tramp-wait-for-regexp
-		   proc 0.1 tramp-security-key-confirmed-regexp)))
+		   proc 0.1
+		   (tramp-compat-rx
+			(| (regexp tramp-security-key-confirmed-regexp)
+			   (regexp tramp-security-key-pin-regexp)
+			   (regexp tramp-security-key-timeout-regexp))
 	  (when (tramp-check-for-regexp proc tramp-security-key-timeout-regexp)
 	(throw 'tramp-action 'timeout))
 	  (redisplay 'force)))
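Review bot: With `tramp-security-key-timeout-regexp` now among the alternatives passed to `tramp-wait-for-regexp`, the wait succeeds as soon as the key reports a timeout, the `while` loop ends without running its body, and the `(throw 'tramp-action 'timeout)` inside the body is reached only when the wait itself fails. Please confirm that the timeout case is still handled after the loop, or leave the timeout alternative out of the awaited expression so the existing check in the body keeps doing that job.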
@@ -6726,12 +6736,13 @@ Consults the auth-source package."
 		   (tramp-get-connection-property key "login-as")))
 	 (host (tramp-file-name-host-port vec))
 	 (pw-prompt
-	  (or prompt
-	  (with-current-buffer (process-buffer proc)
-		(tramp-check-for-regexp proc tramp-password-prompt-regexp)
-		(if (string-match-p "passphrase" (match-string 1))
-		(match-string 0)
-		  (format "%s for %s " (capitalize (match-string 1)) key)
+	  (string-trim-left
+	   (or prompt
+	   (with-current-buffer (process-buffer proc)
+		 (tramp-check-for-regexp proc tramp-password-prompt-regexp)
+		 (if (string-match-p "passphrase" (match-string 1))
+		 (match-string 0)
+		   (format "%s for %s " (capitalize (match-string 1)) key))
 	 (auth-source-creation-prompts `((secret . ,pw-prompt)))
 	 ;; Use connection-local value.
 	 (auth-sources (buffer-local-value 'auth-sources (process-buffer proc)))
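Review bot: Nothing in this hunk says where the leading whitespace removed by `string-trim-left` comes from, and the call wraps the whole `(or prompt ...)` form, so a caller-supplied `prompt` is trimmed as well. A one-line comment naming the source (for example leading carriage returns in the matched prompt) would make the intent clear; if only the buffer-derived prompt needs it, the trim could move inside the `with-current-buffer` branch.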


Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-01-30 Thread Michael Albinus

Sent from my iPad

> On 30.01.2024 at 16:08, coder.nov...@mailbox.org wrote:
> Also to add, if I disable x11-sshaskpass, because of that error still 
> showing in the buffer, I am unable to enter the pin and it makes Tramp and 
> Emacs lock up
> 
>> On 01/30/2024 8:21 AM CST coder.nov...@mailbox.org wrote:
>> Hey, I'm so sorry for the delay again! It took me a bit to get the patch 
>> added (since I'm using NixOS along with Doom Emacs, had to update Emacs to 
>> 29.2 and such). I gave it a test and it still says that error in the 
>> messenger buffer; but it allows me to enter the PIN (I have x11-sshaskpass) 
>> and then after I enter the pin and touch the key, Tramp is able to enter 
>> into the remote filesystem like it's supposed to!

Please send me traces with verbosity 10. It might take time to reply, I'm ill
these days.

Best regards, Michael.



Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-01-28 Thread Michael Albinus
coder.nov...@mailbox.org writes:

> Sorry for the delay! Here's the output
>
> ssh server ...

Thanks, that helps.

Tramp 2.6.2 (Emacs 29.2) supports already OTP input, as it would be
appropriate for the PIN. However, it doesn't know the PIN prompt as used
by Yubikey yet.

Could you pls install first Tramp 2.6.2.0 from GNU ELPA? This is a
little bit problematic, because Emacs 29.1 has a bug which prevents
installation of Tramp from GNU ELPA. See 

for mitigation instructions.

On top, pls install this patch:

diff --git a/lisp/tramp.el b/lisp/tramp.el
index bd556753..a97d8e37 100644
--- a/lisp/tramp.el
+++ b/lisp/tramp.el
@@ -688,7 +688,7 @@ The `sudo' program appears to insert a `^@' character into the prompt."
 (defcustom tramp-otp-password-prompt-regexp
   (rx bol (* nonl)
   ;; JumpCloud.
-  (group (| "Verification code"))
+  (group (| "Verification code" "Enter PIN"))
   (* nonl) (any "::៖") (* blank))
   "Regexp matching one-time password prompts.
 The regexp should match at end of buffer."
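Review bot: The `;; JumpCloud.` comment above the group no longer describes its contents once "Enter PIN" is added, so it should name the security key prompt too. Also, since the expression begins with `bol (* nonl)` and only requires a colon character after the group, any line containing "Enter PIN" ahead of a colon is treated as a one-time password prompt; matching the fuller prompt wording would narrow that.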

After recompilation of tramp.el, it should work. Unfortunately, I cannot
test locally, so I'm waiting for your response.

Best regards, Michael.


Re: tramp (2.6.0.29.1 nil/nil); Tramp crashes when trying to authenticate ssh with yubikey resident-key that requires user to enter FIDO2 PIN

2024-01-28 Thread Michael Albinus
coder.nov...@mailbox.org writes:

Hi,

> I'm using my Yubikey 5 to authenticate ssh on my server. The resident
> key I created for it requires both the FIDO2 PIN and touching the key
> to authenticate it. When I try to log into the server with Tramp, the
> program immediately crashes with `File error: [[Regexp '^^M*User
> presence confirmed [^M]*' not found in 0 secs]]`; and Emacs also
> completely locks up as a result of Tramp's failing. My computer's
> running NixOS and I have Doom Emacs installed.

Tramp supports already the Yubikey presence message, but it doesn't
support the Yubikey PIN input. Must be added.

Could you, pls, run ssh in a terminal, and show all messages which
happen there (except the PIN value, of course)?

Best regards, Michael.