Package: openssh-client
Version: 1:8.0p1-3
Severity: normal

Dear Maintainer,
I have a Yubikey ("Yubikey 5 NFC") with my (RSA-2048) SSH key on it. This connects to OpenSSH via OpenSC, through the line

    PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

which I have in my $HOME/.ssh/config. The key is configured to require a PIN and a button press in order to sign.

In 7.9p1, I was able to add the PIN to the SSH agent for the current session with

    ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

and then, upon ssh'ing into a host, only touch the key to sign in. This behavior no longer works in 8.0p1. Instead, I now have to enter the PIN for every single sign-in attempt, even if adding the key to the agent succeeds.

Simply downgrading openssh-client (while leaving the same agent running) restores the prior behavior, so a workaround exists for now. But it would be fantastic if this (convenient) function could be restored.

Here are logs of what occurs with ssh -v in each case:

-------------------------------------------------------------------------------
8.0p1: (bad)
-------------------------------------------------------------------------------
$ ssh -v marten
OpenSSH_8.0p1 Debian-3, OpenSSL 1.1.1c 28 May 2019
debug1: Reading configuration data /home/andreas/.ssh/config
debug1: /home/andreas/.ssh/config line 7: Deprecated option "useroaming"
debug1: /home/andreas/.ssh/config line 173: Applying options for marten
debug1: /home/andreas/.ssh/config line 189: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to marten.tiker.net [2a01:4f8:191:73ea::2] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> serial <7ecd62c148f8bee> flags 0x40d
Enter PIN for 'SSH key':

-------------------------------------------------------------------------------
7.9p1: (good)
-------------------------------------------------------------------------------
$ ssh -v marten
OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1c 28 May 2019
debug1: Reading configuration data /home/andreas/.ssh/config
debug1: /home/andreas/.ssh/config line 7: Deprecated option "useroaming"
debug1: /home/andreas/.ssh/config line 173: Applying options for marten
debug1: /home/andreas/.ssh/config line 189: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to marten.tiker.net [2a01:4f8:191:73ea::2] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> serial <7ecd62c148f8bee> flags 0x40d
debug1: have 1 keys
debug1: pkcs11_provider_unref: 0x556a2fafabb0 refcount 2
debug1: identity file /home/andreas/.ssh/id_rsa type 0
debug1: identity file /home/andreas/.ssh/id_rsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_dsa type -1
debug1: identity file /home/andreas/.ssh/id_dsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_ecdsa type -1
debug1: identity file /home/andreas/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_ed25519 type 3
debug1: identity file /home/andreas/.ssh/id_ed25519-cert type -1
debug1: identity file /home/andreas/.ssh/id_xmss type -1
debug1: identity file /home/andreas/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to marten.tiker.net:22 as 'akadmin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug0: expecting SSH2_MSG_KEX_ECDH_REPLY
[snip]
-------------------------------------------------------------------------------

Thanks,
Andreas

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser            3.118
ii  dpkg               1.19.7
ii  libc6              2.28-10
ii  libedit2           3.1-20190324-1
ii  libgssapi-krb5-2   1.17-3
ii  libselinux1        2.8-1+b1
ii  libssl1.1          1.1.1c-1
ii  passwd             1:4.7-1
ii  zlib1g             1:1.2.11.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth              1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain           <none>
ii  ksshaskpass [ssh-askpass]  4:5.14.5-1
pn  libpam-ssh         <none>
pn  monkeysphere       <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:8.0p1-3

-- no debconf information
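An added diagnostic helper (written for this page, not part of the bug report or of OpenSSH) that tells the two behaviours apart from saved ssh -v output, using the strings visible in the transcripts above: the 8.0p1 run shows the client itself printing "Enter PIN for ...", while the 7.9p1 run logs "have 1 keys" and proceeds without a prompt. The sample logs are constructed by trimming those two transcripts; the three result labels are my own names.

```shell
#!/bin/sh
# classify_ssh_log LOGTEXT -> prints one of:
#   client-pin-prompt  the client loaded the PKCS#11 provider and asked for the PIN itself
#   agent-signing      the provider enumerated keys and no PIN prompt appeared
#   no-provider        no PKCS#11 provider/slot line in the log at all
#   unknown            provider seen, but neither marker string was found
classify_ssh_log() {
    log=$1
    # The provider/slot line is emitted whenever the PKCS#11 module is loaded.
    if ! printf '%s\n' "$log" | grep -q 'debug1: provider .* slot [0-9][0-9]*: label'; then
        echo no-provider
        return 0
    fi
    # In the failing 8.0p1 transcript the PIN prompt follows the slot line directly.
    if printf '%s\n' "$log" | grep -q "Enter PIN for '"; then
        echo client-pin-prompt
    # In the working 7.9p1 transcript the key count is logged and signing proceeds.
    elif printf '%s\n' "$log" | grep -q 'debug1: have [0-9][0-9]* keys'; then
        echo agent-signing
    else
        echo unknown
    fi
}

# Constructed samples, trimmed from the two transcripts in the report.
BAD_LOG="debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> flags 0x40d
Enter PIN for 'SSH key':"

GOOD_LOG="debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> flags 0x40d
debug1: have 1 keys
debug1: pkcs11_provider_unref: 0x556a2fafabb0 refcount 2"

# Usage: pass a file holding captured `ssh -v` output (stderr redirected to a file).
if [ -n "${1:-}" ]; then
    classify_ssh_log "$(cat "$1")"
fi
```

Capture a live run with `ssh -v host 2>log.txt` and pass log.txt to the script; a result of client-pin-prompt while the key is listed by `ssh-add -L` reproduces the behaviour the report describes.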