https://bugzilla.mindrot.org/show_bug.cgi?id=3572
Bug ID: 3572
Summary: ssh-agent refused operation when using FIDO2 with -O verify-required
Product: Portable OpenSSH
Version: 9.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-agent
Assignee: unassigned-b...@mindrot.org
Reporter: bluebird090...@proton.me

When using FIDO2 keys in combination with the option verify-required, using ssh-agent will fail with the error message:

sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation

When the ssh-agent is not used or the key has not yet been cached, the login operation works as expected, asking for the passphrase for the local identity key, followed by the FIDO2 device PIN, followed by a request to touch the device. Running ssh-add -l will list the key as expected as well.

After closing the ssh connection and connecting again (with ssh-agent running), the operation will fail with the following:

...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:nHEA..................... explicit authenticator agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:nHEA..................... explicit authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: No more authentication methods to try.
root@testhost: Permission denied (publickey)

To reproduce:

1. ssh-keygen -t ed25519-sk -O application=ssh:mytestkey -O verify-required
2. Copy the public key to authorized_keys.
3. Log in: ssh -i ~/.ssh/id_ed25519_sk root@testhost (config has AddKeysToAgent yes)
4. Exit the ssh shell.
5. Log in again.

When using FIDO2 keys generated without -O verify-required, ssh-agent works as expected, asking only for touch verification when the local passphrase has been cached.
Expected behavior: ssh-agent should ask for the FIDO2 device PIN to be entered when the local identity key is already cached.

Tested with Nitrokey 3, running firmware 1.4.0 and libfido2 1.13.0
OS: Arch Linux, OpenSSH_9.3p1, OpenSSL 3.0.8 7 Feb 2023

-- 
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
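The report hinges on whether a given sk key carries the verify-required flag, which ssh-keygen stores inside the private key file rather than in the public key. The following is an added example (not from the bug report and not OpenSSH's own code) that reads an unencrypted openssh-key-v1 private key file and reports the sk flag bits. It assumes the container layout from OpenSSH's PROTOCOL.key and the sk key layouts from PROTOCOL.u2f as I understand them, and the flag values from sk-api.h; `build_sk_private_key`, `parse_sk_private_key` and `describe` are names chosen here. The two sample keys are constructed fixtures with dummy key bytes and will not work with any authenticator.

```python
"""Report the FIDO (sk) flags stored in an unencrypted OpenSSH private key.

Added example, not part of the bug report or of OpenSSH. Assumes the
openssh-key-v1 container (PROTOCOL.key) and the sk key layouts (PROTOCOL.u2f).
"""
import base64
import struct

# Flag bits as defined in OpenSSH's sk-api.h (assumed here).
SK_USER_PRESENCE_REQD = 0x01       # touch required; cleared by -O no-touch-required
SK_USER_VERIFICATION_REQD = 0x04   # PIN/biometric required; set by -O verify-required
SK_RESIDENT_KEY = 0x20             # credential stored on the token; -O resident

MAGIC = b"openssh-key-v1\x00"
SK_TYPES = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def _s(b: bytes) -> bytes:
    """SSH 'string' encoding: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated key blob")
        self.pos += n
        return v


def build_sk_private_key(keytype, pk, application, flags, key_handle, comment):
    """Serialise an unencrypted openssh-key-v1 file for an sk key (test fixture only)."""
    app, kt = application.encode(), keytype.encode()
    curve = _s(b"nistp256") if keytype.startswith("sk-ecdsa") else b""
    pub = _s(kt) + curve + _s(pk) + _s(app)
    check = b"\x12\x34\x56\x78"            # checkint, written twice in the private section
    priv = (check + check + _s(kt) + curve + _s(pk) + _s(app) + bytes([flags])
            + _s(key_handle) + _s(b"") + _s(comment.encode()))
    pad = 1
    while len(priv) % 8:                   # "none" cipher pads to an 8-byte block with 1,2,3,...
        priv += bytes([pad])
        pad += 1
    body = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(priv)
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def parse_sk_private_key(pem: str) -> dict:
    """Return the sk metadata (application, flags, ...) of an unencrypted sk private key."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----" or lines[-1] != "-----END OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH private key")
    data = base64.b64decode("".join(lines[1:-1]))
    if not data.startswith(MAGIC):
        raise ValueError("bad magic")
    r = _Reader(data[len(MAGIC):])
    cipher, kdf, _kdfopts = r.string(), r.string(), r.string()
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    r.string()                             # public blob; the flags are not in it
    priv_blob = r.string()
    if cipher != b"none":
        # Flags live in the encrypted section, so a passphrase-protected file cannot be read here.
        raise ValueError(f"key is passphrase-protected ({cipher.decode()}/{kdf.decode()}); decrypt a copy first")
    p = _Reader(priv_blob)
    c1, c2 = p.u32(), p.u32()
    if c1 != c2:
        raise ValueError("checkint mismatch")
    keytype = p.string().decode()
    if keytype not in SK_TYPES:
        raise ValueError(f"{keytype} is not a FIDO (sk) key")
    if keytype.startswith("sk-ecdsa"):
        p.string()                         # curve name
    p.string()                             # public key bytes / EC point
    application = p.string().decode()
    flags = p.u8()
    key_handle = p.string()
    p.string()                             # reserved
    comment = p.string().decode()
    return {
        "keytype": keytype, "application": application, "comment": comment,
        "key_handle_len": len(key_handle), "flags": flags,
        "touch_required": bool(flags & SK_USER_PRESENCE_REQD),
        "verify_required": bool(flags & SK_USER_VERIFICATION_REQD),
        "resident": bool(flags & SK_RESIDENT_KEY),
    }


def describe(pem: str) -> str:
    k = parse_sk_private_key(pem)
    needs = [n for n, on in (("touch", k["touch_required"]), ("PIN", k["verify_required"])) if on]
    return f"{k['keytype']} app={k['application']} flags=0x{k['flags']:02x} needs {'+'.join(needs) or 'nothing'}"


# Constructed fixtures (dummy bytes) mirroring the two key kinds contrasted in the report.
KEY_VERIFY_REQUIRED = build_sk_private_key(
    "sk-ssh-ed25519@openssh.com", b"\x11" * 32, "ssh:mytestkey",
    SK_USER_PRESENCE_REQD | SK_USER_VERIFICATION_REQD, b"\x22" * 64, "verify-required key")
KEY_TOUCH_ONLY = build_sk_private_key(
    "sk-ssh-ed25519@openssh.com", b"\x33" * 32, "ssh:othertest",
    SK_USER_PRESENCE_REQD, b"\x44" * 64, "touch-only key")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, describe(fh.read()))
    print("fixture:", describe(KEY_VERIFY_REQUIRED))
    print("fixture:", describe(KEY_TOUCH_ONLY))
```

To inspect a real key, run the script on a temporary copy whose passphrase has been removed (ssh-keygen -p on the copy), since the flag byte sits inside the encrypted section; a key reporting "needs touch+PIN" is the kind the report describes as failing once the agent has it cached, while "needs touch" is the kind it describes as working.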