FIDO2 user verification impossible when using the ssh agent

Bug #2000276 reported by Andrea Ieri
Affects: openssh (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I am having trouble setting up FIDO2 ssh keys with my yubikey 5C NFC if I want to enable user verification (user presence works fine).

Steps to reproduce:

= Prep work =

Client (kinetic):
* generate a key that requires user verification:
  $ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_verify_sk -O verify-required -C "this key requires UV"
  [provide your authenticator PIN, touch it, and add an encryption password]

Server (jammy):
* add id_ed25519_verify_sk.pub to authorized_keys

= Symptoms =

Shell 1 (w/ssh agent):

$ eval $(ssh-agent)
Agent pid 3279738

$ ssh-add ~/.ssh/id_ed25519_verify_sk
Enter passphrase for /home/aieri/.ssh/id_ed25519_verify_sk:
Identity added: /home/aieri/.ssh/id_ed25519_verify_sk (this key requires UV)

$ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 fails\!"
sign_and_send_pubkey: signing failed for ED25519-SK "/home/aieri/.ssh/id_ed25519_verify_sk" from agent: agent refused operation
ubuntu@10.35.202.231: Permission denied (publickey).

[note that the above is printed immediately, and that the yubikey does not light up]

Shell 2 (no ssh agent):

$ ssh ubuntu@10.35.202.231 -i ~/.ssh/id_ed25519_verify_sk "echo FIDO2 works\!"
Enter passphrase for key '/home/aieri/.ssh/id_ed25519_verify_sk':
Enter PIN for ED25519-SK key /home/aieri/.ssh/id_ed25519_verify_sk:
Confirm user presence for key ED25519-SK SHA256:nhgS4c2rGtE7XKeez3rAsofrjJvsL6rmBLShZxfTXIY
User presence confirmed
FIDO2 works!

NOTE:
* user _presence_ can be validated correctly with or without the ssh-agent: keys generated without `-O verify-required` work as expected (aside from bug 1869897)

Lena Voytek (lvoytek) wrote :

Thank you for submitting this report. I attempted to verify on a fresh install of Kinetic as a client and Jammy as a server using a Yubikey Bio. ssh login worked for me both with and without ssh-agent active. I unfortunately don't have a 5c to test with and the issue may lie specifically with that. Have you tried this with multiple new ssh keys to confirm the issue?

Changed in openssh (Ubuntu):
status: New → Incomplete
Andrea Ieri (aieri) wrote :

Hi Lena, actually yes, I can reproduce the same issue with a nitrokey 3A NFC. I also have an older yubikey 5A but I cannot test with it as its firmware does not support user verification, only user presence.

Changed in openssh (Ubuntu):
status: Incomplete → New
Andreas Hasenack (ahasenack) wrote :

I believe this issue is correct. I noticed this when writing up the documentation[1] on how to use openssh with fido2 resident keys:

"""
NOTE
If you used the -O verify-required option when generating the keys, or if that option is set on the SSH server via /etc/ssh/sshd_config’s PubkeyAuthOptions verify-required, then using the agent currently in Ubuntu 22.04 LTS won’t work.
"""

I remember I found an upstream bug about this, but it is a bit muddy because there is ssh-agent from ssh, and there is one from gnome (and I think from gpg-agent as well; again, muddy).

If I find those pointers again, I'll post them here.

1. https://ubuntu.com/server/docs/service-openssh

Andreas Hasenack (ahasenack) wrote :

Some references I found back then:

https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101

https://github.com/openssh/openssh-portable/commit/39d17e189f8e72c34c722579d8d4e701fa5132da

From my chat messages:
plain ssh-agent on kinetic worked with verify-required keys
but I had to install ssh-askpass (ugly X11 interface)
without it, it fails
gnome-keyring's ssh-agent doesn't seem to support PIN entry for verify-required keys
that's a lot of exceptions to list in the docs: a) newer openssh-client; b) ssh-askpass-gnome installed; c) use ssh-agent, not gnome-keyring (gnome-keyring is our default)

So IIRC, it worked with kinetic's openssh ssh-agent, not ssh-agent from elsewhere (that would be the gnome-keyring bug linked above).
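
The comment above boils the failure down to three conditions: which agent is actually behind SSH_AUTH_SOCK (OpenSSH's ssh-agent vs. gnome-keyring's), whether an askpass helper is available so the agent can prompt for the PIN, and whether user verification is being demanded at all (by the key, by an authorized_keys option, or by PubkeyAuthOptions in sshd_config). The script below is an added diagnostic that checks those conditions in one place; it is not code from the bug report, from the linked upstream commit, or from Ubuntu's openssh packaging. The socket path patterns it uses to classify the agent, and /usr/bin/ssh-askpass as the fallback askpass location, are assumptions about the conventional defaults on Ubuntu.

```shell
#!/bin/sh
# Added diagnostic for the "agent refused operation" failure with
# verify-required FIDO2 keys. Not part of the bug report or of openssh.
# Assumptions: agent sockets live at their conventional default paths, and
# the compiled-in askpass fallback is /usr/bin/ssh-askpass (Debian/Ubuntu).

# Classify the agent behind a socket path by its conventional location.
# Prints one of: none, gnome-keyring, openssh, gpg-agent, unknown.
agent_kind() {
  sock=$1
  [ -n "$sock" ] || { echo none; return; }
  case "$sock" in
    */keyring/ssh)            echo gnome-keyring ;;   # gnome-keyring ssh component
    /tmp/ssh-*/agent.*)       echo openssh ;;         # OpenSSH ssh-agent default
    */gnupg/S.gpg-agent.ssh)  echo gpg-agent ;;       # gpg-agent --enable-ssh-support
    *)                        echo unknown ;;
  esac
}

# Return 0 if an askpass program is reachable for the PIN prompt:
# $SSH_ASKPASS if set, otherwise ssh-askpass in PATH, otherwise the
# fallback path (overridable through ASKPASS_FALLBACK for testing).
askpass_available() {
  if [ -n "${SSH_ASKPASS:-}" ]; then
    [ -x "$SSH_ASKPASS" ]
    return
  fi
  command -v ssh-askpass >/dev/null 2>&1 && return 0
  [ -x "${ASKPASS_FALLBACK:-/usr/bin/ssh-askpass}" ]
}

# Return 0 if an authorized_keys line carries the verify-required option.
# Options precede the key type and are comma-separated in one field; quoted
# option values (command="...", from="...") are stripped first so a space
# inside them cannot be mistaken for a field separator.
authkey_requires_uv() {
  opts=$(printf '%s' "$1" | sed 's/"[^"]*"//g')
  for field in $opts; do
    case "$field" in
      sk-*|ssh-*|ecdsa-*) return 1 ;;   # reached the key type: no more options
    esac
    case ",$field," in
      *,verify-required,*) return 0 ;;
    esac
  done
  return 1
}

# Return 0 if sshd_config sets PubkeyAuthOptions with verify-required
# (server-wide requirement, independent of how the key was generated).
sshd_requires_uv() {
  grep -Eiq '^[[:space:]]*PubkeyAuthOptions[[:space:]]+.*verify-required' "$1"
}

# Report what a verify-required key will hit in the current shell, using the
# behaviour described in this thread for each agent.
diagnose() {
  kind=$(agent_kind "${SSH_AUTH_SOCK:-}")
  echo "agent behind SSH_AUTH_SOCK: $kind"
  case "$kind" in
    none)
      echo "no agent: ssh(1) prompts for the PIN itself (the working 'Shell 2' case)" ;;
    gnome-keyring)
      echo "gnome-keyring agent: thread reports no PIN prompt for verify-required keys" ;;
    *)
      if askpass_available; then
        echo "askpass helper found: the agent has a way to prompt for the PIN"
      else
        echo "no askpass helper: expect 'agent refused operation'; install ssh-askpass-gnome or set SSH_ASKPASS"
      fi ;;
  esac
}

# Run the report when executed directly (not when sourced for its functions).
case "$0" in
  *sh) : ;;
  *) diagnose ;;
esac
```

Run it in the shell where ssh fails; the first line tells you whether the `ssh-add` went to gnome-keyring's agent rather than the `eval $(ssh-agent)` one, which is the mix-up the comment calls "muddy". The authorized_keys and sshd_config checks are for the server side, where `PubkeyAuthOptions verify-required` forces UV even for keys generated without `-O verify-required`.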

denos (shane-systemnexus) wrote :

Just a note that the pin prompt works under Ubuntu 23.04 after installing ssh-askpass-gnome. Yubico - Security Key C NFC used.

Changed in openssh (Ubuntu):
status: New → Triaged