FIDO2 user verification impossible when using the ssh agent
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
I am having trouble setting up FIDO2 ssh keys with my yubikey 5C NFC if I want to enable user verification (user presence works fine).
Steps to reproduce:
= Prep work =
Client (kinetic):
* generate a key that requires user verification:
$ ssh-keygen -t ed25519-sk -f ~/.ssh/
[provide your authenticator PIN, touch it, and add an encryption password]
Server (jammy):
* add id_ed25519_
= Symptoms =
Shell 1 (w/ssh agent):
$ eval $(ssh-agent)
Agent pid 3279738
$ ssh-add ~/.ssh/
Enter passphrase for /home/aieri/
Identity added: /home/aieri/
$ ssh ubuntu@
sign_and_
ubuntu@
[note that the above is printed immediately, and that the yubikey does not light up]
Shell 2 (no ssh agent):
$ ssh ubuntu@
Enter passphrase for key '/home/
Enter PIN for ED25519-SK key /home/aieri/
Confirm user presence for key ED25519-SK SHA256:
User presence confirmed
FIDO2 works!
NOTE:
* user _presence_ can be validated correctly with or without the ssh-agent: keys generated without `-O verify-required` work as expected (aside from bug 1869897)
Changed in openssh (Ubuntu): status: New → Triaged
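A way to check what an sk signature actually carried, as an added example that is not part of this report or of OpenSSH itself: it decodes the sk signature layout documented in OpenSSH's PROTOCOL.u2f (string type, string signature, byte flags, uint32 counter) and applies the rule sshd uses for a key listed with `verify-required` in authorized_keys, namely that the user-verification bit of the flags byte must be set. The two sample blobs are constructed with dummy signature bytes, and the function names are my own.

```python
import struct
# Bits of the flags byte in an sk signature; they mirror the FIDO
# authenticator-data flags (bit 0 = user presence, bit 2 = user verification).
SSH_SK_USER_PRESENCE_REQD = 0x01
SSH_SK_USER_VERIFICATION_REQD = 0x04

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def parse_sk_signature(blob):
    """Decode PROTOCOL.u2f layout: string type, string sig, byte flags, uint32 counter."""
    sigtype, off = _read_string(blob, 0)
    sig, off = _read_string(blob, off)
    if off + 5 != len(blob):
        raise ValueError("flags/counter missing or trailing bytes present")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    return {
        "type": sigtype.decode("ascii"),
        "signature": sig,
        "flags": flags,
        "counter": counter,
        "user_present": bool(flags & SSH_SK_USER_PRESENCE_REQD),
        "user_verified": bool(flags & SSH_SK_USER_VERIFICATION_REQD),
    }

def check_verify_required(blob, no_touch_required=False):
    """Acceptance rule for a key listed with verify-required in authorized_keys:
    the UV bit must be set, and the UP bit too unless no-touch-required is set."""
    info = parse_sk_signature(blob)
    return info["user_verified"] and (no_touch_required or info["user_present"])

def build_sk_signature(flags, counter, sig=b"\x00" * 64,
                       sigtype=b"sk-ssh-ed25519@openssh.com"):
    """Construct a sample blob for testing; the 64 signature bytes are dummies."""
    return (struct.pack(">I", len(sigtype)) + sigtype
            + struct.pack(">I", len(sig)) + sig
            + bytes([flags]) + struct.pack(">I", counter))

# Constructed samples: a touch-only signature (no UV) and a PIN + touch signature.
SIG_UP_ONLY = build_sk_signature(0x01, 42)       # check_verify_required -> False
SIG_UP_AND_UV = build_sk_signature(0x05, 43)     # check_verify_required -> True
```

To try a real blob, the `signature` field of an SSHSIG created with `ssh-keygen -Y sign` against the sk key uses this same encoding.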
Thank you for submitting this report. I attempted to verify on a fresh install of Kinetic as a client and Jammy as a server using a Yubikey Bio. ssh login worked for me both with and without ssh-agent active. I unfortunately don't have a 5c to test with and the issue may lie specifically with that. Have you tried this with multiple new ssh keys to confirm the issue?