Can't setup OnlyKey as 2fa device with SSH Keys

Hello,
I’m trying to setup my onlykey as a 2fa device for a new ssh key (as in OpenSSH | Docs), but I always get a “Key enrollment failed: invalid format” error immediately.

Moreover, my onlykey doesn’t even blink - it stays green all the time.

$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
gerlos@lithium:~$ ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format

What can I do? I’m on Ubuntu 22.04, with openssh 8.9, onlykey 3.0.4, desktop app 5.5 (installed from deb package).

Thanks in advance,
Gerlos

PS Not sure if it helps, here’s the verbose output from ssh-keygen:

$ ssh-keygen -vvvv -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=17507
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device /dev/hidraw6
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_BLOCKED
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=17507
Key enrollment failed: invalid format
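The verbose log above shows why the plain "invalid format" message is so unhelpful: the real cause is on the `fido_dev_make_cred: FIDO_ERR_PIN_BLOCKED` line that ssh-sk-helper prints only with `-vvvv`. The small script below, an added example that is not part of this thread or of OnlyKey's tooling, pulls that libfido2 error name out of ssh-keygen's debug output and maps it to the standard CTAP2 status code and what it means for the user. The sample log is the one quoted in the post, trimmed; the error table is the well-known CTAP2 PIN status codes (0x32 PIN_BLOCKED matches the onlykey-cli output later in the thread), and the function names are my own.

```python
import re

# Constructed sample: the verbose ssh-keygen output quoted in the post above,
# trimmed to the lines this script looks at.
SAMPLE_LOG = """\
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sk_probe: 1 device(s) detected
debug1: ssh_sk_enroll: using device /dev/hidraw6
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_BLOCKED
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
Key enrollment failed: invalid format
"""

# libfido2 error names as printed by ssh-sk-helper, with the CTAP2 status code
# each corresponds to and a short, user-facing meaning.
FIDO_ERRORS = {
    "FIDO_ERR_PIN_INVALID": (0x31, "wrong PIN, but retries remain; try again"),
    "FIDO_ERR_PIN_BLOCKED": (0x32, "PIN is blocked after too many wrong attempts; "
                                   "the authenticator must be reset"),
    "FIDO_ERR_PIN_AUTH_BLOCKED": (0x34, "PIN auth temporarily blocked; unplug and "
                                        "re-insert the authenticator, then retry"),
    "FIDO_ERR_PIN_NOT_SET": (0x35, "no FIDO2 PIN has been set yet; set one first"),
    "FIDO_ERR_PIN_REQUIRED": (0x36, "a FIDO2 PIN is required for this operation"),
}

# ssh-sk-helper logs the libfido2 result as "fido_dev_make_cred: <name>" when
# enrolling (ssh-keygen) and "fido_dev_get_assert: <name>" when signing (ssh).
_FIDO_LINE = re.compile(r"fido_dev_(?:make_cred|get_assert): (FIDO_ERR_[A-Z_]+)")


def extract_fido_error(log_text):
    """Return the libfido2 error name found in ssh-keygen/ssh debug output, or None."""
    match = _FIDO_LINE.search(log_text)
    return match.group(1) if match else None


def diagnose(log_text):
    """Turn ssh-keygen output into a one-line explanation of the FIDO failure."""
    err = extract_fido_error(log_text)
    if err is None:
        if "invalid format" in log_text:
            # Only the generic message is present: the helper's debug line is missing.
            return "generic 'invalid format' error only; rerun ssh-keygen with -vvvv " \
                   "to see the libfido2 reason"
        return "no FIDO error found in the given output"
    code, meaning = FIDO_ERRORS.get(err, (None, "see fido_strerr() in libfido2"))
    if code is None:
        return f"{err}: {meaning}"
    return f"{err} (CTAP 0x{code:02x}): {meaning}"


if __name__ == "__main__":
    # Typical use: ssh-keygen -vvvv -t ecdsa-sk 2>&1 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(diagnose(text))
```

Run it on the thread's log and it reports `FIDO_ERR_PIN_BLOCKED (CTAP 0x32)`, which is exactly the state the follow-up posts arrive at via `onlykey-cli set-pin`. Piping `ssh-keygen -vvvv ... 2>&1` into it is enough, since ssh-keygen writes the debug lines to stderr.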

Have you set a FIDO2 pin?
onlykey-cli set-pin

ssh-with-fido2-how-to-set-up-which-pin-code

@donquijote wrote a good HowTo

Thanks for your answer. I admit I didn’t understand FIDO2 PINs so far - only recently have I read a bit more docs, and perhaps I have a clearer understanding now.

I guess I entered the wrong PIN too many times:

$ onlykey-cli set-pin
Please enter new pin: 
Please confirm new pin: 
CTAP error: 0x32 - PIN_BLOCKED
$ onlykey-cli change-pin
Please enter old pin: 
Please enter new pin: 
Please confirm new pin: 
CTAP error: 0x32 - PIN_BLOCKED

So I guess I need to reset FIDO2 credentials - right?

You can try that. But be careful, onlykey-cli reset deletes all FIDO2 credentials. Also from website logins, if you have them. Backup beforehand. In general, always register 2 keys with 2FA or register an OTP app.