Hi,
If I create resident keys like this, it just asks me to touch the key and if I can ssh into my server:
ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -f ~/.ssh/test2 -P ""
But if I add “-O verify-required”, when I use the key it gives me an error.
ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -O verify-required -f ~/.ssh/test2 -P ""
The error:
Confirm user presence for key ED25519-SK SHA256:P7lEnbk29qZwzTo1KW9QfUUBD9n9wxtT8L4DlWqTbRA
sign_and_send_pubkey: signing failed for ED25519-SK "/home/donquijote/.ssh/id_ed25519_sk_rk_test2": device not found
mtde7vpi473ga9r@5.72.118.71: Permission denied (publickey,password).
Adding “-O verify-required” is the only way to make it ask for the PIN. What can I do?
Thanks
Good question, I’m also trying to force the PIN query, but just to try it. For production FIDO2 U2F OpenSSH authentication, the OnlyKey PIN + a one-time FIDO2 PIN entry at ssh-add -K to ssh-agent + touching an OnlyKey button at each SSH login is enough for me.
As suggested here, I tried both options on the server (remote system).
- Appended verify-required in ~/.ssh/authorized_keys:
  sk-ssh-ed25519@openssh.com <EntryID> verify-required
- and added PubkeyAuthOptions verify-required in the sshd_config file on the remote system + reloaded sshd afterwards.
The FIDO2 PIN is only required once if the key is added to the ssh-agent with ssh-add -K. After that, touching the OnlyKey is all that is required for each SSH login on the servers.
Hint: If I have an OnlyKey and a YubiKey in the laptop at the same time, I can’t use the CLIs (onlykey-cli and ykman).
By the way: YubiKey sucks!
Doesn’t belong here but shows the advantages of open source OnlyKeys and NitroKeys. The firmware on my Yubi 5 can’t generate non-discoverable ed25519-sk keys and discoverable (resident) ed25519-sk or ecdsa-sk keys. Because a YubiKey can’t upgrade its firmware, I would have to buy new ones again: the YubiKey NEO couldn’t do FIDO2, then I bought a Yubi 5 that can’t do FIDO2 SSH-auth now. I’ll never buy a YubiKey again.
I’m seeing this problem, but only if the key is downloaded from the device (ssh-keygen -K).
What problem do you mean exactly?
ssh-add -K or ssh-keygen -K works as expected = asks for the FIDO2 PIN.
By the way, adding FIDO/U2F support is one of the nicest features of OpenSSH.
OpenSSH 8.2 FIDO/U2F Support
I misunderstood something above on the Yubikey page.
The FIDO2 PIN is required when creating a new key or adding it to the SSH agent using ssh-add -K. After that, every SSH login to the servers only requires touching the OnlyKey. That’s intentional.