Error when using fido2 keys


If I create resident keys like this, it just asks me to touch the key and if I can ssh into my server:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -f ~/.ssh/test2 -P “”

But if I add “-O verify-required”, when I use the key it gives me an error.

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -O verify-required -f ~/.ssh/test2 -P “”

The error:

Confirm user presence for key ED25519-SK SHA256:P7lEnbk29qZwzTo1KW9QfUUBD9n9wxtT8L4DlWqTbRA
sign_and_send_pubkey: signing failed for ED25519-SK “/home/donquijote/.ssh/id_ed25519_sk_rk_test2”: device not found
[mtde7vpi473ga9r@](mailto:mtde7vpi473ga9r@ Permission denied (publickey,password).

Adding “-O verify-required” is the only way to ask to enter the pin. What I can do?


Good question, I’m also trying to force the PIN query. But just to try it. For a productive FIDO2 U2F OpenSSH authentication, the OnlyKey PIN + one-time FIDO2 PIN entry at ssh-add -K to ssh-agent + touching an OnlyKey button at each SSH login is enough for me.

As suggested here, I tried both options on the server (remote system).

  • Appended: verify-required in ~/.ssh/authorized_keys <EntryID> verify-required
  • and added
    PubkeyAuthOptions verify-required
    in sshd_config file on the remote system + reload sshd afterwards.

The FIDO2 PIN is only required once if the key is added to the ssh-agent with ssh-add -K. After that, touching the OnlyKey is all that is required for each SSH login on the servers.
Hint: If I have an OnlyKey and YubiKey in the laptop at the same time, I can’t use cli. (onlykey-cli and ykman)

By the way: YubiKey sucks!
Doesn’t belong here but shows the advantages of open source OnlyKeys and NitroKeys. The firmware on my Yubi 5 can’t generate non-discoverable ed25519-sk keys and discoverable (resident) ed25519-sk or ecdsa-sk keys. Because Yubikey can’t upgrade the firmware, I would have to buy new ones again :frowning: YubiKey NEO couldn’t do FIDO2, then bought a Yubi 5 that can’t do FIDO2 SSH-auth now. I’ll never buy a YubiKey again.

I’m seeing this problem, but only if the key is downloaded from the device (ssh-keygen -K).

What problem do you mean exactly?

ssh-add -K
ssh-keygen -K

works as expected = asks for FIDO2 PIN

By the way, adding FIDO/U2F support is one of the nicest features of OpenSSH. :grinning:
OpenSSH 8.2 FIDO/U2F Support

I misunderstood something above on the Yubikey page.
The FIDO2 PIN is required when creating a new key or adding it to the SSH agent using ssh-add -K. After that, every SSH login to the servers only requires touching the OnlyKey. That’s intentional.