Error when using fido2 keys

SSH, OpenPGP, GPG
1

Hi,

If I create resident keys like this, it just asks me to touch the key and if I can ssh into my server:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -f ~/.ssh/test2 -P “”

But if I add “-O verify-required”, when I use the key it gives me an error.

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -O verify-required -f ~/.ssh/test2 -P “”

The error:

Confirm user presence for key ED25519-SK SHA256:P7lEnbk29qZwzTo1KW9QfUUBD9n9wxtT8L4DlWqTbRA
sign_and_send_pubkey: signing failed for ED25519-SK “/home/donquijote/.ssh/id_ed25519_sk_rk_test2”: device not found
[mtde7vpi473ga9r@5.72.118.71](mailto:mtde7vpi473ga9r@5.72.118.71): Permission denied (publickey,password).

Adding “-O verify-required” is the only way to ask to enter the pin. What I can do?

Thanks

2

Good question, I’m also trying to force the PIN query. But just to try it. For a productive FIDO2 U2F OpenSSH authentication, the OnlyKey PIN + one-time FIDO2 PIN entry at ssh-add -K to ssh-agent + touching an OnlyKey button at each SSH login is enough for me.

As suggested here, I tried both options on the server (remote system).

  • Appended: verify-required in ~/.ssh/authorized_keys
    sk-ssh-ed25519@openssh.com <EntryID> verify-required
  • and added
    PubkeyAuthOptions verify-required
    in sshd_config file on the remote system + reload sshd afterwards.

The FIDO2 PIN is only required once if the key is added to the ssh-agent with ssh-add -K. After that, touching the OnlyKey is all that is required for each SSH login on the servers.
Hint: If I have an OnlyKey and YubiKey in the laptop at the same time, I can’t use cli. (onlykey-cli and ykman)

By the way: YubiKey sucks!
Doesn’t belong here but shows the advantages of open source OnlyKeys and NitroKeys. The firmware on my Yubi 5 can’t generate non-discoverable ed25519-sk keys and discoverable (resident) ed25519-sk or ecdsa-sk keys. Because Yubikey can’t upgrade the firmware, I would have to buy new ones again :frowning: YubiKey NEO couldn’t do FIDO2, then bought a Yubi 5 that can’t do FIDO2 SSH-auth now. I’ll never buy a YubiKey again.