Error when using fido2 keys

Hi,

If I create resident keys like this, it just asks me to touch the key and I can ssh into my server:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -f ~/.ssh/test2 -P ""

But if I add "-O verify-required", when I use the key it gives me an error.

ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2 -O verify-required -f ~/.ssh/test2 -P ""

The error:

Confirm user presence for key ED25519-SK SHA256:P7lEnbk29qZwzTo1KW9QfUUBD9n9wxtT8L4DlWqTbRA
sign_and_send_pubkey: signing failed for ED25519-SK "/home/donquijote/.ssh/id_ed25519_sk_rk_test2": device not found
mtde7vpi473ga9r@5.72.118.71: Permission denied (publickey,password).

Adding "-O verify-required" is the only way to ask for the PIN to be entered. What can I do?

Thanks

Good question, I'm also trying to force the PIN query, but just to try it. For productive FIDO2/U2F OpenSSH authentication, the OnlyKey PIN, plus a one-time FIDO2 PIN entry at ssh-add -K to ssh-agent, plus touching an OnlyKey button at each SSH login is enough for me.

As suggested here, I tried both options on the server (remote system).

  • Appended verify-required in ~/.ssh/authorized_keys (as an option in front of the key, since anything after the key blob is read as a comment):
    verify-required sk-ssh-ed25519@openssh.com <EntryID>
  • and added
    PubkeyAuthOptions verify-required
    in the sshd_config file on the remote system, then reloaded sshd.

The FIDO2 PIN is only required once if the key is added to the ssh-agent with ssh-add -K. After that, touching the OnlyKey is all that is required for each SSH login on the servers.
Hint: If I have an OnlyKey and a YubiKey in the laptop at the same time, I can't use the CLI tools (onlykey-cli and ykman).

By the way: YubiKey sucks!
Doesn’t belong here but shows the advantages of open source OnlyKeys and NitroKeys. The firmware on my Yubi 5 can’t generate non-discoverable ed25519-sk keys and discoverable (resident) ed25519-sk or ecdsa-sk keys. Because Yubikey can’t upgrade the firmware, I would have to buy new ones again :frowning: YubiKey NEO couldn’t do FIDO2, then bought a Yubi 5 that can’t do FIDO2 SSH-auth now. I’ll never buy a YubiKey again.
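As an added illustration (not code from this thread, OnlyKey or OpenSSH), a small Python checker that reads authorized_keys lines the way sshd does, options first, and reports sk-* entries where verify-required is missing or was appended after the key blob, where it only counts as a comment. The key blobs in the test are constructed placeholders.

```python
# Audit an OpenSSH authorized_keys file for FIDO security-key entries that do
# not actually enforce "verify-required". Constructed example, not project code.
# sshd's line format is:  [options] keytype base64-blob [comment]
# so an option written after the blob is part of the comment and is ignored.

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _split_tokens(line):
    """Split on whitespace but keep double-quoted option values (command="...") intact."""
    tokens, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_authorized_keys_line(line):
    """Return dict(options, key_type, blob, comment), or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_tokens(line)
    for i, tok in enumerate(tokens[:2]):  # key type must be token 0 or 1
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            options = tokens[0].split(",") if i == 1 else []
            return {"options": options, "key_type": tok,
                    "blob": tokens[i + 1], "comment": " ".join(tokens[i + 2:])}
    return None


def audit_authorized_keys(text):
    """Return (line_number, message) findings for sk-* keys whose PIN/UV check is not enforced."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_authorized_keys_line(line)
        if entry is None or entry["key_type"] not in SK_KEY_TYPES:
            continue
        if "verify-required" in entry["options"]:
            continue  # correctly placed, sshd will demand user verification
        if "verify-required" in entry["comment"].split():
            findings.append((n, "verify-required after the key blob is a comment; move it before the key type"))
        else:
            findings.append((n, "sk key without verify-required: PIN/UV is not enforced by sshd"))
    return findings
```

A global PubkeyAuthOptions verify-required in sshd_config covers every key regardless of per-line options; this checker only looks at the per-key file.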

I’m seeing this problem, but only if the key is downloaded from the device (ssh-keygen -K).

What problem do you mean exactly?

ssh-add -K
or
ssh-keygen -K

works as expected = asks for FIDO2 PIN

By the way, adding FIDO/U2F support is one of the nicest features of OpenSSH. :grinning:
OpenSSH 8.2 FIDO/U2F Support

I misunderstood something above on the Yubikey page.
The FIDO2 PIN is required when creating a new key or adding it to the SSH agent using ssh-add -K. After that, every SSH login to the servers only requires touching the OnlyKey. That’s intentional.