SSH/PGP: Stored keys can't be confirmed in button press mode

Hello,

I noticed that I can’t use my stored keys when in Button Press mode. Upgraded OK firmware to latest 3.0.2 - still no change.

Derived keys seem to work fine both for Button Press and Challenge-Response.

The authentication process goes like this:

 ✘ lion@lionpc  ~  SHELL=/bin/bash onlykey-agent -sk ECC2 lion@localhost -c
Host key fingerprint is SHA256:X+dcj7NmIOh50Qj/WPBmtAa0zq+fSHCOkM7EZk3eDi0
+--[ED25519 256]--+
|                 |
|          .      |
|        .. .     |
|     . =.o+ .    |
|      B E*+B... .|
|     * ..XB.X+ o.|
|      o...=@ .= .|
|        o.o.o.oo |
|         .oooo.  |
+----[SHA256]-----+
2022-11-04 15:06:26,339 WARNING      unparsed blob: b'\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 \x90\x9c\xff9\x07\xd8\xd6pK\xd6\xca\x86j\x12\x1a\xd9D\x03#\xd6\nOX\xd2\xa4)\x02\x898\x8des' [client.py:86]
Enter the 3 digit challenge code on OnlyKey to authorize <ssh://lion@localhost|ed25519>
2 1 4

and then it just hangs despite me trying to get to the keys. Notice how the agent still asks for a challenge-response PIN even though I’m trying to do button-press.

PS. It does this with derived keys too – shows the PIN but the challenge gets signed as soon as I press any key on the OnlyKey.

Here’s my version info:

$ onlykey-agent --version
onlykey-agent=1.1.14 lib-agent=1.0.5

$ onlykey-cli version
OnlyKey CLI v1.2.10

$ onlykey-cli fwversion
v3.0.2-prodc

OpenSSH version: openssh 9.0p1-1

Running Manjaro Linux.
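The `unparsed blob` in the WARNING line above is the public key the SSH client handed to the agent, encoded in the SSH wire format (RFC 4253 length-prefixed strings; for ed25519 that is the string `ssh-ed25519` followed by the 32 raw key bytes, RFC 8709), wrapped in one extra outer string. Decoding it tells you which key the agent was actually asked to sign with, which is handy when a stored key hangs as described. The parser below is an added example written for this page; it is not part of the thread or of the onlykey-agent project. The function names (`read_string`, `parse_pubkey_blob`, `fingerprint`, `authorized_keys_line`) are my own, and `SAMPLE_BLOB` is the exact byte string from the log line, embedded as sample input:

```python
"""Decode an SSH wire-format public key blob such as the one onlykey-agent logged.

SSH "string" encoding (RFC 4253 section 5): 4-byte big-endian length, then
that many bytes. An ssh-ed25519 public key blob (RFC 8709) is:
    string "ssh-ed25519"
    string <32 raw public key bytes>
The agent's "unparsed blob" wraps that whole key blob in one more string.
"""
import base64
import hashlib
import struct

# Constructed sample input: the bytes shown in the agent's WARNING line.
SAMPLE_BLOB = (
    b'\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 '
    b'\x90\x9c\xff9\x07\xd8\xd6pK\xd6\xca\x86j\x12\x1a\xd9D\x03#\xd6\nOX\xd2\xa4)\x02\x898\x8des'
)

# Key type names the parser recognises as the first string of a key blob.
KNOWN_TYPES = {
    b"ssh-ed25519", b"ssh-rsa",
    b"ecdsa-sha2-nistp256", b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521",
}


def read_string(buf: bytes, offset: int):
    """Read one length-prefixed SSH string at offset; return (payload, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[start:end], end


def parse_pubkey_blob(blob: bytes) -> dict:
    """Parse a public key blob into its key type and remaining fields.

    Accepts either a bare key blob or, as in the agent log, a key blob wrapped
    in one outer string. Returns the bare (canonical) blob so that its
    fingerprint matches what `ssh-keygen -lf` would print for the same key.
    """
    first, off = read_string(blob, 0)
    if first not in KNOWN_TYPES:
        # Not a key type, so treat it as the outer wrapper and parse its payload.
        if off != len(blob):
            raise ValueError("trailing bytes after outer wrapper string")
        return parse_pubkey_blob(first)
    fields = []
    while off < len(blob):
        field, off = read_string(blob, off)
        fields.append(field)
    if first == b"ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("malformed ssh-ed25519 key: expected one 32-byte field")
    return {"type": first.decode("ascii"), "fields": fields, "canonical": blob}


def fingerprint(canonical_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256 over the bare blob, no padding."""
    digest = hashlib.sha256(canonical_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def authorized_keys_line(parsed: dict) -> str:
    """Render the key as an authorized_keys / .pub line for direct comparison."""
    return parsed["type"] + " " + base64.b64encode(parsed["canonical"]).decode("ascii")


if __name__ == "__main__":
    key = parse_pubkey_blob(SAMPLE_BLOB)
    print("key type   :", key["type"])
    print("key bytes  :", key["fields"][0].hex())
    print("fingerprint:", fingerprint(key["canonical"]))
    print("pub line   :", authorized_keys_line(key))
```

Run it and compare the printed fingerprint with the output of `ssh-keygen -lf` on the `.pub` file you expect the agent to use; a mismatch means the client offered a different key than the one you think is stored on the device. Note that the `SHA256:X+dc...` line in the log is the host key fingerprint, not this key's.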

After I recreated my stored keys with gpg2 as described here, I was able to use them normally with the GPG/SSH agent. Guess it works now :slight_smile:

Derived keys seem to work fine both for Button Press and Challenge-Response.

There are separate settings for derived and stored key challenge mode so if one worked and not the other the only thing I could think of is the stored challenge mode setting was not set on OnlyKey for some reason.

The problem is that I have definitely set both of these options to ‘button press only’. However, for me, stored keys with SSH didn’t work reliably, hanging at the 3-digit PIN prompt every time.

Stored keys work fine for PGP (requiring only a button press), and derived keys work fine also.

Also, I think the agent outputs ‘Enter a three-digit pin, <> <> <*>’ even when in Button press mode – which I do find a more than mildly confusing, if cosmetic, defect.
