Domenico Andreoli
2020-Jul-20 00:01 UTC
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 20, 2020 at 09:27:16AM +1000, Damien Miller wrote:
> On Sun, 19 Jul 2020, Domenico Andreoli wrote:
>
> > On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> > >
> > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > > works. However, it does not do PIN enforcement at SSH login. It only
> > > > requests the PIN during the set-up process (when the key is being
> > > > generated). Is that the way it's supposed to work?
> > >
> > > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > > except for a couple of corner cases (e.g. resident keys).
> > >
> > > I hope to add this before OpenSSH 8.4.
> >
> > Somewhat related: touching the FIDO key to authorize the operation.
> >
> > The user is prompted to touch the FIDO key when generating an ssh key
> > but later on (e.g. ssh-add -T ...) this does not happen any more.
> >
> > I guess it's due to the agent server not having any means to call back
> > the client for notifying that user action is required [0].
>
> ssh-agent will prompt via $SSH_ASKPASS if you have it configured.

Evidently my setup has some problem, I don't see any dialog. I'll
investigate. Thanks.

Dom

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
Damien Miller
2020-Jul-20 03:12 UTC
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, 20 Jul 2020, Domenico Andreoli wrote:

> > > I guess it's due to the agent server not having any means to call back
> > > the client for notifying that user action is required [0].
> >
> > ssh-agent will prompt via $SSH_ASKPASS if you have it configured.
>
> Evidently my setup has some problem, I don't see any dialog. I'll
> investigate. Thanks.

Common problems:

1) you might not be running OpenSSH's ssh-agent. Some desktop environments
   will silently start their own, with varying levels of compatibility

2) Not starting ssh-agent with $DISPLAY set

3) Not having an askpass program at the path that ssh-agent expects
   or not having $SSH_ASKPASS pointing to one (again, before starting the agent)

-d
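The three failure modes Damien lists above can be checked from a login script before the agent is started. The following is an added example, not code from the thread or from OpenSSH: two small POSIX sh functions that audit DISPLAY and SSH_ASKPASS and that verify the process behind SSH_AGENT_PID really is ssh-agent rather than a desktop keyring answering on the same variables. The askpass path in the commented usage (/usr/bin/ssh-askpass) is an assumption that varies by distribution; the compiled-in default path OpenSSH falls back to is likewise build-specific.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit the environment
# ssh-agent needs before it can raise an $SSH_ASKPASS dialog for a FIDO touch.
# ssh-agent reads DISPLAY and SSH_ASKPASS from its own environment, so they
# must be set in the shell that *launches* the agent, not only in the shell
# that later runs ssh or ssh-add.

# askpass_env_check DISPLAY SSH_ASKPASS
# Prints one finding per problem; returns 0 only when both are usable.
askpass_env_check() {
    display=$1
    askpass=$2
    rc=0

    if [ -z "$display" ]; then
        echo "DISPLAY is unset: ssh-agent will not attempt a graphical prompt"
        rc=1
    fi

    if [ -z "$askpass" ]; then
        echo "SSH_ASKPASS is unset: agent falls back to its compiled-in default path"
        rc=1
    elif [ ! -x "$askpass" ]; then
        echo "SSH_ASKPASS=$askpass is not an executable file"
        rc=1
    fi

    return "$rc"
}

# agent_is_openssh PID
# Returns 0 if the process behind $SSH_AGENT_PID is OpenSSH's ssh-agent.
# Desktop keyrings often export SSH_AUTH_SOCK/SSH_AGENT_PID for their own agent.
agent_is_openssh() {
    pid=$1
    [ -n "$pid" ] || return 1
    comm=$(ps -o comm= -p "$pid" 2>/dev/null)
    [ "$comm" = "ssh-agent" ]
}

# Typical use in a login script (assumed askpass path; adjust for your distro):
# : "${SSH_ASKPASS:=/usr/bin/ssh-askpass}"; export SSH_ASKPASS
# if askpass_env_check "$DISPLAY" "$SSH_ASKPASS"; then
#     eval "$(ssh-agent -s)"                 # agent inherits DISPLAY and SSH_ASKPASS here
#     agent_is_openssh "$SSH_AGENT_PID" || echo "warning: another agent is answering"
#     ssh-add -T ~/.ssh/id_ed25519_sk.pub    # should now raise the touch prompt
# fi
```

Run the check in the same environment that will exec ssh-agent; setting SSH_ASKPASS after the agent is already running has no effect on prompts for keys it holds, which is the trap item 3 above describes.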
Domenico Andreoli
2020-Jul-20 08:26 UTC
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 20, 2020 at 01:12:10PM +1000, Damien Miller wrote:
> On Mon, 20 Jul 2020, Domenico Andreoli wrote:
>
> > > > I guess it's due to the agent server not having any means to call back
> > > > the client for notifying that user action is required [0].
> > >
> > > ssh-agent will prompt via $SSH_ASKPASS if you have it configured.
> >
> > Evidently my setup has some problem, I don't see any dialog. I'll
> > investigate. Thanks.
>
> Common problems:
>
> 1) you might not be running OpenSSH's ssh-agent. Some desktop environments
>    will silently start their own, with varying levels of compatibility
>
> 2) Not starting ssh-agent with $DISPLAY set
>
> 3) Not having an askpass program at the path that ssh-agent expects
>    or not having $SSH_ASKPASS pointing to one (again, before starting the agent)

Managed to make it work. Nice! Thanks again.

Now, all the perfectly good use cases that do not have a running desktop
are left without a screen notification. Any ideas for these?

Another issue: the current ssh-askpass solution does not give any hint of
which application is requesting the confirmation. It's then possible to
race with a malicious application and get the confirmation first.

Dom

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05