On Feb 17, 2020, at 9:45 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I'm trying out the "resident key" functionality in OpenSSH 8.2, and
>> I'm having trouble getting it to find keys that I've created.
>>
>> I'm trying to create a new resident key using:
>>
>> ssh-keygen -O resident -t ed25519-sk -f <filename>
>>
>> This creates a key, but I'm not actually sure it is creating a
>> "resident" key, as when I try to dump out the resident keys with
>> either "ssh-keygen -K" or "ssh-add -K", it doesn't seem to find
>> anything, reporting back "No keys to download" in ssh-keygen and
>> silently failing in ssh-add (without loading any keys).
>>
>> I also noticed that I can enter pretty much anything at the PIN prompt
>> it gives me, and it doesn't return an error or decrement the number of
>> available PIN retries when I view the key's status.
>>
>> I'm doing these tests against OpenSSH portable HEAD on a Mac with a
>> Yubikey 5 NFC (connected via USB).
>>
>> Any thoughts on what I might be doing wrong?
>
> You can try running "ssh-keygen -Kvvv" to see more detail on what is
> going wrong, but I suspect the problem is that your key's firmware
> has incomplete resident key support. Some of my older Yubikey 5 tokens
> allowed me to create resident keys but not retrieve them.
Here's what I get back:

debug3: start_helper: started pid=96317
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying
IOService:/AppleACPIPlatformExpert/PCI0 at 0/AppleACPIPCI/XHC1 at 14/XHC1 at
14000000/HS08 at 14300000/USB2.0 Hub at 14300000/AppleUSB20Hub at
14300000/AppleUSB20HubPort at 14340000/USB2.0 Hub at 14340000/AppleUSB20Hub at
14340000/AppleUSB20HubPort at 14343000/YubiKey OTP+FIDO+CCID at
14343000/IOUSBHostInterface at 1/IOUSBHostHIDDevice at 14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0 at
0/AppleACPIPCI/XHC1 at 14/XHC1 at 14000000/HS08 at 14300000/USB2.0 Hub at
14300000/AppleUSB20Hub at 14300000/AppleUSB20HubPort at 14340000/USB2.0 Hub at
14340000/AppleUSB20Hub at 14340000/AppleUSB20HubPort at 14343000/YubiKey
OTP+FIDO+CCID at 14343000/IOUSBHostInterface at 1/IOUSBHostHIDDevice at
14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for
IOService:/AppleACPIPlatformExpert/PCI0 at 0/AppleACPIPCI/XHC1 at 14/XHC1 at
14000000/HS08 at 14300000/USB2.0 Hub at 14300000/AppleUSB20Hub at
14300000/AppleUSB20HubPort at 14340000/USB2.0 Hub at 14340000/AppleUSB20Hub at
14340000/AppleUSB20HubPort at 14343000/YubiKey OTP+FIDO+CCID at
14343000/IOUSBHostInterface at 1/IOUSBHostHIDDevice at 14343000,1
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=96317
No keys to download

I tried using "change-pin" in yubico-piv-tool, but that didn't seem to make a
difference. I still got the same error after successfully changing the PIN.
This is a recently purchased YubiKey 5 NFC (within the last month or so),
reporting version 5.2.4 in "yubico-piv-tool -a status".
--
Ron Frederick
ronf at timeheart.net