I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it works. However, it does not do PIN enforcement at SSH login. It only requests the PIN during the set-up process (when the key is being generated). Is that the way it's supposed to work?

Frank
You did not say what method you are using. https://developers.yubico.com/SSH/ lists 4 different ways to use the Yubikey: PIV, PGP, FIDO U2F and OTP.

In PIV section: https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html

It says: "If you have followed these steps to the letter, you will not be asked for the PIV PIN, but your YubiKey will start blinking, waiting for touch."

Note the "--pin-policy=never --touch-policy=always"

On 7/10/2020 3:38 PM, Frank Sharkey wrote:
> I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> works. However, it does not do PIN enforcement at SSH login. It only
> requests the PIN during the set-up process (when the key is being
> generated). Is that the way it's supposed to work?
>
> Frank
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Douglas E. Engert <DEEngert at gmail.com>
On Fri, 10 Jul 2020, Frank Sharkey wrote:
> I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> works. However, it does not do PIN enforcement at SSH login. It only
> requests the PIN during the set-up process (when the key is being
> generated). Is that the way it's supposed to work?

Assuming you are using this device as a FIDO token (and not PKCS#11), this is expected. OpenSSH doesn't yet support requiring PINs for keys except for a couple of corner cases (e.g. resident keys).

I hope to add this before OpenSSH 8.4.

-d
Domenico Andreoli
2020-Jul-19 11:08 UTC
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> On Fri, 10 Jul 2020, Frank Sharkey wrote:
>
> > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > works. However, it does not do PIN enforcement at SSH login. It only
> > requests the PIN during the set-up process (when the key is being
> > generated). Is that the way it's supposed to work?
>
> Assuming you are using this device as a FIDO token (and not PKCS#11),
> this is expected. OpenSSH doesn't yet support requiring PINs for keys
> except for a couple of corner cases (e.g. resident keys).
>
> I hope to add this before OpenSSH 8.4.

Somewhat related: touching the FIDO key to authorize the operation.

The user is prompted to touch the FIDO key when generating an ssh key but later on (e.g. ssh-add -T ...) this does not happen any more. I guess it's due to the agent server not having any means to call back the client for notifying that user action is required [0].

Is it maybe an idea to add some 'touch required' constraint to such ssh keys? If the client could query for such constraint (via some protocol extension yet to be implemented), then it would show a prompt just before requesting the operation to the agent server.

Dom

[0] https://tools.ietf.org/html/draft-miller-ssh-agent-04

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
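Both Damien's reply (PIN/user verification is not yet enforceable per key in 8.2) and Dom's follow-up (touch is not surfaced once the key sits in an agent) concern per-key policy on FIDO-backed keys. On the server side that policy is expressed in authorized_keys: OpenSSH 8.2 accepts the `no-touch-required` option, which tells sshd to accept an assertion made without user presence, and the later `verify-required` option (added in OpenSSH 8.4, the release Damien names as his target) makes sshd demand user verification such as a PIN. The script below is an added example and is not OpenSSH code or anything posted in this thread: it parses authorized_keys lines, decodes the public blob of `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` keys far enough to read the application string (`ssh:` is the default ssh-keygen uses), and flags FIDO keys whose options weaken touch or PIN enforcement. The sample file, the key bytes and the `from=` addresses in it are constructed for the demonstration; only public data is read, so it runs without a token attached.

```python
import base64
import struct

_SK_ED, _SK_EC = "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"
SK_KEY_TYPES = {_SK_ED, _SK_EC}  # OpenSSH key types for FIDO-backed keys

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    # Read one SSH 'string' at off; returns (value, next offset).
    (n,) = struct.unpack(">I", buf[off:off + 4])  # struct.error if truncated
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_sk_pubkey(key_type: str, material: bytes, application: str) -> str:
    """Build the base64 blob of an sk-* public key (layout per OpenSSH PROTOCOL.u2f)."""
    body = _ssh_string(key_type.encode())
    if key_type == _SK_EC:
        body += _ssh_string(b"nistp256")  # curve name precedes the EC point
    body += _ssh_string(material) + _ssh_string(application.encode())
    return base64.b64encode(body).decode()

def parse_sk_pubkey(blob_b64: str) -> dict:
    """Decode an sk-* public key blob; return its key type and application."""
    buf = base64.b64decode(blob_b64)
    raw_type, off = _read_string(buf, 0)
    key_type = raw_type.decode()
    if key_type not in SK_KEY_TYPES:
        raise ValueError(f"not a FIDO/sk key: {key_type}")
    if key_type == _SK_EC:
        _curve, off = _read_string(buf, off)
    _material, off = _read_string(buf, off)
    application, off = _read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after application string")
    return {"type": key_type, "application": application.decode()}

def split_options(opts: str) -> list:
    """Split the comma-separated options field, keeping quoted commas intact."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if cur else out

def parse_authorized_keys_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Options may contain spaces inside quotes (command="ls -l"), so the
    # field ends at the first unquoted whitespace, not the first space.
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):
        quoted ^= line[i] == '"'
        i += 1
    first = line[:i]
    if first in SK_KEY_TYPES or first.startswith(("ssh-", "ecdsa-")):
        options, remainder = [], line  # no options field on this line
    else:
        options, remainder = split_options(first), line[i:]
    parts = remainder.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def audit_authorized_keys(text: str) -> list:
    """Return (line number, comment, message) for FIDO keys with weak policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        if key_type not in SK_KEY_TYPES:
            continue  # only sk-* keys carry touch/verify policy
        app = parse_sk_pubkey(blob)["application"]  # also validates the blob
        names = {o.split("=", 1)[0] for o in options}
        if "no-touch-required" in names:
            findings.append((lineno, comment, "no-touch-required set: user presence not enforced"))
        if "verify-required" not in names:
            findings.append((lineno, comment, f"verify-required absent: no PIN check for app {app!r}"))
    return findings

# Constructed sample authorized_keys file; key material is dummy bytes, not real keys.
_PLAIN = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x05" * 32)).decode()
_BOB = encode_sk_pubkey(_SK_ED, b"\x01" * 32, "ssh:")
_CAROL = encode_sk_pubkey(_SK_EC, b"\x04" + b"\x02" * 64, "ssh:")
_DAVE = encode_sk_pubkey(_SK_ED, b"\x03" * 32, "ssh:")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {_PLAIN} alice@laptop",
    f"no-touch-required {_SK_ED} {_BOB} bob-fido",
    f'verify-required,from="10.0.0.0/8,192.168.1.1" {_SK_EC} {_CAROL} carol-fido',
    f"{_SK_ED} {_DAVE} dave-fido",
])

if __name__ == "__main__":
    for lineno, comment, msg in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno} ({comment}): {msg}")
```

Run against the sample, the audit reports the `no-touch-required` entry and the two FIDO entries that lack `verify-required`; the plain ssh-ed25519 key is skipped because touch and verification policy only apply to sk-* keys. On a real server the same check can be pointed at each user's authorized_keys to confirm that a YubiKey enrolled with touch and PIN is actually held to that policy by sshd, which is the gap Frank's question and Dom's follow-up describe from the client side.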