David Härdeman
2021-Aug-08 13:51 UTC
ssh-keygen and multiple resident keys on a FIDO device
Hi,

I'm using a Yubikey 5 NFC key to store two resident keys at the moment, and using "ssh-keygen -K" to download them to a host is not a very ergonomic experience at the moment (I've tried with OpenSSH 8.4p1-5 in Debian Unstable, I've also read the changelogs of 8.5 and 8.6 but seen no hint that this behavior has changed in later versions).

~/.ssh$ ykman fido credentials list
Enter your PIN: <PIN>
ssh: <usernameA in hex> openssh
ssh: <usernameB in hex> openssh
~/.ssh$ ls id_ed*
ls: cannot access 'id_ed*': No such file or directory
~/.ssh$ ssh-keygen -K
Enter PIN for authenticator: <PIN>
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Saved ED25519-SK key to id_ed25519_sk_rk
id_ed25519_sk_rk already exists.
<in a separate terminal window, "mv -i id_ed25519_sk_rk id_ed25519_sk_tmp; mv -i id_ed22519_sk_rk.pub id_ed2259_sk_tmp.pub">
Overwrite (y/n)? y
Saved ED25519-SK key to id_ed25519_sk_rk
~/.ssh$ cat id_ed2259*.pub
sk-ssh-ed25519@openssh.com <pubkeyA> ssh:
sk-ssh-ed25519@openssh.com <pubkeyB> ssh:

As far as I can tell, there are two issues here:

a) ssh-keygen -K wants to overwrite the first key with the second key rather than using an alternative path (or prompting the user to provide an alternative path)

b) unless a custom application string has been set when the keys were created, it is not easy to distinguish the two keys that are downloaded from the security key and written to the current directory, it would perhaps be better if the pubkeys would include the username (passed with "-O user=foobar" when the keys were initially created) in the comment field?

and, some minor things:

c) it appears impossible to set different passphrases for different keys

d) the man page for the "-O user" and "-O application" options doesn't make it clear that they take an option (so the man page should read e.g. "user=name" and "application=name", like it does for "challenge=path" and "write-attestation=path")

e) The description of the OpenSSH mailing lists indicates that the openssh-unix-dev list is open to non-subscribers. That does not seem to be the case (I got an error message when sending as a non-subscriber). See e.g.:
https://www.openssh.com/list.html
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Cheers,
David
David Härdeman
2021-Aug-08 14:10 UTC
ssh-keygen and multiple resident keys on a FIDO device
August 8, 2021 3:52 PM, "David Härdeman" <david at hardeman.nu> wrote:

> I'm using a Yubikey 5 NFC key to store two resident keys at the moment, and using "ssh-keygen -K"
> to download them to a host is not a very ergonomic experience at the moment (I've tried with
> OpenSSH 8.4p1-5 in Debian Unstable, I've also read the changelogs of 8.5 and 8.6 but seen no hint
> that this behavior has changed in later versions).
...
> a) ssh-keygen -K wants to overwrite the first key with the second key rather than using an
> alternative path (or prompting the user to provide an alternative path)
>
> b) unless a custom application string has been set when the keys were created, it is not easy to
> distinguish the two keys that are downloaded from the security key and written to the current
> directory, it would perhaps be better if the pubkeys would include the username (passed with "-O
> user=foobar" when the keys were initially created) in the comment field?

Ok, now I've tested with two keys generated with different "-O application=" values ("-O application=ssh:userA", "-O application=ssh:userB"), and the user experience is much better. Keys get written out with different suffixes and the userA/userB part gets included in the *.pub file comments. Perhaps this should be clarified in the man page... but I still think the "-O user=*" input should also be reflected in the files created by "ssh-keygen -K".
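One client-side way to deal with points (a) and (b) from this thread once the key files are on disk, as an added example that is not code from the original posts or from OpenSSH: a POSIX sh helper that renames the pairs written by "ssh-keygen -K" after the application suffix in their .pub comment, and gives a numbered name to a second key whose comment is just "ssh:" instead of letting it collide with the first. The function names, the directory argument and the sample key files used in the comments are assumptions; it relies only on OpenSSH's "<type> <base64> <application>" .pub layout.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenSSH.
# After "ssh-keygen -K" has written id_*_sk_rk* files into a directory, rename
# each key pair so the file name carries the application suffix found in the
# .pub comment ("ssh:userA" -> id_ed25519_sk_rk_userA). Keys whose comment is
# the bare "ssh:" application cannot be told apart from the files alone, so a
# second such key gets a numeric suffix instead of overwriting the first.
# Assumes POSIX sh and OpenSSH's "<type> <base64> <application>" .pub layout.

# Print the file name (without .pub) derived from a .pub file's base name
# and its first line.  Usage: sk_key_name <basename.pub> "<pub line>"
sk_key_name() {
    stem=${1%%_sk_rk*}_sk_rk          # id_ed25519_sk_rk_tmp.pub -> id_ed25519_sk_rk
    set -- $2                         # word-split the pub line into its fields
    if [ $# -gt 2 ]; then shift 2; comment=$*; else comment=""; fi
    suffix=${comment#ssh:}            # keep only what follows the "ssh:" prefix
    suffix=$(printf '%s' "$suffix" | tr -c 'A-Za-z0-9._-' '_')
    if [ -n "$suffix" ]; then printf '%s_%s\n' "$stem" "$suffix"; else printf '%s\n' "$stem"; fi
}

# Rename every id_*_sk_rk*.pub and its matching private key in directory $1.
rename_sk_keys() {
    dir=$1
    for pub in "$dir"/id_*_sk_rk*.pub; do
        [ -f "$pub" ] || continue
        base=$(basename "$pub")
        name=$(sk_key_name "$base" "$(head -n 1 "$pub")")
        target=$name; n=1
        # Pick the first free name; the file's own current name counts as free.
        while [ "$dir/$target.pub" != "$pub" ] && { [ -e "$dir/$target.pub" ] || [ -e "$dir/$target" ]; }; do
            n=$((n + 1)); target="${name}_$n"
        done
        [ "$target" = "${base%.pub}" ] && continue   # already has the right name
        mv "$pub" "$dir/$target.pub"
        if [ -f "$dir/${base%.pub}" ]; then mv "$dir/${base%.pub}" "$dir/$target"; fi
        echo "$base -> $target"
    done
}
```

Run it as "rename_sk_keys ~/.ssh" after the download; it does nothing to a pair that is already named the way it would name it.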