On 2019-11-14, Damien Miller <djm@xxxxxxxxxxx> wrote: > Thanks for testing this! > > Does this patch help? If you're able to test multiple U2F-only keys in > a host then that would be ideal - you'll be able to see whether ssh is > trying each device if you run it in verbose mode (i.e. ssh -vvv ...) Yep, this patch works too: debug1: skdebug: found 1 device(s) debug1: skdebug: trying device 0: /dev/hidraw0 debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED debug1: skdebug: found key debug1: Authentication succeeded (publickey). Authenticated to localhost ([::1]:22). and without the key plugged in: debug1: skdebug: found 0 device(s) debug1: skdebug: couldn't find device for key handle debug1: sshsk_sign: sk_sign failed with code -1 debug1: identity_sign: sshkey_sign: unexpected internal error sign_and_send_pubkey: signing failed: unexpected internal error Unfortunately I only have the one key to test with. > Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is > returned only when a token actually claims a key handle, and not all the > time... Yeah, this crossed my mind after I sent the diff. Your patch looks good :) _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
