On Thu, 13 Nov 2019, Michael Forney wrote:

> On 2019-11-14, Damien Miller <djm@xxxxxxxxxxx> wrote:
> > Thanks for testing this!
> >
> > Does this patch help? If you're able to test multiple U2F-only keys in
> > a host then that would be ideal - you'll be able to see whether ssh is
> > trying each device if you run it in verbose mode (i.e. ssh -vvv ...)
>
> Yep, this patch works too:
>
> debug1: skdebug: found 1 device(s)
> debug1: skdebug: trying device 0: /dev/hidraw0
> debug1: skdebug: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED
> debug1: skdebug: found key
> debug1: Authentication succeeded (publickey).
> Authenticated to localhost ([::1]:22).
>
> and without the key plugged in:
>
> debug1: skdebug: found 0 device(s)
> debug1: skdebug: couldn't find device for key handle
> debug1: sshsk_sign: sk_sign failed with code -1
> debug1: identity_sign: sshkey_sign: unexpected internal error
> sign_and_send_pubkey: signing failed: unexpected internal error
>
> Unfortunately I only have the one key to test with.
>
> > Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
> > returned only when a token actually claims a key handle, and not all the
> > time...
>
> Yeah, this crossed my mind after I sent the diff. Your patch looks good :)

Thanks to my compulsive hoarding of technology that I should have disposed
of, I found an old U2F security key and managed to test it. U2F tokens
(well, mine anyway) return FIDO_ERR_NO_CREDENTIALS as expected.

I'll commit the patch.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
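The thread above is about one thing: when several security keys are plugged in, ssh should ask each token in turn whether it owns the key handle, treat FIDO_ERR_USER_PRESENCE_REQUIRED as "this token claims the handle, it just wants a touch", treat FIDO_ERR_NO_CREDENTIALS (what Damien's U2F token returns) as "not this one, keep looking", and only report "couldn't find device for key handle" after every device has been tried. The program below is an added example written for this page; it is not OpenSSH's sk-usbhid code and does not link libfido2. The devices are a constructed table, `probe_device` stands in for a real get-assertion call with user presence switched off, and the names `probe_rc`, `sim_device` and `find_device_for_handle` are this example's own. The enum values are constructed, not libfido2's real error numbers.

```c
/* Added example, not OpenSSH or libfido2 code: models the per-device probe
 * loop discussed in the thread over a constructed device table so that it
 * runs offline. A real implementation would include <fido.h> and call
 * fido_dev_get_assert() with the "up" option disabled inside probe_device(). */
#include <stdio.h>
#include <stddef.h>

/* Outcomes named after the libfido2 statuses quoted in the thread.
 * Numeric values are constructed for this example only. */
enum probe_rc {
    PROBE_OK = 0,                          /* assertion returned without a touch */
    PROBE_ERR_USER_PRESENCE_REQUIRED = 1,  /* token owns the handle, wants a touch */
    PROBE_ERR_NO_CREDENTIALS = 2,          /* token does not know this handle */
    PROBE_ERR_OTHER = 3                    /* transport or other failure */
};

/* Simulated device: the path ssh would print and the answer the "token"
 * gives for our key handle. */
struct sim_device {
    const char *path;
    enum probe_rc answer;
};

/* Ask one device whether it claims the key handle. Stand-in for a
 * get-assertion request with user presence not required. */
static enum probe_rc probe_device(const struct sim_device *dev)
{
    return dev->answer;
}

/* Try every device in turn. Returns the index of the first device that
 * claims the key handle, or -1 when none does (the "couldn't find device
 * for key handle" case in the log). Because a NO_CREDENTIALS answer just
 * moves on to the next device, the presence-required status is only ever
 * surfaced for a token that actually owns the credential. */
int find_device_for_handle(const struct sim_device *devs, size_t ndevs)
{
    printf("skdebug: found %zu device(s)\n", ndevs);
    for (size_t i = 0; i < ndevs; i++) {
        enum probe_rc rc;
        printf("skdebug: trying device %zu: %s\n", i, devs[i].path);
        rc = probe_device(&devs[i]);
        switch (rc) {
        case PROBE_OK:
        case PROBE_ERR_USER_PRESENCE_REQUIRED:
            printf("skdebug: found key\n");
            return (int)i;
        case PROBE_ERR_NO_CREDENTIALS:
            /* Not this token (e.g. an unrelated U2F key): keep looking. */
            break;
        default:
            printf("skdebug: device %zu returned %d, skipping\n", i, (int)rc);
            break;
        }
    }
    printf("skdebug: couldn't find device for key handle\n");
    return -1;
}

/* Constructed device tables for the scenarios the thread describes. */
const struct sim_device FIDO2_ONLY[] = {
    { "/dev/hidraw0", PROBE_ERR_USER_PRESENCE_REQUIRED }
};
const struct sim_device MIXED[] = {
    { "/dev/hidraw0", PROBE_ERR_NO_CREDENTIALS },         /* unrelated U2F token */
    { "/dev/hidraw1", PROBE_ERR_USER_PRESENCE_REQUIRED }  /* the right token */
};
const struct sim_device NONE_MATCH[] = {
    { "/dev/hidraw0", PROBE_ERR_NO_CREDENTIALS }
};

int main(void)
{
    /* Expected: 0, then 1, then -1 (no matching token), then -1 (no devices). */
    printf("-> %d\n", find_device_for_handle(FIDO2_ONLY, 1));
    printf("-> %d\n", find_device_for_handle(MIXED, 2));
    printf("-> %d\n", find_device_for_handle(NONE_MATCH, 1));
    printf("-> %d\n", find_device_for_handle(NONE_MATCH, 0));
    return 0;
}
```

The MIXED table is the case Damien asked Michael to test: the unrelated token must answer NO_CREDENTIALS so the loop moves on and the second token is selected. The empty table reproduces the "found 0 device(s)" log, where the loop body never runs and the function reports that no device owns the handle.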