On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> Generating a FIDO key requires the token be attached, and will usually
> require the user tap the token to confirm the operation:

Pretending first that I didn't have Damien's original post to the list, to debug this as a non-subscriber would ...

ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER, and when people search for that variable in the public docs there's nothing much. SecurityKeyProvider has better text, and a pointer to the entry in ssh_config(5) might help.

I found one line in README.md (nit: "dependenciesi" has an extra "i" there), and it doesn't mention --with-security-key-builtin (or is this not needed now?)

Nothing outside of Damien's post seems to mention libsk-libfido2.so; the libfido2 git log shows that the middleware moved into OpenSSH instead. I'm guessing this is where --with-security-key-builtin comes from. With libfido2 having removed the anchor, should the build even be succeeding to create SK stuff without the --with-security-key-builtin flag passed to configure?

Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't propagate paths into DT_RUNPATH, but I guess folks using non-standard install locations for custom stuff get what they deserve. :) Adjusting to pass -Wl,-R through, it works.

When an ECDSA-SK handle has been loaded into ssh-agent, and you connect to a host, there is no prompt to touch the token beyond a light on the token starting to blink.

No ssh-agent:

  % ssh -p 24 fullerene
  Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
  Confirm user presence for key ECDSA-SK SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw

Agent:

  % ssh-add ~/.ssh/id_ecdsa_sk
  Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk:
  Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp@fullerene)

Later:

  % ssh -p 24 fullerene
  [hangs, no output]

Can that "Confirm user presence" nudge be made to happen with the agent in play too? It's nice.
Thanks for the wonderful work on supporting FIDO and everything else in OpenSSH. I hope this snapshot testing helps.

Regards,
-Phil

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
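As an added example (not from Phil's mail or the OpenSSH project), the build-and-verify steps behind the DT_RUNPATH point above: configure with the built-in security-key middleware, pass -Wl,-R explicitly because PKG_CONFIG_PATH alone does not reach the link step, then confirm the library directory really is in the binary's DT_RUNPATH. The libfido2 prefix /opt/libfido2 and the OpenSSH checkout directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenSSH.
# Builds OpenSSH against a libfido2 installed under a non-standard prefix
# and checks that the prefix landed in DT_RUNPATH of the built binary.
set -eu

FIDO2_PREFIX="${FIDO2_PREFIX:-/opt/libfido2}"   # assumed libfido2 install prefix
SRC="${SRC:-$HOME/src/openssh}"                 # assumed OpenSSH source checkout

# Configure and build. PKG_CONFIG_PATH only tells configure where libfido2.pc
# lives; it does not put the library directory into DT_RUNPATH, so the path is
# handed to the linker explicitly via -Wl,-R (the workaround the mail describes).
build_openssh_with_sk() {
    cd "$SRC"
    PKG_CONFIG_PATH="$FIDO2_PREFIX/lib/pkgconfig" \
    LDFLAGS="-Wl,-R$FIDO2_PREFIX/lib" \
        ./configure --with-security-key-builtin
    make -j"$(nproc 2>/dev/null || echo 2)"
}

# Return 0 if `readelf -d` output on stdin records DIR in DT_RUNPATH or DT_RPATH.
# Reading stdin lets the same check run against saved readelf output.
runpath_contains() {
    dir="$1"
    grep -E '\((RUNPATH|RPATH)\)' | grep -F -q -- "$dir"
}

# Check a freshly built binary; ssh-keygen links the security-key code.
check_built_binary() {
    readelf -d "$SRC/ssh-keygen" | runpath_contains "$FIDO2_PREFIX/lib"
}

# Only build when explicitly asked, so sourcing this file has no side effects.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_openssh_with_sk
    check_built_binary && echo "DT_RUNPATH includes $FIDO2_PREFIX/lib"
fi
```

If the check fails after a build, the binary will only find libfido2 through LD_LIBRARY_PATH or ld.so.conf, which is exactly the situation the -Wl,-R workaround is meant to avoid.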