On Thu, 6 Feb 2020, Phil Pennock wrote:

> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > Generating a FIDO key requires the token be attached, and will usually
> > require the user tap the token to confirm the operation:
>
> Pretending first that I didn't have Damien's original post to the list,
> to debug this as a non-subscriber would ...
>
> ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER,
> and when people search for that variable in the public docs there's
> nothing much.

I'll mention $SSH_SK_PROVIDER in the release notes for ssh-keygen(1).
Naturally ssh-keygen doesn't use SecurityKeyProvider as it doesn't read
any config files.

> SecurityKeyProvider has better text and a pointer to the entry in
> ssh_config(5) might help.

I've synced the manual page text for $SSH_SK_PROVIDER in ssh-keygen.1 and
ssh-add.1 to match SecurityKeyProvider in ssh_config.5, thanks.

> I found one line in README.md (nit: "dependenciesi" has an extra "i"
> there) and doesn't mention --with-security-key-builtin (or is this not
> needed now?)

Fixed - thanks.

> Nothing outside of Damien's post seems to mention libsk-libfido2.so; the
> libfido2 git log shows that the middleware moved into OpenSSH instead.
> I'm guessing this is where --with-security-key-builtin comes from.
> With libfido2 having removed the anchor, should the build even be
> succeeding to create SK stuff without the --with-security-key-builtin
> flag passed to configure?

Yes, the motivation is that users might want to supply their own FIDO
middleware instead of the built-in one.

> Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't
> propagate paths into DT_RUNPATH, but I guess folks using non-standard
> install locations for custom stuff get what they deserve. :) Adjusting
> to pass -Wl,-R through, it works.

AFAIK that might be a bug in the generated libfido2.pc.

> When an ECDSA-SK handle has been loaded into ssh-agent, and you connect
> to a host, there is no prompt to touch the token beyond a light on the
> token starting to blink.
>
> No ssh-agent:
> % ssh -p 24 fullerene
> Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
> Confirm user presence for key ECDSA-SK SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw
>
> Agent:
> % ssh-add ~/.ssh/id_ecdsa_sk
> Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk:
> Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp@fullerene)
> Later:
> % ssh -p 24 fullerene
> [hangs, no output]
>
> Can that "Confirm user presence" nudge be made to happen with the agent
> in play too? It's nice.

So, that should work if the agent has $DISPLAY set and access to SSH_ASKPASS
- it should pop up a confirmation box that will go away as soon as you touch
the key.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
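An added check (not from the thread, not OpenSSH code) for the agent case discussed above: before starting ssh-agent, confirm the two things Damien names, a non-empty $DISPLAY and a usable askpass program, so an agent-held SK key prompts instead of hanging silently. The function and its argument convention are this example's own; OpenSSH also has a compiled-in default askpass path, which this check does not probe.

```shell
#!/bin/sh
# Added example: would an ssh-agent started from this environment be able
# to show the "Confirm user presence" box for a FIDO/SK key?
# $1 = value of DISPLAY, $2 = value of SSH_ASKPASS (either may be empty).
# Prints the reasons it would not; returns 0 if it would, 1 otherwise.
sk_agent_prompt_check() {
    display="$1"
    askpass="$2"
    ok=0
    if [ -z "$display" ]; then
        # Without DISPLAY the agent has nowhere to put the dialog; ssh
        # just blocks until the token is touched (the "hangs" symptom).
        echo "DISPLAY is empty: agent cannot pop up the user-presence dialog"
        ok=1
    fi
    if [ -z "$askpass" ]; then
        # Assumption noted in the lead-in: OpenSSH falls back to a
        # compile-time askpass path here; we only flag that it is unset.
        echo "SSH_ASKPASS is empty: relying on the built-in askpass default"
    elif [ ! -x "$askpass" ]; then
        echo "SSH_ASKPASS=$askpass is not an executable program"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "ok: agent can show the user-presence confirmation"
    fi
    return "$ok"
}

# Typical use: check the real environment before launching the agent.
# sk_agent_prompt_check "$DISPLAY" "$SSH_ASKPASS" && eval "$(ssh-agent -s)"
```

If the check fails, export DISPLAY and SSH_ASKPASS in the shell that launches ssh-agent (or restart the agent from a graphical session), since the agent only sees the environment it inherited at start.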