Re: Resident keys?

On Feb 17, 2020, at 9:45 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I’m trying out the “resident key” functionality in OpenSSH 8.2, and
>> I’m having trouble getting it to find keys that I’ve created.
>> 
>> I’m trying to create a new resident key using:
>> 
>>    ssh-keygen -O resident -t ed25519-sk -f <filename>
>> 
>> This creates a key, but I’m not actually sure it is creating a
>> “resident” key, as when I try to dump out the resident keys with
>> either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find
>> anything, reporting back “No keys to download” in ssh-keygen and
>> silently failing in ssh-add (without loading any keys).
>> 
>> I also noticed that I can enter pretty much anything at the PIN prompt
>> it gives me, and it doesn’t return an error or decrement the number of
>> available PIN retries when I view the key’s status.
>> 
>> I’m doing these tests against OpenSSH portable HEAD on a Mac with a
>> Yubikey 5 NFC (connected via USB).
>> 
>> Any thoughts on what I might be doing wrong?
> 
> You can try running "ssh-keygen -Kvvv" to see more detail on what is
> going wrong, but I suspect the problem is that your key's firmware
> has incomplete resident key support. Some of my older Yubikey 5 tokens
> allowed me to create resident keys but not retrieve them.


Here’s what I get back:

debug3: start_helper: started pid=96317
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=96317
No keys to download

I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to make a difference. I still got the same error after successfully changing the PIN.

This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in “yubico-piv-tool -a status”.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
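An added example, not part of this thread and not OpenSSH's or libfido2's own tooling. `FIDO_ERR_PIN_NOT_SET` in the `read_rks` line above is libfido2's name for the CTAP2 `PIN_NOT_SET` status: the token has no FIDO2 client PIN, and the credential-management command that `ssh-keygen -K` uses to enumerate resident keys requires PIN authentication. The PIN that `yubico-piv-tool change-pin` changes belongs to the PIV applet, which is a separate applet from FIDO2. The script below parses a `ssh-keygen -Kvvv` log for the failing `read_rks` error and prints the next step; the interactive function at the end sets a FIDO2 PIN with libfido2's `fido2-token` (the same library `ssh-sk-helper` links against), creates the resident key and re-runs the download. The device node `/dev/hidraw2`, the key path, the constructed sample log (shortened from the one above) and the `noclientPin` token in `fido2-token -I` output are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage "No keys to download" from
# ssh-keygen -Kvvv output, then walk the FIDO2 PIN / resident-key steps.

# Constructed sample, shortened from the debug output posted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/.../IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/.../IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/.../IOUSBHostHIDDevice@14343000,1
No keys to download
EOF
)

# Extract the libfido2 error name from the first "read_rks: get metadata ... failed:" line.
# Prints e.g. FIDO_ERR_PIN_NOT_SET, or NONE when no such line is present.
sk_error_from_log() {
    err=$(printf '%s\n' "$1" \
        | sed -n 's/.*read_rks: get metadata for .* failed: \(FIDO_ERR_[A-Z_]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$err" ]; then
        printf '%s\n' "$err"
    else
        printf 'NONE\n'
    fi
}

# Turn the error into the operator's next action. PIN errors here are about
# the FIDO2 client PIN, never the PIV PIN handled by yubico-piv-tool.
sk_next_step() {
    case "$1" in
        FIDO_ERR_PIN_NOT_SET)
            echo "token has no FIDO2 PIN: set one with 'fido2-token -S <dev>', then rerun ssh-keygen -K" ;;
        FIDO_ERR_PIN_INVALID|FIDO_ERR_PIN_AUTH_INVALID)
            echo "wrong FIDO2 PIN: retry; remaining retries are shown by 'fido2-token -I <dev>'" ;;
        FIDO_ERR_PIN_AUTH_BLOCKED|FIDO_ERR_PIN_BLOCKED)
            echo "FIDO2 PIN blocked: re-insert the token; if retries are exhausted the FIDO applet must be reset" ;;
        NONE)
            echo "no read_rks failure found: rerun 'ssh-keygen -Kvvv' and capture stderr" ;;
        *)
            echo "unhandled $1: see fido2-token(1) for the libfido2 error" ;;
    esac
}

# Interactive part; needs a real token. The device node is an assumption:
# list devices with 'fido2-token -L' (on macOS this is an IOService path as in the log).
# Usage: sk_resident_setup /dev/hidraw2 ~/.ssh/id_ed25519_sk
sk_resident_setup() {
    dev=$1
    keyfile=$2
    # fido2-token -I prints the token's options; "noclientPin" means no PIN is set yet.
    if fido2-token -I "$dev" | grep -q 'noclientPin'; then
        fido2-token -S "$dev"                 # prompts for and sets the FIDO2 PIN
    fi
    ssh-keygen -O resident -t ed25519-sk -f "$keyfile"   # touch + FIDO2 PIN prompt
    ssh-keygen -K                                        # download resident keys from the token
}

# Stand-alone run: triage the constructed log; only touch hardware if a device is given.
ERR=$(sk_error_from_log "$SAMPLE_LOG")
echo "detected: $ERR"
sk_next_step "$ERR"
if [ "$#" -ge 2 ]; then
    sk_resident_setup "$1" "$2"
fi
```

Run it with no arguments to triage a captured log, or with a device node and key path to set the FIDO2 PIN and create the resident key on a token. If `ssh-keygen -K` still reports "No keys to download" after a PIN is set, the log will show a different `FIDO_ERR_*` value, which is the point at which the firmware-support explanation from the earlier reply becomes the likely cause.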