On Feb 17, 2020, at 9:45 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I’m trying out the “resident key” functionality in OpenSSH 8.2, and
>> I’m having trouble getting it to find keys that I’ve created.
>>
>> I’m trying to create a new resident key using:
>>
>> ssh-keygen -O resident -t ed25519-sk -f <filename>
>>
>> This creates a key, but I’m not actually sure it is creating a
>> “resident” key, as when I try to dump out the resident keys with
>> either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find
>> anything, reporting back “No keys to download” in ssh-keygen and
>> silently failing in ssh-add (without loading any keys).
>>
>> I also noticed that I can enter pretty much anything at the PIN prompt
>> it gives me, and it doesn’t return an error or decrement the number of
>> available PIN retries when I view the key’s status.
>>
>> I’m doing these tests against OpenSSH portable HEAD on a Mac with a
>> Yubikey 5 NFC (connected via USB).
>>
>> Any thoughts on what I might be doing wrong?
>
> You can try running "ssh-keygen -Kvvv" to see more detail on what is
> going wrong, but I suspect the problem is that your key's firmware
> has incomplete resident key support. Some of my older Yubikey 5 tokens
> allowed me to create resident keys but not retrieve them.
Here’s what I get back:

debug3: start_helper: started pid=96317
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=96317
No keys to download

I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to make a difference. I still got the same error after successfully changing the PIN.

This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in “yubico-piv-tool -a status”.

-- 
Ron Frederick
ronf@xxxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
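The "ssh-keygen -Kvvv" output above buries the actual failure (a libfido2 error name) behind a very long IOService device path. The following shell helper, added here as an example and not part of the thread or of OpenSSH, extracts one summary line per failing device from that debug output; the sample log, the function names and the hint text are all constructed for this example.

```shell
# Added example, not from the thread: summarise "read_rks" failures from
# "ssh-keygen -Kvvv" (or "ssh-add -K" with debugging) output read on stdin,
# printing the last path component of the device and the libfido2 error.
summarize_rks_failures() {
    # Lines of interest have the shape:
    #   debug1: read_rks: get metadata for <devpath> failed: FIDO_ERR_<X>
    # sed keeps <devpath> and the error name, separated by '|' (a character
    # that does not occur in IOService paths); awk then shortens the path.
    sed -n 's/^debug1: read_rks: get metadata for \(.*\) failed: \(FIDO_ERR_[A-Z_]*\)$/\1|\2/p' |
    awk -F '|' '
        {
            n = split($1, p, "/")
            hint = "see fido/err.h in libfido2"
            # FIDO_ERR_PIN_NOT_SET is libfido2'"'"'s name for "the FIDO2 (CTAP2)
            # application has no PIN". That PIN is separate from the PIV PIN
            # that yubico-piv-tool manages.
            if ($2 == "FIDO_ERR_PIN_NOT_SET")
                hint = "no FIDO2 PIN set on the token"
            printf "%s: %s (%s)\n", p[n], $2, hint
        }'
}

# Constructed sample log in the same shape as the thread's output, with the
# long IOService path abbreviated.
sample_log() {
    cat <<'EOF'
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/.../IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/.../YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh-sk-helper: reply len 4
No keys to download
EOF
}

# Live usage: ssh-keygen -Kvvv 2>&1 | summarize_rks_failures
sample_log | summarize_rks_failures
```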