Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)

On Mon, Jul 20, 2020 at 09:27:16AM +1000, Damien Miller wrote:
> On Sun, 19 Jul 2020, Domenico Andreoli wrote:
> 
> > On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> > > 
> > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > > works. However, it does not do PIN enforcement at SSH login.  It only
> > > > requests the PIN during the set-up process (when the key is being
> > > > generated). Is that the way it's supposed to work?
> > > 
> > > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > > except for a couple of corner cases (e.g. resident keys).
> > > 
> > > I hope to add this before OpenSSH 8.4.
> > 
> > Somewhat related: touching the FIDO key to authorize the operation.
> > 
> > The user is prompted to touch the FIDO key when generating an ssh key
> > but later on (e.g. ssh-add -T ...) this does not happen any more.
> > 
> > I guess it's due to the agent server not having any means to call back
> > the client for notifying that user action is required [0].
> 
> ssh-agent will prompt via $SSH_ASKPASS if you have it configured.

Evidently my setup has some problem; I don't see any dialog. I'll
investigate. Thanks.

Dom

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05
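A diagnostic for the symptom discussed above (no touch prompt when the agent signs with a FIDO key), added here as an example and not code from the thread or from OpenSSH. It assumes, as in OpenSSH 8.2/8.3, that ssh-agent only runs the askpass notifier when its own process environment has DISPLAY set and SSH_ASKPASS names an executable, so the variables exported in the shell where ssh-add runs are irrelevant; the live check reads /proc on Linux and is skipped where SSH_AGENT_PID is unset.

```shell
#!/bin/bash
# Check whether a running ssh-agent can show the "Confirm user presence"
# prompt. Assumption (OpenSSH 8.2/8.3 behaviour): the prompt is run from the
# agent's own environment, which must contain DISPLAY and an executable
# SSH_ASKPASS. An agent started before the X session exported DISPLAY, or
# without SSH_ASKPASS, silently mutes the notification.

# extract_env FILE NAME: print NAME's value from a NUL-separated environment
# block (the format of /proc/PID/environ), or nothing if it is absent.
extract_env() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_askpass_env FILE: return 0 if the agent whose environment is in FILE
# can show the prompt, 1 otherwise; each problem is explained on stdout.
check_askpass_env() {
    local display askpass rc=0
    display=$(extract_env "$1" DISPLAY)
    askpass=$(extract_env "$1" SSH_ASKPASS)
    if [ -z "$display" ]; then
        echo "DISPLAY is unset in the agent's environment: prompt is muted"
        rc=1
    fi
    if [ -z "$askpass" ]; then
        # This check insists on an explicit SSH_ASKPASS rather than relying
        # on whatever default askpass path the build compiled in.
        echo "SSH_ASKPASS is unset in the agent's environment"
        rc=1
    elif [ ! -x "$askpass" ]; then
        echo "SSH_ASKPASS=$askpass is not an executable file"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "agent can prompt via $askpass on DISPLAY=$display"
    fi
    return "$rc"
}

# Live check against the agent SSH_AGENT_PID points at (Linux /proc only).
# If it passes, 'ssh-add -T <key>' with a FIDO key should raise the dialog;
# if it fails, restart the agent from a shell that already has both set.
if [ -n "${SSH_AGENT_PID:-}" ] && [ -r "/proc/$SSH_AGENT_PID/environ" ]; then
    check_askpass_env "/proc/$SSH_AGENT_PID/environ" || true
fi
```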
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
