ssh-keygen and multiple resident keys on a FIDO device


Hi,

I'm using a Yubikey 5 NFC key to store two resident keys at the moment, and using "ssh-keygen -K"
to download them to a host is not a very ergonomic experience at the moment (I've tried with
OpenSSH 8.4p1-5 in Debian Unstable, I've also read the changelogs of 8.5 and 8.6 but seen no hint
that this behavior has changed in later versions).

~/.ssh$ ykman fido credentials list
Enter your PIN: <PIN>
ssh: <usernameA in hex> openssh
ssh: <usernameB in hex> openssh
~/.ssh$ ls id_ed*
ls: cannot access 'id_ed*': No such file or directory
~/.ssh$ ssh-keygen -K
Enter PIN for authenticator: <PIN>
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Saved ED25519-SK key to id_ed25519_sk_rk
id_ed25519_sk_rk already exists.
<in a separate terminal window, "mv -i id_ed25519_sk_rk id_ed25519_sk_tmp; mv -i
id_ed25519_sk_rk.pub id_ed25519_sk_tmp.pub">
Overwrite (y/n)? y
Saved ED25519-SK key to id_ed25519_sk_rk
~/.ssh$ cat id_ed25519*.pub
sk-ssh-ed25519@xxxxxxxxxxx <pubkeyA> ssh:
sk-ssh-ed25519@xxxxxxxxxxx <pubkeyB> ssh:

As far as I can tell, there are two issues here:

a) ssh-keygen -K wants to overwrite the first key with the second key rather than using an
alternative path (or prompting the user to provide an alternative path)

b) unless a custom application string has been set when the keys were created, it is not easy to
distinguish the two keys that are downloaded from the security key and written to the current
directory, it would perhaps be better if the pubkeys would include the username (passed with "-O
user=foobar" when the keys were initially created) in the comment field?

and, some minor things:

c) it appears impossible to set different passphrases for different keys

d) the man page for the "-O user" and "-O application" options doesn't make it clear that they take
an option (so the man page should read e.g. "user=name" and "application=name", like it does for "challenge=path" and
"write-attestation=path")

e) The description of the OpenSSH mailing lists indicates that the openssh-unix-dev list is open to non-subscribers. That does not seem to be the case (I got an error message when sending as a non-subscriber). See e.g.:
https://www.openssh.com/list.html
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Cheers,
David
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
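The following is an added example, not code from the original post or from OpenSSH. It illustrates point (b) above: a public key written by "ssh-keygen -K" carries the key type, the raw Ed25519 public key and the FIDO application string (the relying party ID, "ssh:" by default), but not the user ID passed with "-O user=...". Two resident keys created with the default application string therefore differ only in their key material, i.e. in their fingerprint, while a custom application string is visible in the key and in the comment ssh-keygen writes. The wire layout follows OpenSSH's PROTOCOL.u2f description of sk-ssh-ed25519@openssh.com keys; the sample keys are constructed from deterministic fake bytes, and the function names (build_sk_ed25519_line, parse_sk_ed25519_line, distinguishable_by_application) are this example's own.

```python
"""Inspect OpenSSH FIDO ("sk-") public keys as written by ssh-keygen -K.

Added example; not code from the original post or from OpenSSH.
An sk-ssh-ed25519@openssh.com public key blob is three SSH "string" fields
(uint32 big-endian length followed by the bytes):
    string  "sk-ssh-ed25519@openssh.com"
    string  public key (32 raw Ed25519 bytes)
    string  application (FIDO relying party ID, "ssh:" by default)
The user ID given with "-O user=..." is not part of the public key.
"""
import base64
import hashlib
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"


def _put_string(b: bytes) -> bytes:
    """Encode one SSH string field."""
    return struct.pack(">I", len(b)) + b


def _get_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH string field at offset `off`; fail loudly on truncation."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n


def build_sk_ed25519_line(raw_pubkey: bytes, application: str, comment: str = "") -> str:
    """Build a public-key line in the same shape ssh-keygen -K writes.

    Only used here to construct demo input; real keys come from the token.
    """
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = (_put_string(SK_ED25519.encode())
            + _put_string(raw_pubkey)
            + _put_string(application.encode()))
    line = f"{SK_ED25519} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of the full key blob, as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_sk_ed25519_line(line: str) -> dict:
    """Parse one sk-ssh-ed25519@openssh.com line into its fields."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519@openssh.com public key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _get_string(blob, 0)
    if keytype.decode() != SK_ED25519:
        raise ValueError("key type inside blob does not match the line prefix")
    pubkey, off = _get_string(blob, off)
    application, off = _get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the application string")
    return {
        "type": keytype.decode(),
        "application": application.decode(),
        "pubkey_hex": pubkey.hex(),
        "fingerprint": fingerprint(blob),
        "comment": parts[2] if len(parts) == 3 else "",
    }


def distinguishable_by_application(lines) -> bool:
    """True only if every key in `lines` carries a different application string."""
    apps = [parse_sk_ed25519_line(ln)["application"] for ln in lines]
    return len(set(apps)) == len(apps)


# Constructed sample keys: deterministic fake key bytes, NOT real token output.
# ssh-keygen -K writes the application string as the comment, as in the post.
KEY_A = build_sk_ed25519_line(hashlib.sha256(b"demo key A").digest(), "ssh:", "ssh:")
KEY_B = build_sk_ed25519_line(hashlib.sha256(b"demo key B").digest(), "ssh:", "ssh:")
KEY_C = build_sk_ed25519_line(hashlib.sha256(b"demo key C").digest(),
                              "ssh:work-laptop", "ssh:work-laptop")

if __name__ == "__main__":
    for line in (KEY_A, KEY_B, KEY_C):
        info = parse_sk_ed25519_line(line)
        print(f'{info["fingerprint"]}  application={info["application"]!r}')
    print("A/B distinguishable by application:", distinguishable_by_application([KEY_A, KEY_B]))
    print("A/C distinguishable by application:", distinguishable_by_application([KEY_A, KEY_C]))
```

Run against the two .pub files from the transcript above, the parser would report "ssh:" for both and differ only in the fingerprint, which is the value to compare against what the token reports; with a key created using "-O application=ssh:work-laptop" the application string itself tells the keys apart.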