Hey *,

I have more than one {Security Key,HSM}-FIDO2 device attached to my Linux machine (Arch Linux). With

```
# fido2-token -L
/dev/hidraw7: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)
/dev/hidraw5: vendor=0x20a0, product=0x42b2 (Nitrokey Nitrokey 3)
```

I am able to get the device paths of both SK, which I can use to generate an `ecdsa-sk` on a specific device:

```
$ ssh-keygen \
    -t ecdsa-sk \
    -f /tmp/TEST-id_ed25519-sk \
    -N '' \
    -O device=/dev/hidraw5 \
    -O resident \
    -O verify-required
...
The key fingerprint is:
SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro bernd
```

I can confirm generation on the SK with

```
# fido2-token -L -r /dev/hidraw5
Enter PIN for /dev/hidraw5:
00: 4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8= ssh:
```

(But I have no clue what kind of identifier "4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8=" actually is?)

I can use this key just fine:

```
ssh -vv -F /dev/null -i /tmp/TEST-id_ed25519-sk localhost
```

But: How do I specify the "SK HANDLER" via ssh_config? Nowhere do I see a reference.

From `-vv` I only see:

```
debug1: Offering public key: /tmp/TEST-id_ed25519-sk ECDSA-SK SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro explicit authenticator
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /tmp/TEST-id_ed25519-sk ECDSA-SK SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro explicit authenticator
Confirm user presence for key ECDSA-SK SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ECDSA-SK, provider internal: msg len 360, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x25
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
...
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to decrypt private key
debug1: main: reply len 8
debug1: client_converse: helper returned error -43
debug1: identity_sign: sshkey_sign: incorrect passphrase supplied to decrypt private key
Enter PIN for ECDSA-SK key /tmp/TEST-id_ed25519-sk:
Confirm user presence for key ECDSA-SK SHA256:HixXHmVbrCZRxWUXIDOZF50VAIf/cVESDcBZsKSWcro
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: process_sign: ready to sign with key ECDSA-SK, provider internal: msg len 360, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x25 with-pin
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
...
debug1: sk_touch_poll: polling /dev/hidraw7
debug1: sk_touch_poll: polling /dev/hidraw5
debug1: main: reply len 129
User presence confirmed
Authenticated to localhost ([::1]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug2: channel 0: send open
debug1: Requesting no-more-sessions@xxxxxxxxxxx
debug1: Entering interactive session.
```

So at first I have to 'touch confirm' which SK to use; then I can enter its FIDO2 PIN; then the policy(?) requires the User Presence again.

I would like to specify which SK is to be used from the `ssh_config`.

To extend my question: Why does `ssh-sk-helper` iterate over both SK the second time even though it should be clear(?) which SK I wanted to use?

If there is no way yet to specify the SK device via `ssh_config`, I would like to make a feature request out of it.

But I already see some issues here :/

SK like the "Onlykey" do not have a "serial (number)" because the device is kinda generic and the user can update its firmware, and the device/firmware offers backup and restore of its configuration including its secrets. So an Onlykey is not unique. You can create a clone just fine. (While writing this mail, I should make a test if I'm really able to also make a backup of credentials within the FIDO2 of the Onlykey...) But there is no way AFAIK to identify one out of many Onlykeys.

Furthermore, I'm not (yet) too deep in the material to understand how to get the various serials or identifiers of the various modules/functions/cards on a HSM. AFAIU, e.g. a Nitrokey 3 or Yubikey has a serial, but the PGP SmartCard, the PIV module, and the FIDO2 chip(?) have their own ID, correct?

I'm also not sure if it would be possible and reliable to configure Linux udev rules to enforce a certain static `/dev/hidrawN` path for a SK.

Thanks for pointers and hints and explanations.

Best,
Bernd

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
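As an added example that is not part of Bernd's mail or of the OpenSSH/libfido2 projects, the following Python script parses the two `fido2-token -L` listings quoted above and checks what the base64 blob in the `-L -r` output is. It assumes that the identifier is the CTAP2 credential-management RP ID hash (SHA-256 over the RP ID, which fido2-token prints base64-encoded next to the RP ID itself) and that OpenSSH's RP ID is the `ssh:` string shown in the listing; rather than taking that for granted, the script recomputes the hash from the printed RP ID and reports whether it matches. The `Device`, `ResidentRp`, `parse_*`, `check_rp_hashes` and `find_device` names are the example's own, and the two listings are embedded as constructed input copied from the mail.

```python
"""Parse fido2-token listings and verify the RP ID hash of resident credentials.

Added example; assumption: fido2-token -L -r prints base64(SHA-256(rp id)) followed
by the rp id for each RP with resident credentials, and OpenSSH uses rp id "ssh:".
"""
import base64
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed input: the two listings quoted in the mail.
DEVICE_LISTING = """\
/dev/hidraw7: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)
/dev/hidraw5: vendor=0x20a0, product=0x42b2 (Nitrokey Nitrokey 3)
"""

RP_LISTING = """\
Enter PIN for /dev/hidraw5:
00: 4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8= ssh:
"""

DEVICE_RE = re.compile(
    r"^(?P<path>/dev/\S+): vendor=0x(?P<vid>[0-9a-fA-F]{4}), "
    r"product=0x(?P<pid>[0-9a-fA-F]{4}) \((?P<name>.*)\)$")
# base64 of a 32-byte SHA-256 digest is always 43 characters plus one '=' pad.
RP_RE = re.compile(r"^(?P<idx>\d{2}): (?P<hash>[A-Za-z0-9+/]{43}=) (?P<rpid>\S+)$")


class Device(NamedTuple):
    path: str
    vid: int
    pid: int
    name: str


class ResidentRp(NamedTuple):
    idx: int
    rp_id_hash_b64: str
    rp_id: str


def parse_device_listing(text: str) -> List[Device]:
    """Parse `fido2-token -L` output into Device records; unrecognised lines are skipped."""
    devs = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            devs.append(Device(m["path"], int(m["vid"], 16), int(m["pid"], 16), m["name"]))
    return devs


def parse_rp_listing(text: str) -> List[ResidentRp]:
    """Parse `fido2-token -L -r <dev>` output; the PIN prompt line does not match and is dropped."""
    rps = []
    for line in text.splitlines():
        m = RP_RE.match(line.strip())
        if m:
            rps.append(ResidentRp(int(m["idx"]), m["hash"], m["rpid"]))
    return rps


def rp_id_hash_b64(rp_id: str) -> str:
    """RP ID hash as CTAP2 defines it: SHA-256 over the UTF-8 RP ID, base64 for display."""
    digest = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_rp_hashes(rps: List[ResidentRp]) -> Dict[int, bool]:
    """Recompute each RP's hash from the printed RP ID and compare with the printed hash.

    A mismatch means the printed hash and RP ID do not belong together and the
    token (or the tool output) deserves a closer look when auditing credentials.
    """
    return {rp.idx: rp.rp_id_hash_b64 == rp_id_hash_b64(rp.rp_id) for rp in rps}


def find_device(devs: List[Device], vid: int, pid: int) -> Optional[Device]:
    """Select a token by USB vendor/product id instead of the unstable hidraw number.

    Returns None when zero or several devices match: identical products cannot
    be told apart this way, which is the cloned-Onlykey problem the mail raises.
    """
    matches = [d for d in devs if d.vid == vid and d.pid == pid]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    devices = parse_device_listing(DEVICE_LISTING)
    for d in devices:
        print(f"{d.path}: {d.vid:04x}:{d.pid:04x} {d.name}")
    nitrokey = find_device(devices, 0x20A0, 0x42B2)
    print("Nitrokey 3 path:", nitrokey.path if nitrokey else "ambiguous or absent")
    for rp in parse_rp_listing(RP_LISTING):
        ok = check_rp_hashes([rp])[rp.idx]
        print(f"RP {rp.idx:02d} '{rp.rp_id}': printed hash == SHA-256(rp id): {ok}")
```

Run against the saved output of `fido2-token -L` and `fido2-token -L -r <dev>` on a real host, `check_rp_hashes` gives a quick inventory of which RP IDs hold resident credentials on each token, and `find_device` shows both what vendor/product selection buys and where it stops: it distinguishes the two different products in the listing, but would return None for two tokens of the same model.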