[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

personal@ilanjoselevich.com changed:

What | Removed | Added
-----|---------|----------------------------
CC   |         | personal@ilanjoselevich.com

--- Comment #10 from personal@ilanjoselevich.com ---
Created attachment 3778
--> https://bugzilla.mindrot.org/attachment.cgi?id=3778&action=edit
two terminals running ssh and ssh-agent

I really want to use ssh-agent with my FIDO2 (PIN) protected ssh key
but it seems that it requires you to use a GUI SSH_ASKPASS. I played
around with it a bit and figured out that the reason why it needs a GUI
SSH_ASKPASS is because it executes it inside the ssh-agent's process
and tty, meaning that it will just fail once it asks for a password on
the terminal because it is non-interactive.

I wonder if it's possible for ssh to run the SSH_ASKPASS on the
client's terminal rather than on the agent and pass the output back to
the agent.

I attached an image of the two terminals to the side, one running the
agent, and one running `ssh`.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

chn@chn.moe changed:

What | Removed | Added
-----|---------|------------
CC   |         | chn@chn.moe

--- Comment #11 from chn@chn.moe ---
(In reply to personal from comment #10)
> Created attachment 3778 [details]
> two terminals running ssh and ssh-agent
>
> I really want to use ssh-agent with my FIDO2 (PIN) protected ssh key
> but it seems that it requires you to use a GUI SSH_ASKPASS. I played
> around with it a bit and figured out that the reason why it needs a
> GUI SSH_ASKPASS is because it executes it inside the ssh-agent's
> process and tty, meaning that it will just fail once it asks for a
> password on the terminal because it is non-interactive.
>
> I wonder if it's possible for ssh to run the SSH_ASKPASS on the
> client's terminal rather than on the agent and pass the output back
> to the agent.
>
> I attached an image of the two terminals to the side, one running
> the agent, and one running `ssh`.

Have you finally made it work? It seems you are using NixOS; would you
mind sharing the corresponding configs?

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #12 from personal@ilanjoselevich.com ---
(In reply to chn from comment #11)
> Have you finally made it work? It seems you are using NixOS; would
> you mind sharing the corresponding configs?

I have managed to make it work with a GUI-based SSH_ASKPASS; are you
interested in seeing the config?

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #13 from chn@chn.moe ---
(In reply to personal from comment #12)
> (In reply to chn from comment #11)
> > Have you finally made it work? It seems you are using NixOS; would
> > you mind sharing the corresponding configs?
>
> I have managed to make it work with a GUI-based SSH_ASKPASS; are you
> interested in seeing the config?

Yes, of course; it will be great if you share your config. Thank you very
much!

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #14 from personal@ilanjoselevich.com ---
(In reply to chn from comment #13)
> Yes, of course; it will be great if you share your config. Thank you
> very much!

```
programs.ssh = {
  startAgent = true;
  enableAskPassword = true;
  askPassword = "${pkgs.gnome.seahorse}/libexec/seahorse/ssh-askpass";
};
```

That's all I needed, besides forwardAgent and addKeysToAgent on the
client.

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #15 from chn@chn.moe ---
(In reply to personal from comment #14)
> (In reply to chn from comment #13)
> > Yes, of course; it will be great if you share your config. Thank you
> > very much!
>
> ```
> programs.ssh = {
>   startAgent = true;
>   enableAskPassword = true;
>   askPassword = "${pkgs.gnome.seahorse}/libexec/seahorse/ssh-askpass";
> };
> ```
>
> That's all I needed, besides forwardAgent and addKeysToAgent on the
> client.

Thank you, I tried it and it works. I also tried
`systemd-ask-password`, it works too.

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #16 from personal@ilanjoselevich.com ---
(In reply to chn from comment #15)
> Thank you, I tried it and it works. I also tried
> `systemd-ask-password`, it works too.

So you have ssh-agent running in a systemd service and it asks you for
the password using systemd-ask-password on the terminal executing
`ssh`?
This is exactly what I want but I could never get it to work. Can you
show me your config?

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #17 from chn@chn.moe ---
(In reply to personal from comment #16)
> (In reply to chn from comment #15)
> > Thank you, I tried it and it works. I also tried
> > `systemd-ask-password`, it works too.
>
> So you have ssh-agent running in a systemd service and it asks you
> for the password using systemd-ask-password on the terminal
> executing `ssh`?
> This is exactly what I want but I could never get it to work. Can
> you show me your config?

Sorry for the late response; I have not checked my email during the
holiday. Happy new year!

I am not sure if my ssh-agent was running in a systemd service or not.
I am using ed25519-sk with discoverable (resident) credentials without
`verify-required` (every time I use my ssh key, I need to tap the metal
thing on my Yubikey 5 NFC, but do not need to enter PIN code). Here is
my config, hope it is useful.

https://github.com/CHN-beta/nixos/blob/d3f38c3b55676e5a746666a5d07c6d137759066b/modules/packages/server/ssh/default.nix#L103

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required

--- Comment #18 from personal@ilanjoselevich.com ---
(In reply to chn from comment #17)
> I am not sure if my ssh-agent was running in a systemd service or
> not. I am using ed25519-sk with discoverable (resident) credentials
> without `verify-required` (every time I use my ssh key, I need to tap
> the metal thing on my Yubikey 5 NFC, but do not need to enter PIN
> code). Here is my config, hope it is useful.
>
> https://github.com/CHN-beta/nixos/blob/d3f38c3b55676e5a746666a5d07c6d137759066b/modules/packages/server/ssh/default.nix#L103

It is running inside a systemd service. Since you are not using a FIDO2
PIN you don't need an askpass, I do use a FIDO2 PIN, which is why I
can't get systemd-ask-password to work since it's a terminal-based
askpass and it gets executed in the systemd service as I've previously.

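Comments #10 and #18 both come down to the same diagnosis: the askpass helper is spawned by the agent process, so whatever DISPLAY and SSH_ASKPASS the agent was started with decide whether a PIN prompt can happen at all. The script below is an added example, not code from the bug thread or from OpenSSH. It reads those variables out of a running agent's /proc/<pid>/environ and reports whether the agent would run an askpass helper or give up (which the client sees as "agent refused operation"). The rules in askpass_decision are my simplified reading of how OpenSSH's readpass.c treats DISPLAY and SSH_ASKPASS_REQUIRE when ssh-agent itself needs a PIN; treat them as an assumption, not a specification. The unit name ssh-agent.service in the usage hint and the sample environment are likewise assumptions constructed for the example.

```shell
#!/bin/sh
# agent-askpass-check: explain why a terminal-less ssh-agent (for example one started
# as a systemd user service) refuses a FIDO2 PIN-protected key instead of prompting.
# Added example, not code from the bug thread or from OpenSSH. The rules in
# askpass_decision are my simplified reading of OpenSSH's readpass.c for the case
# where ssh-agent itself needs a PIN; treat them as an assumption, not a specification.

# askpass_decision DISPLAY SSH_ASKPASS SSH_ASKPASS_REQUIRE
# Prints "askpass:<helper>" if the agent would run an askpass helper, or "refuse" if it
# would give up, which the ssh client then reports as "agent refused operation".
askpass_decision() {
    display=$1
    helper=$2
    require=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    allow=0
    # A non-empty DISPLAY is what normally permits an askpass helper ...
    if [ -n "$display" ]; then allow=1; fi
    # ... and SSH_ASKPASS_REQUIRE can override that in either direction.
    case "$require" in
        force|prefer) allow=1 ;;
        never)        allow=0 ;;
    esac
    if [ "$allow" -eq 0 ]; then
        echo refuse
        return 1
    fi
    # An unset or empty SSH_ASKPASS falls back to the helper path compiled into OpenSSH.
    echo "askpass:${helper:-<compiled-in default ssh-askpass>}"
    return 0
}

# environ_get FILE NAME
# Reads NAME from a NUL-separated environment dump such as /proc/<pid>/environ.
environ_get() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# report_environ FILE
# Shows the three variables that matter and the resulting decision.
report_environ() {
    d=$(environ_get "$1" DISPLAY)
    a=$(environ_get "$1" SSH_ASKPASS)
    r=$(environ_get "$1" SSH_ASKPASS_REQUIRE)
    echo "DISPLAY='$d' SSH_ASKPASS='$a' SSH_ASKPASS_REQUIRE='$r'"
    askpass_decision "$d" "$a" "$r"
}

# report_agent PID: same, for a live agent process (Linux /proc only).
report_agent() {
    env_file="/proc/$1/environ"
    if [ ! -r "$env_file" ]; then
        echo "cannot read $env_file (wrong pid, or not your process?)" >&2
        return 2
    fi
    report_environ "$env_file"
}

# Constructed sample (not a real capture): the environment a systemd user service
# typically hands an agent, with no DISPLAY and no SSH_ASKPASS, as NUL-separated entries.
make_sample_environ() {
    f=$(mktemp)
    printf 'PATH=/usr/bin\000HOME=/home/alice\000SSH_AUTH_SOCK=/run/user/1000/ssh-agent\000' > "$f"
    echo "$f"
}

main() {
    pid=${1:-${SSH_AGENT_PID:-}}
    if [ -z "$pid" ]; then
        echo "usage: $0 <agent-pid>" >&2
        # Unit name is an assumption; adjust to however your agent is started.
        echo "hint: systemctl --user show -p MainPID --value ssh-agent.service" >&2
        exit 2
    fi
    report_agent "$pid"
}

# Only dispatch when installed under this name; sourcing the file just defines the functions.
case "${0##*/}" in agent-askpass-check|agent-askpass-check.sh) main "$@" ;; esac
```

Run it against the agent's pid and the output tells you which side of the decision you are on. For the sample environment it prints `refuse`, which is exactly the situation in the thread: a terminal-based helper such as systemd-ask-password cannot help here because the helper never sees the terminal running `ssh`, while a GUI helper such as the seahorse askpass from comment #14 works once DISPLAY and SSH_ASKPASS are present in the agent's own environment.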