
Resident keys?
Hello,

I’m trying out the “resident key” functionality in OpenSSH 8.2, and I’m having trouble getting it to find keys that I’ve created.

I’m trying to create a new resident key using:

ssh-keygen -O resident -t ed25519-sk -f <filename>

This creates a key, but I’m not actually sure it is creating a “resident” key, as when I try to dump out the resident keys with either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find anything, reporting back “No keys to download” in ssh-keygen and silently failing in ssh-add (without loading any keys).

I also noticed that I can enter pretty much anything at the PIN prompt it gives me, and it doesn’t return an error or decrement the number of available PIN retries when I view the key’s status.

I’m doing these tests against OpenSSH portable HEAD on a Mac with a Yubikey 5 NFC (connected via USB).

Any thoughts on what I might be doing wrong?
--
Ron Frederick
ronf@timeheart.net



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Resident keys?
On Mon, 17 Feb 2020, Ron Frederick wrote:

> Hello,
>
> I’m trying out the “resident key” functionality in OpenSSH 8.2, and
> I’m having trouble getting it to find keys that I’ve created.
>
> I’m trying to create a new resident key using:
>
> ssh-keygen -O resident -t ed25519-sk -f <filename>
>
> This creates a key, but I’m not actually sure it is creating a
> “resident” key, as when I try to dump out the resident keys with
> either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find
> anything, reporting back “No keys to download” in ssh-keygen and
> silently failing in ssh-add (without loading any keys).
>
> I also noticed that I can enter pretty much anything at the PIN prompt
> it gives me, and it doesn’t return an error or decrement the number of
> available PIN retries when I view the key’s status.
>
> I’m doing these tests against OpenSSH portable HEAD on a Mac with a
> Yubikey 5 NFC (connected via USB).
>
> Any thoughts on what I might be doing wrong?

You can try running "ssh-keygen -Kvvv" to see more detail on what is
going wrong, but I suspect the problem is that your key's firmware
has incomplete resident key support. Some of my older Yubikey 5 tokens
allowed me to create resident keys but not retrieve them.

-d
Re: Resident keys?
On Feb 17, 2020, at 9:45 PM, Damien Miller <djm@mindrot.org> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I’m trying out the “resident key” functionality in OpenSSH 8.2, and
>> I’m having trouble getting it to find keys that I’ve created.
>>
>> I’m trying to create a new resident key using:
>>
>> ssh-keygen -O resident -t ed25519-sk -f <filename>
>>
>> This creates a key, but I’m not actually sure it is creating a
>> “resident” key, as when I try to dump out the resident keys with
>> either “ssh-keygen -K” or “ssh-add -K”, it doesn’t seem to find
>> anything, reporting back “No keys to download” in ssh-keygen and
>> silently failing in ssh-add (without loading any keys).
>>
>> I also noticed that I can enter pretty much anything at the PIN prompt
>> it gives me, and it doesn’t return an error or decrement the number of
>> available PIN retries when I view the key’s status.
>>
>> I’m doing these tests against OpenSSH portable HEAD on a Mac with a
>> Yubikey 5 NFC (connected via USB).
>>
>> Any thoughts on what I might be doing wrong?
>
> You can try running "ssh-keygen -Kvvv" to see more detail on what is
> going wrong, but I suspect the problem is that your key's firmware
> has incomplete resident key support. Some of my older Yubikey 5 tokens
> allowed me to create resident keys but not retrieve them.


Here’s what I get back:

debug3: start_helper: started pid=96317
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0 Hub@14300000/AppleUSB20Hub@14300000/AppleUSB20HubPort@14340000/USB2.0 Hub@14340000/AppleUSB20Hub@14340000/AppleUSB20HubPort@14343000/YubiKey OTP+FIDO+CCID@14343000/IOUSBHostInterface@1/IOUSBHostHIDDevice@14343000,1
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=96317
No keys to download

I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to make a difference. I still got the same error after successfully changing the PIN.

This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in “yubico-piv-tool -a status”.
--
Ron Frederick
ronf@timeheart.net



Re: Resident keys?
Ron Frederick <ronf@timeheart.net> writes:
>
> Here’s what I get back:
[ ... ]
> debug1: ssh_sk_load_resident_keys: trying
> IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0
> debug1: read_rks: get metadata for
> IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS08@14300000/USB2.0
[ ... ]
> failed: FIDO_ERR_PIN_NOT_SET
> debug1: ssh_sk_load_resident_keys: read_rks failed for
[ .. ]
> No keys to download
>
> I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to
> make a difference. I still got the same error after successfully
> changing the PIN.

That PIN is for the PIV application on the YubiKey.

Use "ykman fido set-pin" instead using the YubiKey Manager.

/gabriel

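The two replies above (run "ssh-keygen -Kvvv", then recognise that FIDO_ERR_PIN_NOT_SET means the FIDO2 PIN, not the PIV PIN, is missing) can be folded into a small triage function. This is an added example, not code from the thread or from OpenSSH; the sample log lines are constructed from the debug output Ron posted, with the long IOService path shortened.

```shell
# Added example: classify "ssh-keygen -Kvvv" output read from stdin.
# Exit status: 0 token answered (keys listed or none stored),
#              1 no FIDO device path was tried at all,
#              2 FIDO2 PIN not set on the token,
#              3 some other FIDO error came back from the token.
diagnose_rk() {
    tried=0 nokeys=0 err=""
    while IFS= read -r line; do
        case "$line" in
            *"ssh_sk_load_resident_keys: trying "*) tried=1 ;;
            *"read_rks: get metadata for "*" failed: "*)
                err="${line##* failed: }" ;;      # keep the FIDO_ERR_* code
            "No keys to download"*) nokeys=1 ;;
        esac
    done
    if [ "$tried" -eq 0 ]; then
        echo "no FIDO device was tried: check USB/HID access and ssh-sk-helper"
        return 1
    fi
    case "$err" in
        "")
            if [ "$nokeys" -eq 1 ]; then
                echo "token answered but holds no resident keys"
            else
                echo "token answered; resident keys were read"
            fi
            return 0 ;;
        FIDO_ERR_PIN_NOT_SET)
            # The PIV PIN (yubico-piv-tool) is a different application;
            # credential management needs the FIDO2 PIN.
            echo "FIDO2 PIN not set: run 'ykman fido set-pin', then retry ssh-keygen -K"
            return 2 ;;
        *)
            echo "token returned $err: firmware may lack resident-key (credential management) support"
            return 3 ;;
    esac
}

# Constructed sample, abridged from the debug output in this thread.
SAMPLE_PIN_NOT_SET='debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying IOService:/.../IOUSBHostHIDDevice@14343000,1
debug1: read_rks: get metadata for IOService:/.../IOUSBHostHIDDevice@14343000,1 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for IOService:/.../IOUSBHostHIDDevice@14343000,1
No keys to download'

printf '%s\n' "$SAMPLE_PIN_NOT_SET" | diagnose_rk || echo "exit status $?"
```

In real use pipe the tool's stderr in: `ssh-keygen -Kvvv 2>&1 | diagnose_rk`.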
Re: Resident keys?
On Feb 18, 2020, at 12:46 AM, Gabriel Kihlman <gk@b0rk.org> wrote:
>> I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to
>> make a difference. I still got the same error after successfully
>> changing the PIN.
>
> That PIN is for the PIV application on the yubikey.
>
> Use "ykman fido set-pin" instead using the Yubikey Manager.


Ah - that was it, thanks very much!

After setting the PIN this way, I was able to get “ssh-keygen -K” and “ssh-add -K” to work, and was also able to use “ykman fido list” to see the list of installed resident keys.

With OpenSSH, is there a way to use a resident key without actually reading it out of the token if you provide the username and application to identify which key you want to use, or do you need to actually provide the PIN every time? I understand you can use ssh-agent to mitigate this and only provide the PIN when loading the keys into the agent, but generally that would still mean providing the PIN every time you signed on to the machine running the SSH client. I’m just wondering if there are any options to be able to use a key with only physical access to it.
--
Ron Frederick
ronf@timeheart.net


