OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> On Fri, 10 Jul 2020, Frank Sharkey wrote:
>
> > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > works. However, it does not do PIN enforcement at SSH login. It only
> > requests the PIN during the set-up process (when the key is being
> > generated). Is that the way it's supposed to work?
>
> Assuming you are using this device as a FIDO token (and not PKCS#11),
> this is expected. OpenSSH doesn't yet support requiring PINs for keys
> except for a couple of corner cases (e.g. resident keys).
>
> I hope to add this before OpenSSH 8.4.

Somewhat related: touching the FIDO key to authorize the operation.

The user is prompted to touch the FIDO key when generating an ssh key
but later on (e.g. ssh-add -T ...) this does not happen any more.

I guess it's due to the agent server not having any means to call back
the client for notifying that user action is required [0].

Is it maybe an idea to add some 'touch required' constraint to such
ssh keys?

If the client could query for such constraint (via some protocol
extension yet to be implemented), then it would show a prompt just
before requesting the operation to the agent server.

Dom

[0] https://tools.ietf.org/html/draft-miller-ssh-agent-04

--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Sun, 19 Jul 2020, Domenico Andreoli wrote:

> On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> >
> > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > works. However, it does not do PIN enforcement at SSH login. It only
> > > requests the PIN during the set-up process (when the key is being
> > > generated). Is that the way it's supposed to work?
> >
> > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > except for a couple of corner cases (e.g. resident keys).
> >
> > I hope to add this before OpenSSH 8.4.
>
> Somewhat related: touching the FIDO key to authorize the operation.
>
> The user is prompted to touch the FIDO key when generating an ssh key
> but later on (e.g. ssh-add -T ...) this does not happen any more.
>
> I guess it's due to the agent server not having any means to call back
> the client for notifying that user action is required [0].

ssh-agent will prompt via $SSH_ASKPASS if you have it configured.

-d
Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 20, 2020 at 09:27:16AM +1000, Damien Miller wrote:
> On Sun, 19 Jul 2020, Domenico Andreoli wrote:
>
> > On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> > >
> > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > > works. However, it does not do PIN enforcement at SSH login. It only
> > > > requests the PIN during the set-up process (when the key is being
> > > > generated). Is that the way it's supposed to work?
> > >
> > > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > > except for a couple of corner cases (e.g. resident keys).
> > >
> > > I hope to add this before OpenSSH 8.4.
> >
> > Somewhat related: touching the FIDO key to authorize the operation.
> >
> > The user is prompted to touch the FIDO key when generating an ssh key
> > but later on (e.g. ssh-add -T ...) this does not happen any more.
> >
> > I guess it's due to the agent server not having any means to call back
> > the client for notifying that user action is required [0].
>
> ssh-agent will prompt via $SSH_ASKPASS if you have it configured.

Evidently my setup has some problem, I don't see any dialog. I'll
investigate. Thanks.

Dom

--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, 20 Jul 2020, Domenico Andreoli wrote:

> > > I guess it's due to the agent server not having any means to call back
> > > the client for notifying that user action is required [0].
> >
> > ssh-agent will prompt via $SSH_ASKPASS if you have it configured.
>
> Evidently my setup has some problem, I don't see any dialog. I'll
> investigate. Thanks.

Common problems:

1) you might not be running OpenSSH's ssh-agent. Some desktop environments
will silently start their own, with varying levels of compatibility

2) Not starting ssh-agent with $DISPLAY set

3) Not having an askpass program at the path that ssh-agent expects,
or not having $SSH_ASKPASS pointing to one (again, set before starting the agent)

-d
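A small diagnostic for the three pitfalls listed in the reply above, added here as an example (it is not code from the thread or from OpenSSH). It assumes Linux /proc and a POSIX sh, and reads the environment the agent was started with rather than the current shell's, since that is what ssh-agent actually honours.

```shell
#!/bin/sh
# Added diagnostic for the three askpass pitfalls; not part of OpenSSH.
# Assumes Linux /proc and that SSH_AGENT_PID names the running agent.

# Name of the process behind SSH_AGENT_PID (e.g. "ssh-agent" or
# "gnome-keyring-daemon"). Prints nothing when no agent pid is known.
agent_comm() {
  [ -n "${SSH_AGENT_PID:-}" ] && ps -o comm= -p "$SSH_AGENT_PID" 2>/dev/null
}

# Environment the agent was started with, one VAR=value per line.
# ssh-agent only sees DISPLAY/SSH_ASKPASS as they were at start-up,
# so the values in the current shell are not the ones that matter.
agent_env() {
  if [ -n "${SSH_AGENT_PID:-}" ] && [ -r "/proc/$SSH_AGENT_PID/environ" ]; then
    tr '\0' '\n' < "/proc/$SSH_AGENT_PID/environ"
  else
    env
  fi
}

# Pure check: $1 = agent process name, $2 = VAR=value lines.
# Prints one finding per line; returns 0 only when nothing is wrong.
check_agent_setup() {
  comm=$1; env_text=$2; rc=0
  display=$(printf '%s\n' "$env_text" | sed -n 's/^DISPLAY=//p' | head -n 1)
  askpass=$(printf '%s\n' "$env_text" | sed -n 's/^SSH_ASKPASS=//p' | head -n 1)
  case "$comm" in
    ssh-agent) ;;
    '') echo "1) SSH_AGENT_PID not set: cannot tell which agent is running"; rc=1 ;;
    *)  echo "1) agent process is '$comm', not OpenSSH's ssh-agent"; rc=1 ;;
  esac
  if [ -z "$display" ]; then
    echo "2) DISPLAY was not set when the agent started"; rc=1
  fi
  if [ -z "$askpass" ]; then
    echo "3) SSH_ASKPASS unset; agent falls back to its compiled-in askpass path"; rc=1
  elif [ ! -x "$askpass" ]; then
    echo "3) SSH_ASKPASS=$askpass is not an executable program"; rc=1
  fi
  return $rc
}

# Check the live session only when invoked as: sh check-askpass.sh run
case "${1:-}" in
  run) check_agent_setup "$(agent_comm)" "$(agent_env)" ;;
esac
```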
Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 20, 2020 at 01:12:10PM +1000, Damien Miller wrote:
> On Mon, 20 Jul 2020, Domenico Andreoli wrote:
>
> > > > I guess it's due to the agent server not having any means to call back
> > > > the client for notifying that user action is required [0].
> > >
> > > ssh-agent will prompt via $SSH_ASKPASS if you have it configured.
> >
> > Evidently my setup has some problem, I don't see any dialog. I'll
> > investigate. Thanks.
>
> Common problems:
>
> 1) you might not be running OpenSSH's ssh-agent. Some desktop environments
> will silently start their own, with varying levels of compatibility
>
> 2) Not starting ssh-agent with $DISPLAY set
>
> 3) Not having an askpass program at the path that ssh-agent expects,
> or not having $SSH_ASKPASS pointing to one (again, set before starting the agent)

Managed to make it work. Nice! Thanks again.

Now, all the perfectly good use cases that do not have a running desktop
are left without a screen notification. Any ideas for these?

Another issue, the current ssh-askpass solution does not give any hint
of which application is requesting the confirmation. It's then possible
to race with a malicious application and get the confirmation first.

Dom

--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05