
no-touch-required seems ignored in new and old clients
It seems that touch is required with both the old and the new clients
regardless of whether no-touch-required is in place in authorized_keys
or not.

At least that is the case when using ed25519-sk keys for authentication
because when I have a key in place in the server account's
~/.ssh/authorized_keys like this:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC...NzaDo=

I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g.
OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to
complete the authentication.

According to the manual page for sshd(8), "no-touch-required" should
eliminate the need to verify physical presence through touching the
hardware token. However if I set a key in place in the server account's
~/.ssh/authorized_keys like this:

no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC...NzaDo=

then the hardware token still blinks and yet I still cannot authenticate
without touching it. Perhaps I have overlooked something?

/Lars
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: no-touch-required seems ignored in new and old clients
>It seems that touch is required with both the old and the new clients
>regardless of whether no-touch-required is in place in authorized_keys
>or not.
>
>At least that is the case when using ed25519-sk keys for authentication
>because when I have a key in place in the server account's
>~/.ssh/authorized_keys like this:
>
>sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC...NzaDo=
>
>I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g.
>OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to
>complete the authentication.
>
>According to the manual page for sshd(8), "no-touch-required" should
>eliminate the need to verify physical presence through touching the
>hardware token. However if I set a key in place in the server account's
>~/.ssh/authorized_keys like this:
>
>no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC...NzaDo=
>
>then the hardware token still blinks and yet I still cannot authenticate
>without touching it. Perhaps I have overlooked something?

In addition to "no-touch-required" in ~/.ssh/authorized_keys, the
key itself needs to be created with ssh-keygen -O no-touch-required.

-p.
Re: no-touch-required seems ignored in new and old clients
On 4/14/21 11:34 AM, pedro martelletto wrote:
>> It seems that touch is required with both the old and the new clients
>> regardless of whether no-touch-required is in place in authorized_keys
>> or not.
[snip]
> In addition to "no-touch-required" in ~/.ssh/authorized_keys, the key
> itself needs to be created with ssh-keygen -O no-touch-required.

Thanks. That was it. Perhaps that part of the manual page for ssh(8)
could be amended with something like this:

no-touch-required
Do not require demonstration of user presence for
signatures made using this key. This option only
makes sense for the FIDO authenticator algorithms
ecdsa-sk and ed25519-sk. Furthermore, a prerequisite
for this option is that the keys are created
with the -O no-touch-required option.

I notice that the converse problem also occurs: if the key was generated
with -O no-touch-required, it will not authenticate if no-touch-required
is not part of the key in authorized_keys.

/Lars
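An added example, not code from the thread or from OpenSSH, that audits an authorized_keys file from the sshd side: it parses the option field and the sk-* public key blob and reports, per FIDO key, whether a touch is still enforced. The sample file content and key material are constructed, and SK_TYPES, parse_line and audit are names of this example only.

```python
# Added example, not code from the thread or from OpenSSH: audit authorized_keys for
# FIDO (sk-*) keys and report whether sshd will still demand a touch for each. Only
# the server side is visible: the "-O no-touch-required" key flag is not in the blob.
import base64, shlex, struct

SK_TYPES = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

def _ssh_string(blob: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_line(line: str):
    """Return (options, key type, FIDO application) for a key line, else None."""
    parts = shlex.split(line)  # unquotes option values such as from="host"
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):  # no options field
        options, keytype, b64 = [], parts[0], parts[1]
    else:
        options, keytype, b64 = parts[0].split(","), parts[1], parts[2]
    blob = base64.b64decode(b64)
    _blob_type, off = _ssh_string(blob, 0)  # first field repeats the key type
    application = None
    if keytype in SK_TYPES:
        # PROTOCOL.u2f: ed25519 has 1 field (pk) before the application, ecdsa 2.
        for _ in range(1 if keytype == SK_TYPES[0] else 2):
            _, off = _ssh_string(blob, off)
        application = _ssh_string(blob, off)[0].decode()
    return options, keytype, application

def audit(text: str):
    """List (key type, application, touch_enforced) for every sk-* key."""
    report = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in SK_TYPES:
            options, keytype, app = parsed
            report.append((keytype, app, "no-touch-required" not in options))
    return report

def _blob(keytype: str, *fields: bytes) -> str:  # builds sample blobs only
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (keytype.encode(), *fields))
    return base64.b64encode(raw).decode()

# Constructed sample authorized_keys content (dummy key material, not real keys).
SAMPLE = "\n".join([
    "sk-ssh-ed25519@openssh.com " + _blob(SK_TYPES[0], b"\x11" * 32, b"ssh:") + " alice@a",
    "no-touch-required,restrict sk-ssh-ed25519@openssh.com " + _blob(SK_TYPES[0], b"\x22" * 32, b"ssh:") + " alice@b",
    "ssh-ed25519 " + _blob("ssh-ed25519", b"\x33" * 32) + " non-fido key, ignored",
])
```

Keys reported with touch_enforced=False are the ones where physical presence has been waived on the server, which is the setting worth reviewing; a key generated without -O no-touch-required will still prompt for a touch on the client even on such a line, as the thread describes.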