Any news on this? When the key is created with '-o verify-required' the
agent started by gcr will just fail with 'agent refused operation'
because neither the request for the FIDO2 PIN nor the user presence
check will appear.

Killing it and restarting it manually with the SSH_ASKPASS variable set
to an askpass program works (like eval "$(ssh-agent -s;
SSH_ASKPASS=/usr/bin/systemd-ask-password)") - but that is just a janky
workaround.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1869897

Title:
  missing ssh prompt to touch yubikey device when using gnome

Status in GNOME Shell:
  New
Status in gnome-shell package in Ubuntu:
  Triaged

Bug description:
  I can't exactly pinpoint which gnome package is responsible for this.
  It might be gnome-keyring. Let's go with gnome-shell first.

  openssh 8.2p1[1] in focal has support for U2F authentication. This is
  a new feature we will highlight in the release notes and a blog post.

  You can create a keypair and the authentication only succeeds if you
  have the u2f hardware device plugged in, and touch it at the moment of
  authentication.

  In a console only env, it works like this:
  """
  andreas@nsnx:~$ env|grep SSH
  andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
  Confirm user presence for key ECDSA-SK SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
  Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
  ...
  Last login: Tue Mar 31 13:35:44 2020 from 10.0.100.1
  """

  The "Confirm" prompt is asking the user to touch the hardware device
  (a yubikey in this case).

  If I use openssh's ssh-agent, it still works as expected and I see
  that prompt:

  """
  andreas@nsnx:~$ env|grep SSH
  andreas@nsnx:~$ eval $(ssh-agent)
  Agent pid 68267
  andreas@nsnx:~$ env|grep SSH
  SSH_AUTH_SOCK=/tmp/ssh-75OwXd9gR6tq/agent.68252
  SSH_AGENT_PID=68267
  andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
  Warning: Permanently added '10.0.100.75' (ECDSA) to the list of known hosts.
  Confirm user presence for key ECDSA-SK SHA256:bS6vX6b+Bp8Xu/LF4Gw10dV0Y6AkjFPjPoO5q0A546M
  Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
  (...)
  Last login: Tue Mar 31 14:33:18 2020 from 10.0.100.1
  """

  But with "gnome's ssh-agent" (I'm waving my hands here a bit), it just
  stalls. The prompt is swallowed by something. Here I opened a new
  gnome terminal in my existing focal desktop session:

  """
  andreas@nsnx:~$ env|grep SSH
  SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
  SSH_AGENT_PID=4655
  andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
  <hangs here, and the yubikey starts flashing>
  """

  It only moves forward if I touch the device, which is expected. But
  the "Confirm user presence" prompt is nowhere to be seen.

  I'm not sure how gnome-keyring interacts with ssh-agent. I see it is
  spawned by gnome-keyring-daemon:
     4556 ?        Sl     0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
     6449 ?        S      0:00  \_ /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

  But the PID referenced by the SSH_AGENT_PID shell variable above points
  to another copy, spawned by gnome-session-binary:
     4583 tty3     Sl+    0:00          \_ /usr/libexec/gnome-session-binary --systemd --systemd --session=ubuntu
     4655 ?        Ss     0:00              \_ /usr/bin/ssh-agent /usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu

  In any case, the actual prompt "Confirm user presence for key" comes
  from openssh code:
  ./ssh-agent.c:                    "Confirm user presence for key %s %s",
  ./sshconnect2.c:                          "Confirm user presence for key %s %s",

  My guess is that the gnome wrapper, whatever it is, is not expecting
  that prompt.

  1. https://www.openssh.com/txt/release-8.2

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: gnome-shell 3.36.0-2ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
  Uname: Linux 5.4.0-21-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu21
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 31 11:29:06 2020
  DisplayManager: gdm3
  InstallationDate: Installed on 2019-10-13 (169 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Beta amd64 (20191010)
  RelatedPackageVersions: mutter-common 3.36.0-2ubuntu1
  SourcePackage: gnome-shell
  UpgradeStatus: Upgraded to focal on 2020-01-30 (60 days ago)
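
A diagnostic for the situation in this report, added here as an example and not part of the bug report, OpenSSH or GNOME: it lists every running ssh-agent and whether SSH_ASKPASS was present in that agent's environment, which is the one thing the manual restart in the comment changes. The function names and the constructed sample environment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Linux-only: reads /proc/<pid>/environ.

# Print the value of variable $2 from the NUL-separated environ file $1.
env_value() {
    tr '\0' '\n' < "$1" | sed -n "s|^$2=||p" | head -n 1
}

# Classify the askpass setting recorded in environ file $1:
#   unreadable      the file cannot be read (try again as root)
#   unset           SSH_ASKPASS is absent from the agent's environment
#   missing:<path>  SSH_ASKPASS is set, but <path> is not an executable file
#   ok:<path>       SSH_ASKPASS names an executable
askpass_status() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    helper=$(env_value "$1" SSH_ASKPASS)
    if [ -z "$helper" ]; then
        echo "unset"
    elif [ ! -x "$helper" ]; then
        echo "missing:$helper"
    else
        echo "ok:$helper"
    fi
}

# Walk every ssh-agent process instead of trusting SSH_AGENT_PID: in the
# report that variable names a different agent from the one that
# gnome-keyring-daemon spawned.
report_agents() {
    for pid in $(pgrep -x ssh-agent); do
        printf '%s\t%s\n' "$pid" "$(askpass_status "/proc/$pid/environ")"
    done
}

# Constructed sample: environment of an agent started without SSH_ASKPASS.
write_sample_environ() {
    printf 'HOME=/home/user\0SSH_AUTH_SOCK=/run/user/1000/keyring/.ssh\0' > "$1"
}

if [ "${1:-}" = "--live" ]; then
    report_agents
fi
```

Run it with `--live` to inspect the agents of the current session; an agent reported as `unreadable` needs the script to be run as root.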
