I have a YubiKey (Security Key NFC by Yubico) that I'm trying to set up on a Linux machine for SSH authentication in discoverable keys mode. I've followed this tutorial and created the keys with
ssh-keygen -t ecdsa-sk -O resident -O application=ssh:YourTextHere -O verify-required
After that, the pub key was copied to the destination server, and I can correctly login with
ssh -i /root/.ssh/YourTextHere server
However, when I try to connect loading the key on an agent, without using the certificate, I get the following error:
sign_and_send_pubkey: signing failed for ECDSA-SK "" from agent: agent refused operation
root@opnsense: Permission denied (publickey).
I load the ssh-agent with
eval "$(ssh-agent -s)"
and add the key from Yubikey with
ssh-add -K
I can correctly see the loaded key with a
ssh-add -L
It all points to a signing problem with the agent, but I'm not sure how to move forward. I've already enabled all the signing algorithms on the destination server.
I'm trying to connect from a Debian 12 machine, OpenSSH version OpenSSH_9.2p1. The destination machine is a FreeBSD (OPNsense firewall), OpenSSH version OpenSSH_9.3p2. Is there something I'm missing?
EDIT: Solution found, see the response from @Ramhound. I had to do
apt-get install ssh-askpass
then
which ssh-askpass
will show you the path of the binary. After that I just needed to do
eval "$(ssh-agent -s; SSH_ASKPASS=/usr/bin/ssh-askpass)"
and get prompted for the PIN and presence. After that the connection was successful.
ssh-keygen -K
, I can authenticate, but not using the agent itself. Logs on the server show a generic "2023-08-17T18:56:11 Error sshd error: PAM: Authentication error for root from 192.168.0.2", nothing useful.
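The agent can only sign with a verify-required FIDO key if it has a way to ask for the PIN and touch, which is what SSH_ASKPASS gives it. As an added example that is not part of the original post, a small POSIX sh helper that locates an askpass program and exports the variables before starting the agent; it assumes OpenSSH 8.4 or newer for SSH_ASKPASS_REQUIRE, and the helper paths it searches are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Prepares an environment in which
# ssh-agent can prompt for the FIDO PIN and touch through ssh-askpass.
# Assumptions: OpenSSH >= 8.4 (for SSH_ASKPASS_REQUIRE) and a graphical
# askpass helper installed at one of the candidate paths below.

# Print the first executable among the candidate paths; fail if none exists.
find_askpass() {
    for c in "$@"; do
        if [ -x "$c" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Emit the export statements needed before ssh-add / ssh so the agent can
# ask for the PIN even when the signing request arrives without a terminal.
# SSH_ASKPASS_REQUIRE=force makes OpenSSH use the helper unconditionally.
askpass_exports() {
    printf 'export SSH_ASKPASS=%s\n' "$1"
    printf 'export SSH_ASKPASS_REQUIRE=force\n'
}

# Interactive entry point: export the askpass settings, start an agent and
# load the resident key from the token (ssh-add -K, as in the post).
start_agent_with_askpass() {
    helper=$(find_askpass /usr/bin/ssh-askpass /usr/libexec/openssh/ssh-askpass) || {
        echo "no ssh-askpass helper found; install the ssh-askpass package" >&2
        return 1
    }
    eval "$(askpass_exports "$helper")"
    eval "$(ssh-agent -s)"
    ssh-add -K
}
```

Source the file and call start_agent_with_askpass from the shell you will run ssh in, since the exported variables must reach that same shell.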