
I have a Yubikey (Security Key NFC by Yubico) that I'm trying to set up on a Linux machine for SSH authentication in Discoverable keys mode. I've followed this tutorial and created the keys with

ssh-keygen -t ecdsa-sk -O resident -O application=ssh:YourTextHere -O verify-required

After that, the pub key was copied to the destination server, and I can correctly login with

ssh -i /root/.ssh/YourTextHere server 

However, when I try to connect loading the key on an agent, without using the certificate, I get the following error:

sign_and_send_pubkey: signing failed for ECDSA-SK "" from agent: agent refused operation
root@opnsense: Permission denied (publickey).

I load the ssh-agent with

eval "$(ssh-agent -s)"

and add the key from Yubikey with

ssh-add -K

I can correctly see the loaded key with a

ssh-add -L

It all points to a signing problem with the agent, but I'm not sure how to move forward. I've already enabled all the signing algorithms on the destination server.

I'm trying to make the connection from Debian 12, OpenSSH version OpenSSH_9.2p1. The destination machine is a FreeBSD (OPNsense firewall), OpenSSH version OpenSSH_9.3p2. Is there something I'm missing?

EDIT: Solution found, see response from @Ramhound. I had to do an

apt-get install ssh-askpass

then

which ssh-askpass 

will show you the path of the binary. After that I just needed to run

export SSH_ASKPASS=/usr/bin/ssh-askpass
eval "$(ssh-agent -s)"

and get prompted for the PIN and presence. After that the connection was successful.

  • Why are you trying to load the key without the certificate? How about server logs at the time of the client connection?
    – Ramhound
    Commented Aug 18, 2023 at 10:29
  • I don't want the certificate to be written down to disk. If I re-generate it with ssh-keygen -K, I can authenticate, but not using the agent itself. Logs on the server show a generic "2023-08-17T18:56:11 Error sshd error: PAM: Authentication error for root from 192.168.0.2", nothing useful
    – user134167
    Commented Aug 18, 2023 at 17:16
  • The logs should indicate what authentication mode is being attempted right before the authentication fails.
    – Ramhound
    Commented Aug 18, 2023 at 20:03

2 Answers


verify-required requires a way for ssh-agent to actually prompt for verification (whether it's a "touch" request or a PIN input prompt). The agent protocol does not include any way for it to relay prompts back to the calling program, so ssh-agent needs to directly start the ssh-askpass prompter.

Make sure a version of ssh-askpass is installed (there are a few variants for different desktops, I think) and, if necessary, set SSH_ASKPASS= to its path so that ssh-agent can find it.

  • That was it! I'll update the solution on the main post, thank you so much!
    – user134167
    Commented Aug 20, 2023 at 12:03
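A pre-flight check for the situation in this thread, added here as an example (not code from the question or the answer): it resolves the prompter ssh-agent would launch, checks that a display is available (or that SSH_ASKPASS_REQUIRE=force, an OpenSSH 8.4+ setting, forces the prompter), and counts the loaded sk- keys that need it. The fallback path /usr/bin/ssh-askpass is taken from the question; the function names are my own.

```sh
#!/bin/sh
# Pre-flight check for the failure in this thread: ssh-agent returns
# "agent refused operation" for a verify-required sk- key when it has
# no way to prompt for PIN/touch. ssh-agent runs SSH_ASKPASS itself, so
# the prompter and a display must be in the agent's own environment,
# i.e. exported before "eval $(ssh-agent -s)" is run.

# Resolve the prompter ssh-agent would execute.
#   $1: value of SSH_ASKPASS (may be empty)
#   $2: fallback path, e.g. /usr/bin/ssh-askpass (output of "which ssh-askpass")
# Prints the usable path; returns 1 if none is executable.
askpass_resolve() {
    candidate="${1:-$2}"
    if [ -n "$candidate" ] && [ -x "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# A prompter can only appear if there is an X display, or if
# SSH_ASKPASS_REQUIRE=force tells OpenSSH (8.4+) to use it regardless.
#   $1: DISPLAY value, $2: SSH_ASKPASS_REQUIRE value
prompter_can_run() {
    [ -n "$1" ] || [ "$2" = force ]
}

# Count FIDO (sk-*) keys in "ssh-add -L" output read from stdin; these
# are the only loaded keys that need the agent-side prompter.
sk_key_count() {
    grep -c '^sk-' || :
}

# Live check against the current shell environment and running agent.
preflight() {
    prompter=$(askpass_resolve "${SSH_ASKPASS:-}" /usr/bin/ssh-askpass) ||
        { echo "no executable ssh-askpass found; install it or export SSH_ASKPASS before starting ssh-agent"; return 1; }
    prompter_can_run "${DISPLAY:-}" "${SSH_ASKPASS_REQUIRE:-}" ||
        { echo "DISPLAY unset and SSH_ASKPASS_REQUIRE != force; $prompter cannot be shown"; return 1; }
    n=$(ssh-add -L 2>/dev/null | sk_key_count)
    echo "prompter=$prompter sk_keys_loaded=$n"
}

# Run the live check only when invoked as: sh preflight.sh --check
if [ "${1:-}" = --check ]; then
    preflight
fi
```

Run it in the same shell session that will start ssh-agent, so the variables it inspects are the ones the agent will inherit.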

Add this to your ~/.profile file:

if [ -S "$HOME/.gnupg/S.gpg-agent.ssh" ] ; then
        SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
        export SSH_AUTH_SOCK
        export GPG_TTY=$(tty)
        gpg-connect-agent updatestartuptty /bye
fi
