missing ssh prompt to touch yubikey device when using gnome
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GNOME Shell |
New
|
Unknown
|
|||
| gnome-shell (Ubuntu) |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
I can't exactly pinpoint which gnome package is responsible for this. It might be gnome-keyring. Let's go with gnome-shell first.
openssh 8.2p1[1] in focal has support for U2F authentication. This is a new feature we will highlight in the release notes and a blog post.
You can create a keypair and the authentication only succeeds if you have the u2f hardware device plugged in, and touch it at the moment of authentication.
In a console only env, it works like this:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Confirm user presence for key ECDSA-SK SHA256:
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
...
Last login: Tue Mar 31 13:35:44 2020 from 10.0.100.1
"""
The "Confirm" prompt is asking the user to touch the hardware device (a yubikey in this case).
If I use openssh's ssh-agent, it still works as expected and I see that prompt:
"""
andreas@nsnx:~$ env|grep SSH
andreas@nsnx:~$ eval $(ssh-agent)
Agent pid 68267
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_
SSH_AGENT_PID=68267
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
Warning: Permanently added '10.0.100.75' (ECDSA) to the list of known hosts.
Confirm user presence for key ECDSA-SK SHA256:
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-21-generic x86_64)
(...)
Last login: Tue Mar 31 14:33:18 2020 from 10.0.100.1
"""
But with "gnome's ssh-agent" (I'm waving my hands here a bit), it just stalls. The prompt is swallowed by something. Here I opened a new gnome terminal in my existing focal desktop session:
"""
andreas@nsnx:~$ env|grep SSH
SSH_AUTH_
SSH_AGENT_PID=4655
andreas@nsnx:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
<hangs here, and the yubikey starts flashing>
"""
It only moves forward if I touch the device, which is expected. But the "Confirm user presence" prompt is nowhere to be seen.
I'm not sure how gnome-keyring interacts with ssh-agent. I see it is spawned by gnome-keyring-
4556 ? Sl 0:00 /usr/bin/
6449 ? S 0:00 \_ /usr/bin/ssh-agent -D -a /run/user/
But the PID referenced by the SSH_AGENT_PID shell variable above points to another copy, spawned by gnome-session-
4583 tty3 Sl+ 0:00 \_ /usr/libexec/
4655 ? Ss 0:00 \_ /usr/bin/ssh-agent /usr/bin/im-launch env GNOME_SHELL_
In any case, the actual prompt "Confirm user presence for key" comes from openssh code:
./ssh-agent.c: "Confirm user presence for key %s %s",
./sshconnect2.c: "Confirm user presence for key %s %s",
My guess is that the gnome wrapper, whatever it is, is not expecting that prompt.
1. https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gnome-shell 3.36.0-2ubuntu2
ProcVersionSign
Uname: Linux 5.4.0-21-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 31 11:29:06 2020
DisplayManager: gdm3
InstallationDate: Installed on 2019-10-13 (169 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Beta amd64 (20191010)
RelatedPackageV
SourcePackage: gnome-shell
UpgradeStatus: Upgraded to focal on 2020-01-30 (60 days ago)
| description: | updated |
| Changed in gnome-shell (Ubuntu): | |
| importance: | Undecided → Wishlist |
| Sebastien Bacher (seb128) wrote | #2 |
| tags: |
added: rls-ff-notfixing removed: champagne |
| Changed in gnome-shell (Ubuntu): | |
| status: | New → Triaged |
| Davide Marchi (danjde) wrote | #4 |
| Changed in gnome-shell: | |
| status: | Unknown → New |
Thanks Andreas, could you report it upstream on https:/
It would be nice to have that working but we don't consider it as a rls blocker issue.