I recently received a Yubico security key (with FIDO/U2F support) and I am testing SSH authentication with it.
Quoting the OpenSSH 8.2 release notes (section "Changes since OpenSSH 8.1"):
In OpenSSH, the new public key types "ecdsa-sk" and "ed25519-sk" support FIDO devices [...]
After creating an ecdsa-sk key with ssh-keygen -t ecdsa-sk without giving this (test) key a passphrase, I appended the contents of id_ecdsa_sk.pub to the ${HOME}/.ssh/authorized_keys file on the remote host, as usual.
When I try to open an SSH connection to the remote host, nothing is displayed, but the security key device blinks, prompting for a touch. As soon as I touch the device, the SSH connection is established.
After some web searching (example result) I believe I should be getting a prompt like this:
Confirm user presence for key ECDSA-SK SHA256:blah-blah-blah
How can I fix this?
Note that the same behaviour is observed for ed25519-sk.
Environment information
- Local and remote OS:
Linux Mint 20 Cinnamon
- Local and remote OpenSSH:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
Answer 1
The SSH agent is interacting with your security key, not ssh itself. In most configurations, the agent is not attached to your terminal, which means that it can't print the message to your terminal. In Mint Cinnamon, GNOME Keyring is used as the SSH agent by default, but this also applies to ssh-agent.
You've got a couple of options for getting this prompt.
Use ssh-askpass
If you're in X, then your agent can use ssh-askpass to prompt you via a pop-up window. It's most frequently used for prompting for passwords (hence the name), but it also works for presence confirmation prompts with both GNOME Keyring and ssh-agent. On a Debian-based distro like Mint, this should be as simple as apt install ssh-askpass-gnome. (There are other variants as well, such as the more-plain ssh-askpass.)
Remove the key from the agent
If you'd prefer to get the prompt in your terminal, then you can get ssh to prompt you by simply keeping id_ecdsa_sk out of the agent. ssh will first attempt to authenticate with the agent and then fall back to default key names in ~/.ssh.
With GNOME Keyring, all keys in ~/.ssh automatically get added to the agent. So to remove them, you need to move the keys out of the directory. E.g.,
mkdir ~/.ssh/noauto
mv ~/.ssh/id_ecdsa_sk* ~/.ssh/noauto/
Then add an IdentityFile option in ~/.ssh/config for hosts where you want to use this key:
Host remotename
IdentityFile ~/.ssh/noauto/id_ecdsa_sk
If you happen to be using ssh-agent instead of GNOME Keyring, then instead of moving the keys to a different directory, you can delete the key from your agent with ssh-add -d ~/.ssh/id_ecdsa_sk.
Alternatively, if you're using ssh-agent and have an easy way to pass options to ssh-agent, you could set -P to the empty string. I.e., run ssh-agent -P "". This would effectively blacklist loading all PKCS#11 and FIDO based keys into your agent.
Note that removing id_ecdsa_sk from ssh-agent may affect the ordering of the keys tried. If you have a security key based ssh key and a traditional ssh key configured on both client and server sides, this could mean you end up authenticating with the traditional key instead of the security key. Removing the key from the agent also means that you can't use the key on remote hosts with agent forwarding (ssh -A).
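The directory move plus IdentityFile stanza from the answer above, as an added example that is not part of the original post: a POSIX shell helper that moves every id_*_sk key pair out of a given .ssh directory into its noauto subdirectory (so GNOME Keyring stops auto-loading them) and appends a Host stanza only if one is not already present. The ssh directory, host alias and key path arguments are assumptions, and the sample files in the comments are constructed.

```shell
#!/bin/sh
# Keep FIDO (-sk) keys out of an agent that auto-loads ~/.ssh by moving them
# into a subdirectory the agent does not scan, then reference them per host
# via IdentityFile. Arguments (ssh dir, host alias, key path) are assumed.
set -eu

# Move every id_*_sk private/public key found in $1 into $1/noauto.
# Traditional keys (id_rsa, id_ed25519, ...) are left where they are.
# Prints the number of files moved.
move_sk_keys() {
    ssh_dir=$1
    noauto="$ssh_dir/noauto"
    mkdir -p "$noauto"
    chmod 700 "$noauto"           # same permissions ssh expects for ~/.ssh
    moved=0
    for f in "$ssh_dir"/id_*_sk "$ssh_dir"/id_*_sk.pub; do
        [ -e "$f" ] || continue   # the glob matched nothing
        mv "$f" "$noauto/"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Append "Host <alias> / IdentityFile <key>" to $1/config, unless a stanza
# for that alias already exists, so repeated runs do not duplicate it.
add_identity_stanza() {
    ssh_dir=$1; host_alias=$2; key=$3
    cfg="$ssh_dir/config"
    touch "$cfg"
    chmod 600 "$cfg"
    if grep -qxE "Host[[:space:]]+$host_alias" "$cfg"; then
        return 0                  # already configured, nothing to do
    fi
    printf '\nHost %s\n    IdentityFile %s\n' "$host_alias" "$key" >> "$cfg"
}

# Usage on a real setup would be:
#   move_sk_keys "$HOME/.ssh"
#   add_identity_stanza "$HOME/.ssh" remotename "$HOME/.ssh/noauto/id_ecdsa_sk"
```

Try it first on a scratch directory (e.g. one created with mktemp -d containing empty id_ecdsa_sk and id_ecdsa_sk.pub files) before pointing it at a real ~/.ssh.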