#1 2022-03-02 07:31:58

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

openssh 8.9p1 breaks yubikey client authentication

After upgrading to openssh 8.9p1-1, my ssh client is no longer able to authenticate using my yubikey. This used to work fine through gpg-agent. It fails saying:

sign_and_send_pubkey: signing failed for ED25519 "cardno:xxx" from agent: agent refused operation

and gpg-agent logs:

scdaemon[xxx]: app_auth failed: Invalid value
smartcard signing failed: Invalid value
ssh sign request failed: Invalid value <SCD>

I think this might be caused by https://www.openssh.com/agent-restrict.html but I'm not sure it's supposed to break existing setups

Offline

#2 2022-03-13 17:43:51

ssr
Member
Registered: 2022-03-13
Posts: 5

Re: openssh 8.9p1 breaks yubikey client authentication

Same here, but some servers can connect and some can't. I don't know how to do a detailed test.

Offline

#3 2022-04-09 20:41:10

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: openssh 8.9p1 breaks yubikey client authentication

This got worse with 9.0, see https://bugs.archlinux.org/task/74423.

Adding

KexAlgorithms -sntrup761x25519-sha512@openssh.com

to ssh_config works around it for me.

Offline
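
Added example, not part of any post in this thread: a small POSIX shell helper that reads the stderr of `ssh -v <host>` and reports which key exchange was negotiated and whether the agent refused to sign, so hosts that fail can be compared against hosts that work. The function names and both sample logs are constructed for illustration; the error line is the one quoted in post #1.

```shell
#!/bin/sh
# Added example: correlate the negotiated key exchange with agent signing
# failures. Capture real input with:  ssh -v <host> true 2>host.log
# The sample logs below are constructed, not taken from a real session.

SNTRUP='sntrup761x25519-sha512@openssh.com'

# Read one `ssh -v` log on stdin, print "<kex> <agent-ok|agent-refused>".
classify_ssh_log() {
    awk '
        /^debug1: kex: algorithm: / { kex = $4 }
        /signing failed for .* from agent: agent refused operation/ { refused = 1 }
        END {
            if (kex == "") kex = "unknown"   # no kex line: log too short or not verbose
            print kex, (refused ? "agent-refused" : "agent-ok")
        }'
}

# Succeed only if the log shows the signing failure together with the
# sntrup761 kex, i.e. the case the KexAlgorithms workaround addresses.
matches_workaround() {
    [ "$(classify_ssh_log)" = "$SNTRUP agent-refused" ]
}

# Constructed sample: host where authentication fails.
sample_failing() { cat <<'EOF'
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
sign_and_send_pubkey: signing failed for ED25519 "cardno:xxx" from agent: agent refused operation
EOF
}

# Constructed sample: host where authentication succeeds.
sample_working() { cat <<'EOF'
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: Authentication succeeded (publickey).
EOF
}

echo "failing host: $(sample_failing | classify_ssh_log)"
echo "working host: $(sample_working | classify_ssh_log)"
```

`ssh -G <host>` prints the effective `kexalgorithms` list, which shows whether the `KexAlgorithms` line from post #3 is being applied to that host.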
