yubikey-agent
IdentityAgent option has no effect
The README recommends using IdentityAgent
in your SSH client config.
So my SSH config would look like this:
IdentitiesOnly yes
Host github.com
IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock
Host *
User ubuntu
IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock
But this doesn't work...
SSH client logs:
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
ubuntu@host: Permission denied (publickey).
yubikey-agent logs:
2022/04/27 14:33:40 Connecting to the YubiKey...
2022/04/27 14:33:50 agent 27: ssh: parse error in message type 27
Version:
$ ssh -V
OpenSSH_9.0p1, OpenSSL 1.1.1n 15 Mar 2022
Workaround
If I create a file containing the public key in the YubiKey and set my SSH config to this:
IdentitiesOnly yes
Host github.com
IdentityFile ~/.ssh/id_yk.pub
Host *
User ubuntu
IdentityFile ~/.ssh/id_yk.pub
I can successfully SSH to a server after touching my YubiKey.
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
...
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-1039-aws x86_64)
@bguerout fyi maybe this workaround will work for you
@cedws I had the same problem; it is because of IdentitiesOnly yes.
From man ssh_config
IdentityFile
Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA
authentication identity is read. The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for
authentication unless IdentitiesOnly is set. If no certificates have been explicitly specified by CertificateFile, ssh(1)
will try to load certificate information from the filename obtained by appending -cert.pub to the path of a specified
IdentityFile.
Arguments to IdentityFile may use the tilde syntax to refer to a user's home directory or the tokens described in the TOKENS
section.
It is possible to have multiple identity files specified in configuration files; all these identities will be tried in
sequence. Multiple IdentityFile directives will add to the list of identities tried (this behaviour differs from that of
other configuration directives).
IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during
authentication. IdentityFile may also be used in conjunction with CertificateFile in order to provide any certificate also
needed for authentication with the identity.
The significant bits are:
- Additionally, any identities represented by the authentication agent will be used for authentication unless IdentitiesOnly is set.
- IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentication
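One way to catch this misconfiguration mechanically, as an added example that is not part of yubikey-agent or of this thread: a small Python lint that resolves an ssh_config for a host the way ssh does (first value obtained wins, IdentityFile accumulates) and flags hosts where IdentitiesOnly yes plus IdentityAgent leaves no key to offer. The sample config and the ~/.ssh/id_yk.pub path are taken from the issue; negated Host patterns and Match blocks are not handled.

```python
# Added lint for the IdentitiesOnly/IdentityAgent interaction (example code).
import fnmatch
import re

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {key: [values]}) blocks.
    Directives before the first Host line land in a leading '*' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), []).append(value)
    return blocks

def effective_options(blocks, host):
    """Resolve options for host as ssh does: the first value obtained wins,
    except IdentityFile, which accumulates across every matching block."""
    opts = {}
    for patterns, directives in blocks:
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, values in directives.items():
            if key == "identityfile":
                opts.setdefault(key, []).extend(values)
            else:
                opts.setdefault(key, values[0])
    return opts

def lint_agent_identities(text, host):
    """Return a finding when IdentitiesOnly yes would hide every agent key
    (IdentityAgent set, no IdentityFile naming a key), else None."""
    opts = effective_options(parse_ssh_config(text), host)
    if (opts.get("identitiesonly", "no").lower() == "yes"
            and "identityagent" in opts and not opts.get("identityfile")):
        return f"{host}: IdentitiesOnly yes, IdentityAgent set, no IdentityFile"
    return None

# Constructed samples: the issue's failing config and a corrected variant.
BROKEN = """IdentitiesOnly yes
Host *
  User ubuntu
  IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock
"""
FIXED = BROKEN.replace("Host *\n", "Host *\n  IdentityFile ~/.ssh/id_yk.pub\n")
```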