Got "agent refused operation" (due to FIDO keys?)

[cuihaoleo]

Hi ssh-askpass stops to work lately. I guess it's probably because I changed to FIDO keys (with Yubikey) but I'm not 100% sure.

This is some environment information before I using ssh:

$ launchctl list | grep ssh
-	0	com.openssh.ssh-agent
-	0	homebrew.mxcl.ssh-askpass
$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners
$ echo $SSH_ASKPASS
/opt/homebrew/opt/ssh-askpass/bin/ssh-askpass

When I do ssh <host> the first time, it asks me for the passphrase. I enter it and touch my yubikey to unlock it, and login successfully:

$ ssh <host>
Enter passphrase for key '/Users/cuih7/.ssh/id_ed25519_sk':

The next time I login, the ssh-askpass GUI pops up. But after clicking on "OK", ssh complaints agent refused operation and fallbacks to password auth:

$ ssh <host>
sign_and_send_pubkey: signing failed for ED25519-SK "/Users/cuih7/.ssh/id_ed25519_sk": agent refused operation
<host>'s password:

$ launchctl list | grep ssh
1073	0	com.openssh.ssh-agent
-	0	homebrew.mxcl.ssh-askpass
$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners
$ echo $SSH_ASKPASS
/opt/homebrew/opt/ssh-askpass/bin/ssh-askpass

Any ideas? Thank you.

[simmel]

Which version are you running? Homebrew will know. On 2 May 2024, at 20:27, CUI Hao ***@***.***> wrote: Hi ssh-askpass stops to work lately. I guess it's probably because I changed to FIDO keys (with Yubikey) but I'm not 100% sure. This is some environment information before I using ssh: $ launchctl list | grep ssh - 0 com.openssh.ssh-agent - 0 homebrew.mxcl.ssh-askpass $ echo $SSH_AUTH_SOCK /private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners $ echo $SSH_ASKPASS /opt/homebrew/opt/ssh-askpass/bin/ssh-askpass When I do ssh <host> the first time, it asks me for the passphrase. I enter it and touch my yubikey to unlock it, and login successfully: $ ssh <host> Enter passphrase for key '/Users/cuih7/.ssh/id_ed25519_sk': The next time I login, the ssh-askpass GUI pops up. But after clicking on "OK", ssh complaints agent refused operation and fallbacks to password auth: $ ssh <host> sign_and_send_pubkey: signing failed for ED25519-SK "/Users/cuih7/.ssh/id_ed25519_sk": agent refused operation <host>'s password: $ launchctl list | grep ssh 1073 0 com.openssh.ssh-agent - 0 homebrew.mxcl.ssh-askpass $ echo $SSH_AUTH_SOCK /private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners $ echo $SSH_ASKPASS /opt/homebrew/opt/ssh-askpass/bin/ssh-askpass Any ideas? Thank you. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[cuihaoleo]

It's 1.5.0.

$ brew info ssh-askpass
==> theseal/ssh-askpass/ssh-askpass: stable 1.5.0
Passphrase dialog for use with OpenSSH in macOS
https://github.com/theseal/ssh-askpass/
Installed
/opt/homebrew/Cellar/ssh-askpass/1.5.0 (5 files, 7.4KB) *
  Built from source on 2024-02-08 at 11:44:00
From: https://github.com/theseal/homebrew-ssh-askpass/blob/HEAD/Formula/ssh-askpass.rb
==> Caveats
NOTE: You will need to run the following to load the SSH_ASKPASS environment variable:
  brew services start ssh-askpass

To restart theseal/ssh-askpass/ssh-askpass after an upgrade:
  brew services restart theseal/ssh-askpass/ssh-askpass

[edmundcraske]

Hi, I'm seeing much the same issue, but I'm not using FIDO keys, just a new ed25519 one which I created. I'm running macOS Sonoma 14.4.1, and using ssh-askpass 1.5.0 as above. Getting the same sign_and_send_pubkey: signing failed for ED25519 "foo" from agent: agent refused operation with confirm enabled for the key via ssh-add -c.

[simmel]

[...] just a new ed25519 one which I created. I'm running macOS Sonoma 14.4.1, and using ssh-askpass 1.5.0 as above.

Like with ssh-keygen -t ed25519?

[edmundcraske]

Like with ssh-keygen -t ed25519?Yes, exactly. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[simmel]

@edmundcraske Your problem is a seperate issue, let's take that in #53.

[simmel]

@cuihaoleo Which ssh-agent are you running? Verify with ps auxww | grep ssh-agent.

I just learned that FIDO2 keys doesn't work with macOS (I patched to 14.5 yesterday and it still doesn't work) built-in ssh-agent, see Yubico's documentation:

macOS does not currently support FIDO2 credentials in the bundled version of OpenSSH, but this feature may be enabled via installing OpenSSH via homebrew.

• So you need to either use ssh-agent from Homebrew
  or
• Use the SSH_SK_PROVIDER workaround mentioned in Bundled version of OpenSSH with macOS Monterey doesn't support FIDO2 yubikeys Yubico/libfido2#464

Looks like Apple will support FIDO2-keys when they upgrade OpenSSH, probably next OS X release. We can only hope.

[cuihaoleo]

You are right. Indeed I'm running /usr/bin/ssh-agent (via the default system service).

My ssh command recognizes FIDO keys because I actually installed openssh from Nix:

$ which ssh
/run/current-system/sw/bin/ssh
$ which ssh-agent
/run/current-system/sw/bin/ssh-agent

If I kill the system ssh-agent and bring the Nix's up, ssh-askpass works as expected:

$ sudo launchctl stop com.openssh.ssh-agent
$ eval $(ssh-agent)
$ ssh kronos.calit2.uci.edu
Enter passphrase for key '/Users/cuih7/.ssh/id_ed25519_sk':
Confirm user presence for key ED25519-SK SHA256:......
User presence confirmed
......
$ ssh kronos.calit2.uci.edu
(ssh-askpass first pops up asking for confirmation, then asks to confirm user presence by touching the key.)

Thank you very much for pointing this out. I think I'll just work it around by starting Nix's ssh-agent. Feel free to close the issue if you determine there is nothing ssh-askpass can do.

[simmel]

Nice, great job! Just out of curiosity: how/why does your nix put it in /run/current-system/sw/?

[cuihaoleo]

Nice, great job! Just out of curiosity: how/why does your nix put it in /run/current-system/sw/?

Oops, sorry for the late reply. That's because I use nix-darwin.

[kssjskkskidk]

Hi ssh-askpass stops to work lately. I guess it's probably because I changed to FIDO keys (with Yubikey) but I'm not 100% sure.

This is some environment information before I using ssh:

$ launchctl list | grep ssh
-	0	com.openssh.ssh-agent
-	0	homebrew.mxcl.ssh-askpass
$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners
$ echo $SSH_ASKPASS
/opt/homebrew/opt/ssh-askpass/bin/ssh-askpass

When I do ssh <host> the first time, it asks me for the passphrase. I enter it and touch my yubikey to unlock it, and login successfully:

$ ssh <host>
Enter passphrase for key '/Users/cuih7/.ssh/id_ed25519_sk':

The next time I login, the ssh-askpass GUI pops up. But after clicking on "OK", ssh complaints agent refused operation and fallbacks to password auth:

$ ssh <host>
sign_and_send_pubkey: signing failed for ED25519-SK "/Users/cuih7/.ssh/id_ed25519_sk": agent refused operation
<host>'s password:

$ launchctl list | grep ssh
1073	0	com.openssh.ssh-agent
-	0	homebrew.mxcl.ssh-askpass
$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.dk9s8NMHKf/Listeners
$ echo $SSH_ASKPASS
/opt/homebrew/opt/ssh-askpass/bin/ssh-askpass

Any ideas? Thank you.