Failing authentication for jj git fetch ... / jj git clone ... / etc. with a FIDO2 (resident) key
#4591
Labels
🐛bug
Something isn't working
Comments
I'm experiencing almost the same behaviour on Arch Linux; I'm never prompted to touch the key and the error is slightly different. I do not have the PIN enabled, just touch. Versions:
Read around some more and realised this might be a duplicate of #2958. Switching to OpenSSH via #3191 fixed it!
Description
I know, I might have encountered a very special and specific scenario.
Nevertheless, I can't get any git remote command to work properly.
For SSH authentication, I'm using a Yubikey using a FIDO2 resident key.
In particular, the key was generated using the following command:
ssh-keygen -t ed25519-sk -O resident -O user=git -O application=ssh:git -O verify-required
As I read on several occasions, the verify-required option can sometimes cause problems (it not only requires touch but also the entry of a PIN), so I also tried without:
ssh-keygen -t ed25519-sk -O resident -O user=git -O application=ssh:git
After that also didn't work, I tried a non-resident key with
ssh-keygen -t ed25519-sk -O user=git -O application=ssh:git
still to no avail.
In every scenario, the key was present at ~/.ssh/id_ed25519_sk and present in the ssh-agent confirmed using ssh-add -L.
Each time I get prompted for touching the hardware token (or in case of verify-required also for the PIN) without issue but then it fails with
Of course I also tried the mentioned command:
ssh -F /dev/null [email protected] -vv
without any issues.
It should also go without saying that doing things like git fetch or git pull work without any issues.
Executing jj with the --debug flag produces the following output
As everything works with git and even non-resident keys don't work with jj I'm assuming that the ed25519-sk format might somehow be the culprit?
It's weird as in my experience, a non-support of this SSH feature normally results in nothing working at all, but in this case, with jj the PIN entry opens, and I'm able to touch the key.
I also researched in the libssh2 repo, but every related issue I could find regarding FIDO2 and the key format has apparently been resolved and closed.
It is probably also worth noting that signing with this kind of SSH key is apparently working fine, as jj git init --colocate prompted me for my PIN/touch a couple of times and then successfully completed.
Thank you for your awesome work, I hope I will soon come to enjoy this remarkable piece of work.
Steps to Reproduce the Problem
ed25519-sk key with a hardware security key using ssh-keygen
~/.ssh/ directory with the default name (id_ed25519_sk/id_ed25519_sk.pub)
ssh-agent using ssh-add (ssh-add ~/.ssh/id_ed25519_sk)
id_ed25519_sk.pub to your GitHub account as an Authentication key
jj git fetch
jj fail
Expected Behavior
jj should successfully authenticate against the git server (GitHub in this instance) and be able to push, pull and clone without issue.
Actual Behavior
jj fails without any hints of why it fails after the user already confirmed their presence.
Locating the key in the ssh-agent, as well as the key file itself, seemed to be successful.
Specifications
git and openssh are installed separately as the ssh version bundled with git on Windows is too outdated to properly support FIDO2)
jj version 0.22.0, both from scoop and cargo with same result