Add official support/documentation for ed25519-sk/yubikey

[Hoeze]

Hi, I just setup my first ED25519-SK key and it works great on first login.
However, when I try to login the second time (i.e. after keychain has cached the key), I get the following error message:

sign_and_send_pubkey: signing failed for ED25519-SK "<key dir>/id_ed25519_sk" from agent: agent refused operation
<remote host>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

It would be cool if keychain would cache the PIN but still wait for pressing the yubikey.
Would this be possible?

[Hoeze]

Workaround:
After some investigation, I realized that I can disable -O verify-required and instead encrypt the SSH key as usual. Then only a yubikey touch is required to login.

However, it still does not tell me that I need to touch the yubikey. The SSH command just blocks until I do so.
I assume, the underlying problem is that keychain was started in another terminal and cannot communicate with the terminal that requests the SSH key.

Is there a solution that allows the SSH command to forward STDIN/STDOUT of keychain?

[danielrobbins]

There is a lot of stuff going on in your bug report, and it's hard to tell if it's a bug report or a feature request, or troubleshooting, or a request for assistance (it appears to be all four?)

I am going to relabel this as a request for ed25519-sk/yubikey support in Keychain, which is not explicitly supported, and not covered in documentation, so we can't be sure it's working optimally, and the issue you opened seems to indicate it is not.

[Hoeze]

Please excuse my messy report. Yes, it is a bit of everything.
Let me summarize my current findings:

• FIDO2 resident keys do only work with Keychain if they are not requesting a PIN to unlock.
• If you do not require PIN verification, it works with touching the security device. However, there is no indication (beside the SSH command hanging) that a security device touch is necessary.
• Both issues most likely result from the fact that the Keychain SSH agent cannot send/request user input through the SSH client.
• My workaround is to create the FIDO2 key without PIN verification, but with a passphrase, and then run an application like yubikey-touch-detector that can send a notification if an application requests a security device touch.