I have a number of RPi client sites that I use to ssh into my server from. I want to use a TrustKey FIDO2 passkey to authenticate the ssh access rather than password or passwordless access - this is one way of achieving 2FA.
I have successfully created keypairs for the setup with:
Code:
ssh-keygen -t ecdsa-sk -O resident -O application=ssh:howard@howard.id.au -f ~/.ssh/id_ecdsa_sk_1
using one passkey, and then swapping passkeys and running it on the second key:
Code:
ssh-keygen -t ecdsa-sk -O resident -O application=ssh:howard@howard.id.au -f ~/.ssh/id_ecdsa_sk_2
I run the process twice in order to have a spare passkey in case one gets lost. Both .pub keys are then loaded into ~/.ssh/authorized_keys on the server.
To use the system, I insert a passkey into the USB port on the client; the passkey flashes for 1-2 seconds, then presents a steady light. I then type the string
Code:
ssh howard@howard.id.au
and the light on the passkey again flashes and the prompt is displayed on the screen to touch the sensitive touch pad on the passkey, upon which the ssh session is successfully connected.
This works fine from my office client running RPi 4B, but when I try to run it from a client RPi 400 it doesn't even look at the passkey to find the private key and hence ssh fails to connect. I am assuming that the -O resident option to ssh-keygen has written a copy of the private key to the passkey as well as to the ~/.ssh folder. lsusb shows the passkey to have been found as added hardware. I suspect that there is some software missing from the RPi 400 that is causing the OS to skip searching the passkey, but what?
Just a thought - using the -v option to the ssh command shows that the search for private keys includes a search for ~/.ssh/id_ecdsa_sk. Could it be that these private keys having been named id_ecdsa_sk_1 and id_ecdsa_sk_2 is causing the problem? But on the other hand, why does it find the private files on the passkey in my office but not on the same passkey when out on site? Is there another way to create a "clone" of a passkey?
TIA
Statistics: Posted by hfl — Fri May 03, 2024 8:58 am — Replies 0 — Views 34
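As an added example (not the poster's code), a small POSIX sh helper that writes an ssh_config Host block naming the id_ecdsa_sk_1 / id_ecdsa_sk_2 files explicitly, so ssh tries them even though they are not the default id_ecdsa_sk name, and reports which handle files are missing on a given client; the alias and function names are assumptions, while the host, user and file names come from the post.

```shell
#!/bin/sh
# Added example, not the poster's code: point ssh at non-default FIDO2 key
# file names via an ssh_config Host block, and check which of those key
# files exist on the current client. Host, user and file names are taken
# from the post; the alias and function names are assumed. POSIX sh.

# Print an ssh_config Host block listing each key file explicitly, so ssh
# tries id_ecdsa_sk_1 / id_ecdsa_sk_2 even though they are not default names.
# Usage: sk_config_block <alias> <hostname> <user> <keyfile>...
sk_config_block() {
    alias_="$1"; host_="$2"; user_="$3"; shift 3
    printf 'Host %s\n    HostName %s\n    User %s\n' "$alias_" "$host_" "$user_"
    # Offer only the listed keys, not every key an agent happens to hold.
    printf '    IdentitiesOnly yes\n'
    for key in "$@"; do
        printf '    IdentityFile %s\n' "$key"
    done
}

# Print each key file from the list that is absent on this client, one per
# line, and return 1 if any is missing (0 when all are present). A missing
# handle file is the normal state on a freshly set up client: the resident
# credential on the token can be written out again with `ssh-keygen -K`
# (which produces files named id_ecdsa_sk_rk*, so list those instead).
sk_missing_keys() {
    missing=0
    for key in "$@"; do
        if [ ! -f "$key" ]; then
            printf '%s\n' "$key"
            missing=1
        fi
    done
    return "$missing"
}

# Example run (constructed paths; adjust to the real ~/.ssh directory):
# sk_config_block howard howard.id.au howard \
#     ~/.ssh/id_ecdsa_sk_1 ~/.ssh/id_ecdsa_sk_2 >> ~/.ssh/config
# sk_missing_keys ~/.ssh/id_ecdsa_sk_1 ~/.ssh/id_ecdsa_sk_2
```

With the Host block in place, the "Will attempt key" / "Offering public key" lines from `ssh -v howard@howard.id.au` show whether the client is actually trying those files.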