trustcrypto/onlykey-agent

Problem with storing multiple OpenSSH keys in ECC slots

schlomie opened this issue · 2 comments

Environment

Firmware: 2.1.1
OnlyKey App: 5.3.3
onlykey-cli: 1.2.6
onlykey-agent: 1.1.12

Issue

I don't know if this issue is related to

  • The OnlyKey app (not updating/writing to slots)
  • The firmware
  • onlykey-agent not reading the right slot

... but I am happy to move this issue to the correct repo.

But this is the issue:

I've generated two different OpenSSH keys:

$ ssh-keygen -t ed25519 -f 101.key -C "ECC101"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in 101.key
Your public key has been saved in 101.key.pub
The key fingerprint is:
SHA256:HNvgWIJ/egc4xOSWG/7Jrrab0Sekh8KhQJWAcjqIsK0 ECC101
The key's randomart image is:
+--[ED25519 256]--+
|..... .          |
|+ o. = .         |
|=*  . O +        |
|B .  = X =       |
|.o  . B S .      |
|E. o . @ o       |
|  . o = O o      |
|     ..* +       |
|     .=+.        |
+----[SHA256]-----+

and

$ ssh-keygen -t ed25519 -f 102.key -C "ECC102"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in 102.key
Your public key has been saved in 102.key.pub
The key fingerprint is:
SHA256:ePt+xoe+XZlNtJUAAOXPPbD/lYOc6cMLBpnPR27j21k ECC102
The key's randomart image is:
+--[ED25519 256]--+
|       .oo....   |
|        .     . .|
|         . .   .o|
|       .  = +  .o|
|      . S+ + + ..|
|       . .+ = =.=|
|        .  *.% =E|
|         .. @+=.=|
|         .o+oB=+ |
+----[SHA256]-----+

While in config mode, I "successfully" loaded 101.key and 102.key into their respective ECC slots. But when I go to use the keys stored in the slots, only 101.key is usable. In fact, it appears ALL slots return the same 101.key:

$ cat 101.key.pub 102.key.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 ECC101
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETGE/eiAhPohk8KbJ/Go1MXZ74e6XSO5G7OI/CDqbH+ ECC102
$
$ onlykey-agent -sk ECC101 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
$
$ onlykey-agent -sk ECC102 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
$
$ onlykey-agent -sk ECC103 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
$ onlykey-agent -sk ECC104 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
$ onlykey-agent -sk ECC105 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
... 
$ onlykey-agent -sk ECC115 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>
$ onlykey-agent -sk ECC116 user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79 <ssh://user@host|ed25519>

Or, maybe I have entirely the wrong idea about storing multiple keys in select ECC slots?

@schlomie We used to use 101 - 116 for ECC keys but for simplicity this was changed to ECC1 - ECC16 so that both the OnlyKey Agent and App have the same naming:
https://docs.crp.to/onlykey-agent.html#stored-keys


onlykey-agent -sk ECC102 user@host
should be:
onlykey-agent -sk ECC2 user@host

onlykey-agent -sk ECC102 user@host
is actually read by the agent as onlykey-agent -sk ECC1 user@host because ECC102 is not a valid option. We should have an error thrown here, though; I will make a note to add an error when an incorrect slot is selected.
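An added example, not code from onlykey-agent or from either participant, of the strict slot-name check the reply above says is missing, together with a check for the symptom in the report (several slot names answering with one public key). It is written in Python because onlykey-agent is a Python tool. The accepted range ECC1..ECC16 and the legacy 101-116 naming are taken from the reply; the function names (parse_ecc_slot, find_shared_keys, and so on), the case-insensitive matching, and the "fall back to slot 1" behaviour in lenient_slot_lookup are assumptions made here to illustrate the failure mode, not a description of how the agent is implemented.

```python
import re

# Slot names the current naming scheme accepts: ECC1 .. ECC16 (from the reply above).
ECC_SLOT_MIN, ECC_SLOT_MAX = 1, 16
# Legacy scheme mentioned in the reply: 101 .. 116 referred to the same 16 slots.
# Assumption: legacy name N corresponds to current slot N - 100.
LEGACY_OFFSET = 100
_ECC_SLOT_RE = re.compile(r"^ECC(\d+)$")


class InvalidSlotError(ValueError):
    """Raised for any name that is not exactly ECC1..ECC16."""


def parse_ecc_slot(name):
    """Return the slot number (1..16) for a name such as 'ECC2'.

    Anything else raises InvalidSlotError instead of silently selecting a
    different key.  The legacy 'ECC102' spelling gets a hint pointing at 'ECC2'.
    Matching is case-insensitive (assumption, for convenience).
    """
    m = _ECC_SLOT_RE.match(name.strip().upper())
    if not m:
        raise InvalidSlotError(f"{name!r} is not a stored-key slot; expected ECC1..ECC16")
    num = int(m.group(1))
    if ECC_SLOT_MIN <= num <= ECC_SLOT_MAX:
        return num
    hint = ""
    legacy = num - LEGACY_OFFSET
    if ECC_SLOT_MIN <= legacy <= ECC_SLOT_MAX:
        hint = f"; the old name ECC{num} is now ECC{legacy}"
    raise InvalidSlotError(f"{name!r} is outside ECC1..ECC16{hint}")


def slot_error(name):
    """Error text for an invalid name, or None when the name is valid."""
    try:
        parse_ecc_slot(name)
    except InvalidSlotError as exc:
        return str(exc)
    return None


def lenient_slot_lookup(name):
    """Hypothetical lenient behaviour, NOT the agent's code: any unrecognised
    name falls back to slot 1.  This reproduces the report's symptom (ECC102,
    ECC103, ... all yield the slot-1 key) and shows why strict parsing matters:
    the caller believes it authenticated with one key and actually used another."""
    try:
        return parse_ecc_slot(name)
    except InvalidSlotError:
        return ECC_SLOT_MIN


def key_blob(pubkey_line):
    """Second field of an OpenSSH public-key line: the base64 key material.
    Comments and agent-added suffixes are ignored so equal keys compare equal."""
    return pubkey_line.split()[1]


def find_shared_keys(slot_to_pubkey):
    """Map each public key served by more than one slot to the sorted slot names.
    An empty result means every queried slot answered with a distinct key."""
    by_blob = {}
    for slot, line in slot_to_pubkey.items():
        by_blob.setdefault(key_blob(line), []).append(slot)
    return {blob: sorted(slots) for blob, slots in by_blob.items() if len(slots) > 1}


# Constructed sample modelled on the report: the slot-1 key comes back for every
# legacy name, because none of them parses as a valid slot.
KEY_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXjkzBVWpexS1Ro9OC4MOj5ekAh2Veh+TpIkp371w79"
KEY_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETGE/eiAhPohk8KbJ/Go1MXZ74e6XSO5G7OI/CDqbH+"
REPORTED = {
    "ECC101": KEY_1 + " <ssh://user@host|ed25519>",
    "ECC102": KEY_1 + " <ssh://user@host|ed25519>",
    "ECC103": KEY_1 + " <ssh://user@host|ed25519>",
}
# The same check after switching to the current names: distinct keys, nothing flagged.
CORRECTED = {
    "ECC1": KEY_1 + " <ssh://user@host|ed25519>",
    "ECC2": KEY_2 + " <ssh://user@host|ed25519>",
}

if __name__ == "__main__":
    for name in ("ECC2", "ECC102", "ECC17", "ECC"):
        err = slot_error(name)
        verdict = f"slot {parse_ecc_slot(name)}" if err is None else f"rejected ({err})"
        print(f"{name}: strict -> {verdict}; lenient -> slot {lenient_slot_lookup(name)}")
    print("shared keys (reported):", find_shared_keys(REPORTED))
    print("shared keys (corrected):", find_shared_keys(CORRECTED))
```

A quick way to apply find_shared_keys in practice is to run `onlykey-agent -sk ECCn user@host` for each slot you loaded, collect the printed lines per slot name, and feed that mapping in; any group in the result means two names are resolving to one key and the slot names (or the slot contents) need a second look.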

Oh geez. I skipped right over that and certainly didn't grok it. Yeah, this makes so much more sense.

Thanks and apologies!