fix: gracefully decline signing requests for security keys (sk)#326
Closed
aldoborrero wants to merge 1 commit intodoy:mainfrom
Closed
fix: gracefully decline signing requests for security keys (sk)#326aldoborrero wants to merge 1 commit intodoy:mainfrom
aldoborrero wants to merge 1 commit intodoy:mainfrom
Conversation
The SSH agent cannot perform signing operations for FIDO2/security keys (ed25519-sk, ecdsa-sk) since these require physical hardware interaction (user presence/touch). Previously, the agent would attempt to find a matching private key and fail with an unhelpful error, which also caused issues with SSH agent multiplexers. Now the agent checks for sk key types early in the sign handler and returns SSH_AGENT_FAILURE immediately, allowing the SSH client to fall back to another agent or direct hardware access. Fixes doy#281
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ed25519-sk,ecdsa-sk) early in the SSH agent'ssignhandlerSkEd25519andSkEcdsaSha2NistP256key types and returnsSSH_AGENT_FAILUREimmediatelyMotivation
When
SSH_AUTH_SOCKpoints to rbw's agent (or an agent multiplexer that includes rbw), SSH connections using hardware security keys fail with "agent refused operation" instead of falling through to the hardware. This is because rbw's agent tries to handle the sign request instead of declining it, which prevents the SSH client from trying alternative signing methods.This is the same behavior as OpenSSH's
ssh-agent, which silently declines requests for key types it cannot handle.Test plan
ed25519-skkey) throughssh-agent-muxcombining system ssh-agent + rbw agentcargo checkpasses with no warningsFixes #281
🤖 Generated with Claude Code