# Fail to generate resident key at YubiKey 5 Nano on FreeBSD 14.2 with ssh-keygen (inspired by #232)
## Introduction
In this article, we will explore the issue of failing to generate a resident key on a YubiKey 5 Nano on FreeBSD 14.2 using the `ssh-keygen` command. This problem has been reported on multiple systems with the same library versions, and we will investigate the possible causes and solutions.
## Problem Description
The problem occurs when trying to generate a resident key on a YubiKey 5 Nano using the following command:
```bash
FIDO_DEBUG=1 ssh-keygen -t ed25519-sk -O no-touch-required -O resident -O user=username -O device=/dev/hidraw4 -O application=ssh:test25519r -C "Strong SSH-resident keys for test"
```
The command hangs and does nothing, and touching the YubiKey prints YubiOTP (as set by default).
## System Information
The system information is as follows:
- FreeBSD version: 14.2-RELEASE releng/14.2-n269506
- libfido2 version: 1.15.0
- YubiKey model: YubiKey 5 Nano
## Debug Output
The command was run with `FIDO_DEBUG=1` to capture libfido2's debug output:
```bash
% FIDO_DEBUG=1 ssh-keygen -t ed25519-sk -O no-touch-required -O resident -O user=username -O device=/dev/hidraw4 -O application=ssh:test25519r -C "Strong SSH-resident keys for test"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
```
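Decoding the first two `rx_preamble` reports from this page's log shows what the authenticator answered before the command stalled. This is an added example, not part of the original report or of libfido2; the packet layout follows the CTAPHID specification, and the function and dictionary names are illustrative.

```python
import struct

# Two 64-byte HID reports copied from rx_preamble lines in this page's log.
INIT_RX = bytes.fromhex(
    "ff ff ff ff 86 00 11 ad 6b c3 e2 93 cb c3 3b 94 "
    "35 01 40 02 05 04 03 05" + " 00" * 40)
CBOR_RX = bytes.fromhex(
    "94 35 01 40 90 00 c8 00 ac 01 83 66 55 32 46 5f "
    "56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f "
    "5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50 "
    "72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72")

CMDS = {0x03: "MSG", 0x06: "INIT", 0x10: "CBOR", 0x3B: "KEEPALIVE", 0x3F: "ERROR"}
CAPS = {0x01: "WINK", 0x04: "CBOR", 0x08: "NMSG"}


def parse_init_packet(report: bytes) -> dict:
    """Split a CTAPHID initialization packet: CID | CMD | BCNT | data."""
    if len(report) != 64:
        raise ValueError("expected a 64-byte HID report")
    cid, cmd, bcnt = struct.unpack(">IBH", report[:7])
    if not cmd & 0x80:
        raise ValueError("continuation packet, not an initialization packet")
    data = report[7:7 + bcnt]  # at most 57 payload bytes fit in the first report
    return {"cid": f"{cid:08x}", "cmd": CMDS.get(cmd & 0x7F, hex(cmd & 0x7F)),
            "bcnt": bcnt, "data": data, "missing": bcnt - len(data)}


def decode_init_response(data: bytes) -> dict:
    """Decode the 17-byte CTAPHID_INIT response payload."""
    if len(data) != 17:
        raise ValueError("CTAPHID_INIT response must be 17 bytes")
    nonce, cid, proto, major, minor, build, caps = struct.unpack(">8sI5B", data)
    return {"nonce": nonce.hex(), "assigned_cid": f"{cid:08x}",
            "protocol": proto, "device_version": f"{major}.{minor}.{build}",
            "capabilities": sorted(n for bit, n in CAPS.items() if caps & bit)}


if __name__ == "__main__":
    init = parse_init_packet(INIT_RX)
    print(init["cmd"], decode_init_response(init["data"]))
    cbor = parse_init_packet(CBOR_RX)
    print(cbor["cmd"], "bcnt", cbor["bcnt"], "status", hex(cbor["data"][0]),
          "bytes still to come:", cbor["missing"])
```

The INIT reply echoes the nonce sent in the first `fido_tx`, and the CBOR reply to the one-byte `04` request starts with status byte `0x00`, so the device node was reachable and answered both requests before the hang.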
# Q&A: Fail to generate resident key at YubiKey 5 Nano on FreeBSD 14.2 with ssh-keygen (inspired by #232)
## Q: What is the problem with generating a resident key at a YubiKey 5 Nano on FreeBSD 14.2 using ssh-keygen?
A: The problem occurs when trying to generate a resident key on a YubiKey 5 Nano using the `ssh-keygen` command with the `-t ed25519-sk` option. The command hangs and does nothing, and touching the YubiKey prints YubiOTP (as set by default).
## Q: What are the system requirements for this problem to occur?
A: The system requirements for this problem to occur are:
* FreeBSD version: 14.2-RELEASE releng/14.2-n269506
* libfido2 version: 1.15.0
* YubiKey model: YubiKey 5 Nano
## Q: What is the debug output for this problem?
A: The debug output for this problem is as follows:
```bash
% FIDO_DEBUG=1 ssh-keygen -t ed25519-sk -O no-touch-required -O resident -O user=username -O device=/dev/hidraw4 -O application=ssh:test25519r -C "Strong SSH-resident keys for test"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
fido_tx: dev=0x450908c21000, cmd=0x06
fido_tx: buf=0x450908c21000, len=8
0000: ad 6b c3 e2 93 cb c3 3b
fido_rx: dev=0x450908c21000, cmd=0x06, ms=-1
rx_preamble: buf=0x22ac92f61ed0, len=64
0000: ff ff ff ff 86 00 11 ad 6b c3 e2 93 cb c3 3b 94
0016: 35 01 40 02 05 04 03 05 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=17
fido_rx: buf=0x450908c21008, len=17
0000: ad 6b c3 e2 93 cb c3 3b 94 35 01 40 02 05 04 03
0016: 05
fido_dev_get_cbor_info_tx: dev=0x450908c21000
fido_tx: dev=0x450908c21000, cmd=0x10
fido_tx: buf=0x22ac92f61f0f, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x450908c210, ci=0x450908c1a300, ms=-1
fido_rx: dev=0x450908c21000, cmd=0x10, ms=-1
rx_preamble: buf=0x22ac92f61e80, len=64
0000: 94 35 01 40 90 00 c8 00 ac 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=200
rx: buf=0x22ac92f61e80, len=64
0000: 94 35 01 40 00 65 74 03 50 ee 88 28 79 72 1c 49
0016: 13 97 75 3d fc ce 97 07 2a 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f5 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x22ac92f61e80, len=64
0000: 94 35 01 40 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 b0 06 82 02 01 07 08 08 18 80 09 81 63
0032: 75 73 62 0a 82 a2 63 61 6c 67 26 64 74 79 70 65
0048: 6a 70 75 62 6c 69 63 2d 6b 65 79 a2 63 61 6c 67
rx: buf=0x22ac92f61e80, len=64
0000: 94 35 01 40 02 27 64 74 79 70 65 6a 70 75 62 6c
0016: 69 63 2d 6b 65 79 0d 04 0e 1a 00 05 04 03 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x450908c26000, len=200
0000: 00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 ee 88 28
0064: 79 72 1c 49 13 97 75 3d fc ce 97 07 2a 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f5 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 b0 06 82 02 01 07 08 08 18 80 09 81 63 75
0144: 73 62 0a 82 a2 63 61 6c 67 26 64 74 79 70 65 6a
0160: 70 75 62 6c 69 63 2d 6b 65 79 a2 63 61 6c 67 27
0176: 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79
0192: 0d 04 0e 1a 00 05 04 03
fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
fido_dev_get_cbor_info_tx: dev=0x450908c21000
fido_tx: dev=0x450908c21000, cmd=0x10
fido_tx: buf=0x450908c9e300, len=59
0000: 02 a3 01 6e 73 73 68 3a 74 65 73 74 32