As mentioned earlier, I tried both USB and unix-hotplug.
Note that:
ssh-keygen -t ed25519-sk
works on the Incus host. It just fails in the container. This is a YubiKey 5C.
Interestingly, the device shows up but just doesn't seem to be accessible.
Are there udev rules needed?
Should this work?
Is this a permission thing requiring some type of raw.id mapping?
ssh-keygen -t ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=714
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_enroll: failed to find sk
debug1: sshsk_enroll: provider "internal" failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -60
debug3: reap_helper: pid=714
Key enrollment failed: device not found
Apparently only root has permissions. I am completely unable to ssh to the container using the YubiKey. There is some subtle permissions error in all this.
ssh -i ~/.ssh/id_ecdsa_sk 172.16.1.195
sign_and_send_pubkey: signing failed for ECDSA-SK "/home/scott/.ssh/id_ecdsa_sk" from agent: agent refused operation
So, "unix-hotplug" works, but ONLY if the "ssh-keygen -t ed25519-sk" is performed with sudo, which is self-defeating since it is then only on the root account. I tried:
raw.lxc="lxc.apparmor.profile=unconfined"
and
security.privileged=true
thinking those would provide access to the hardware correctly, but that did not work.
incus launch images:ubuntu/24.04 Test
incus config device add Test security-key unix-hotplug vendorid=1050 productid=0407
incus config device set Test security-key mode=0666
The device exists when viewed from inside the container:
scott@Test:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 058f:6366 Alcor Micro Corp. Multi Flash Reader
Bus 001 Device 003: ID 046d:0aaf Logitech, Inc. Yeti X
Bus 001 Device 004: ID 046d:0823 Logitech, Inc. HD Webcam B910
Bus 001 Device 006: ID 0764:0501 Cyber Power System, Inc. CP1500 AVR UPS
Bus 001 Device 007: ID 0bda:5411 Realtek Semiconductor Corp. RTS5411 Hub
Bus 001 Device 008: ID 046d:c016 Logitech, Inc. Optical Wheel Mouse
Bus 001 Device 009: ID 045e:0024 Microsoft Corp. Trackball Explorer
Bus 001 Device 010: ID 0c45:7603 Microdia USB Keyboard
Bus 001 Device 016: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 002: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
However, it’s not reachable:
scott@Test:~$ ssh-keygen -t ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=1088
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_enroll: failed to find sk
debug1: sshsk_enroll: provider "internal" failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -60
debug3: reap_helper: pid=1088
Key enrollment failed: device not found
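The ssh-sk-helper output above only says "0 device(s) detected", which hides the actual reason. libfido2 (the "internal" provider) does not look at the /dev/bus/usb nodes that lsusb reports; it enumerates /dev/hidraw* and must be able to open the matching node read-write as the calling user. The following script is an added diagnostic (not part of this thread, and not an Incus tool): for every hidraw device it reads the kernel's uevent file (which carries `HID_ID=bus:vendor:product` in hex), matches it against the YubiKey's 1050:0407, and then reports the node's owner, mode and whether the current user can actually open it. The SYSFS_ROOT and DEV_ROOT variables are my own addition so the functions can be pointed at a constructed tree; the defaults are the real paths.

```shell
#!/bin/sh
# Added example, not from the original thread or from Incus/OpenSSH.
# Finds the hidraw node(s) behind a given USB vendor:product ID and checks
# whether the *current* user can open them, which is what libfido2 needs.
#
# Assumed variables (added for testability): real sysfs/dev paths by default.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/hidraw}"
DEV_ROOT="${DEV_ROOT:-/dev}"

# hid_id_matches UEVENT_FILE VENDOR PRODUCT
# The HID core writes "HID_ID=%04X:%08X:%08X" (bus:vendor:product) into the
# HID device's uevent file. Strip leading zeros and compare case-insensitively
# against 4-digit hex IDs such as 1050 and 0407. Returns 0 on match.
hid_id_matches() {
    uevent="$1"
    want_vid=$(printf '%s' "$2" | sed 's/^0*//' | tr 'A-Z' 'a-z')
    want_prod=$(printf '%s' "$3" | sed 's/^0*//' | tr 'A-Z' 'a-z')
    hid_id=$(sed -n 's/^HID_ID=//p' "$uevent" 2>/dev/null)
    [ -n "$hid_id" ] || return 1
    vid=$(printf '%s' "$hid_id" | cut -d: -f2 | sed 's/^0*//' | tr 'A-Z' 'a-z')
    prod=$(printf '%s' "$hid_id" | cut -d: -f3 | sed 's/^0*//' | tr 'A-Z' 'a-z')
    [ "$vid" = "$want_vid" ] && [ "$prod" = "$want_prod" ]
}

# find_hidraw_nodes VENDOR PRODUCT
# Prints one line per matching device: "<devnode> <owner:group> <mode> <access>"
# where access is "ok" (current user can open it read-write), "denied", or
# "no-node" (sysfs knows the device but /dev has no node for it, i.e. the
# node was never passed into the container). Returns 1 if nothing matched.
# Note: root passes the -r/-w checks regardless of mode, which is exactly
# why a test as root cannot reproduce the unprivileged user's failure.
find_hidraw_nodes() {
    found=1
    for sysdev in "$SYSFS_ROOT"/hidraw*; do
        [ -e "$sysdev" ] || continue
        name=$(basename "$sysdev")
        node="$DEV_ROOT/$name"
        hid_id_matches "$sysdev/device/uevent" "$1" "$2" || continue
        found=0
        if [ -e "$node" ]; then
            perms=$(stat -c '%U:%G %a' "$node" 2>/dev/null || echo '?:? ?')
            if [ -r "$node" ] && [ -w "$node" ]; then
                access=ok
            else
                access=denied
            fi
        else
            perms="- -"
            access=no-node
        fi
        printf '%s %s %s\n' "$node" "$perms" "$access"
    done
    return $found
}

# Usage inside the container, as the unprivileged user (not as root):
#   find_hidraw_nodes 1050 0407
```

Run it as the same user that runs ssh-keygen. If it prints nothing, no hidraw device with that ID is visible in the container's sysfs at all; "no-node" means the kernel sees the device but the node is missing from the container's /dev; "denied" means the node is there but its owner/mode (as mapped into the container's uid space) does not allow this user to open it.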
I performed the exact same commands (adjusting for my device ID 0407). When I get to the keygen, my device is not found as user ubuntu, only as user root, and yes, I have mode=0666 set.
ubuntu@u1:~$ ssh-keygen -t ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=367
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_enroll: failed to find sk
debug1: sshsk_enroll: provider "internal" failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -60
debug3: reap_helper: pid=367
Key enrollment failed: device not found
ubuntu@u1:~$
Funny, this works great as root. Could there be anything different on the Ubuntu Server at all? I am running the latest Incus 6.1.