Unreliable output from onlykey-agent #496

Open
mavaa opened this issue Dec 12, 2024 · 5 comments
mavaa commented Dec 12, 2024

I'm having an issue with my onlykey (duo) when using it as an ssh key provider:

[Image: ok_issue]

(I've redacted what I hope I should to not leak any unwanted information about my device, but I'm willing to send a more complete output privately if needed)

In the picture, the first time I run onlykey-agent, I get the expected public key from the device, and can usually also sign with it for ssh and git operations. However, the next three times I try to run it, the "received=" and "Received Public Key" lines don't output the expected bytes, as you can also see in the final printed public key. This seems to happen more or less at random, and I haven't figured out any better pattern/workaround than to unplug/plug in my onlykey until it works reliably. It seems like once it goes "stable" enough, it works fine without failure until I unplug it again. Writing this now, I'm realizing it might be a hardware issue as well, but I still wanted to ask if there's an obvious issue at play here?

If it's relevant, I'm using the latest version from master, "installed" into a venv by using the following script:

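#!/usr/bin/env bash
# Install trezor-agent from master, plus the trezor and onlykey agents, into a venv.

TZDIR="$HOME/src/tools/trezor-agent"
REPOURL="https://github.com/romanz/trezor-agent"
REPODIR="$TZDIR/repo"
VENVDIR="$TZDIR/venv"

# Create the base directory on first run.
if [[ ! -d "$TZDIR" ]]; then
    echo "Creating $TZDIR"
    mkdir -p "$TZDIR"
fi

# Clone the repository if it is not there yet.
if [[ ! -d "$REPODIR" ]]; then
    git clone "$REPOURL" "$REPODIR"
fi

# Update the checkout to the latest upstream commit.
if [[ -d "$REPODIR" ]]; then
    (cd "$REPODIR" && git pull)
fi

# Create the venv if it does not exist.
if [[ ! -d "$VENVDIR" ]]; then
    python -m venv "$VENVDIR"
fi

# Install the agents in editable mode inside the venv.
if [[ -d "$VENVDIR" ]]; then
    source "$VENVDIR/bin/activate"
    pip install --upgrade pip
    pip install --upgrade Cython hidapi
    pip install -e "$REPODIR"
    pip install -e "$REPODIR/agents/trezor"
    pip install -e "$REPODIR/agents/onlykey"
    pip install --upgrade pynvim
else
    echo "Something is wrong with the venv dir $VENVDIR"
fi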
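
Because the printed key differed between runs in the report above, a key taken from a single run is worth checking before it is added to `authorized_keys`. The following is an added example (not part of the original issue or of the trezor-agent / onlykey-agent code): it parses each run's output, checks that it is a well-formed ed25519 key, and compares its fingerprint with one pinned from a known-good run. It assumes the agent prints a standard OpenSSH `ssh-ed25519 <base64> <comment>` line; `make_line` and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

ALGO = b"ssh-ed25519"

def _read_string(blob, offset):
    """Read one uint32-length-prefixed string from an SSH wire blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end

def parse_ed25519_line(line):
    """Return (raw 32-byte key, SHA256 fingerprint) or raise ValueError."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != ALGO.decode():
        raise ValueError("not an ssh-ed25519 public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64") from exc
    algo, off = _read_string(blob, 0)
    key, off = _read_string(blob, off)
    if algo != ALGO or len(key) != 32 or off != len(blob):
        raise ValueError("malformed ed25519 key blob")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key, fp

def check_runs(lines, pinned_fp):
    """Classify each run's output as 'ok', 'mismatch' or 'malformed'."""
    verdicts = []
    for line in lines:
        try:
            _, fp = parse_ed25519_line(line)
        except ValueError:
            verdicts.append("malformed")
            continue
        verdicts.append("ok" if fp == pinned_fp else "mismatch")
    return verdicts

def make_line(key, comment="<ssh://user@example.invalid|ed25519>"):
    """Build a constructed sample line (stands in for real agent output)."""
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (ALGO, key))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)
```

A "mismatch" verdict is the case that matters here: the output is a structurally valid key, so only the comparison against the pinned fingerprint reveals that it is not the expected one.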

Author

mavaa commented Dec 12, 2024

Probably/maybe not relevant, but I can still use my onlykey as a 2-factor login device on github.com through my web browser, while it's in the "state" where onlykey-agent produces invalid public keys.

Author

mavaa commented Dec 12, 2024

(Sorry for using this as my personal debugging space...)

I realized that the official documentation points to this package, so I installed that instead:

➜ onlykey-agent -v -e ed25519 [email protected]
2024-12-12 13:50:04,966 INFO         identity #0: <ssh://[email protected]|ed25519>                                                        [__init__.py:287]
2024-12-12 13:50:04,994 ERROR        failed to connect                                                                                    [client.py:279]
Traceback (most recent call last):
  File "/external/martin/src/tmpvenv/venv/lib/python3.12/site-packages/onlykey/client.py", line 270, in _connect
    self._hid.open_path(self.path)
  File "hid.pyx", line 158, in hid.device.open_path
OSError: open failed
2024-12-12 13:50:06,500 ERROR        failed to connect                                                                                    [client.py:279]
Traceback (most recent call last):
  File "/external/martin/src/tmpvenv/venv/lib/python3.12/site-packages/onlykey/client.py", line 270, in _connect
    self._hid.open_path(self.path)
  File "hid.pyx", line 158, in hid.device.open_path
OSError: open failed
2024-12-12 13:50:08,005 ERROR        failed to connect                                                                                    [client.py:279]
Traceback (most recent call last):
  File "/external/martin/src/tmpvenv/venv/lib/python3.12/site-packages/onlykey/client.py", line 270, in _connect
    self._hid.open_path(self.path)
  File "hid.pyx", line 158, in hid.device.open_path
OSError: open failed
2024-12-12 13:50:09,509 ERROR        failed to connect                                                                                    [client.py:279]
Traceback (most recent call last):
  File "/external/martin/src/tmpvenv/venv/lib/python3.12/site-packages/onlykey/client.py", line 270, in _connect
    self._hid.open_path(self.path)
  File "hid.pyx", line 158, in hid.device.open_path
OSError: open failed
2024-12-12 13:50:11,014 ERROR        failed to connect                                                                                    [client.py:279]
Traceback (most recent call last):
  File "/external/martin/src/tmpvenv/venv/lib/python3.12/site-packages/onlykey/client.py", line 270, in _connect
    self._hid.open_path(self.path)
  File "hid.pyx", line 158, in hid.device.open_path
OSError: open failed
2024-12-12 13:50:12,515 ERROR        Connection error (try unplugging and replugging your device): {} not connected: "{}"                 [__init__.py:187]

~/src/tmpvenv via tmpvenv took 7.8s …
➜ onlykey-agent -v -e ed25519 [email protected]
2024-12-12 13:50:16,057 INFO         identity #0: <ssh://[email protected]|ed25519>                                                        [__init__.py:287]
2024-12-12 13:50:16,093 INFO         Requesting public key from key slot =132                                                             [onlykey.py:164]
2024-12-12 13:50:16,093 INFO         Identity to hash =b'[email protected]'                                                                [onlykey.py:178]
2024-12-12 13:50:16,093 INFO         Identity hash =...                      [onlykey.py:182]
2024-12-12 13:50:16,094 INFO         curve name= 'ed25519'                                                                                [onlykey.py:198]
2024-12-12 13:50:16,402 INFO         received= [...] [onlykey.py:209]
2024-12-12 13:50:16,402 INFO         Received Public Key generated by OnlyKey= '...' [onlykey.py:216]
2024-12-12 13:50:16,402 INFO         vk= <nacl.signing.VerifyKey object at 0x...>                                                [onlykey.py:219]
2024-12-12 13:50:16,402 INFO         disconnected from OnlyKey                                                                            [onlykey.py:139]
[Correct key printed]

(Redacted some stuff here as well)

Once I've run the agent once with the repeated "failed to connect" error, I can rerun it, and everything works fine, and after this the agent from this repo also works fine. Judging from the open #303 issue, I'm assuming the onlykey support isn't fully in place yet? If so, I can live just fine with the other version, just having to go through the error before it works.

Author

mavaa commented Dec 18, 2024

cc @onlykey, hope that's okay

Contributor

onlykey commented Dec 18, 2024

@mavaa The version of onlykey-agent here just supports derived keys; we haven't had any reports of that not working. The version linked to in our docs also supports stored ECC and RSA keys.

Author

mavaa commented Dec 20, 2024

Is onlykey-agent -v -e ed25519 [email protected] and onlykey-agent -v -e ed25519 [email protected] -- git pull not using derived keys?

The error output from my previous message with repeated OSError: open failed happens with your onlykey-agent version.
