[fixed] NK3, nitropy, FIDO2, SSH resident keys?

I have SSH resident keys on my Nitrokeys, and I can admin them using Chrome. (Well. I can only remove them, but that’s sufficient for now.)

While nitropy now has a “secrets” subcommand for nk3, that is for OTP. There is no nk3 fido2 subcommand. nk3 secrets also asks me to set a PIN. I already have a FIDO2 PIN, so this seems to be completely separate, using different PINs.

nitropy fido2 list-credentials --pin 1234 falls on its face. Understandable. An NK3 is not a Nitrokey FIDO2 key.

I would like to be able to use nitropy to administer FIDO2. If this is a missing feature, I hope they get a round tuit soon :wink: If not, please enlighten me!

(Nitrokey 3NFC and Nitrokey 3A, both with firmware v1.4.0, nitropy 0.4.36)

nitropy fido2 list-credentials should also work for a Nitrokey 3. But there currently is an issue with keys generated by SSH because it does not set a name for the credential. We will fix this in the next pynitrokey release. You can install it from source if you want to give it a try:

$ pipx install --suffix=-git git+https://github.com/Nitrokey/pynitrokey.git
$ nitropy-git fido2 list-credentials

Thanks for the suggestion. I tried, but got this error:

        × Getting requirements to build wheel did not run successfully.
        │ exit code: 1
        ╰─> [20 lines of output]
            /tmp/pip-build-env-2pjnnu8k/overlay/lib/python3.10/site-packages/setuptools/config/setupcfg.py:293: _DeprecatedConfig: Deprecated config in `setup.cfg`
            !!
      
                    ********************************************************************************
                    The license_file parameter is deprecated, use license_files instead.
      
                    By 2023-Oct-30, you need to update your project and remove deprecated calls
                    or your builds will no longer be supported.
      
                    See https://setuptools.pypa.io/en/latest/userguide/declarative_config.html for details.
                    ********************************************************************************
      
            !!
              parsed = self.parsers.get(option_name, lambda x: x)(value)
            running egg_info
            writing lib3/PyYAML.egg-info/PKG-INFO
            writing dependency_links to lib3/PyYAML.egg-info/dependency_links.txt
            writing top-level names to lib3/PyYAML.egg-info/top_level.txt
            failed to import Cython: /tmp/pip-build-env-2pjnnu8k/overlay/lib/python3.10/site-packages/Cython/Compiler/Scanning.cpython-310-x86_64-linux-gnu.so: failed to map segment from shared object
            error: Cython does not appear to be installed
            [end of output]

I had never heard about Cython before. Looks like a Python compiler, judging from the name and the path. Running pipx install cython:

Same error. Please advise!

Found it. Some time ago, I decided to up the security on /tmp and /var/tmp by mounting them nosuid,nodev,noexec. This is what caused the problem.

nitropy-git is now running OK and nitropy-git fido2 list-credentials works.

OK, now that I can see the SSH keys, I wonder how I can see which sites have WebAuthn entries, e.g. Github. I thought WebAuthn is part of FIDO2, and that nitropy fido2 list-credentials would show them. But then, Chrome doesn’t, either.

This is not possible by design. By default, FIDO2 credentials are non-discoverable. This means that the secret is stored on the server, not on the device (but encrypted with a key that is stored on the device). Only discoverable credentials (also called resident keys) are stored on the device and shown by list-credentials. These are typically used for password-less login, e.g. by Google or Microsoft.

This blog post goes into more detail regarding the different credential types: FIDO2, WebAuthn, Passkeys in 2022 and 2023 | Nitrokey

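To make the answer above concrete, here is an added toy model (not Nitrokey firmware or pynitrokey code) of how an authenticator can serve a non-discoverable credential without storing anything for it: the credential ID handed to the server carries a nonce plus a MAC, and the per-site key is re-derived from the device's master secret on every assertion, so only resident (discoverable) entries ever show up in a list-credentials call. The "ssh:" RP ID is OpenSSH's default application string for FIDO SSH keys; the HMAC-based "signature" stands in for the real ECDSA signature.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class ToyAuthenticator:
    """Simplified model of FIDO2 credential storage (constructed for illustration)."""
    master: bytes = field(default_factory=lambda: os.urandom(32))
    # Resident (discoverable) credentials: rp_id -> (credential_id, private_key)
    resident: dict = field(default_factory=dict)

    def _derive_key(self, rp_id: str, nonce: bytes) -> bytes:
        # Per-site private key is a function of the master secret, RP and nonce.
        return hmac.new(self.master, b"key|" + rp_id.encode() + nonce, hashlib.sha256).digest()

    def _tag(self, rp_id: str, nonce: bytes) -> bytes:
        # MAC binds the credential ID to this device and this RP ID.
        return hmac.new(self.master, b"tag|" + rp_id.encode() + nonce, hashlib.sha256).digest()[:16]

    def make_credential(self, rp_id: str, discoverable: bool = False) -> bytes:
        nonce = os.urandom(16)
        if discoverable:
            cred_id = os.urandom(16)
            self.resident[rp_id] = (cred_id, os.urandom(32))  # key kept on the device
            return cred_id
        # Non-discoverable: nothing is stored; the server keeps this credential ID.
        return nonce + self._tag(rp_id, nonce)

    def list_credentials(self) -> list:
        # Only resident keys are visible, which is what list-credentials shows.
        return sorted(self.resident)

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes) -> bytes:
        entry = self.resident.get(rp_id)
        if entry and entry[0] == cred_id:
            key = entry[1]
        else:
            nonce, tag = cred_id[:16], cred_id[16:]
            if not hmac.compare_digest(tag, self._tag(rp_id, nonce)):
                raise ValueError("credential ID was not issued by this device for this RP")
            key = self._derive_key(rp_id, nonce)  # recovered, never stored
        return hmac.new(key, challenge, hashlib.sha256).digest()
```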

This is an answer like I like it and rarely get. Fast, concise and with a link to more information.

Thank you for that!

I had searched for an article that explains how WebAuthn works. I even found the article you linked to, but only scanned it roughly. I’ll now read it :wink: