[fixed] NK3, nitropy, FIDO2, SSH resident keys?

I have SSH resident keys on my Nitrokeys, and I can admin them using Chrome. (Well. I can only remove them, but that’s sufficient for now.)

While nitropy now has a “secrets” subcommand for nk3, that is for OTP. There is not nk3 fido2 subcommand. nk3 secrets also asks me so set a pin. I already have a FIDO2 pin, so this seems to be completely separate, using different PINs.

nitropy fido2 list-credentials --pin 1234 falls on its face. Understandable. An NK3 is not a Nitrokey FIDO2 key.

I would like to be able to use nitropy to administer FIDO2. If this is a missing feature, I hope they get a round tuit soon :wink: If not, please enlighten me!

(Nitrokey 3NFC and Nitrokey 3A, both with firmware v1.4.0, nitropy 0.4.36)

nitropy fido2 list-credentials should also work for a Nitrokey 3. But there currently is an issue with keys generated by SSH because it does not set a name for the credential. We will fix this in the next pynitrokey release. You can install it from source if you want to give it a try:

$ pipx install --suffix=-git git+https://github.com/Nitrokey/pynitrokey.git
$ nitropy-git fido2 list-credentials

Thanks for the suggestion. I tried, but got this error:

        × Getting requirements to build wheel did not run successfully.
        │ exit code: 1
        ╰─> [20 lines of output]
            /tmp/pip-build-env-2pjnnu8k/overlay/lib/python3.10/site-packages/setuptools/config/setupcfg.py:293: _DeprecatedConfig: Deprecated config in `setup.cfg`
                    The license_file parameter is deprecated, use license_files instead.
                    By 2023-Oct-30, you need to update your project and remove deprecated calls
                    or your builds will no longer be supported.
                    See https://setuptools.pypa.io/en/latest/userguide/declarative_config.html for details.
              parsed = self.parsers.get(option_name, lambda x: x)(value)
            running egg_info
            writing lib3/PyYAML.egg-info/PKG-INFO
            writing dependency_links to lib3/PyYAML.egg-info/dependency_links.txt
            writing top-level names to lib3/PyYAML.egg-info/top_level.txt
            failed to import Cython: /tmp/pip-build-env-2pjnnu8k/overlay/lib/python3.10/site-packages/Cython/Compiler/Scanning.cpython-310-x86_64-linux-gnu.so: failed to map segment from shared object
            error: Cython does not appear to be installed
            [end of output]

I never heard about Cython before. Looks like a Python compiler, judging from the name and the path. Running pipx install cython

Same error. Please advise!
Found it. Some time ago, I decided to up the security on /tmp and /var/tmp by mounting them nosuid,nodev,noexec. This is what caused the problem.

nitropy-git is now running OK and nitropy-git fido2 list-credentials works.

OK, now that I can see the SSH keys, I wonder how I can see which sites have WebAuthn entries, e.g. Github. I thought WebAuthn is part of FIDO2, and that nitropy fido2 list-credentials would show them. But then, Chrome doesn’t, either.

This is not possible by design. Per default, FIDO2 credentials are non-discoverable. This means that the secret is stored on the server, not on the device (but encrypted with a key that is stored on the device). Only discoverable credentials (also called resident keys) are stored on the device and shown by list-credentials. These are typically used for password-less login, e. g. by Google or Microsoft.

This blog post goes into more detail regarding the different credential types: FIDO2, WebAuthn, Passkeys in 2022 and 2023 | Nitrokey


This is an answer like I like it and rarely get. Fast, concise and with a link to more information.

Thank you for that!

I had searched for an article that explains how WebAuthn works. I even found the article you linked to, but only scanned it roughly. I’ll now read it :wink: