mosh does not ask to confirm user presence when authenticating with a FIDO2 security key

[habur]

the components

Server:

• Gentoo Linux 2.17
• mosh 1.4.0 [build mosh 1.4.0]
• OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025
• Linux 6.12.31-gentoo # 1 SMP PREEMPT_DYNAMIC Sun Jun 22 11:12:27 CEST 2025 x86_64 Intel(R) Core(TM) i5-9300H CPU @ 2.40GHz GenuineIntel GNU/Linux

Client:

• macOS 15.5 (24F74)
• mosh 1.4.0 [build mosh 1.4.0]
• OpenSSH_9.9p2, OpenSSL 3.5.0 8 Apr 2025
• Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:49 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6000 arm64

Authentication method: ed25519-sk using a YubiKey 5C NFC FW 5.4.3

the setup

1. create a pseudo-keypair for a FIDO2 Security Key using ssh-keygen -t ed25519-sk
2. copy public key to host
3. (configure ssh to use said pseudo-private key if necessary; to test run ssh <host>)
4. run mosh <host>
5. (confirm presence by touching button on security key to make sure authentication itself works)

the problem

expected outcome: mosh asks to confirm user presence like ssh does: Confirm user presence for key ED25519-SK SHA256:<fingerprint>
actual outcome: nothing on the command line. Authentication still works if presence is confirmed anyhow.

Addenda

1. running the commands manually yields the expected results
2. the issue is not limited to the platforms mentioned above, the same thing happens with Gentoo as the client and Debian as the server platform.

[achernya]

Mosh just shells out to say for initial authentication. It shouldn't even be filtering the contents of what ssh prints. You should try manually running the same underlying commands that the mosh launcher perl script runs, and seeing if this reproduces.

[habur]

Mosh just shells out to say for initial authentication. It shouldn't even be filtering the contents of what ssh prints. You should try manually running the same underlying commands that the mosh launcher perl script runs, and seeing if this reproduces.

I added a line to print @exec_argv to the console, took the output (ssh -n -tt -S none -o ProxyCommand="./mosh --family=prefer-inet --fake-proxy -- %h %p" <hostname> -- mosh-server new -c 256 -s -l \'LC_CTYPE=UTF-8\'MOSH IP <ip addr>) and ran it.
Here's the (redacted) output:

Confirm user presence for key ED25519-SK SHA256:<fingerprint>
User presence confirmed


MOSH CONNECT 60001 <redacted>

mosh-server (mosh 1.4.0) [build mosh 1.4.0]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 224212]
Connection to <hostname> closed.

[achernya]

Good to see ssh is printing the expected lines. I do not see anything in the mosh runner script that would be consuming them. https://github.com/mobile-shell/mosh/blob/master/scripts/mosh.pl#L439 should be printing any lines that do not start with MOSH.