Does Neogit support FIDO2 SSH keys with pins?

[sophieforrest]

I currently use a YubiKey with a FIDO2 SSH key for SSH authentication (ED25519-SK).

Currently, when I try and run push or pull in Neogit without having previously authenticated (I have temporary credential caching set up for SSH using ControlMaster and ControlPersist), Neogit opens a terminal and "hangs" (I am not ever prompted to input my pin) with this message:

> git --no-pager --literal-pathspecs --no-optional-locks -c core.preloadindex=true -c color.ui=always push origin main

Confirm user presence for key ED25519-SK SHA256:PvwD+BplPvIFwAgKkc52OC02B9Jsk0vP8dWD/Wxrs6A

This problem can also be replicated within Neovim itself by running the command:

:!git --no-pager --literal-pathspecs --no-optional-locks -c core.preloadindex=true -c color.ui=always push origin main

but is resolved if I set the SSH_ASKPASS environment variable. Setting this variable does not resolve it within Neogit.

Here's how it looks when using the git cli:

git push
Confirm user presence for key ED25519-SK SHA256:PvwD+BplPvIFwAgKkc52OC02B9Jsk0vP8dWD/Wxrs6A
Enter PIN for ED25519-SK key /home/sophief/.ssh/fido-966: # I enter my pin here
Confirm user presence for key ED25519-SK SHA256:PvwD+BplPvIFwAgKkc52OC02B9Jsk0vP8dWD/Wxrs6A # I touch the key physically here
User presence confirmed
Everything up-to-date

After which Neogit will be able to push/pull until my SSH credentials expire. I suppose my question is more if I might be missing something that will allow Neogit to prompt for my PIN, or if this is a bug?

Although not much appears to be here, here is my Neogit log. Lines 63 and 64 may be of interest.

neogit.log

My configuration for Neogit is entirely stock, besides from enabling the diffview and fzf-lua integrations (if relevant). Also worth noting that Neogit can utilise the GPG key on my YubiKey just fine, and prompts for the pin when I set pinentry to loopback.

Thank you for your help. :)

[CKolkey]

Makes sense - the underlying git process is waiting for user input (stdin) which it doesn't get.

If you're up for it, check out the handlers here: https://github.com/NeogitOrg/neogit/blob/master/lua/neogit/lib/git/cli.lua#L871-L882 - thats the source of lines 63/64 that you noted. You'll want to add a handler that matches the lines and gets/writes the needed input. There's already a handler for GPG with loopback, which is why that works :)

I'm not entirely sure how it would work with the physical interaction required, but it might work fine.

Alternatively, you could check for the presence of the SSH_ASKPASS variable here and set it in this table. The table gets used to set the ENV for the child process that's actually interacting with the git CLI. I think the first method would probably work better, but it may require a combination of the two 🤷🏼

Lemme know if it works, and I'd be happy to merge support for this in :)

[sophieforrest]

Thanks! I'll have a look when I get some time!

[sophieforrest]

Got it working with the first method by simply using the password handler. I found adding an extra case for "Enter PIN for" seems to work great! The touch verification works fine after that, too.

I'll submit a PR for this shortly. :)

Thank you very much for pointing me in the right direction! Would be open to contributing to other YubiKey-related problems if they come up in the future.

[CKolkey]

Ah, wonderful, I really appreciate it.