Krypton turns your iOS device into a WebAuthn/U2F Authenticator: strong, unphishable 2FA.

Not sure what info you need but:

iPhone 7 iOS 10.3.3 Kryptonite v2.2.0

I set When to ask for approval? to never and Show approved notifications? to off but still get a constant stream of Approved request from ... SSH Login anytime I interact with my git repo.

I'm using the iOS app version 2.1.1, and these for the other apps:

$ kr --version
kr version 2.1.2

$ ssh -V
OpenSSH_7.3p1, LibreSSL 2.4.1

The issue I'm seeing is when I try to connect to an SSH destination through an intermediate "jump host," using a configuration similar to this (edited for confidentiality and to remove (hopefully) irrelevant details):

Host jump-host
    HostName jumphost.companyname.local

Host destination-host
    Hostname 10.42.0.30
    ProxyJump jump-host

Host *
    PKCS11Provider /usr/local/lib/kr-pkcs11.so
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_kryptonite

My Kryptonite public key is installed in the authorized_hosts file of both the jump host and the destination host, and I can successfully connect to destination-host with the command ssh destination-host. The problem is that after a recent version upgrade, the "Allow for 3 hours" option in the iOS app only works for the jump host. Here's the sequence of events for a "cold" connection:

1. I use the command ssh destination-host from a computer paired with the Kryptonite iOS app
2. The connection to jump-host is initiated, and I'm alerted on my phone to approve of an authentication request from jump-host.companyname.local.
3. I choose "Allow for 3 hours."
4. The connection to the jump host is established.
5. A connection to the destination host is initiated through a jump host tunnel, and and I'm alerted on my phone to approve of an authentication request from unknown host.
6. I choose "Allow for 3 hours."
7. The connection to the destination host is established.

But when I reattempt the connection immediately thereafter:

1. ssh destination-host
2. The connection to jump-host is initiated, I'm alerted on my phone that an authentication request from jump-host.companyname.local was automatically approved, and the connection to the jump host is established.
3. A connection to the destination host is initiated through a jump host tunnel, and and I'm alerted on my phone to approve of an authentication request from unknown host.
4. I'm once more presented with the phone prompt to allow or reject the authentication request.

Additional observations:

• My iOS app's known hosts shows the jump host (jump-host.companyname.local), but not the destination host.
• When I run a verbose SSH command, I can see the jump host identifying itself by FQDN (jump-host.companyname.local), but the destination host by IP address.
• The destination host's IP address is in an IPv4 private address range.

Some possibly relevant debug messages from the ssh client (from a "warm" connection attempt, and edited for confidentiality):

debug1: Executing proxy command: exec /usr/local/bin/krssh jump-host.companyname.local 22

debug1: Authenticating to jump-host.companyname.local:22 as 'username'

debug1: Host 'jump-host.companyname.local' is known and matches the RSA host key.
debug1: Found key in /Users/username/.ssh/known_hosts:236

debug1: Offering RSA public key: /Users/username/.ssh/id_kryptonite
debug1: Server accepts key: pkalg ssh-rsa blen 535
Kryptonite ▶ Requesting SSH authentication from phone
Kryptonite ▶ Success. Request Allowed ✔
debug1: Authentication succeeded (publickey).
Authenticated to jump-host.companyname.local (via proxy).
debug1: channel_connect_stdio_fwd 10.20.0.75:22
debug1: channel 0: new [stdio-forward]

debug1: Authenticating to 10.42.0.30:22 as 'username'

debug1: Offering RSA public key: /Users/username/.ssh/id_kryptonite
debug1: Server accepts key: pkalg ssh-rsa blen 535
Kryptonite ▶ Requesting SSH authentication from phone
Kryptonite ▶ Phone approval required. Respond using the Kryptonite app
Kryptonite ▶ Success. Request Allowed ✔
debug1: Authentication succeeded (publickey).
Authenticated to 10.42.0.30 (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.

I can't use Krypton with Google Smart Lock, preventing me from logging in on iOS devices. During the process Smart Lock pops up a notification asking if I want to open Krypton (to handle the U2F bits), so I said "Open App". Krypton shows the authentication request, I accept it, but then instead of popping back into Smart Lock it opens Safari which just results in a 400 Error from Google.

I also have a bluetooth U2F token from Feitian that I could use but once I've told Smart Lock it can open Krypton I can't stop that from happening, preventing me from using the bluetooth token. Reinstalling Smart Lock didn't help resetting that flow.

For some reason (DHCP slow?) when Krypton is started from a notification while the phone is asleep, a popup sometimes shows up with a "Cannot connect to Internet" message while any other app may access the Internet.

I suspect Krypton is faster to test the connection than the phone is to obtain an access to the Internet when connected to some enterprise WiFi network.

It would be no trouble if the popup had a "Try again" button - but unfortunately it had not, only an abort or Settings button to reach the connection settings that need no change.

Once this popup is closed, there is no immediate option (but kill the SSH request on the host side and restart a new SSH connection) to obtain a new authorisation request to show up on Krypton UI.

Hey guys,

Currently using Krypton on iOS and my Mac for development. I have Krypton tied to my BitBucket account which works great. Finally decided to start up source tree to push a few things and noticed that it is sending dozens of approvals. I know this is technically by design for both Krypton and Source Tree but not sure what I can do to silence this other then using a separate key for Source Tree

In my setup, I use a "bastion" (aka SSH jumpbox or proxy) which randomly assigns localhost TCP ports whenever I create a new SSH connection tunneled via an HTTPS WebSocket. For instance, it allows me to connect to a server in a private network when I connect to localhost:12345 where 12345 is a randomly assigned port number.

For the local SSH agent, I can add StrictHostKeyChecking=no and UserKnownHostsFiles=/dev/null to .ssh/config's Host localhost section, to prevent clutters caused by randomized host:port pairs (even when connecting to the same destination server).

I'd like to have a simple option to achieve the same effect for localhost in Kryptonite. Also, if this is enabled, all pairs of localhost and random port numbers should be treated as the same target host so that "allow for 3 hours" work with all localhost connections (maybe releated to #63).

I updated to 2.1.0 on my macbook last week, and now the Allow for 3 hours option is no longer working, and I'm being asked for every request. I was not notified of any update to the app.

Not sure if this is a client or a server problem.

Request failed.

The incoming request was invalid. badLogBlockHash. Please try again

I've been getting this error whenever I use Krypton with Git. It seems to not matter however, I get the regular confirmation push notification after that and everything still works.

👋 Apologies if this is a duplicate, and I really love krypton btw!

When logging into AWS I see the following error unless I explicitly open the app. EDIT: this is actually happening on all services for me now.

I've tried re-pairing with the browser but to no avail. Happy to provide any other info if you think it's helpful.

Everytime I tried to pair iPhone Krypton App with Krypton Authenticator in the Chrome App, it fails. Android app is on the other hand, succeeds.

Version: 2.4.2677

Pairing with Google Account on Safari 13.1.1 doesn't work, having the app installed on iOS 13.4.1. Notification arrives on the iPhone, I approve it, I get approval notification on macOS but on the google page the pairing doesn't happen. The page says: "Something went wrong. Retry"

I've made paper backup like on the image. Now i want to import it to another phone. How can i do it? I can't find any option in app to input secrets. I think that i should have QR code here to scan in another app.

Since I’ve upgraded to iOS 14, I’ve found that I need to have Krypton in the foreground with the phone unlocked to either be able to sign commits or authorize SSH signatures.

This may be related to know iOS security/privacy measures, but it’s making Krypton substantially less useful for me.

I'm trying to sign my krypton public key to SSH into a machine which trusts that certificate authority key. I can do so with a non krypton key (just a normal rsa key with the private key stored on my computer), but krypton doesn't seem to be able to authenticate the request when I try to sign my id_krypton.pub key.

I signed it like this:- ssh-keygen -s ../temp/ca-key -I david -n root -V +1w -z 1 id_krypton.pub

Krypton on iOS reports:- Request failed The incoming request was invalid/ UnsupportedSSHDigestAlgorithm(). Please try again.

ssh -vvv reports debug2: sign_and_send_pubkey: using private key "/Users/david/.ssh/id_krypton" for certificate debug3: sign_and_send_pubkey: signing using [email protected]

It seems that [email protected] is not one of the supported digests (see extension DigestType in Krypton/Keypair+SSHFormat.swift)

What would be required to support this? Would the phone need a copy of the CA public key?

When I try to log in to Github on my iOS device (iOS 13.5.1), the Krypton app does not open. Instead a popup prompts me to connect a security key.

From reading other issues it seems that this has worked before. (#115, https://krypt.co/blog/posts/use-google-advanced-protection-with-krypton.html#setup-instructions)