Key enrollment failed: invalid format
wujas-dongiel opened this issue · 2 comments
libfido2-1.11.0
Linux Slackware 15.0
OpenSSH 8.8p1-x86_64-2
I have a similar problem to the issue reported here: Key enrollment failed: invalid format
$ ssh-keygen -t ed25519-sk -vvvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=7418
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
No FIDO SecurityKeyProvider specified
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=7418
Key enrollment failed: invalid format
fido2-token -L
$ fido2-token -L
/dev/hidraw4: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
fido2-token -I
$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
options: rk, up, noplat, clientPin, credentialMgmtPreview
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
fwversion: 0x50403
pin protocols: 2, 1
pin retries: 8
uv retries: undefined
FIDO_DEBUG=1
$ export FIDO_DEBUG=1
$ fido2-token -L
get_key_val: key_len=4
run_manifest: found 1 hid device
run_manifest: found 0 nfc devices
/dev/hidraw4: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
ykman info
$ ykman info
Device type: YubiKey 5C NFC
Serial number: xxxxxxxxxxxx
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB      NFC
FIDO2           Enabled  Enabled
OTP             Enabled  Enabled
FIDO U2F        Enabled  Enabled
OATH            Enabled  Enabled
YubiHSM Auth    Enabled  Enabled
OpenPGP         Enabled  Enabled
PIV             Enabled  Enabled
I've built libsk-libfido2.so from here: external-sk-libfido2, but get the following:
$ ssh-keygen -t ed25519-sk -w ./libsk-libfido2.so -vvvvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=8144
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "./libsk-libfido2.so", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider ./libsk-libfido2.so implements version 0x00040000
Provider "./libsk-libfido2.so" implements unsupported version 0x00040000 (supported: 0x00070000)
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=8144
Key enrollment failed: invalid format
I've tried it with libfido-1.4.0 and libfido2-1.11.0 with the same result.
When I cheated a bit and changed the API version line to match the supported version (0x00070000) and recompiled, at least I was asked for a PIN and expected to touch the YubiKey. But it failed otherwise.
Hi,
Thank you for the report. As you have observed, the problem is due to mismatching API versions:
Provider "./libsk-libfido2.so" implements unsupported version 0x00040000 (supported: 0x00070000)
If possible, consider rebuilding OpenSSH with --with-security-key-builtin, which will make OpenSSH use its internal middleware. The alternative would be to update https://github.com/pts/external-sk-libfido2 to provide the API version expected by your existing OpenSSH build.
-p.
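To see the check ssh-sk-helper performs before it ever talks to the token, here is an added diagnostic (not part of this issue, OpenSSH or external-sk-libfido2) that loads a provider .so and compares its `sk_api_version()` against the major version an OpenSSH build expects. It assumes the sk-api.h contract that a provider exports `uint32_t sk_api_version(void)`; the constants 0x00070000 and the upper-16-bit major mask come from the log above and from OpenSSH's sk-api.h.

```python
import ctypes
import os
import sys

# From OpenSSH sk-api.h: the helper accepts a provider only when the upper
# 16 bits (the major version) match its own SSH_SK_VERSION_MAJOR.
SSH_SK_VERSION_MAJOR = 0x00070000       # expected by the reporter's OpenSSH 8.8
SSH_SK_VERSION_MAJOR_MASK = 0xFFFF0000


def sk_version_compatible(provider_version, expected=SSH_SK_VERSION_MAJOR):
    """Same comparison ssh-sk.c does: minor bits may differ, major must match."""
    return (provider_version & SSH_SK_VERSION_MAJOR_MASK) == (expected & SSH_SK_VERSION_MAJOR_MASK)


def provider_api_version(path):
    """dlopen the provider and call its exported sk_api_version()."""
    lib = ctypes.CDLL(os.path.abspath(path))   # raises OSError if it cannot be loaded
    fn = lib.sk_api_version                    # raises AttributeError if symbol is absent
    fn.restype = ctypes.c_uint32
    fn.argtypes = []
    return fn()


def check_provider(path, expected=SSH_SK_VERSION_MAJOR):
    """Return (ok, message) mirroring the helper's 'unsupported version' error."""
    try:
        version = provider_api_version(path)
    except (OSError, AttributeError) as exc:
        return False, f"cannot load provider or no sk_api_version symbol: {exc}"
    if sk_version_compatible(version, expected):
        return True, f"provider implements 0x{version:08x}, compatible with 0x{expected:08x}"
    return False, (f"provider implements unsupported version 0x{version:08x} "
                   f"(supported: 0x{expected:08x})")


if __name__ == "__main__":
    # Usage: python sk_check.py ./libsk-libfido2.so [expected_major_hex]
    path = sys.argv[1] if len(sys.argv) > 1 else "./libsk-libfido2.so"
    expected = int(sys.argv[2], 16) if len(sys.argv) > 2 else SSH_SK_VERSION_MAJOR
    ok, msg = check_provider(path, expected)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it against the freshly built libsk-libfido2.so before pointing ssh-keygen -w at it; a FAIL here is the same condition that the helper reports as "Key enrollment failed: invalid format".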
Hi,
Thanks for your reply. I've compiled with --with-security-key-builtin and now it works.