OpenSSH support
AS137430 opened this issue · 6 comments
Please see solokeys/solo1#374 and rgerganov/solo@ef17163
Can this be done for WearAuthn to support 0x41 command to support OpenSSH?
Thanks.
Yes, it is working if I compile libfido2 from source. I needed to pass in the hidraw device as udev rule wasn't working for OpenSSH (it was working for Chrome):
ssh-keygen -t ecdsa-sk -vv -O device=/dev/hidraw3
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "/dev/hidraw3", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: check_enroll_options: requested device /dev/hidraw3
debug1: ssh_sk_enroll: using device /dev/hidraw3
debug1: ssh-sk-helper: reply len 799
..
Thanks for the confirmation. Could you also send me the log in case you leave out the -O device=/dev/hidraw3? It shouldn't be udev rules that make ssh-keygen fail in that case. Which platform are you on?
Here's the log without the -O device:
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: pick_first_device: fido_dev_info_manifest bad len 0
debug1: ssh_sk_enroll: pick_first_device failed
debug1: sshsk_enroll: provider "internal" returned failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -60
Key enrollment failed: device not found
I'm on Ubuntu 19.10.
Just to provide more details:
fido2-token -I /dev/hidraw3
proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x04 (nowink, cbor, msg)
version strings: FIDO_2_0, U2F_V2
extension strings: hmac-secret, exts, txAuthSimple, uvm
aaguid: <guidvalue>
options: rk, up, nouv, noplat
maxmsgsiz: 4096
maxcredcntlst: 5
maxcredlen: 257
fwversion: 0x0
pin retries: undefined
fido2-token -L has no output.
Thanks! I believe that this issue should be resolved by Yubico/libfido2#169, which hasn't been merged yet. Without this commit, libfido2 and therefore OpenSSH can speak to WearAuthn if requested to do so, but will not detect it as a FIDO2-compatible device when none is specified.
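An added helper script (not from this thread, WearAuthn or libfido2) that automates the workaround used above: probe /dev/hidraw* with fido2-token -I until one reports FIDO_2_0, then hand that node to ssh-keygen via -O device= so enrollment does not depend on libfido2's manifest enumeration. It assumes fido2-token and ssh-keygen are on PATH and that the hidraw nodes are readable; the SK_ENROLL variable is an assumed name used only to trigger the enrollment.

```shell
#!/bin/sh
# Added example: find a FIDO2 authenticator by probing hidraw nodes directly,
# as a fallback when `fido2-token -L` (libfido2's manifest enumeration) is empty.

# Return 0 if the given `fido2-token -I` output describes a FIDO2 authenticator,
# i.e. its "version strings:" line lists FIDO_2_0 (U2F-only devices list U2F_V2 only).
is_fido2_info() {
    printf '%s\n' "$1" | grep -q 'version strings:.*FIDO_2_0'
}

# Print the first /dev/hidraw* node whose fido2-token -I output reports FIDO_2_0.
# Nodes that do not exist, are unreadable, or are not CTAP devices are skipped.
find_fido2_hidraw() {
    for dev in /dev/hidraw*; do
        [ -e "$dev" ] || continue
        info=$(fido2-token -I "$dev" 2>/dev/null) || continue
        if is_fido2_info "$info"; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Enroll an ecdsa-sk key with the device pinned explicitly, so ssh-keygen never
# reaches pick_first_device(). Extra arguments (e.g. -f, -C) are passed through.
enroll_sk_key() {
    dev=$(find_fido2_hidraw) || { echo "no FIDO2 hidraw device found" >&2; return 1; }
    ssh-keygen -t ecdsa-sk -O "device=$dev" "$@"
}

# Run the enrollment only when SK_ENROLL is set, e.g.:  SK_ENROLL=1 sh find-sk-device.sh
if [ -n "${SK_ENROLL:-}" ]; then
    enroll_sk_key "$@"
fi
```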
Thanks, pulled the PR into my libfido2, rebuilt and confirmed it is working well:
ssh-keygen -t ecdsa-sk -vv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw3
debug1: ssh-sk-helper: reply len 801
...