FIDO fails when requests to confirm on ssh, but works fine for ssh-keygen
w7rus opened this issue · 1 comments
For key generation I use the following:
SSH_SK_PROVIDER=libwindowsfidobridge.so ssh-keygen -t ecdsa-sk -Oapplication=ssh:windows-fido-bridge-verify-required
Then it asks me to confirm the key, with success.
Then I add the public key to the server, with verify-required before the key, and save the file.
And finally I try to connect to my server via ssh -oSecurityKeyProvider=libwindowsfidobridge.so *****@*.*.*.*
which results in this:
Confirm user presence for key ECDSA-SK SHA256:NkBUzghWtXZDS415hNnZlGu1aJIXFE1U0evIhsXej6U
[2022-01-25 23:37:11.057] [wfb-middleware] [debug] Parameters from OpenSSH:
[2022-01-25 23:37:11.057] [wfb-middleware] [debug] Algorithm: 0
[2022-01-25 23:37:11.057] [wfb-middleware] [debug] Data:
[2022-01-25 23:37:11.057] [wfb-middleware] [debug] | 0 1 2 3 4 5 6 7 8 9 a b c d e f
[2022-01-25 23:37:11.057] [wfb-middleware] [debug] | 0000: 00 00 00 20 5a 15 64 a4 8a 45 b0 0d 77 50 e0 d0 ... Z.d..E..wP..
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0010: 6a cc 7a ec fe ea a4 43 52 45 1a 5f bb e1 0d ac j.z....CRE._....
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0020: 2f 29 d9 d5 32 00 00 00 05 61 64 6d 69 6e 00 00 /)..2....admin..
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0030: 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e ..ssh-connection
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0040: 00 00 00 09 70 75 62 6c 69 63 6b 65 79 01 00 00 ....publickey...
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0050: 00 22 73 6b 2d 65 63 64 73 61 2d 73 68 61 32 2d ."sk-ecdsa-sha2-
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0060: 6e 69 73 74 70 32 35 36 40 6f 70 65 6e 73 73 68 nistp256@openssh
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0070: 2e 63 6f 6d 00 00 00 a2 00 00 00 22 73 6b 2d 65 .com......."sk-e
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0080: 63 64 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 cdsa-sha2-nistp2
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0090: 35 36 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 56@openssh.com..
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00a0: 00 08 6e 69 73 74 70 32 35 36 00 00 00 41 04 34 ..nistp256...A.4
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00b0: 88 81 ea e6 1f 08 12 1b 78 6d 9e 9f 13 cd 66 a7 ........xm....f.
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00c0: d2 6a a6 1f 12 c1 fc 30 2a 79 3b 6f d9 1e 0a 9e .j.....0*y;o....
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00d0: f1 c8 1e 7b 86 5e 4d 8f 3d de b0 ff 9d 0a a1 25 ...{.^M.=......%
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00e0: 2a 63 1f 33 bc f4 5c 22 71 90 a9 bd 87 40 8b 00 *c.3..\"q....@..
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 00f0: 00 00 27 73 73 68 3a 77 69 6e 64 6f 77 73 2d 66 ..'ssh:windows-f
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0100: 69 64 6f 2d 62 72 69 64 67 65 2d 76 65 72 69 66 ido-bridge-verif
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0110: 79 2d 72 65 71 75 69 72 65 64 y-required
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] Application: "ssh:windows-fido-bridge-verify-required"
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] Key handle:
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0 1 2 3 4 5 6 7 8 9 a b c d e f
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0000: ec 68 9d 51 79 ab 48 b1 16 72 21 1c f3 fc 09 6c .h.Qy.H..r!....l
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0010: 19 86 68 aa 98 89 06 ad 9c ec e4 07 9b 5c 2e 1f ..h..........\..
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0020: 75 8f d1 10 27 41 b1 d8 1b 99 17 b9 b3 b4 40 ff u...'A........@.
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0030: 8a 82 3d ea 6f ad eb fd d2 cb 63 01 75 bb 90 c4 ..=.o.....c.u...
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] | 0040: f9 87 e8 18 f4 00 ......
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] Flags: 0b00000001
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] PIN: (not present)
[2022-01-25 23:37:11.058] [wfb-middleware] [debug] Forcing user verification because the environment variable "WINDOWS_FIDO_BRIDGE_FORCE_USER_VERIFICATION" is set to any value
terminate called after throwing an instance of 'std::system_error'
what(): Failed to get WebAuthN assertion (NotAllowedError): The operation was canceled by the user.
terminate called after throwing an instance of 'std::runtime_error'
what(): End of stream
client_converse: receive: unexpected internal error
reap_helper: helper exited abnormally
sign_and_send_pubkey: signing failed for ECDSA-SK "/home/w7rus/.ssh/id_ecdsa_sk": unexpected internal error
I use OnlyKey as a FIDO key. Running debug multiple times shows no difference in the output.
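Added example, not part of the original issue or of windows-fido-bridge: a decoder for the two things the debug log above dumps, the buffer OpenSSH hands the provider to sign (RFC 4252 publickey layout carrying an sk-ecdsa key blob) and the flags byte (bit values from OpenSSH's sk-api.h). The function names are hypothetical and the sample buffer is constructed, not taken from the log.

```python
import struct

# Bits of the "Flags:" byte, as defined in OpenSSH's sk-api.h.
SK_FLAGS = {0x01: "user-presence", 0x04: "user-verification", 0x20: "resident-key"}

def decode_flags(flags):
    return [name for bit, name in SK_FLAGS.items() if flags & bit]

def read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n

def read_byte(buf, off):
    if off >= len(buf):
        raise ValueError("truncated buffer")
    return buf[off], off + 1

def parse_signed_data(buf):
    """Split the to-be-signed buffer into its RFC 4252 fields and the sk key blob."""
    out = {}
    out["session_id"], off = read_string(buf, 0)
    out["msg_type"], off = read_byte(buf, off)      # 50 = SSH_MSG_USERAUTH_REQUEST
    for name in ("user", "service", "method"):
        raw, off = read_string(buf, off)
        out[name] = raw.decode()
    out["has_signature"], off = read_byte(buf, off)
    raw, off = read_string(buf, off)
    out["algorithm"] = raw.decode()
    blob, off = read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after key blob")
    k = 0
    for name in ("key_type", "curve", "point", "application"):
        out[name], k = read_string(blob, k)
    out["application"] = out["application"].decode()
    return out

def _s(b):  # pack bytes as an SSH wire string
    return struct.pack(">I", len(b)) + b
# Constructed sample (all-zero session id and EC point, made-up user and application).
_KT = b"sk-ecdsa-sha2-nistp256@openssh.com"
_BLOB = _s(_KT) + _s(b"nistp256") + _s(b"\x04" + bytes(64)) + _s(b"ssh:example")
SAMPLE = (_s(bytes(32)) + b"\x32" + _s(b"alice") + _s(b"ssh-connection")
          + _s(b"publickey") + b"\x01" + _s(_KT) + _s(_BLOB))
```

With this decoder, a flags value of 0b00000001 as printed in the log decodes to user presence only; the user-verification bit is 0x04.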
I got it working using the command in this alias I made.
alias ssho="ssh -oIdentitiesOnly=yes -oSecurityKeyProvider=/usr/local/lib/libwindowsfidobridge.so -i ~/.ssh/onlykey"
You want it to use a specific key, and disregard what's loaded in the agent already. IdentitiesOnly=yes does this. I also have to specify the full path to the libwindowsfidobridge.so, presumably because it's not in my path, but that's fine.
Also, this was good advice. Increased the speed of the Windows Hello popup. Now it's instant.