signing failed for ECDSA-SK - requested feature not supported
mdeweerd opened this issue · 1 comments
Back in March I think I had a working setup, and I probably updated Cygwin since.
When I tried to connect now, I got a signing failed error (a transcript of the essential messages is below).
I regenerated some keys using ssh-keygen -t ecdsa-sk, which generated the popup where I could select my physical key to add as 2FA.
I also recompiled the dll and ensured (through strace) that it is using the one I expected.
OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023
debug1: identity file /cygdrive/d/....../.ssh/id_ecdsa_sk type 10
debug1: Will attempt key: /cygdrive/d/........./.ssh/id_ecdsa_sk ECDSA-SK SHA256:Udm3GW19WwtoBwo00IalCv1bDP0xdXX9KUCZje6wy4E authenticator
debug1: Trying private key: /cygdrive/d/......../.ssh/id_ecdsa
debug1: Offering public key: /cygdrive/d/......../.ssh/id_ecdsa_sk ECDSA-SK SHA256:Udm3GW19WwtoBwo00IalCv1bDP0xdx79KUCZje6wy4E authenticator
debug1: Server accepts key: /cygdrive/d/......../.ssh/id_ecdsa_sk ECDSA-SK SHA256:Udm3GW19WwtoBwo00IalCv1bDP0xdx79KUCZje6wy4E authenticator
debug1: start_helper: starting /usr/sbin/ssh-sk-helper
debug1: process_sign: ready to sign with key ECDSA-SK, provider internal: msg len 246, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x00
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_UNSUPPORTED_OPTION
debug1: sshsk_sign: sk_sign failed with code -2
debug1: ssh-sk-helper: Signing failed: requested feature not supported
debug1: main: reply len 8
debug1: client_converse: helper returned error -59
debug1: identity_sign: sshkey_sign: requested feature not supported
sign_and_send_pubkey: signing failed for ECDSA-SK "/cygdrive/d/......./.ssh/id_ecdsa_sk": requested feature not supported
It turns out that SecurityKeyProvider=/usr/local/lib/libwindowsfidobridge.dll needs to be "at the top" of the ssh_config file (whereas other settings are better placed at the end if you want to have specific values for selected settings on some hosts).
The SSH_SK_PROVIDER variable is not used by ssh, only by ssh-keygen and ssh-add.
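Why the placement matters: OpenSSH reads ssh_config top to bottom, every directive after a Host line belongs to that stanza until the next Host line, and the first value obtained for an option wins, so a SecurityKeyProvider line at the end of the file only applies to whatever the last Host stanza matches. The following walker is an added illustration of that rule (not part of the issue or of OpenSSH); the two configuration texts and host names in it are constructed, and Match stanzas and negated patterns are not modelled.

```python
"""Toy ssh_config walker illustrating first-match, stanza-scoped options."""
import fnmatch
import re

# Constructed config: the provider line sits after the last Host stanza,
# so it is only in scope for hosts matching *.example.com.
BROKEN_CONFIG = """\
Host bastion
    User admin
    IdentityFile ~/.ssh/id_ecdsa_sk
Host *.example.com
    Port 2222
SecurityKeyProvider=/usr/local/lib/libwindowsfidobridge.dll
"""

# Constructed config: global directives first, Host stanzas afterwards.
FIXED_CONFIG = """\
SecurityKeyProvider=/usr/local/lib/libwindowsfidobridge.dll
Host bastion
    User admin
    IdentityFile ~/.ssh/id_ecdsa_sk
Host *.example.com
    Port 2222
"""


def effective_option(config: str, hostname: str, option: str):
    """Return the first value of `option` that applies to `hostname`, or None.

    Directives before the first Host line apply to every host; a stanza
    applies when any of its patterns matches; the first hit wins, as in
    ssh_config(5). Keys are case-insensitive and `Key=value` is accepted.
    """
    patterns = ["*"]  # implicit global stanza until the first Host line
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()  # subsequent lines belong to this stanza
            continue
        if key == option.lower() and any(
            fnmatch.fnmatchcase(hostname, p) for p in patterns
        ):
            return value
    return None
```

Checking the real file is simpler still: `ssh -G -F ~/.ssh/config <host> | grep -i securitykeyprovider` prints the value ssh will actually use for that host.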