tavrez/openssh-sk-winhello

Unable to generate keys using YubiKey

Neurrone opened this issue · 12 comments

Hi,

I'm on Windows 10 21H1. I've updated to the latest version of OpenSSH for Windows (8.6b1) and have also edited my c://.ssh/config to add these lines:

Host *
    SecurityKeyProvider "C:\Program Files\OpenSSH-Win64\winhello.dll"

However, that version of OpenSSH does not yet have fido2 support, hence why I'm trying this middleware, see PowerShell/Win32-OpenSSH#1804.

I'm finding that no matter which commands I use to generate a new key, it fails with an unrecognized algorithm.

> ssh-keygen -t ed25519-sk -O resident -f c:/users/dickson/.ssh/id_mykey_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: unknown or unsupported key type

Likewise, I get the same result when using ssh-keygen -w "C:\Program Files\OpenSSH-Win64\winhello.dll" -t ecdsa-sk, both with and without specifying the full path of the DLL.

Hi,
If I want to answer you in short form: you can't use an OpenSSH version which doesn't have FIDO support; you should use something like Git for Windows.

The long answer: this module is used as middleware to connect to FIDO devices and then send the data back to OpenSSH; when OpenSSH has no idea about FIDO keys (compiled in this way, like the Windows one), it won't understand the data.

Ugh, that was a real 🤦 moment. I already have WSL2 set up, so I didn't think I would need to install the bash that comes with Git for Windows. I'll give this a try and close this issue for now.

I've written a small guide on how to use my middleware with WSL OpenSSH; you can check that out, and I'll help if you need.
https://github.com/tavrez/openssh-sk-winhello/blob/master/WSL.md

Thanks. Do I need to download v1.x? I see that for the v2.0 release, the only artifact is the .dll, without the .exe helper that the WSL guide mentions.

I managed to get it working with Git for Windows' OpenSSH 🎉

It depends on the version of OpenSSH inside your WSL; in the main README file, you can see which version is needed for which OpenSSH version.

Is there a version of the .exe for the v2.0 release? I only see the dll file.

Find your OpenSSH version inside WSL and get the proper .dll for it.
For the exe helper, get any one; all the exe files are the same, so get it from the 1.x releases, from Git for Windows, ....

Thanks a lot, I finally got everything to work.

I do see that it prints the following warning, although I'm unsure if it's anything to worry about:

# from WSL:
> ssh user@host
Confirm user presence for key ED25519-SK ...
init_winhello: WARNING! This should not be like this! WinHello API Error: Is user available=0, User=0.

Then it prompts me to touch the YubiKey and logs me in as expected.

I also found that I had to copy the following DLL files from C:\Program Files\Git\usr\bin to C:\Program Files\Git\usr\lib\ssh, where the ssh-sk-helper.exe that comes with Git for Windows is:

  • msys-2.0.dll
  • msys-cbor-0.8.dll
  • msys-crypto-1.1.dll
  • msys-fido2-1.dll
  • msys-gcc_s-seh-1.dll
  • msys-z.dll

I would suggest listing those files as required dependencies in the WSL2 documentation.

One last question: when I try adding the SSH key from my YubiKey from within WSL, I get the following error:

Could not add identity "/home/dickson/.ssh/id_ed25519_sk": agent refused operation

I copied this private key from the one created via Git Bash for Windows. Is there anything I'm missing to get ssh-agent to work within WSL2?

> Could not add identity "/home/dickson/.ssh/id_ed25519_sk": agent refused operation

By default ssh-agent only accepts providers inside the /usr/lib or /usr/local/lib directory. I think you have to start ssh-agent like this:

ssh-agent -P "c:/gitforwindows/usr/lib/*"

But I'm not sure about the directory format; check its manual for more info.
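The allowlist behaviour described in the reply above, as an added example that is not code from the openssh-sk-winhello project or from OpenSSH: a POSIX shell emulation of the pattern check ssh-agent applies to a FIDO provider path before it accepts an -sk key, plus the pattern list needed to admit a provider that lives outside the default directories. The default list reproduced here, /usr/lib*/*,/usr/local/lib*/*, and the comma-separated, "!"-negated, "*"/"?" glob semantics are those documented for ssh-agent(1) and its -P option (uppercase); the provider path under /mnt/c is a hypothetical WSL layout, and the provider is handed to ssh-add with -S (or via SSH_SK_PROVIDER).

```shell
#!/bin/sh
# Added example (not openssh-sk-winhello or OpenSSH code): emulate the
# allowlist check ssh-agent applies to a FIDO provider path before it
# accepts an -sk key, and build the -P pattern that admits a provider
# outside the default directories. Default list as documented in ssh-agent(1).
DEFAULT_ALLOWED='/usr/lib*/*,/usr/local/lib*/*'

# match_one PATTERN STRING: succeed when the glob (* and ?, both may span '/')
# matches the whole string. A `case` pattern word is parameter-expanded but
# never pathname-expanded, so "$1" is used as the glob itself.
match_one() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# provider_allowed PROVIDER [PATTERNLIST]: 0 = accepted, 1 = refused.
# Patterns are comma separated; a '!' prefix negates, and a negated match
# refuses immediately regardless of order, mirroring OpenSSH's match_pattern_list().
provider_allowed() {
    provider=$1
    rest=${2:-$DEFAULT_ALLOWED}
    result=1
    while [ -n "$rest" ]; do
        pat=${rest%%,*}
        case "$rest" in
            *,*) rest=${rest#*,} ;;
            *)   rest= ;;
        esac
        case "$pat" in
            '!'*) if match_one "${pat#!}" "$provider"; then return 1; fi ;;
            *)    if match_one "$pat" "$provider"; then result=0; fi ;;
        esac
    done
    return "$result"
}

# agent_allowlist PROVIDER: the default list plus the provider's own directory,
# suitable as the argument of ssh-agent -P.
agent_allowlist() {
    printf '%s,%s/*\n' "$DEFAULT_ALLOWED" "${1%/*}"
}

# Hypothetical WSL path for the Linux-side provider library (constructed example).
PROVIDER=/mnt/c/sk-providers/winhello-provider.so
if provider_allowed "$PROVIDER"; then
    echo "$PROVIDER is accepted by the default allowlist"
else
    echo "$PROVIDER would be refused (agent refused operation); start the agent with:"
    echo "  eval \"\$(ssh-agent -P '$(agent_allowlist "$PROVIDER")')\""
    echo "  ssh-add -S \"$PROVIDER\" ~/.ssh/id_ed25519_sk"
fi
```

Running it with the hypothetical path shows the refusal and prints the agent start line with an extended -P list; the added pattern only covers that one directory, so the allowlist does not become a wildcard over all of /mnt/c. Note that a relative path or symlink-free canonical path should be used consistently in ssh-add -S, in SecurityKeyProvider and in the -P list, since the match is purely textual.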

I tried using -p "*/*" just to see if it's caused by this, and it doesn't seem to be the case.

I'm wondering if somehow the ssh-add command from WSL is connecting to the wrong thing, to something other than this instance of ssh-agent.