SSH-KEYGEN returns "invalid format" when generating ecdsa-sk key and storing it on another device #2279
Output with FIDO_DEBUG=1:
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: find_helper: using "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=43952
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x25, challenge len 0
debug1: sshsk_enroll: using random challenge
webauthn_load: api version 7
debug1: ssh_sk_enroll: using device windows://hello
debug1: ssh_sk_enroll: key exists
debug1: sshsk_enroll: provider "internal" failure -5
debug1: ssh-sk-helper: Enrollment failed: bad permissions
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -44
debug3: reap_helper: pid=43952
A resident key scoped to 'ssh:' with user id 'null' already exists.
Overwrite key in token (y/n)? y
You may need to touch your authenticator again to authorize key generation.
debug1: find_helper: using "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=77712
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x35, challenge len 0
debug1: sshsk_enroll: using random challenge
webauthn_load: api version 7
debug1: ssh_sk_enroll: using device windows://hello
cbor_decode_cred_authdata: buf=000001E8D8C78480, len=148
0000: e3 06 10 e8 a1 62 11 59 60 fe 1e c2 23 e6 52 9c
0016: 9f 4b 6e 80 20 0d cb 5e 5c 32 1c 8a f1 e2 b1 bf
0032: 5d 00 00 00 00 ea 9b 8d 66 4d 01 1d 21 3c e4 b6
0048: b4 8c b5 75 d4 00 10 7b 9c db fc 23 e7 68 76 a0
0064: c3 77 af d5 85 15 12 a5 01 02 03 26 20 01 21 58
0080: 20 0f 6d 83 5a 21 54 34 5f c1 13 43 80 d3 c9 76
0096: bc 24 db b0 61 b3 c8 d7 7f 1d c1 9e d7 53 34 79
0112: a9 22 58 20 5a aa be c4 e5 85 89 28 b4 48 ff d2
0128: 3e 4b 91 a6 91 5d 94 cf cf e9 1f 1a 3e 15 cb f5
0144: ba f1 ad ad
decode_attcred: buf=000001E8D8C784A5, len=111
0000: ea 9b 8d 66 4d 01 1d 21 3c e4 b6 b4 8c b5 75 d4
0016: 00 10 7b 9c db fc 23 e7 68 76 a0 c3 77 af d5 85
0032: 15 12 a5 01 02 03 26 20 01 21 58 20 0f 6d 83 5a
0048: 21 54 34 5f c1 13 43 80 d3 c9 76 bc 24 db b0 61
0064: b3 c8 d7 7f 1d c1 9e d7 53 34 79 a9 22 58 20 5a
0080: aa be c4 e5 85 89 28 b4 48 ff d2 3e 4b 91 a6 91
0096: 5d 94 cf cf e9 1f 1a 3e 15 cb f5 ba f1 ad ad
decode_attcred: attcred->id.len=16
debug1: ssh_sk_enroll: self-attested credential
fido_cred_verify_self: cdh=000001E8D8C4F060, authdata=000001E8D8C761E0, x5c=0000000000000000, sig=0000000000000000, fmt=000001E8D8C3BEC0 id=000001E8D8C474C0, rp.id=ssh:
debug1: ssh_sk_enroll: fido_cred_verify_self: FIDO_ERR_INVALID_ARGUMENT
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=77712
Key enrollment failed: invalid format
Can confirm same behaviour from my side. Laptop with facial + fingerprint works. Another related issue is #2040
I bought a discrete TPM module and with that I was able to enroll the key. I think it has something to do with the firmware TPM that I was using not allowing that type of key.
Maybe this is related |
michael-dev added a commit to michael-dev/openssh-portable-powershell that referenced this issue, Nov 29, 2024:
Using libfido2 with windows://hello results in the security key returning no attestation data. This currently fails due to fido_cred_verify_self failing. According to Yubico/libfido2#840 this is not a bug in libfido2, but openssh instead has to skip the verify call if no attestation is given. This fixes the issue by skipping attestation verification during key generation if there is no attestation.

Fixes PowerShell/Win32-OpenSSH#2279 and PowerShell/Win32-OpenSSH#2040

Signed-off-by: Michael Braun <[email protected]>
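As an added illustration (this is not code from OpenSSH, libfido2 or the commit above), the following Python parses the 148-byte authenticator data that cbor_decode_cred_authdata dumps in the FIDO_DEBUG output, and then applies the decision the commit message describes: only hand the credential to an attestation verifier when the authenticator actually returned an attestation signature. The hex string is transcribed from the dump above; the flag bit names follow the WebAuthn authenticator-data layout (UP, UV, BE, BS, AT, ED), and `choose_attestation_check` is a hypothetical helper named here for the example, not a libfido2 or OpenSSH function. The flags byte 0x5d has the backup-eligible and backed-up bits set, which is what a passkey held on a phone and synced through a platform account looks like, and x5c and sig are both absent, which is why the self-attestation verifier has nothing to check.

```python
import hashlib
import struct
from typing import Optional

# Constructed input: the 148-byte authenticator data that
# cbor_decode_cred_authdata dumps in the FIDO_DEBUG output above,
# transcribed from that hex dump.
AUTHDATA_HEX = (
    "e30610e8a162115960fe1ec223e6529c9f4b6e80200dcb5e5c321c8af1e2b1bf"  # rpIdHash
    "5d"                                                                # flags
    "00000000"                                                          # signCount
    "ea9b8d664d011d213ce4b6b48cb575d4"                                  # AAGUID
    "0010" "7b9cdbfc23e76876a0c377afd5851512"                           # credIdLen, credId
    "a5010203262001215820"                                              # COSE_Key: kty, alg, crv, x tag
    "0f6d835a2154345fc1134380d3c976bc24dbb061b3c8d77f1dc19ed7533479a9"  # x
    "225820"                                                            # y tag
    "5aaabec4e5858928b448ffd23e4b91a6915d94cfcfe91f1a3e15cbf5baf1adad"  # y
)

# Bit positions of the WebAuthn authenticator-data flags byte.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def _cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder covering what a COSE_Key needs: unsigned and
    negative integers, byte strings and maps. Returns (value, new_pos)."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            value, pos = _cbor_decode(buf, pos)
            result[key] = value
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_authdata(authdata: bytes, rp_id: str = "ssh:") -> dict:
    """Split authenticator data into rpIdHash, flags, signCount and the
    attested credential (AAGUID, credential id, COSE EC2 public key)."""
    if len(authdata) < 37:
        raise ValueError("authData shorter than the fixed 37-byte header")
    flags = authdata[32]
    info = {
        # WebAuthn defines rpIdHash as SHA-256 of the rp id; OpenSSH uses "ssh:".
        "rp_id_hash_matches": authdata[:32] == hashlib.sha256(rp_id.encode()).digest(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack_from(">I", authdata, 33)[0],
    }
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    pos = 37
    info["aaguid"] = authdata[pos:pos + 16].hex()
    pos += 16
    cred_id_len = struct.unpack_from(">H", authdata, pos)[0]
    pos += 2
    info["credential_id"] = authdata[pos:pos + cred_id_len].hex()
    pos += cred_id_len
    cose_key, pos = _cbor_decode(authdata, pos)
    # COSE labels: 1 = kty (2 = EC2), 3 = alg (-7 = ES256), -1 = crv (1 = P-256), -2 = x, -3 = y.
    if cose_key.get(1) != 2:
        raise ValueError("expected an EC2 COSE key")
    info["cose_alg"] = cose_key[3]
    info["curve"] = cose_key[-1]
    info["x"] = cose_key[-2].hex()
    info["y"] = cose_key[-3].hex()
    if flags & FLAG_ED:
        raise ValueError("extension data present; not handled by this example")
    if pos != len(authdata):
        raise ValueError("trailing bytes after the credential public key")
    return info


def parse_logged_authdata() -> dict:
    """Parse the authenticator data transcribed from the debug log above."""
    return parse_authdata(bytes.fromhex(AUTHDATA_HEX))


def choose_attestation_check(x5c: Optional[bytes], sig: Optional[bytes]) -> str:
    """Hypothetical policy mirroring the commit message: a certificate chain
    means full attestation, a bare signature means self-attestation, and no
    signature at all means there is nothing to verify, so skip the call."""
    if sig is None:
        return "skip"
    return "verify_full" if x5c is not None else "verify_self"


if __name__ == "__main__":
    for key, value in parse_logged_authdata().items():
        print("%-20s %s" % (key, value))
    # The log shows x5c=0 and sig=0 for the windows://hello credential.
    print("attestation check:", choose_attestation_check(None, None))
```

Run against the log's own bytes, the parser reports UP, UV, BE and BS set, a zero sign count and an ES256 key on P-256; with both x5c and sig absent the policy returns "skip", which is the branch the fix adds instead of calling the self-attestation verifier and failing with FIDO_ERR_INVALID_ARGUMENT.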
Prerequisites
Steps to reproduce
While using OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 on Windows 11 24H2 in a non-elevated command prompt, generating an ecdsa-sk key with `ssh-keygen -t ecdsa-sk` does not work when, at the pop-up opened by ssh-sk-helper.exe titled "Where do you want to store this passkey?", an external device or "iPhone, iPad or Android device" is selected, even if the key is stored correctly on the Android device. Selecting, however, an on-device authentication method like an onboard fingerprint reader or Windows Hello face scanner does generate a key correctly most of the time.

Expected behavior
Actual behavior
Error details
Environment data
Version
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 being run on Windows Terminal 1.21.2701.0 on Windows 11 24H2 build 26100.1742
Visuals
INFO THAT DIDN'T FIT ELSEWHERE
Using `-O "resident"` or not didn't change the actual behaviour.

MEDIA TO ILLUSTRATE THE ISSUE
Successful key generation on-device
VID-20241008-WA0000.mp4
Failed key generation on another device
ssh_fail.-.Trim.mp4
Note that the moment the second-to-last pop-up disappears on its own is when I confirm my biometrics on my Android device and it confirms the process was successful.