Comments (5)
A more verbose log.
[brittle@archdesktop ~]$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -v
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw0
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to decrypt private key
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -43
Enter PIN for authenticator:
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw0
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_UNSUPPORTED_ALGORITHM
debug1: sshsk_enroll: provider "internal" returned failure -2
debug1: ssh-sk-helper: Enrollment failed: requested feature not supported
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -59
Key enrollment failed: requested feature not supported
from opensk.
Thank you for reporting, I was able to replicate the issue. The culprit is
https://github.com/google/OpenSK/blob/master/src/ctap/data_formats.rs#L501 .
If you comment that line out, everything works as intended. I'll look into OpenSSH to check why they report a different algorithm in that case. Until then, commenting out lines 499-502 should help.
from opensk.
OpenSSH sends a COSE_ES256 == -7 defined here:
https://github.com/Yubico/libfido2/blob/780ad3c258aea5028b7b94c6623a96da3fd55224/src/fido/param.h#L72
We expect COSE_ECDH_ES256 == -25, since the specification has an exception here:
https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorClientPIN
"Note: The COSEAlgorithmIdentifier used is -25 (ECDH-ES + HKDF-256) although this is NOT the algorithm actually used. Setting this to a different value may result in compatibility issues."
I see different ways to resolve this:
- Accept both the true and the fake algorithm identifier in OpenSK.
- "Fix" OpenSSH to use the wrong CTAP2 identifier.
- Check with FIDO how badly things break if the exception is removed.
@jmichelp Thoughts?
from opensk.
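To make the mismatch in the comment above concrete, here is an added illustration (not code from OpenSK, OpenSSH or libfido2) of what the authenticator actually receives. The clientPIN keyAgreement parameter is a CBOR-encoded COSE_Key; the only thing that differs between the two sides is the `alg` label (COSE label 3): -7 (ES256) encodes as the single byte 0x26, -25 (ECDH-ES + HKDF-256) encodes as 0x38 0x18. The toy CBOR encoder/decoder below covers just the subset this message needs, and `check_key_agreement` shows a strict check (spec value only, which rejects OpenSSH's key with an unsupported-algorithm status, matching the FIDO_ERR_UNSUPPORTED_ALGORITHM in the log) next to the lenient check proposed as option (1). The x/y coordinates are constructed placeholder bytes, not a real public key.

```python
"""Toy CBOR (RFC 8949 subset) plus a CTAP2 clientPIN keyAgreement COSE_Key check.
Added example; not OpenSK's or OpenSSH's code."""

# COSE_Key labels and constants used by CTAP2 getKeyAgreement / setPIN / changePIN
COSE_KTY, COSE_ALG, COSE_CRV, COSE_X, COSE_Y = 1, 3, -1, -2, -3
KTY_EC2, CRV_P256 = 2, 1
COSE_ES256 = -7         # label OpenSSH/libfido2 sent (per the thread)
COSE_ECDH_ES256 = -25   # label the CTAP2 spec mandates here, although ECDH-ES+HKDF-256 is not actually used


def _head(major: int, n: int) -> bytes:
    """Encode a CBOR major type and its argument in shortest form (arguments < 2**16 only)."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 0x100:
        return bytes([major << 5 | 24, n])
    if n < 0x10000:
        return bytes([major << 5 | 25]) + n.to_bytes(2, "big")
    raise ValueError("argument too large for this toy encoder")


def cbor_encode(v) -> bytes:
    """Encode ints, byte strings and maps; maps use CTAP2 canonical key ordering."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, dict):
        items = sorted(((cbor_encode(k), cbor_encode(val)) for k, val in v.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))  # shorter keys first, then bytewise
        return _head(5, len(items)) + b"".join(k + val for k, val in items)
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(buf: bytes):
    """Decode one item from buf, returning (value, remaining_bytes)."""
    if not buf:
        raise ValueError("truncated CBOR")
    major, info = buf[0] >> 5, buf[0] & 0x1F
    if info < 24:
        n, rest = info, buf[1:]
    elif info == 24 and len(buf) >= 2:
        n, rest = buf[1], buf[2:]
    elif info == 25 and len(buf) >= 3:
        n, rest = int.from_bytes(buf[1:3], "big"), buf[3:]
    else:
        raise ValueError("unsupported or truncated CBOR header")
    if major == 0:
        return n, rest
    if major == 1:
        return -1 - n, rest
    if major == 2:
        if len(rest) < n:
            raise ValueError("truncated byte string")
        return rest[:n], rest[n:]
    if major == 5:
        out = {}
        for _ in range(n):
            k, rest = _decode(rest)
            out[k], rest = _decode(rest)
        return out, rest
    raise ValueError(f"unsupported major type {major}")


def cbor_decode(buf: bytes):
    v, rest = _decode(buf)
    if rest:
        raise ValueError("trailing bytes after CBOR item")
    return v


def build_key_agreement(alg: int, x: bytes, y: bytes) -> bytes:
    """Encode the platform's P-256 keyAgreement COSE_Key the way a client would put it on the wire."""
    return cbor_encode({COSE_KTY: KTY_EC2, COSE_ALG: alg, COSE_CRV: CRV_P256, COSE_X: x, COSE_Y: y})


def check_key_agreement(cose_key: dict, accept_es256_label: bool) -> str:
    """Authenticator-side validation. Returns 'ok' or a CTAP2 status name.

    accept_es256_label=False is the strict spec behaviour (only -25);
    accept_es256_label=True is option (1) from the thread: tolerate -7 as well.
    """
    if cose_key.get(COSE_KTY) != KTY_EC2 or cose_key.get(COSE_CRV) != CRV_P256:
        return "CTAP2_ERR_INVALID_CBOR"
    allowed = {COSE_ECDH_ES256, COSE_ES256} if accept_es256_label else {COSE_ECDH_ES256}
    if cose_key.get(COSE_ALG) not in allowed:
        return "CTAP2_ERR_UNSUPPORTED_ALGORITHM"
    for label in (COSE_X, COSE_Y):
        coord = cose_key.get(label)
        if not isinstance(coord, bytes) or len(coord) != 32:
            return "CTAP2_ERR_INVALID_CBOR"
    return "ok"


if __name__ == "__main__":
    x, y = bytes(32), bytes(32)  # constructed placeholder coordinates, not a real key
    for alg in (COSE_ES256, COSE_ECDH_ES256):
        wire = build_key_agreement(alg, x, y)
        print(f"alg {alg:4d}: bytes {wire[:4].hex()}..., strict -> {check_key_agreement(cbor_decode(wire), False)}, "
              f"lenient -> {check_key_agreement(cbor_decode(wire), True)}")
```

Whichever label is accepted, the authenticator still performs plain ECDH over P-256 with the decoded x/y; the label check is purely an interoperability gate, which is why accepting both values changes no cryptography.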
I would go for (1) because it will take time to do (2) and for new packages to be produced and deployed everywhere. And in parallel, issue a PR for (2).
from opensk.
Corresponding libfido2 PR: Yubico/libfido2#155.
from opensk.