PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

[FIDO] PIN is asked even when verify-required is not set by the server. #2016

Closed hecheng337 closed 1 year ago

hecheng337 commented 1 year ago

Prerequisites

Steps to reproduce

According to the openssh manual, there are three options when sshd initiates a request to the security key:

Sets one or more public key authentication options. The supported keywords are: none (the default; indicating no additional options are enabled), touch-required and verify-required. The touch-required option causes public key authentication using a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to always require the signature to attest that a physically present user explicitly confirmed the authentication (usually by touching the authenticator). By default, sshd(8) requires user presence unless overridden with an authorized_keys option.

The verify-required option requires a FIDO key signature attest that the user was verified, e.g. via a PIN.

TL;DR: When you generate a key pair with the default option: ssh-keygen -t ed25519-sk, there is no parameter appended to the public key. In this situation, the server will not request a client to verify a PIN, but only a touch. This optionality of user verification is a part of the webauthn specification.

For example, with a pub key sk-ssh-ed25519@openssh.com AAA******o= cardno:114514, the login process of a client is as follows:

root@localhost:~# ssh root@192.168.1.1
Confirm user presence for key ED25519-SK SHA256:X3TF******HY
User presence confirmed  #I touched the key here.
root@192.168.1.1:~#

Things change only when generating a key with -O verify-required or appending verify-required to the end of the pub key: sk-ssh-ed25519@openssh.com AAA******o= cardno:114514 verify-required

Expected behavior

Do not require a PIN unless the server requests it.

Actual behavior

However, OpenSSH on Windows just keeps asking for a PIN. This can be annoying when you need to connect to servers frequently.

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.22621.436
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.436
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3

Visuals

No response
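The server-side rule the report quotes from sshd(8) (an optional options field before the key type, with verify-required, touch-required or no-touch-required, and the sshd_config PubkeyAuthOptions default applying when the key line says nothing) can be checked mechanically. The following is an added example, not code from the issue or from the Win32-OpenSSH project: it parses authorized_keys lines according to that grammar and reports which FIDO security keys sshd would accept with a touch but no PIN. The sample lines and their base64 blobs are constructed placeholders.

```python
"""Audit authorized_keys entries for FIDO security keys that sshd accepts without a PIN.

Added example, not part of the issue or the Win32-OpenSSH project. Implements the
authorized_keys grammar from sshd(8): an optional comma-separated options field (quoted
values may contain commas) before the key type, then the base64 blob, then a comment.
"""
import re
from dataclasses import dataclass

# Key types backed by a FIDO authenticator (ssh-keygen -t ed25519-sk / ecdsa-sk).
SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# Loose match for an OpenSSH key-type token; used to detect whether an options field is present.
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9]+|rsa-sha2-\d+)(-cert-v01)?(@[\w.-]+)?$")


@dataclass
class AuthorizedKey:
    options: list
    key_type: str
    key_blob: str
    comment: str

    @property
    def is_security_key(self) -> bool:
        return self.key_type in SK_KEY_TYPES

    def requires_verification(self, pubkey_auth_options: str = "none") -> bool:
        """True if sshd will insist on user verification (e.g. a PIN) for this key.
        pubkey_auth_options mirrors the sshd_config PubkeyAuthOptions value."""
        if not self.is_security_key:
            return False
        return "verify-required" in self.options or pubkey_auth_options == "verify-required"

    def requires_touch(self, pubkey_auth_options: str = "none") -> bool:
        """True if sshd will require a user-presence (touch) attestation. Presence is required
        by default; no-touch-required waives it unless the server forces touch-required."""
        if not self.is_security_key:
            return False
        if pubkey_auth_options == "touch-required":
            return True
        return "no-touch-required" not in self.options


def _take_field(text: str):
    """Split off the first whitespace-delimited field, treating "..." as opaque."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return text[:i], text[i:].lstrip()
    return text, ""


def _split_options(field: str):
    """Split a,b="x,y",c into ['a', 'b="x,y"', 'c']; commas inside quotes are literal."""
    out, cur, in_quote = [], [], False
    for ch in field:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_keys_line(line: str):
    """Return an AuthorizedKey for a key line, or None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _take_field(line)
    options = []
    if not KEY_TYPE_RE.match(first):  # leading field is an options list, not a key type
        options = _split_options(first)
        first, rest = _take_field(rest)
    key_blob, _, comment = rest.partition(" ")
    return AuthorizedKey(options, first, key_blob, comment.strip())


def audit(text: str, pubkey_auth_options: str = "none"):
    """Return comments of security keys sshd would accept with touch only (no PIN)."""
    unverified = []
    for line in text.splitlines():
        entry = parse_authorized_keys_line(line)
        if entry and entry.is_security_key and not entry.requires_verification(pubkey_auth_options):
            unverified.append(entry.comment or entry.key_type)
    return unverified


# Constructed sample; the blobs are placeholders, not real key material.
SAMPLE = """\
# laptop key, touch only
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDERBLOB= cardno:114514
verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDERBLOB= cardno:114514-pin
verify-required,from="10.0.0.0/8,192.168.1.0/24" sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERBLOB= admin
no-touch-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDERBLOB= automation
ssh-ed25519 AAAAPLACEHOLDERBLOB= plain-key
"""

if __name__ == "__main__":
    for comment in audit(SAMPLE):
        print("security key accepted without verify-required:", comment)
```

Running it against the sample lists the two security keys whose lines carry no verify-required option; passing pubkey_auth_options="verify-required" (the server-wide setting) empties the list, which is the same precedence the client report is describing from the other side.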

tgauth commented 1 year ago

The 9.1 release that was published yesterday should include the fix for this. Can you try with: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.1.0.0p1-Beta

hecheng337 commented 1 year ago

The 9.1 release that was published yesterday should include the fix for this. Can you try with: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.1.0.0p1-Beta

Thank you for your prompt reply! This issue has been fixed in the latest release, I'm closing it as finished.