Open rokoucha opened 1 year ago
Would really love to see this working.
Right now I'm using virtual smart cards for TPM-backed SSH private keys, they also have the advantage of working over RDP sessions, but apparently they're deprecated. I suppose FIDO2 is theoretically the way forward but not all the pieces are in place yet for that.
I actually have a working setup with Windows 10 and OpenSSH client and a key with FIDO support. This is my home PC where an OpenSSH >=8.2 was pre-installed.
However, on my work PC there is an LTSC version of Windows 10 where an OpenSSH version 7.x was pre-installed. I've manually upgraded to version 8.x or 9.x but somehow FIDO support isn't working there.
Btw, I'm successfully using FIDO support on my work PC for web authentication.
Some of the computers I own work with Windows Hello + PIN and some do not.
Using this site to debug, https://webauthn.me/debugger#
I found that Windows Hello Fido? storage requires the RS256 attribute/flag set. I believe openssh is not using that, preventing you from being able to store the passkey in Windows.
I am on a laptop configured with Windows Hello fingerprint/PIN. I was able to create SSH keys with the fingerprint/PIN.
Once I reset the PIN and the SSH keys, it never allows me to create SSH keys with the fingerprint/PIN anymore.
@masakura Did you find any clue or ways to completely reset Windows Hello?
I'm on OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2, running on Windows 10 22H2 on a Dell XPS 7390 which has a built-in fingerprint sensor (Goodix) and TPM 2.0, which works with Windows Hello. But trying either ecdsa-sk or ed25519-sk prompts me to set up a USB key, and won't use Windows Hello as-is.
I feel that if Windows is able to secure itself through a fingerprint sensor, then this should be sufficient for OpenSSH too. I tried entering my Windows Hello pin too, but to no avail.
It all works as expected when using a USB key, but that's an unnecessary extra expense (and frankly less secure than something biometric).
C:\WINDOWS\system32>ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
PIN incorrect
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
PIN incorrect
Too many incorrect PINs
I think this also depends on the Windows version — only Windows 11 seems to support ECDSA for WebAuthn and Windows Hello.
Recently I recreated my PIN/biometrics in Windows Hello and it seems that Windows started to use TPM 2.0 hardware-backed storage (confirmed by running certutil -csp "Microsoft Passport Key Storage Provider" -key -v) instead of the old one.
Now when I try to generate a new key in SK-SSH-Agent, Windows Hello does not allow creating passkeys using PIN/biometrics; the only option is to use the USB FIDO/U2F security key, which I do not have.
This does not only affect SK-SSH-Agent but also the browsers. I tried on https://webauthn.me/debugger# and found out that the new Windows Hello with PIN/biometrics requires the public key to be RS256+ES256. If you request ES256 only, it will not allow you to use PIN/biometrics anymore.
It would be nice to support RSASSA-PKCS1-v1_5_w_SHA256 keys, so that people can continue using PIN/biometrics instead of USB FIDO/U2F
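The two comments above (the webauthn.me finding that Windows Hello needs RS256 in the request, and the report that ES256-only requests are steered to a USB key) describe the algorithm-negotiation step of WebAuthn registration. The following is an added example, not code from this thread, from OpenSSH or from Microsoft: it builds the `pubKeyCredParams` list an RP (or OpenSSH's sk middleware) sends, and models how an authenticator picks the first requested COSE algorithm it supports, per the WebAuthn spec. The rpId, user and challenge values are placeholders, and the "RS256-only Windows Hello" algorithm list is an assumption taken from the commenters' observations, not something verified here; the YubiKey algorithm list reflects a typical FIDO2 key that advertises ES256 and EdDSA. ssh-keygen's ecdsa-sk type corresponds to COSE ES256 (-7) and ed25519-sk to EdDSA (-8).

```javascript
// Added example, not code from the issue thread or OpenSSH.
// COSE algorithm identifiers (IANA COSE Algorithms registry).
const COSE_ALG = {
  ES256: -7,    // ECDSA with SHA-256 on P-256; what ssh-keygen -t ecdsa-sk produces
  EdDSA: -8,    // Ed25519; what ssh-keygen -t ed25519-sk produces
  RS256: -257,  // RSASSA-PKCS1-v1_5 with SHA-256
};

// Build the `publicKey` member of CredentialCreationOptions for a list of
// algorithms in preference order. rpId/user/challenge are placeholders; a real
// RP sends a fresh random server-issued challenge.
function buildCreationOptions(algs, { rpId = "example.test", challenge } = {}) {
  return {
    rp: { id: rpId, name: "example relying party" },
    user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
    challenge: challenge ?? new Uint8Array(32),
    pubKeyCredParams: algs.map((alg) => ({ type: "public-key", alg })),
    authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "required" },
  };
}

// Authenticator side of registration: walk pubKeyCredParams in the RP's
// preference order and take the first algorithm this authenticator supports.
// Returns the chosen COSE alg, or null when nothing matches (the client then
// reports NotSupportedError or offers a different authenticator).
function negotiateAlgorithm(pubKeyCredParams, supportedAlgs) {
  const supported = new Set(supportedAlgs);
  for (const param of pubKeyCredParams) {
    if (param.type !== "public-key") continue; // unknown types are skipped, per spec
    if (supported.has(param.alg)) return param.alg;
  }
  return null;
}

// ASSUMPTION from the thread, not verified here: the Windows Hello platform
// authenticator on the affected machines only offers RS256.
const WINDOWS_HELLO_ALGS_REPORTED = [COSE_ALG.RS256];
// A typical roaming FIDO2 key (e.g. a YubiKey 5) offers ES256 and EdDSA.
const ROAMING_KEY_ALGS = [COSE_ALG.ES256, COSE_ALG.EdDSA];

// For a given request, report which authenticator would accept it and with
// which algorithm; null means that authenticator cannot be used.
function whichAuthenticatorsWork(requestedAlgs) {
  const params = buildCreationOptions(requestedAlgs).pubKeyCredParams;
  return {
    windowsHello: negotiateAlgorithm(params, WINDOWS_HELLO_ALGS_REPORTED),
    roamingKey: negotiateAlgorithm(params, ROAMING_KEY_ALGS),
  };
}

// Browser-only: actually perform the ceremony with the built options.
async function registerInBrowser(algs) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("registerInBrowser must run in a browser with WebAuthn support");
  }
  return navigator.credentials.create({ publicKey: buildCreationOptions(algs) });
}

// Stand-alone run: compare the ES256-only request (ecdsa-sk) with ES256+RS256.
console.log("ES256 only       :", whichAuthenticatorsWork([COSE_ALG.ES256]));
console.log("ES256 then RS256 :", whichAuthenticatorsWork([COSE_ALG.ES256, COSE_ALG.RS256]));
```

Under the assumed algorithm lists, the ES256-only request is accepted by the roaming key and rejected by the platform authenticator, while adding RS256 to the request lets Windows Hello proceed with an RSA credential. Note that this is only a model of the negotiation; OpenSSH itself defines no RSA-based sk key type, so an RS256 credential would need a new key type before ssh-keygen could use it, which is what the request in the preceding comment amounts to.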
Steps to reproduce: Cannot create ecdsa-sk key with Windows Hello in ssh-keygen. Fingerprint authentication and PIN fail in the same way, but it worked fine with a YubiKey 5C NFC.
Version: OpenSSH_for_Windows_9.2p1, LibreSSL 3.6.1
Visuals: No response