PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

SSH login fails when a fido2 key has `verify-required` set for it on the server #2156

Open Neurrone opened 1 year ago

Neurrone commented 1 year ago

Steps to reproduce

  1. On the server that you're connecting to via ssh, add `verify-required` to the FIDO2 key.
  2. Try to ssh into it.

Expected behavior

I should be able to connect to it via SSH.

Actual behavior

```
> ssh myserver
Confirm user presence for key ED25519-SK SHA256:MufoyNasWrapCyR9sP84dQvByUD2o18/kUxvfJKWmgs
User presence confirmed
user@myserver: Permission denied (publickey).
```

If I remove `verify-required`, I can connect just fine.

Error details

No response

Environment data

```
Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
```

Version

OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

Visuals

No response

daemonhorn commented 3 months ago

Might be worth getting some additional configuration details about this failure, as this can work in certain situations with the right versions of sshd and ssh and ssh-keygen configurations with some FIDO authenticators. See https://man.openbsd.org/ssh-keygen.1#FIDO_AUTHENTICATOR and https://man.openbsd.org/sshd_config#PubkeyAuthOptions and https://man.openbsd.org/sshd.8#verify-required

  1. What FIDO authenticator is in use? (e.g. Windows Hello from Windows 11 build XXX or Yubikey 5C f/w 5.2.3, etc.)
  2. What version of openssh server (`sshd -v`) on what OS?
  3. What version of openssh client (`ssh -V`) on what OS? (Assuming OpenSSH_for_Windows_9.2p1 from your report, but what OS version?)
  4. Are you using ssh-agent brokered authentication on the client?
  5. Please provide `ssh -vvv myserver` logs (debug3) of the failure.
  6. Please provide the ssh-keygen cli syntax parameters used when generating your FIDO2 SK key. (see man page above for ssh-keygen optional feature syntax)
  7. Please provide the sshd authentication failure log snippet (location depends on OS/config, may require running with increased verbosity).

Make sure you are running a reasonably modern ssh server along with a modern ssh client for FIDO2 to work more seamlessly (especially with these optional configuration knobs). I am successful in using this feature against a 9.4p1 openssh-server (FreeBSD) with ssh for Windows 9.5p1 client and verify-required with Windows 11 Hello FIDO2 (24H2) id_ecdsa_sk format.
YMMV
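As an added example (not code from the Win32-OpenSSH project or from either commenter), the following Python script audits an `authorized_keys` file for the two server-side knobs the thread links: the per-key `verify-required` / `no-touch-required` options and the server-wide `PubkeyAuthOptions` from `sshd_config`. It parses the options field with sshd's quoting rules (a comma inside a double-quoted value such as `command="..."` does not split options), reports for every `sk-` key whether sshd will demand user verification or only user presence, and flags `verify-required` on a non-FIDO key type, where the option is not meaningful. The sample entries and key blobs are constructed placeholders; on a real server run `audit(open(path).read(), "verify-required")` with whatever `PubkeyAuthOptions` value sshd_config actually sets.

```python
"""Audit an OpenSSH authorized_keys file for FIDO2 (sk-) keys and the options
that decide whether sshd demands user verification (PIN/biometric) or only
user presence. Added example, not Win32-OpenSSH code; sample data is constructed."""

# FIDO key types sshd accepts; only these can attest presence/verification.
SK_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
# An entry with no options field starts directly with one of these prefixes.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def first_unquoted_space(s):
    """Return the index of the first whitespace outside double quotes, or -1."""
    in_quotes, i = False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_quotes:       # backslash escape inside a quoted value
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            return i
        i += 1
    return -1


def split_options(field):
    """Split the comma-separated options field; commas inside quotes don't split."""
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if c == "\\" and in_quotes and i + 1 < len(field):
            cur.extend((c, field[i + 1]))  # keep the escape and the escaped char
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line):
    """Parse one line into {options, keytype, blob, comment}; None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line            # no options field present
    else:
        cut = first_unquoted_space(line)
        if cut < 0:
            return None
        options, rest = split_options(line[:cut]), line[cut:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    return {"options": options, "keytype": parts[0], "blob": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def audit(authorized_keys_text, pubkey_auth_options="none"):
    """Evaluate every key against its own options plus sshd_config PubkeyAuthOptions."""
    global_opts = {o.strip().lower() for o in pubkey_auth_options.split(",")}
    results = []
    for n, raw in enumerate(authorized_keys_text.splitlines(), 1):
        entry = parse_authorized_key(raw)
        if entry is None:
            continue
        opts = {o.lower() for o in entry["options"]}
        fido = entry["keytype"] in SK_KEY_TYPES
        uv_required = "verify-required" in opts or "verify-required" in global_opts
        # Presence is checked by default; a per-key no-touch-required disables it
        # unless the server-wide touch-required flag is set.
        touch_required = "touch-required" in global_opts or "no-touch-required" not in opts
        notes = []
        if fido and not uv_required:
            notes.append("FIDO key accepted without user verification")
        if fido and not touch_required:
            notes.append("user-presence check disabled for this FIDO key")
        if not fido and "verify-required" in opts:
            notes.append("verify-required is only meaningful for sk- key types")
        results.append({"line": n, "keytype": entry["keytype"], "fido": fido,
                        "uv_required": uv_required, "touch_required": touch_required,
                        "notes": notes})
    return results


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5 user@laptop
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5 user@desktop
no-touch-required,command="/usr/bin/backup" sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh backup@host
from="10.0.0.0/8",verify-required ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 admin@bastion
command="echo \\"hi, there\\"",verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1 user@tablet
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS, pubkey_auth_options="none"):
        flags = f"uv={'yes' if r['uv_required'] else 'no'} touch={'yes' if r['touch_required'] else 'no'}"
        print(f"line {r['line']}: {r['keytype']} {flags} {'; '.join(r['notes'])}")
```

The audit is read-only and reports policy, not the outcome of a login: whether a given signature actually carries the user-verification flag depends on the client, the agent and the authenticator, which is why the debug logs asked for above are still needed to explain a `Permission denied (publickey)`.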