Open Neurrone opened 1 year ago
Might be worth getting some additional configuration details about this failure, as this can work in certain situations with the right versions of sshd and ssh and ssh-keygen configurations with some FIDO authenticators. See https://man.openbsd.org/ssh-keygen.1#FIDO_AUTHENTICATOR and https://man.openbsd.org/sshd_config#PubkeyAuthOptions and https://man.openbsd.org/sshd.8#verify-required
What FIDO authenticator is in use? (e.g. Windows Hello from Windows 11 build XXX or Yubikey 5C f/w 5.2.3, etc.)
What version of openssh server (sshd -v), on what OS?
What version of openssh client (ssh -V), on what OS? (Assuming OpenSSH_for_Windows_9.2p1 from your report, but what OS version?)
Are you using ssh-agent brokered authentication on the client?
Please provide ssh -vvv myserver logs (debug3) of the failure.
Please provide ssh-keygen cli syntax parameters used when generating your FIDO2 SK key. (see man page above for ssh-keygen optional feature syntax)
Please provide sshd authentication failure log snippet (location depends on OS/config, may require running with increased verbosity)
Make sure you are running reasonably modern ssh server along with modern ssh client for FIDO2 to work more seamlessly (especially with these optional configuration knobs). I am successful in using this feature against a 9.4p1 openssh-server (FreeBSD) with ssh for windows 9.5p1 client and verify-required with Windows 11 Hello FIDO2 (24H2) id_ecdsa_sk format.
YMMV
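For the server-side part of this triage, the sketch below reports where verify-required is actually enforced: globally through PubkeyAuthOptions in sshd_config, or per key through the verify-required option in authorized_keys. It is an added example, not code from the comment's author or from OpenSSH; the function names and sample file contents are constructed, and Match blocks are not evaluated.

```python
import re

# FIDO-backed ("security key") public key types defined by OpenSSH.
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}
# Key type followed by its base64 blob; text before the match is the options field.
KEY_RE = re.compile(r'(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+(AAAA[\w+/=]+)')
# One option per match; commas inside double quotes do not split an option.
OPT_RE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def global_verify_required(sshd_config):
    """True if the global section sets PubkeyAuthOptions verify-required."""
    for raw in sshd_config.splitlines():
        words = re.split(r'[\s,=]+', raw.split("#", 1)[0].strip())
        key = words[0].lower()
        if key == "match":          # assumption: only the global section is audited
            break
        if key == "pubkeyauthoptions":  # sshd uses the first value it reads
            return "verify-required" in (w.lower() for w in words[1:])
    return False

def audit(sshd_config, authorized_keys):
    """Return (key type, comment, status) for every key line."""
    enforced_globally = global_verify_required(sshd_config)
    report = []
    for line in map(str.strip, authorized_keys.splitlines()):
        m = KEY_RE.search(line)
        if not line or line.startswith("#") or not m:
            continue
        opts = {o.strip().lower() for o in OPT_RE.findall(line[:m.start()])}
        if m.group(1) not in SK_TYPES:
            status = "not-fido"
        elif enforced_globally or "verify-required" in opts:
            status = "uv-enforced"      # user verification (PIN/biometric) demanded
        else:
            status = "uv-not-enforced"
        report.append((m.group(1), line[m.end():].strip(), status))
    return report

# Constructed sample input; the key blobs are placeholders, not real keys.
SSHD_CONFIG = "PubkeyAuthentication yes\n# PubkeyAuthOptions verify-required\n"
AUTHORIZED_KEYS = '''
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAACONSTRUCTED1 hello-key
sk-ssh-ed25519@openssh.com AAAACONSTRUCTED2 yubikey
no-touch-required,command="uptime, now" sk-ecdsa-sha2-nistp256@openssh.com AAAACONSTRUCTED3 batch
ssh-ed25519 AAAACONSTRUCTED4 laptop
'''

if __name__ == "__main__":
    for entry in audit(SSHD_CONFIG, AUTHORIZED_KEYS):
        print(*entry, sep="\t")
```

A key reported as uv-enforced is one the server will reject unless the authenticator attests user verification, which is the server-side half of the verify-required failure being triaged here.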
Prerequisites
Steps to reproduce
verify-required to the FIDO2 key.
Expected behavior
Actual behavior
Error details
No response
Environment data
Version
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
Visuals
No response