Yubico / libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.

Key enrollment failed: invalid format #630

Closed wujas-dongiel closed 2 years ago

wujas-dongiel commented 2 years ago

libfido2-1.11.0
Linux Slackware 15.0
OpenSSH 8.8p1-x86_64-2

I have a similar problem to the issue reported here: Key enrollment failed: invalid format

$ ssh-keygen -t ed25519-sk -vvvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=7418
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
No FIDO SecurityKeyProvider specified
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=7418
Key enrollment failed: invalid format

fido2-token -L
$ fido2-token -L
/dev/hidraw4: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
fido2-token -I
$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
options: rk, up, noplat, clientPin, credentialMgmtPreview
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
fwversion: 0x50403
pin protocols: 2, 1
pin retries: 8
uv retries: undefined

FIDO_DEBUG=1
$ export FIDO_DEBUG=1
$ fido2-token -L
get_key_val: key_len=4
run_manifest: found 1 hid device
run_manifest: found 0 nfc devices
/dev/hidraw4: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
ykman info
$ ykman info
Device type: YubiKey 5C NFC
Serial number: xxxxxxxxxxxx
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB     NFC
FIDO2           Enabled Enabled
OTP             Enabled Enabled
FIDO U2F        Enabled Enabled
OATH            Enabled Enabled
YubiHSM Auth    Enabled Enabled
OpenPGP         Enabled Enabled
PIV             Enabled Enabled

I've built libsk-libfido2.so from here (external-sk-libfido2) but get the following:

$ ssh-keygen -t ed25519-sk -w ./libsk-libfido2.so -vvvvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=8144
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "./libsk-libfido2.so", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider ./libsk-libfido2.so implements version 0x00040000
Provider "./libsk-libfido2.so" implements unsupported version 0x00040000 (supported: 0x00070000)
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=8144
Key enrollment failed: invalid format

I've tried it with libfido2-1.4.0 and libfido2-1.11.0 with the same result. When I cheated a bit and changed the API version line to match the supported version (0x00070000) and recompiled, then at least I was asked for a PIN and expected to touch the YubiKey. But it failed otherwise.

martelletto commented 2 years ago

Hi,

Thank you for the report. As you have observed, the problem is due to mismatching API versions:

Provider "./libsk-libfido2.so" implements unsupported version 0x00040000 (supported: 0x00070000)

If possible, consider rebuilding OpenSSH with --with-security-key-builtin, which will make OpenSSH use its internal middleware. The alternative would be to update https://github.com/pts/external-sk-libfido2 to provide the API version expected by your existing OpenSSH build.

-p.
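The version check that produced the error above is done by OpenSSH itself when it dlopen()s a `-w` provider: it resolves the provider's entry points, calls `sk_api_version()`, masks the result to its major part and compares it with the major version compiled into `sk-api.h`; any mismatch is reported as "invalid format" (SSH_ERR_INVALID_FORMAT, the -4 seen in the helper output). The script below is an added example, not code from libfido2, OpenSSH or the external-sk-libfido2 repository: it loads a provider shared object with ctypes and performs the same masked comparison, so a provider can be checked for ABI compatibility before ssh-keygen is pointed at it. It calls only `sk_api_version()`, so no token is touched. The constants 0x00070000 and 0xffff0000 are the values from `sk-api.h` of OpenSSH 8.8, the release in this thread; they are an assumption for any other release and should be read from the `sk-api.h` of the OpenSSH build actually installed.

```python
"""Probe an OpenSSH security-key provider (libsk-*.so) for API compatibility.

Added example; not part of libfido2, OpenSSH or external-sk-libfido2.
Reproduces the check OpenSSH's ssh-sk.c makes when loading a provider:
the provider's sk_api_version() is masked to its major part and compared
with the major version the OpenSSH binary was built against.
"""
import ctypes
import sys

# Values from sk-api.h of OpenSSH 8.8 (the release in the thread).
# Assumption: verify against the sk-api.h of your own OpenSSH build, since
# SSH_SK_VERSION_MAJOR is bumped whenever the middleware ABI changes.
SSH_SK_VERSION_MAJOR = 0x00070000
SSH_SK_VERSION_MAJOR_MASK = 0xFFFF0000

# Entry points OpenSSH resolves from a provider with dlsym() before use.
REQUIRED_SYMBOLS = ("sk_api_version", "sk_enroll", "sk_sign",
                    "sk_load_resident_keys")


def api_major_compatible(provider_version, builtin_version=SSH_SK_VERSION_MAJOR):
    """True when the provider's major API version matches OpenSSH's.

    The low 16 bits (minor version) are ignored, exactly as OpenSSH does.
    """
    return ((provider_version & SSH_SK_VERSION_MAJOR_MASK)
            == (builtin_version & SSH_SK_VERSION_MAJOR_MASK))


def describe(provider_version, builtin_version=SSH_SK_VERSION_MAJOR):
    """Human-readable verdict in the same form as OpenSSH's error line."""
    if api_major_compatible(provider_version, builtin_version):
        return ("provider implements version 0x%08x, compatible with 0x%08x"
                % (provider_version, builtin_version))
    return ("Provider implements unsupported version 0x%08x (supported: 0x%08x)"
            % (provider_version, builtin_version))


def missing_symbols(lib):
    """Required provider entry points the loaded library does not export."""
    missing = []
    for name in REQUIRED_SYMBOLS:
        try:
            getattr(lib, name)
        except AttributeError:
            missing.append(name)
    return missing


def probe_provider(path, builtin_version=SSH_SK_VERSION_MAJOR):
    """dlopen() the provider and report version, exports and compatibility.

    Returns a dict; 'loaded' is False if the object could not be opened.
    Only sk_api_version() is invoked, so no authenticator is contacted.
    """
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return {"path": path, "loaded": False, "error": str(exc)}

    missing = missing_symbols(lib)
    if "sk_api_version" in missing:
        return {"path": path, "loaded": True, "missing": missing,
                "compatible": False,
                "message": "provider does not export sk_api_version"}

    lib.sk_api_version.restype = ctypes.c_uint32
    lib.sk_api_version.argtypes = []
    version = lib.sk_api_version()
    return {
        "path": path,
        "loaded": True,
        "missing": missing,
        "version": version,
        "compatible": not missing and api_major_compatible(version, builtin_version),
        "message": describe(version, builtin_version),
    }


if __name__ == "__main__":
    # Usage: python3 sk_probe.py ./libsk-libfido2.so [0x00070000]
    target = sys.argv[1] if len(sys.argv) > 1 else "./libsk-libfido2.so"
    expected = int(sys.argv[2], 16) if len(sys.argv) > 2 else SSH_SK_VERSION_MAJOR
    result = probe_provider(target, expected)
    for key, value in result.items():
        if key == "version":
            value = "0x%08x" % value
        print("%-11s %s" % (key + ":", value))
    sys.exit(0 if result.get("compatible") else 1)
```

Run it against the provider before spending time on `ssh-keygen -vvv`; a non-zero exit with the "unsupported version" message is the same condition the helper reports, and the `missing` list catches a build that is not a complete provider at all. When the exit is non-zero, the two remedies are the ones given in the comment above: rebuild OpenSSH with `--with-security-key-builtin`, or bring the provider up to the API major version your OpenSSH expects.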

wujas-dongiel commented 2 years ago

Hi,

Thanks for your reply. I've compiled with --with-security-key-builtin and now it works.