canokeys / canokey-core

Core implementations of an open-source secure key
https://canokeys.org/
Apache License 2.0

fail to use ssh resident keys #48

Closed DictXiong closed 2 years ago

DictXiong commented 2 years ago

SSH private keys can be stored on FIDO2 devices using ssh-keygen -t ed25519-sk -O resident (https://man.openbsd.org/ssh-keygen.1). However, when I tried this on my CanoKey, the key just can't be stored.

In detail:

$ ssh-keygen -vvv -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=13326
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to decrypt private key
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=13326
Enter PIN for authenticator:
debug3: start_helper: started pid=13336
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug3: ssh_sk_enroll: attestation cert len=443
debug1: ssh-sk-helper: reply len 713
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=13336
Enter file in which to save the key (/root/.ssh/id_ed25519_sk):
/root/.ssh/id_ed25519_sk already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519_sk
Your public key has been saved in /root/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:xxx root@xxx
The key's randomart image is:
xxx

Then I try to download the private key:

$ ssh-keygen -K
Enter PIN for authenticator:
No keys to download

or

$ ssh-add -K
Enter PIN for authenticator:

$ ssh-add -L
The agent has no identities.

No keys are found on the CanoKey. I wonder if CanoKey just can't support this?

My CanoKey's version and firmware:

[screenshot: CanoKey version and firmware]

In addition, I can't find a way to manage FIDO resident keys. When using ykman:

$ ./ykman -r "Canokeys" info
Device type: Security Key NFC
Serial number: xxx
Firmware version: 5.5.5
Form factor: Keychain (USB-A)
NFC transport is enabled.

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Not available   Not available
FIDO U2F        Enabled         Enabled
OATH            Enabled         Enabled
YubiHSM Auth    Not available   Not available
OpenPGP         Enabled         Enabled
PIV             Enabled         Enabled

$ ./ykman -r "Canokeys" fido credentials list
Enter your PIN:
Error: Authenticator does not support Credential Management

Also, BitLocker reports that this key is not compatible: [screenshot]

What's wrong with my key?
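The log above shows two separate authenticator capabilities at work. Creating a resident (discoverable) credential only needs the authenticator to advertise the "rk" option in its authenticatorGetInfo response, which is why the enrollment with flags 0x21 (user presence plus resident key, in OpenSSH's sk-api.h bit layout) succeeds once a PIN is supplied. Listing or deleting those credentials afterwards (ssh-keygen -K, ssh-add -K, ykman fido credentials list) goes through the CTAP2.1 authenticatorCredentialManagement command, which the authenticator advertises as the "credMgmt" option (or the pre-standard "credentialMgmtPreview"); a device that has "rk" but neither of those will store the key and then report nothing to download. The script below is an added example, not code from the canokey-core project or from the issue author: it contains a minimal CBOR decoder, parses a constructed getInfo response (the byte strings, AAGUID and version list are made up for illustration, not captured from a CanoKey), and reports which of the two capabilities a device advertises, alongside a decoder for the OpenSSH flag bits.

```python
"""Added example, not code from the canokey-core project: decode a CTAP2
authenticatorGetInfo response and separate two capabilities the thread above
runs together: creating a resident credential (the "rk" option) and listing
or deleting resident credentials (CTAP2.1 authenticatorCredentialManagement,
advertised as the "credMgmt" or pre-standard "credentialMgmtPreview" option).
The getInfo byte strings below are constructed, not captured from a CanoKey."""

# Flag bits OpenSSH passes to its security-key provider (sk-api.h).
SSH_SK_USER_PRESENCE_REQD = 0x01
SSH_SK_USER_VERIFICATION_REQD = 0x04
SSH_SK_FORCE_OPERATION = 0x10
SSH_SK_RESIDENT_KEY = 0x20


def decode_ssh_sk_flags(flags):
    """Name the bits in an sshsk_enroll 'flags' value (0x21 in the log above)."""
    names = [(SSH_SK_USER_PRESENCE_REQD, "user-presence"),
             (SSH_SK_USER_VERIFICATION_REQD, "user-verification"),
             (SSH_SK_FORCE_OPERATION, "force-operation"),
             (SSH_SK_RESIDENT_KEY, "resident-key")]
    return [name for bit, name in names if flags & bit]


def _cbor_decode(buf, pos):
    """Minimal CBOR decoder: ints, byte/text strings, arrays, maps, bool/null."""
    head = buf[pos]
    pos += 1
    major, info = head >> 5, head & 0x1F
    if info < 24:
        arg = info
    elif info in (24, 25, 26):
        width = {24: 1, 25: 2, 26: 4}[info]
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            result[key], pos = _cbor_decode(buf, pos)
        return result, pos
    if major == 7 and info in (20, 21, 22):
        return {20: False, 21: True, 22: None}[info], pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_getinfo(resp):
    """Parse a raw CTAP2 response: one status byte (0x00 = CTAP2_OK), then CBOR."""
    if resp[0] != 0x00:
        raise ValueError("CTAP error status 0x%02x" % resp[0])
    info, _ = _cbor_decode(resp, 1)
    return info


def resident_key_support(info):
    """Map getInfo 'options' (map key 4) to the two capabilities that matter here."""
    opts = info.get(4, {})
    return {
        "versions": info.get(1, []),
        "can_create_resident": bool(opts.get("rk", False)),
        "can_enumerate_resident": bool(opts.get("credMgmt") or opts.get("credentialMgmtPreview")),
        "pin_set": opts.get("clientPin"),  # True/False = PIN supported, None = no PIN support
    }


def diagnose(resp):
    """Classify a getInfo response by what resident-key operations will work."""
    caps = resident_key_support(parse_getinfo(resp))
    if caps["can_create_resident"] and not caps["can_enumerate_resident"]:
        return "rk-without-credmgmt"  # -O resident enrolls; -K and ykman list see nothing
    if caps["can_create_resident"]:
        return "rk-with-credmgmt"
    return "no-resident-keys"


def _tstr(s):
    """Encode a short (< 24 byte) CBOR text string."""
    data = s.encode("utf-8")
    return bytes([0x60 | len(data)]) + data


# Constructed sample 1: a CTAP2.0 device that creates resident keys but has no
# credential management (the combination the symptoms above point to).
SAMPLE_NO_CREDMGMT = (
    b"\x00\xA4"                                                    # CTAP2_OK, map(4)
    + b"\x01\x82" + _tstr("U2F_V2") + _tstr("FIDO_2_0")            # 1: versions
    + b"\x02\x81" + _tstr("hmac-secret")                           # 2: extensions
    + b"\x03\x50" + bytes(16)                                      # 3: aaguid (placeholder)
    + b"\x04\xA3" + _tstr("rk") + b"\xF5" + _tstr("up") + b"\xF5"  # 4: options
    + _tstr("clientPin") + b"\xF5"
)

# Constructed sample 2: the same device with CTAP2.1 credential management.
SAMPLE_WITH_CREDMGMT = (
    b"\x00\xA4"
    + b"\x01\x83" + _tstr("U2F_V2") + _tstr("FIDO_2_0") + _tstr("FIDO_2_1")
    + b"\x02\x81" + _tstr("hmac-secret")
    + b"\x03\x50" + bytes(16)
    + b"\x04\xA4" + _tstr("rk") + b"\xF5" + _tstr("up") + b"\xF5"
    + _tstr("clientPin") + b"\xF5" + _tstr("credMgmt") + b"\xF5"
)

if __name__ == "__main__":
    print(decode_ssh_sk_flags(0x21))      # ['user-presence', 'resident-key']
    print(diagnose(SAMPLE_NO_CREDMGMT))   # rk-without-credmgmt
    print(diagnose(SAMPLE_WITH_CREDMGMT)) # rk-with-credmgmt
```

To run the same check against a real authenticator, feed parse_getinfo the raw bytes returned for the CTAP2 authenticatorGetInfo command (0x04) over the device's CTAPHID channel; the decoder handles only the definite-length CBOR subset that getInfo responses use. The practical takeaway for anyone choosing a key for SSH resident credentials is to confirm "credMgmt" is advertised before enrolling, since "rk" alone is enough to store a key that no client tool can later enumerate.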

ZenithalHourlyRate commented 2 years ago

https://github.com/canokeys/canokey-pigeon/discussions/10

DictXiong commented 2 years ago

Got it. Thanks for that.