drduh / YubiKey-Guide

Guide to using YubiKey for GnuPG and SSH
http://drduh.github.io/YubiKey-Guide/
MIT License

Windows 10 - SSH no longer doing public key authentication #216

Closed Sebazzz closed 1 year ago

Sebazzz commented 4 years ago

Previously I had SSH public key authentication operational but at some point it stopped working and I have not been able to get it working anymore. Please note that git commit signing works properly.

GPG shows the keys properly:

C:\Users\sebas>gpg --list-public-keys
gpg: using character set 'CP850'
gpg: using pgp trust model
gpg: key 2B6BA86C5A678282: accepted as trusted key
C:/Users/sebas/AppData/Roaming/gnupg/pubring.kbx
------------------------------------------------
pub   rsa4096 2020-03-05 [C]
      EB9A138EE6CD391D80BE724A2B6BA86C5A678282
uid           [ultimate] Sebastiaan Dammann <my-email@outlook.com>
sub   rsa4096 2020-03-05 [S] [expires: 2023-03-05]
sub   rsa4096 2020-03-05 [E] [expires: 2023-03-05]
sub   rsa4096 2020-03-05 [A] [expires: 2023-03-05]

Windows service ssh-agent is running. GPG connect agent is running. My %USERPROFILE%/.ssh/id_rsa.pub contains my key:

ssh-rsa [key material elided] openpgp:0xB54EC4DA

scdaemon.conf contains my Yubikey device name as shown in device manager:

reader-port Yubico YubiKey OTP+FIDO+CCID 0


gpg-agent.conf contains:

enable-ssh-support
enable-putty-support
default-cache-ttl 60
max-cache-ttl 120

My .ssh/config file is empty.

When connecting to SSH (for instance my local Home Assistant instance - but it happens with any SSH host):

C:\Users\sebas>ssh hassio@hassio.local -vvv
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\sebas/.ssh/config
debug1: C:\\Users\\sebas/.ssh/config line 4: Applying options for *
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolving "hassio.local" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to hassio.local [192.168.0.2] port 22.
debug1: Connection established.
[...]
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE C:\\Users\\sebas/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug3: sign_and_send_pubkey: RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug3: no such identity: C:\\Users\\sebas/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\sebas/.ssh/id_dsa
debug3: no such identity: C:\\Users\\sebas/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\sebas/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\sebas/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\sebas/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\sebas/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\sebas/.ssh/id_xmss
debug3: no such identity: C:\\Users\\sebas/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
hassio@hassio.local: Permission denied (publickey).

Full output: ssh-connect-output.log

The only thing I see is when I run ssh-add - but perhaps this is a red herring:

C:\Users\sebas>ssh-add -L
The agent has no identities.

I can't figure it out. Everything seems like it should be - but I can't get it to work.

Anyone have any idea?
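An added diagnostic for readers hitting the same symptom (this is not from the thread or the guide): it gathers, in one run, the pieces the report above checks by hand. It assumes GnuPG and OpenSSH are on PATH and that %APPDATA%\gnupg holds gpg-agent.conf and scdaemon.conf. The one fact it adds is that Windows OpenSSH's ssh.exe and ssh-add.exe reach an agent through the named pipe \\.\pipe\openssh-ssh-agent, so "The agent has no identities" is the answer of whichever process currently owns that pipe.

```powershell
# Added troubleshooting script (not part of the issue or the guide).
# Assumptions: gpg, gpg-connect-agent and ssh-add are on PATH; config lives in %APPDATA%\gnupg.
$gnupgHome = Join-Path $env:APPDATA 'gnupg'
$result = [ordered]@{}

# 1. Which agent does ssh.exe talk to? Windows OpenSSH uses the named pipe
#    \\.\pipe\openssh-ssh-agent unless SSH_AUTH_SOCK points elsewhere; the
#    process owning that pipe is the one answering "ssh-add -L".
$svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
$result['Windows ssh-agent service'] = if ($svc) { $svc.Status } else { 'not installed' }
$result['openssh-ssh-agent pipe present'] = Test-Path '\\.\pipe\openssh-ssh-agent'
$result['SSH_AUTH_SOCK'] = $env:SSH_AUTH_SOCK

# 2. gpg-agent options that matter for SSH (the report shows both enabled).
$agentConf  = Join-Path $gnupgHome 'gpg-agent.conf'
$agentLines = if (Test-Path $agentConf) { Get-Content $agentConf } else { @() }
$result['enable-ssh-support']   = [bool]($agentLines -match '^\s*enable-ssh-support')
$result['enable-putty-support'] = [bool]($agentLines -match '^\s*enable-putty-support')

# 3. scdaemon reader selection and whether gpg can see the YubiKey at all.
$scConf = Join-Path $gnupgHome 'scdaemon.conf'
$result['reader-port'] = if (Test-Path $scConf) {
    (Get-Content $scConf | Select-String '^\s*reader-port').Line
} else { 'scdaemon.conf missing' }
$cardStatus = & gpg --card-status 2>&1
$result['card has Authentication key'] = [bool]($cardStatus | Select-String 'Authentication key')

# 4. Does gpg-agent itself list an SSH key (from sshcontrol / the card), and
#    what does the agent reachable by ssh-add report? Both should agree.
$keyinfo = & gpg-connect-agent 'keyinfo --ssh-list' /bye 2>&1
$result['gpg-agent ssh keys'] = @($keyinfo | Select-String '^S KEYINFO').Count
$result['ssh-add -L']         = (& ssh-add -L 2>&1) -join '; '

$result.GetEnumerator() | Format-Table -AutoSize
```

If "gpg-agent ssh keys" is non-zero while "ssh-add -L" still reports no identities, the two tools are not talking to the same agent, which narrows the search to the agent plumbing rather than the card or the key material.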

Sebazzz commented 4 years ago

I was able to "resolve" this by doing it a completely different way:

I also tried this guide, which directly links OpenSSH to the Yubico library as well, but that didn't work either:

debug1: provider libykcs11.dll: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.11
debug1: provider libykcs11.dll slot 0: label <YubiKey PIV #10146553> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <10146553> flags 0x40d
debug1: have 1 keys
[...]
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: libykcs11.dll RSA SHA256:Xk7dUop5/qjwucmsUduwTtG9hgBmOE/jD3UJh+wqlVY token
debug1: Will attempt key: C:\\Users\\sebas/.ssh/id_rsa RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug1: Will attempt key: C:\\Users\\sebas/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\sebas/.ssh/id_ecdsa
[...]
debug1: Authentications that can continue: publickey
debug1: Offering public key: C:\\Users\\sebas/.ssh/id_rsa RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\sebas/.ssh/id_rsa RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug3: sign_and_send_pubkey: RSA SHA256:Cupj8urw603kxU7xN92kmKKbfpOIyBqAT7w0dNY0WYE
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: no such identity: C:\\Users\\sebas/.ssh/id_rsa: No such file or directory
debug1: pkcs11_k11_free: parent 000001D789DF91B0 ptr 0000000000000000 idx 0
debug1: Trying private key: C:\\Users\\sebas/.ssh/id_dsa
debug3: no such identity: C:\\Users\\sebas/.ssh/id_dsa: No such file or directory

Still, I'm happy to hear any insights into why the method described in this GitHub repository does not work anymore.

drduh commented 3 years ago

@Sebazzz I'm not a Windows user; can you take another look at the guide and recommend any improvements to the Windows or troubleshooting sections, or even better, send a PR with the same?

drduh commented 1 year ago

@Sebazzz wondering if you could take another look at your convenience and help us out.

drduh commented 1 year ago

Resolving due to inactivity. Sorry Windows users.