fmeum / WearAuthn

Use your Wear OS watch as a FIDO2 security key via Bluetooth and NFC.
https://play.google.com/store/apps/details?id=me.henneke.wearauthn.authenticator
MIT License

OpenSSH support #9

Closed AS137430 closed 4 years ago

AS137430 commented 4 years ago

Please see https://github.com/solokeys/solo/issues/374 and https://github.com/rgerganov/solo/commit/ef171639319066fa57bb9ba27021d5a2d3e627f3

Can this be done for WearAuthn to support 0x41 command to support OpenSSH? Thanks.

fmeum commented 4 years ago

Non-resident ecdsa-sk SSH keys should already be supported by the current version of WearAuthn, assuming you compile libfido2 from source. The current packaged version 1.4.0 can't speak to WearAuthn yet, but this has been fixed.

Resident FIDO2 SSH keys will undergo important changes in the next version of OpenSSH and should not be relied upon until then. I hope to get WearAuthn to support Credential Management by that time, but that may require some hacks since the OpenSSH middleware does not support internal user verification.

I will leave this issue open and provide updates on the level of SSH key support.

AS137430 commented 4 years ago

Yes, it is working if I compile libfido2 from source. I needed to pass in the hidraw device as the udev rule wasn't working for OpenSSH (it was working for Chrome):

ssh-keygen -t ecdsa-sk -vv -O device=/dev/hidraw3
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "/dev/hidraw3", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: check_enroll_options: requested device /dev/hidraw3
debug1: ssh_sk_enroll: using device /dev/hidraw3
debug1: ssh-sk-helper: reply len 799
..
fmeum commented 4 years ago

> Yes, it is working if I compile libfido2 from source. I needed to pass in the hidraw device as the udev rule wasn't working for OpenSSH (it was working for Chrome):

Thanks for the confirmation. Could you also send me the log in case you leave out the -O device=/dev/hidraw3? It shouldn't be udev rules that make ssh-keygen fail in that case. Which platform are you on?

AS137430 commented 4 years ago

Here's the log without the -O device

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: pick_first_device: fido_dev_info_manifest bad len 0
debug1: ssh_sk_enroll: pick_first_device failed
debug1: sshsk_enroll: provider "internal" returned failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -60
Key enrollment failed: device not found

I'm on Ubuntu 19.10.

Just to provide more details,

fido2-token  -I /dev/hidraw3
proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x04 (nowink, cbor, msg)
version strings: FIDO_2_0, U2F_V2
extension strings: hmac-secret, exts, txAuthSimple, uvm
aaguid: <guidvalue>
options: rk, up, nouv, noplat
maxmsgsiz: 4096
maxcredcntlst: 5
maxcredlen: 257
fwversion: 0x0
pin retries: undefined

fido2-token -L has no output.

fmeum commented 4 years ago

Thanks! I believe that this issue should be resolved by https://github.com/Yubico/libfido2/pull/169, which hasn't been merged yet. Without this commit, libfido2 and therefore OpenSSH can speak to WearAuthn if requested to do so, but will not detect it as a FIDO2-compatible device when none is specified.
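The two workarounds discussed in this thread (pinning the authenticator with -O device= so OpenSSH never consults the libfido2 device manifest, and probing /dev/hidraw* directly when fido2-token -L prints nothing) can be scripted. The following is an added example written for this page; it is not code from WearAuthn, libfido2, OpenSSH or either participant. It assumes fido2-token (libfido2) and ssh-keygen (OpenSSH 8.2 or later) are on PATH for the live part; the parsing and argument-building functions run offline against SAMPLE_INFO, a constructed dump in the shape of the fido2-token -I output posted above (the aaguid is a placeholder). Function names (fido_options, has_option, is_fido2, keygen_args, find_fido_device) are this example's own.

```shell
#!/bin/sh
# Added example for this thread; not code from WearAuthn, libfido2 or OpenSSH.
# Live commands (fido2-token, ssh-keygen) are only run from find_fido_device;
# everything else works offline on text.

# Constructed sample in the shape of the `fido2-token -I` output in the thread
# (aaguid is a placeholder, not a real value).
SAMPLE_INFO='proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x04 (nowink, cbor, msg)
version strings: FIDO_2_0, U2F_V2
extension strings: hmac-secret, exts, txAuthSimple, uvm
aaguid: 00000000000000000000000000000000
options: rk, up, nouv, noplat
maxmsgsiz: 4096
maxcredcntlst: 5
maxcredlen: 257
fwversion: 0x0
pin retries: undefined'

# Print the "options:" list of a fido2-token -I dump ($1), one option per line.
fido_options() {
    printf '%s\n' "$1" | sed -n 's/^options: *//p' | tr -d ' ' | tr ',' '\n'
}

# Succeed if option $2 (e.g. rk, uv, clientPin) is reported in dump $1.
# grep -x makes "uv" not match the negated form "nouv".
has_option() {
    fido_options "$1" | grep -qx "$2"
}

# Succeed if dump $1 advertises CTAP2 (FIDO_2_0). A U2F-only device still
# works for non-resident ecdsa-sk keys but cannot hold resident ones.
is_fido2() {
    printf '%s\n' "$1" | grep -q '^version strings:.*FIDO_2_0'
}

# Build ssh-keygen arguments for device path $1 with dump $2; $3=1 asks for a
# resident key. -O device= pins the authenticator so the libfido2 manifest
# (what fido2-token -L shows) is never consulted, the workaround from the
# thread. -O resident is only added when the device reports rk, and
# -O verify-required only when it can do user verification (uv or clientPin);
# a device reporting nouv and no clientPin cannot satisfy verify-required.
keygen_args() {
    dev=$1; info=$2; want_resident=${3:-0}
    args="-t ecdsa-sk -O device=$dev"
    if [ "$want_resident" = 1 ] && has_option "$info" rk; then
        args="$args -O resident"
    fi
    if has_option "$info" uv || has_option "$info" clientPin; then
        args="$args -O verify-required"
    fi
    printf '%s\n' "$args"
}

# Live part: find a FIDO2 device. fido2-token -L is tried first (its lines
# look like "/dev/hidraw3: vendor=0x..., product=0x... (name)"); if it prints
# nothing, as in the thread, each /dev/hidraw* is probed with fido2-token -I.
# Prints the first usable path, or fails.
find_fido_device() {
    command -v fido2-token >/dev/null 2>&1 || return 1
    dev=$(fido2-token -L 2>/dev/null | head -n 1 | cut -d' ' -f1 | sed 's/:$//')
    if [ -n "$dev" ]; then printf '%s\n' "$dev"; return 0; fi
    for h in /dev/hidraw*; do
        [ -e "$h" ] || continue
        info=$(fido2-token -I "$h" 2>/dev/null) || continue
        if is_fido2 "$info"; then printf '%s\n' "$h"; return 0; fi
    done
    return 1
}

# Usage on a real system (non-resident key, the case confirmed working above):
#   dev=$(find_fido_device) &&
#     ssh-keygen $(keygen_args "$dev" "$(fido2-token -I "$dev")") -f ~/.ssh/id_ecdsa_sk
```

Probing /dev/hidraw* with fido2-token -I requires read/write access to the node, which is what the udev rule normally grants; if the loop finds nothing while the watch is connected, check permissions before suspecting the manifest.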

AS137430 commented 4 years ago

Thanks, pulled the PR into my libfido2, rebuilt and confirmed it is working well:

ssh-keygen -t ecdsa-sk -vv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw3
debug1: ssh-sk-helper: reply len 801
...