microsoft / vscode

Git operations using SSH with a FIDO/U2F key trigger a host authentication dialog #164402

Open jaksi opened 1 year ago

jaksi commented 1 year ago

Type: Bug

Git operations using SSH with a FIDO/U2F key (ecdsa-sk or ed25519-sk) trigger an incorrect "key" has fingerprint "undefined" Are you sure you want to continue connecting? dialog when SSH prompts for user presence. The security key still starts blinking and tapping it makes the operation succeed, but the dialog still remains and is incorrect.

I assume the SSH CLI output (Confirm user presence for key ...) is misinterpreted as a host key verification prompt?

A security key and a modern OpenSSH version are required to reproduce (I'm using a Yubikey and OpenSSH 9.1p1 installed using Homebrew on macOS). A key can be generated using e.g. ssh-keygen -t ed25519-sk.

VS Code version: Code 1.72.2 (d045a5eda657f4d7b676dedbfa7aab8207f8a075, 2022-10-12T22:15:55.763Z)
OS version: Darwin arm64 21.6.0
Modes:
Sandboxed: No

System Info

|Item|Value|
|---|---|
|CPUs|Apple M1 (8 x 24)|
|GPU Status|2d_canvas: enabled<br>canvas_oop_rasterization: disabled_off<br>direct_rendering_display_compositor: disabled_off_ok<br>gpu_compositing: enabled<br>metal: disabled_off<br>multiple_raster_threads: enabled_on<br>opengl: enabled_on<br>rasterization: enabled<br>raw_draw: disabled_off_ok<br>skia_renderer: enabled_on<br>video_decode: enabled<br>video_encode: enabled<br>vulkan: disabled_off<br>webgl: enabled<br>webgl2: enabled<br>webgpu: disabled_off|
|Load (avg)|2, 2, 2|
|Memory (System)|16.00GB (2.83GB free)|
|Process Argv|. --crash-reporter-id 35069983-5026-4390-94a6-9fa2b4b209ab|
|Screen Reader|no|
|VM|0%|

Extensions (5)

|Extension|Author (truncated)|Version|
|---|---|---|
|godot-tools|gee|1.3.1|
|copilot|Git|1.54.7077|
|go|gol|0.35.2|
|rust-analyzer|rus|0.3.1248|
|vscode-lldb|vad|1.8.1|

(2 theme extensions excluded)

jaksi commented 1 year ago

Screenshot:

Screen Shot 2022-10-24 at 00 44 14

CLI session for reference:

```
$ git fetch
Confirm user presence for key ED25519-SK SHA256:[...]
# touching security key
User presence confirmed
```

lszomoru commented 1 year ago

@jaksi, does your SSH key have a passphrase, or is it just stored on a hardware key?

jaksi commented 1 year ago

@lszomoru There's no passphrase, it's just backed by a hardware security key. Here's how I generated it:

```
$ ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
<Touching the security key>
Enter file in which to save the key (/Users/jaksi/.ssh/id_ed25519_sk): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
<Kept the passphrase empty>
Your identification has been saved in /Users/jaksi/.ssh/id_ed25519_sk
Your public key has been saved in /Users/jaksi/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:[...] jaksi@jaksi-macbook.local
The key's randomart image is:
+[ED25519-SK 256]-+
[...]
+----[SHA256]-----+
$
```

And here's how it's being used with git:

```
$ git fetch
Confirm user presence for key ED25519-SK SHA256:[...]
<Touching the security key>
User presence confirmed
$
```

lszomoru commented 1 year ago

@jaksi, thanks for the clarifications.

Tchekda commented 1 year ago

Also happening here, but git isn't logging anything...

```
$ git fetch
<Touching security key>
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 56 (delta 33), reused 42 (delta 26), pack-reused 0
Unpacking objects: 100% (56/56), 4.91 KiB | 558.00 KiB/s, done.
From github.com:XXXXX/XXXXX
   xxxxxx..xxxxx  master     -> origin/master
```

Bardiamist commented 11 months ago

It would be good not to see this dialog.

Bardiamist commented 11 months ago

VS Code stopped working with ECDSA-SK. Possible reason: updated macOS to Sonoma 14.0.

```
2023-09-28 12:46:54.073 [info] > git pull --tags gitlab multi-chain-api [1242ms]
2023-09-28 12:46:54.073 [info] sign_and_send_pubkey: signing failed for ECDSA-SK "/Users/bardiamist/.ssh/id_ecdsa_sk" from agent: agent refused operation
git@34.105.132.242: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.
```

Everything works in the system Terminal. If I run `eval $(ssh-agent)` in the VSCode Terminal, it starts to work in the VSCode Terminal until relaunch, but Source Control doesn't work.

kaibloecker commented 9 months ago

Interestingly, VSCode does show "Confirm user presence", just not for Git-over-SSH actions, but when connecting to a remote server with the Remote-SSH extension.

See the screenshot in https://github.com/microsoft/vscode-remote-release/issues/6486

Dominic-Wagner commented 8 months ago

I also noticed that there is no PIN request via Source Control.

megmug commented 5 months ago

Facing the same problem here with VS Code 1.88.0. Annoyingly, when using git from VS Code, there is only the erroneous popup, and no possibility to input the key PIN, so if the key is marked as verify-required, it can't be used in VS Code for syncing.

At least, there exists the workaround of using the integrated terminal to complete syncing operations.
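
The misreading suspected in the original report and the missing PIN prompt described above both come down to telling OpenSSH's askpass prompts apart; the sketch below classifies them and only reports a host-key question when both host and fingerprint parse. This is an added example, not VS Code's code and not from any commenter. Assumptions: apart from the `Confirm user presence for key` line quoted in the thread, the prompt strings are constructed from OpenSSH's usual wording, the names `classifyPrompt`, `Kind` and `SAMPLES` are hypothetical, and `SSH_ASKPASS_PROMPT=none` is the hint OpenSSH passes to askpass for messages that expect no reply.

```javascript
// Added example: classify the prompt text an askpass helper receives from OpenSSH.
// Not VS Code's implementation; regexes follow OpenSSH's usual prompt wording.
const Kind = Object.freeze({
  USER_PRESENCE: 'user-presence', // FIDO touch notification, no answer expected
  NOTIFICATION: 'notification',   // any other SSH_ASKPASS_PROMPT=none message
  SK_PIN: 'sk-pin',               // PIN for a verify-required security key
  PASSPHRASE: 'passphrase',
  HOST_KEY: 'host-key',
  UNKNOWN: 'unknown',
});

function classifyPrompt(prompt, env = {}) {
  const text = String(prompt).trim();
  const presence = /^Confirm user presence for key (\S+) (\S+)/.exec(text);
  if (presence) {
    return { kind: Kind.USER_PRESENCE, expectsInput: false,
             keyType: presence[1], fingerprint: presence[2] };
  }
  // OpenSSH passes SSH_ASKPASS_PROMPT=none for messages that need no reply.
  if (env.SSH_ASKPASS_PROMPT === 'none') {
    return { kind: Kind.NOTIFICATION, expectsInput: false };
  }
  const pin = /^Enter PIN for (\S+) key /.exec(text);
  if (pin) return { kind: Kind.SK_PIN, expectsInput: true, secret: true, keyType: pin[1] };
  if (/^Enter passphrase for /.test(text)) {
    return { kind: Kind.PASSPHRASE, expectsInput: true, secret: true };
  }
  // Only report a host-key question when BOTH host and fingerprint parse,
  // so a dialog can never be rendered with "undefined" fields.
  const host = /authenticity of host '([^']+)' can't be established/.exec(text);
  const fp = /key fingerprint is ((?:SHA256|MD5):[A-Za-z0-9+\/:]+)/.exec(text);
  if (host && fp) {
    return { kind: Kind.HOST_KEY, expectsInput: true, secret: false,
             host: host[1], fingerprint: fp[1] };
  }
  return { kind: Kind.UNKNOWN, expectsInput: true, secret: true };
}

// Constructed sample prompts; fingerprints and paths are placeholders.
const SAMPLES = {
  presence: 'Confirm user presence for key ED25519-SK SHA256:PLACEHOLDERfingerprint',
  pin: 'Enter PIN for ED25519-SK key /home/user/.ssh/id_ed25519_sk: ',
  passphrase: "Enter passphrase for key '/home/user/.ssh/id_ed25519': ",
  hostKey: "The authenticity of host 'git.example.test (192.0.2.10)' can't be established.\n" +
    'ED25519 key fingerprint is SHA256:PLACEHOLDERhostkeyfingerprint.\n' +
    'Are you sure you want to continue connecting (yes/no/[fingerprint])? ',
};

for (const [n, t] of Object.entries(SAMPLES)) console.log(n, '->', classifyPrompt(t).kind);
```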

Bardiamist commented 5 months ago

I added

```
eval $(ssh-agent)
ssh-add
```

into .zshrc

And it helped. Restarting all terminals should be required.

Now I see a few extra logs when a terminal opens, but it helped and has worked for a long time. I once tried removing it and the problem appeared again, so I put it back.