tavrez
commented
4 years ago Thanks for reporting, could you tell me:
- Have you compiled module by yourself or it's the provided binary
- Give me this log but when you are not using winhello.dll
Open rdeker opened 4 years ago
tavrez
commented
4 years ago Thanks for reporting, could you tell me:
rdeker
commented
4 years ago Thanks for responding so quickly.
tavrez
commented
4 years ago Removing SecurityKeyProvider should be enough, remember to run git bash as administrator. Also could you tell me if you are running Windows in VM or not. Seems like the problem is with the webauthn.dll not returning success message after initiation, you can also test any FIDO process inside any browsers and see if they are using win hello or falling back to their own implementation
On Thu, May 28, 2020 at 12:19 AM Rob Deker notifications@github.com wrote:
Thanks for responding so quickly.
- I am using the binaries from your github release
- Can you clarify exactly what you'd like me to log? I'm not sure if you mean simply removing the SecurityKeyProvider configuration, reverting to the ssh-sk-helper provided by Git for Windows, or something else.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/tavrez/openssh-sk-winhello/issues/1#issuecomment-634903157, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACFM2DKLM6U5TLMX2HYYK6TRTVVELANCNFSM4NMHBL3A .
rdeker
commented
4 years ago I've tried in a VirtualBox Win10 virtual, and on Win10 running natively. As an additional note, the id_ecdsa_sk was generated on a Linux box and copied to Windows, but I've verified that the key is identical and didn't get mangled in copying. etc. Using the same key file and same YubiKey device works fine from a linux host (Ubuntu 20.04).
Using Win10 running natively, running Git bash as administrator, with the SecurityKeyProvider disabled in the ssh config, and the original ssh-sk-helper.exe (just in case), I get the following (note that there is a pause of several seconds after "find_device: found key"):
$ ssh -vv deker@10.10.1.222
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /c/Users/Deker/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 10.10.1.222 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.10.1.222 [10.10.1.222] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Deker/.ssh/id_rsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_dsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa_sk type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519_sk type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_xmss type -1
debug1: identity file /c/Users/Deker/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4
debug1: match: OpenSSH_8.2p1 Ubuntu-4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.10.1.222:22 as 'deker'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BbeOXU9GQubTOCVJmzlQEuTt0OIhh8IDcJGzT47NQLY
debug1: Host '10.10.1.222' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/Deker/.ssh/known_hosts:2
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/Deker/.ssh/id_rsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_dsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ecdsa_sk
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ed25519_sk
debug1: Will attempt key: /c/Users/Deker/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Deker/.ssh/id_rsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_dsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_ecdsa_sk
Enter passphrase for key '/c/Users/Deker/.ssh/id_ecdsa_sk':
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: ssh-sk-helper: ready to sign with key ECDSA-SK, provider internal: msg len 247, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x01
debug1: find_device: found 1 device(s)
debug1: find_device: trying device 0: \\\\?\\hid#vid_1050&pid_0407&mi_01#7&3a4fbee5&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
debug1: try_device: fido_dev_get_assert: FIDO_ERR_SUCCESS
debug1: find_device: found key
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_ACTION_TIMEOUT
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -4
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ECDSA-SK "/c/Users/Deker/.ssh/id_ecdsa_sk": invalid format
debug1: Trying private key: /c/Users/Deker/.ssh/id_ed25519
debug1: Trying private key: /c/Users/Deker/.ssh/id_ed25519_sk
debug1: Trying private key: /c/Users/Deker/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
deker@10.10.1.222's password:For completeness, on the same Windows host, with the SecurityKeyProvider enabled, and using your modified ssh-sk-helper.exe, I get the following with no real delay noticeable:
$ ssh -vv deker@10.10.1.222
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /c/Users/Deker/.ssh/config
debug1: /c/Users/Deker/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 10.10.1.222 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.10.1.222 [10.10.1.222] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Deker/.ssh/id_rsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_dsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa_sk type -1
debug1: identity file /c/Users/Deker/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519_sk type -1
debug1: identity file /c/Users/Deker/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /c/Users/Deker/.ssh/id_xmss type -1
debug1: identity file /c/Users/Deker/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4
debug1: match: OpenSSH_8.2p1 Ubuntu-4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.10.1.222:22 as 'deker'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BbeOXU9GQubTOCVJmzlQEuTt0OIhh8IDcJGzT47NQLY
debug1: Host '10.10.1.222' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/Deker/.ssh/known_hosts:2
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/Deker/.ssh/id_rsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_dsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ecdsa_sk
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/Deker/.ssh/id_ed25519_sk
debug1: Will attempt key: /c/Users/Deker/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Deker/.ssh/id_rsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_dsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/Deker/.ssh/id_ecdsa_sk
Enter passphrase for key '/c/Users/Deker/.ssh/id_ecdsa_sk':
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper
debug1: ssh-sk-helper: ready to sign with key ECDSA-SK, provider /usr/bin/winhello.dll: msg len 247, compat 0x4000000
debug1: sshsk_sign: provider "/usr/bin/winhello.dll", key ECDSA-SK, flags 0x01
debug1: sshsk_open: provider /usr/bin/winhello.dll implements version 0x001c0000
Provider "/usr/bin/winhello.dll" implements unsupported version 0x001c0000 (supported: 0x00040000)
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -4
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ECDSA-SK "/c/Users/Deker/.ssh/id_ecdsa_sk": invalid format
debug1: Trying private key: /c/Users/Deker/.ssh/id_ed25519
debug1: Trying private key: /c/Users/Deker/.ssh/id_ed25519_sk
debug1: Trying private key: /c/Users/Deker/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
deker@10.10.1.222's password:Any thoughts or additional help are greatly appreciated.
tavrez
commented
4 years ago Your first run shows that ssh found your key, but when it's tried to communicate with it, it got no answer, something must be wrong with the key or it's softwares(driver, configuration,...)
debug1: find_device: found key
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_ACTION_TIMEOUTCould you please tell me:
I'm working on a new release for OpenSSH 8.3 which doesn't need modified ssh-sk-helper, I'll add more debug information to module to see what is wrong with your configs
tavrez
commented
4 years ago I just remembered another thing: Did you use no-touch-required option when you tried to generate your key? This can lead to problems Edit: nvm, checked your flags, it’s not the case
rdeker
commented
4 years ago Reza,
1) The FIDO/U2F test from Firefox on a Win10 VM works fine. 2) No. I'm using the defaults in the YubiKey for FIDO/U2F. I do also have a cert loaded into the PIV app for another project, but that shouldn't be an issue, correct? Also, you are correct, I did not use the no-touch-required option.
jschwina
commented
4 years ago I seem to be having the same or a similar issue. With the current version (1.0 RC), I get an error when I try to use or generate a key:
init_winhello: WinHello API Error: Version=2, Is user available=0, user=0I'm on 20H1, I can use FIDO from a browser (I've tried Firefox, Chrome, and Edge) without any issue, and I did not use the no-touch-required option when trying to generate a key. I've also tried two different FIDO2 keys with the same result.
tavrez
commented
4 years ago @rdeker firefox has two implementation for accessing fido keys, can you show me the screenshot of your browser when web application ask for the key? Or just confirm it's same as the one I posted in README file. also, version 1.0 is availble for OpenSSH 8.3, it has more debug output.
tavrez
commented
4 years ago @jschwina Can you also post screenshot of your browser when it's asking for key? And please, could you tell me if internal implementation of OpenSSH for FIDO keys are working for you? (with administrator privileges)
jschwina
commented
4 years ago Sure, it's the Windows Hello implementation:
And yes, the internal implementation of OpenSSH for FIDO keys works fine with administrator privileges.
JohnVillalovos
commented
4 years ago No idea if useful but Yubico has a Python implementation of interacting with the U2F key in Windows:
https://github.com/Yubico/python-fido2/blob/master/fido2/client.py#L647-L752
https://github.com/Yubico/python-fido2
Under Windows 10 (1903 or later) access to FIDO devices is restricted and requires running as Administrator. This library can still be used when running as non-administrator, via the fido.client.WindowsClient class. An example of this is included in the file examples/credential.py.
tavrez
commented
4 years ago It is not so different with what I did, my code is inspired by Google Chrome and Firefox source code. When this module is not working and browsers are working at the same time, there most be some settings preventing this module from accessing WinHello platform(maybe because of being an unsigned app) Since I cannot reproduce the issue I’m gonna release a version and remove the check which is failing to see if users with problem can use it or not.
JohnVillalovos
commented
4 years ago @tavrez Off-topic: Since you know way much more about this than me. Do you know if this could be done in Pageant for something like PuTTY? Can the ssh-agent do all the work and the ssh client not need to be modified? I'm guessing no, but was hopeful it might be a yes and then could create an ssh agent that could work with PuTTY, or in my case MobaXterm. Thanks!
tavrez
commented
4 years ago @rdeker @jschwina Please test version 1.0.1 report to me, thank you.
tavrez
commented
4 years ago @tavrez Off-topic: Since you know way much more about this than me. Do you know if this could be done in Pageant for something like PuTTY? Can the ssh-agent do all the work and the ssh client not need to be modified? I'm guessing no, but was hopeful it might be a yes and then could create an ssh agent that could work with PuTTY, or in my case MobaXterm. Thanks!
Some part of working with FIDO keys implemented inside ssh client and server, they need to know how to handle new key types(ecdsa-sk and ed25519-sk). Signing and verification process of these two keys are different with normal ecdsa and ed25519 so it can't be done using agent alone. PuTTY should implement these keys first.
jschwina
commented
4 years ago @rdeker @jschwina Please test version 1.0.1 report to me, thank you.
1.0.1 is working fine for me. Log output is as follows:
init_winhello: WARNING! This should not be like this!
WinHello API Error: Version=2, Is user available=0, user=0
Hi, I'm using your openssh-sk-winhello binaries on Win10 version 1909, build 18363.778 with Git for Windows version 2.62.2-64-bit and a YubiKey 5 NFC. System is running in a Virtualbox VM (though I have also tried with a native Windows install on another machine). When I originally set things up, authentication to a Linux host (Ubuntu 20.04, OpenSSH 8.2p1, also a VM) was functioning, but having come back to it a bit later to document for a client, auth is now failing.
Using the same YubiKey and ecdsa_sk key from a Linux host works perfectly.
Here is the output of "ssh -v" on the Windows host:
Any advice or assistance would be greatly appreciated. Please let me know what other debug info would be useful.