tavrez / openssh-sk-winhello

A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
GNU Lesser General Public License v3.0

Unable to generate keys using YubiKey #12

Closed Neurrone closed 2 years ago

Neurrone commented 2 years ago

Hi,

I'm on Windows 10 21H1. I've updated to the latest version of OpenSSH for Windows (8.6b1) and have also edited my c://.ssh/config to add these lines:

Host *
    SecurityKeyProvider "C:\Program Files\OpenSSH-Win64\winhello.dll"

However, that version of OpenSSH does not yet have fido2 support, hence why I'm trying this middleware, see PowerShell/Win32-OpenSSH#1804.

I'm finding that no matter which commands I use to generate a new key, it fails with an unrecognized algorithm.

> ssh-keygen -t ed25519-sk -O resident -f c:/users/dickson/.ssh/id_mykey_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: unknown or unsupported key type

Likewise, I get the same result when using ssh-keygen -w "C:\Program Files\OpenSSH-Win64\winhello.dll" -t ecdsa-sk, both with and without specifying the full path of the DLL.

tavrez commented 2 years ago

Hi. If I want to answer you in short form: you can't use an OpenSSH version which doesn't have FIDO support; you should use something like Git for Windows.

Long form: this module is used as a middleware to connect to FIDO devices and then send the data back to OpenSSH. When OpenSSH has no idea about FIDO keys (compiled in this way, like the Windows one), it won't understand the data.

Neurrone commented 2 years ago

Ugh, that was a real 🤦 moment. I already have WSL2 set up, so I didn't think I would need to install the bash that comes with Git for Windows. I'll give this a try and close this issue for now.

tavrez commented 2 years ago

I've written a small guide on how to use my middleware with WSL OpenSSH; you can check that out, and I'll help if you need it. https://github.com/tavrez/openssh-sk-winhello/blob/master/WSL.md

Neurrone commented 2 years ago

Thanks. Do I need to download to v1.x? I see that for the v2.0 release, the only artifact is the .dll without the .exe helper that the WSL guide mentions.

I managed to get it working with Git for Windows' OpenSSH 🎉

tavrez commented 2 years ago

It depends on the version of OpenSSH inside your WSL; in the main readme file, you can see which version is needed for which OpenSSH version.

Neurrone commented 2 years ago

Is there a version of the .exe for the v2.0 release? I only see the dll file.

tavrez commented 2 years ago

Find your OpenSSH version inside WSL and get the proper .dll for it. For the exe helper, get anything; all the exe files are the same: get it from the 1.x releases, get it from Git for Windows, ....

Neurrone commented 2 years ago

Thanks a lot, I finally got everything to work.

I do see that it prints the following warning log, although I'm unsure if it's anything to worry about:

# from WSL:
> ssh user@host
Confirm user presence for key ED25519-SK ...
init_winhello: WARNING! This should not be like this! WinHello API Error: Is user available=0, User=0.

Then it prompts me to touch the YubiKey and logs me in as expected.

I also found that I had to copy the following DLL files from C:\Program Files\Git\usr\bin to C:\Program Files\Git\usr\lib\ssh, where the ssh-sk-helper.exe that comes with Git for Windows is:

I would suggest specifying those files as needed dependencies in the WSL2 documentation.

Neurrone commented 2 years ago

One last question, when I try adding the ssh key from my YubiKey from within WSL, I get the following error:

Could not add identity "/home/dickson/.ssh/id_ed25519_sk": agent refused operation

I copied this private key from what was created via git bash for windows. Is there anything I'm missing to get ssh agent to work within WSL2?

tavrez commented 2 years ago
Could not add identity "/home/dickson/.ssh/id_ed25519_sk": agent refused operation

By default ssh-agent only accepts providers inside the /usr/lib or /usr/local/lib directories. I think you have to start ssh-agent like this:

ssh-agent -P "c:/gitforwindows/usr/lib/*"

But I'm not sure about the directory format; check its manual for more info.
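The "agent refused operation" error above comes from ssh-agent's allowlist for provider libraries: ssh-add -S only succeeds when the middleware path matches one of the glob patterns given to ssh-agent -P. The following POSIX sh function, added here as an example (it is not code from this issue or from the openssh-sk-winhello project), reproduces that pattern-list check with the same semantics (comma-separated patterns, `*` and `?` wildcards where `*` also matches `/`, a leading `!` rejecting), so a provider path can be checked before the agent is started. It assumes the default list is `/usr/lib*/*,/usr/local/lib*/*` as documented in recent ssh-agent(1); older releases used a narrower default, so verify against your version. The sample paths, including the `/mnt/c/gitforwindows/...` WSL view of a Windows directory, are constructed placeholders.

```shell
# Added example, not from the issue or the openssh-sk-winhello project.
# Reproduces ssh-agent's -P allowlist matching so you can see why ssh-add -S
# would be refused for a given middleware path.
#
# Assumption: the default pattern list is "/usr/lib*/*,/usr/local/lib*/*"
# (recent ssh-agent(1)); check the manual of the ssh-agent you actually run.
DEFAULT_ALLOWED_PROVIDERS='/usr/lib*/*,/usr/local/lib*/*'

# provider_allowed PATH [PATTERN_LIST]
# Exit status 0 if PATH would be accepted, 1 if the agent would refuse it.
provider_allowed() {
    _path=$1
    _list=${2:-$DEFAULT_ALLOWED_PROVIDERS}
    _result=1
    _old_ifs=$IFS
    # Split only on commas; 'set -f' stops the shell from expanding the
    # patterns against the local filesystem while they are being split.
    IFS=,
    set -f
    for _pat in $_list; do
        _negate=0
        case $_pat in
            '!'*) _negate=1; _pat=${_pat#!} ;;
        esac
        # 'case' applies shell pattern matching with the expanded pattern;
        # like OpenSSH's matcher, '*' here also matches '/' characters.
        case $_path in
            $_pat)
                if [ "$_negate" -eq 1 ]; then
                    _result=1   # a matching negated pattern rejects outright
                    break
                fi
                _result=0       # positive match; a later '!' pattern may still reject
                ;;
        esac
    done
    set +f
    IFS=$_old_ifs
    return $_result
}

# describe PATH [PATTERN_LIST] -> one-line verdict on stdout
describe() {
    if provider_allowed "$1" "$2"; then
        echo "allowed: $1  (list: ${2:-$DEFAULT_ALLOWED_PROVIDERS})"
    else
        echo "refused: $1  (list: ${2:-$DEFAULT_ALLOWED_PROVIDERS})"
    fi
}

# Constructed sample paths (placeholders, not taken from the issue).
describe /usr/lib/ssh/libsk-winhello.so
describe /mnt/c/gitforwindows/usr/lib/winhello.dll
describe /mnt/c/gitforwindows/usr/lib/winhello.dll '/mnt/c/gitforwindows/usr/lib/*'
describe /mnt/c/gitforwindows/usr/lib/winhello.dll '*/*,!/mnt/c/*'
```

The second call shows the failure mode from the thread: a middleware living outside `/usr/lib` or `/usr/local/lib` is refused under the default list, and the third shows that a `-P` pattern covering the real directory fixes it. Keeping the pattern as narrow as the directory that actually holds the library (rather than `*/*`) preserves the point of the allowlist, which is that only libraries from trusted locations get loaded into the agent process.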

Neurrone commented 2 years ago

I tried using -p "*/*" just to see if it's caused by this, and it doesn't seem to be the case.

I'm wondering if somehow the ssh-add command from WSL is connecting to the wrong thing, to something else other than this instance of ssh agent.

tavrez commented 2 years ago

I'm not sure at this moment; I'll try to test in my free time and report back.

On Sun, Feb 6, 2022 at 5:10 PM Dickson Tan wrote:

> I tried using -p "*/*" just to see if it's caused by this, and it doesn't seem to be the case.
>
> I'm wondering if somehow the ssh-add command from WSL is connecting to the wrong thing, to something else other than this instance of ssh agent.
