tavrez / openssh-sk-winhello

A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
GNU Lesser General Public License v3.0
184 stars, 14 forks

OpenSSH 8.9 breaks version 2.0.0 #13

Open brian-maloney opened 2 years ago

brian-maloney commented 2 years ago

Looks like OpenSSH 8.9 has updated the required version for the FIDO library, which breaks version 2.0.0:

$ SSH_SK_PROVIDER=winhello.dll ssh-keygen -t  ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)
Key enrollment failed: invalid format
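As a worked illustration of the mismatch in the output above (an added example, not code from openssh-sk-winhello or from OpenSSH): the client compares only the major half of the 32-bit API version a provider reports, so the 0x00070000 returned by winhello.dll 2.0.0 is refused by a client built for 0x00090000, while a provider differing only in the minor half would be accepted. The constant and function names here are my own; the mask value is the one OpenSSH's sk-api.h defines for the major version.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: models the provider-version check an OpenSSH client performs
 * when it loads the library named by SSH_SK_PROVIDER, using the two version
 * numbers quoted in this issue. Names are illustrative, not OpenSSH's own. */

#define WINHELLO_REPORTED_VERSION   0x00070000u  /* reported by winhello.dll 2.0.0, per the issue */
#define OPENSSH_89_REQUIRED_VERSION 0x00090000u  /* expected by OpenSSH 8.9, per the issue */
#define SK_VERSION_MAJOR_MASK       0xffff0000u  /* upper 16 bits hold the major API version */

/* Returns 1 when the provider's reported version is accepted, 0 otherwise.
 * Only the major half takes part in the comparison: 0x00090001 is accepted by
 * a client requiring 0x00090000, whereas 0x00070000 is refused outright. */
int sk_provider_version_ok(uint32_t reported, uint32_t required)
{
    return (reported & SK_VERSION_MAJOR_MASK) == (required & SK_VERSION_MAJOR_MASK);
}

/* Writes the diagnostic a client prints on mismatch (wording mirrors the
 * issue) into buf. Returns the number of bytes written, or 0 when the
 * versions agree and no message is needed. */
int sk_provider_version_message(const char *provider, uint32_t reported,
                                uint32_t required, char *buf, size_t buflen)
{
    if (sk_provider_version_ok(reported, required))
        return 0;
    int n = snprintf(buf, buflen,
        "Provider \"%s\" implements unsupported version 0x%08x (supported: 0x%08x)",
        provider, (unsigned)reported, (unsigned)required);
    return n > 0 ? n : 0;
}

int main(void)
{
    char msg[160];
    /* Reproduces the line seen in the ssh-keygen output quoted above. */
    if (sk_provider_version_message("winhello.dll", WINHELLO_REPORTED_VERSION,
                                    OPENSSH_89_REQUIRED_VERSION, msg, sizeof msg))
        puts(msg);
    return 0;
}
```

Because the check masks off the minor half, a provider cannot satisfy a newer client by bumping only the lower 16 bits; the reported major version has to match the client's, which in turn means the provider must actually implement that major revision of the API.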

tavrez commented 2 years ago

Yes, a new version is on the way, thanks for the report

Neurrone commented 2 years ago

I'm getting this error, which I suspect is also an instance of this:

Provider "c:/Program Files/OpenSSH/winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)

abairit commented 2 years ago

> Yes, a new version is on the way, thanks for the report

Hi, I have the same problem. The new Win32 OpenSSH 8.9.1 version (https://github.com/PowerShell/Win32-OpenSSH) needs a newer library version. I can't use the older version 8.6 of Win32 OpenSSH because there is no FIDO support in that version (https://github.com/PowerShell/Win32-OpenSSH/releases/tag/V8.6.0.0p1-Beta).

Can you say, when the new version of your middleware will be available?

Best regards

aldobarr commented 1 year ago

> Yes, a new version is on the way, thanks for the report

Is there any update on this? It's pretty crucial for this to continue working

tavrez commented 1 year ago

Sorry, I'm terribly busy these days; maybe a PR from someone could help...

aldobarr commented 1 year ago

> Sorry, I'm terribly busy these days; maybe a PR from someone could help...

I might give this a shot when I get some free time. Keeping in mind that I've never worked with any Windows APIs or OpenSSH, can you provide some documentation to look over?

wlius-support3 commented 1 year ago

I also don't have any experience in this realm, but from what I can tell, the conflicting version number comes from: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/sk-api.h

And an updated version of that file can be found here: https://github.com/openssh/openssh-portable/blob/master/sk-api.h

I don't know what other code needs to be changed to adapt to the updated file - but that would likely be where you'd want to start.

aldobarr commented 1 year ago

> I also don't have any experience in this realm, but from what I can tell, the conflicting version number comes from: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/sk-api.h
>
> And an updated version of that file can be found here: https://github.com/openssh/openssh-portable/blob/master/sk-api.h
>
> I don't know what other code needs to be changed to adapt to the updated file - but that would likely be where you'd want to start.

I had seen that, it was going to be where I'd start but obviously understanding the documentation behind the change would be better.

wlius-support3 commented 1 year ago

According to this: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis

Their only "documentation" is the header file here: https://github.com/microsoft/webauthn

This is referenced within this codebase here: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/webauthn/webauthn.h

So, I'm guessing you'd need to update that header file and update sk-api to that spec.

Otherwise, there does not seem to be any user-friendly documentation that I can find.

madaster97 commented 1 year ago

I took a first pass at this by just changing the version hardcoded in sk-api.h, but I get this error (after entering my PIN and interacting with my YubiKey):

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
sshsk_ecdsa_assemble: sshbuf_put_string: insufficient buffer space
client_converse: receive: unexpected internal error
reap_helper: helper exited abnormally
Key enrollment failed: unexpected internal error

I even tried manually applying recent changes to webauthn.h and saw the same results.

PS - This is an awesome lib! I've been trying to apply FIDO to some consulting projects, and knowing about the Windows Hello option is very helpful.

abairit commented 1 year ago

Hi @tavrez, would it be possible to publish the preview version with the fix from the pull request?