tetractic / SK-SSH-Agent

An SSH agent that supports using FIDO/U2F security keys with PuTTY and OpenSSH for Windows.
GNU General Public License v3.0

What command line arguments does your tool support? #5

Closed Sidicer closed 2 months ago

Sidicer commented 2 months ago

Hello. I am looking into automating the whole procedure of generating and loading the keys using sk-ssh-agent, but after a quick glance I was not able to see if it's possible to do so without using the UI?

I saw from the previous issue that loading the key is possible by running sk-ssh-agent and providing a path to the key as an argument, but is it possible to do a similar thing with key generation?

Or should I be able to just use ssh-keygen and select to generate inside the USB smartkey with -O "resident" -O "verify-required"?

carlreinke commented 2 months ago

Only loading keys is currently supported via command-line arguments.

As far as I'm aware, ssh-keygen on Windows does not support -t ecdsa-sk or -t ed25519-sk. But if it does, SK SSH Agent can load the key file that it generates. The -O resident option isn't useful as far as SK SSH Agent is concerned, since (with the current Windows APIs) it can't support loading the key from the security key, so you'd have to load the private key file anyway.

What's the use case for automating key generation? You have to interact with the security key during the key generation process, so it can't be fully automated.

Sidicer commented 2 months ago

Windows OpenSSH above 8.9p1 supports -sk keys.

Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
winget install "openssh beta"

Stop-Service -Name sshd -Force -ErrorAction SilentlyContinue
Set-Service -Name sshd -StartupType Disabled
Stop-Service -Name ssh-agent -Force -ErrorAction SilentlyContinue
Set-Service -Name ssh-agent -StartupType Disabled

ssh-keygen -t ed25519-sk -O resident -O application=ssh:fidotest -q -N '""' -C "fidotest"

The only issue is that this works if PubkeyAuthOptions verify-required is not enabled on the server. verify-required does not work when connecting from a Windows machine using sk-ssh-agent.

edit: -O verify-required fixes PubkeyAuthOptions verify-required. So no issue. -sk keys are working with the new OpenSSH version. The automation is just to make it quicker in the future; ssh-keygen is used for everything key-generation related.
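The procedure in this thread (check that the installed Windows OpenSSH is new enough for -sk key types, generate an ed25519-sk key with verify-required, then hand the private key file to the agent) as one PowerShell script. This is an added example, not code from the issue or from the SK SSH Agent project. It assumes ssh.exe and ssh-keygen.exe are on PATH, that the agent executable is named sk-ssh-agent.exe and takes the key path as its argument (as the thread describes, the exact name is an assumption), and the key path and ssh: application string are values chosen here.

```powershell
# Added example, not part of the issue thread or the SK SSH Agent project.
# Assumptions: ssh/ssh-keygen on PATH; agent binary is sk-ssh-agent.exe and
# accepts the private key path as its argument; $KeyPath/$Application are
# constructed values.

$KeyPath     = Join-Path $env:USERPROFILE '.ssh\id_ed25519_sk_fidotest'
$Application = 'ssh:fidotest'   # constructed RP ID; must start with "ssh:"

# 1. Gate on the OpenSSH version: -t ed25519-sk needs 8.9p1 or later on Windows.
#    ssh -V prints its banner to stderr, e.g. "OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2".
$banner = (& ssh -V 2>&1 | Out-String).Trim()
if (-not ($banner -match 'OpenSSH(?:_for_Windows)?_(\d+)\.(\d+)')) {
    throw "Could not parse OpenSSH version from: $banner"
}
$version = [version]"$($Matches[1]).$($Matches[2])"
if ($version -lt [version]'8.9') {
    throw "OpenSSH $version does not support -sk key types; install 8.9p1 or later."
}

# 2. Generate the key. verify-required makes the PIN/biometric check mandatory
#    for every signature, which is what a server-side
#    "PubkeyAuthOptions verify-required" demands. The security key must still be
#    touched here; that step cannot be scripted. -O resident is omitted because
#    the agent loads the private key file rather than the credential on the key.
if (-not (Test-Path $KeyPath)) {
    & ssh-keygen -t ed25519-sk `
        -O verify-required `
        -O "application=$Application" `
        -C 'fidotest' -N '""' -q -f $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed with exit code $LASTEXITCODE" }
}

# 3. Sanity-check the public half before handing the private key file to the agent.
$pub = Get-Content "$KeyPath.pub" -ErrorAction Stop
if ($pub -notmatch '^sk-ssh-ed25519@openssh\.com ') {
    throw "Unexpected key type in $KeyPath.pub"
}

# 4. Load the key into the agent (assumed invocation: key path as the sole argument).
Start-Process -FilePath 'sk-ssh-agent.exe' -ArgumentList "`"$KeyPath`""
```

The version gate is the part worth keeping even if the rest is adapted: an older Windows OpenSSH does not know the sk- key types at all, and ssh-keygen's error is less obvious than a version check. The -N '""' idiom is the one used above in the thread for an empty passphrase from PowerShell.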