trussed-dev / fido-authenticator

FIDO authenticator Trussed app
Apache License 2.0

Unable to create resident keys #3

Open graystevens opened 2 years ago

graystevens commented 2 years ago

I've tried to generate a resident key on both of my Solo2s (USB-C and A) but both error out.

➜ ssh-keygen -t ed25519-sk -O resident -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
debug3: start_helper: started pid=18049
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /opt/homebrew/Cellar/openssh/8.8p1/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/usb-drd1@2280000/AppleT8103USBXHCI@01000000/usb-drd1-port-hs@01100000/Solo 2 Security Key@01100000/IOUSBHostInterface@1/AppleUserUSBHostHIDDevice
debug1: ssh_sk_enroll: IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/usb-drd1@2280000/AppleT8103USBXHCI@01000000/usb-drd1-port-hs@01100000/Solo 2 Security Key@01100000/IOUSBHostInterface@1/AppleUserUSBHostHIDDevice does not support credprot, refusing to create unprotected resident/verify-required key
debug1: sshsk_enroll: provider "internal" failure -2
debug1: ssh-sk-helper: Enrollment failed: requested feature not supported
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -59
debug3: reap_helper: pid=18049
Key enrollment failed: requested feature not supported

Tried the same sequence on Ubuntu 20.04 and Arch machines (where I can successfully see them via solo2 and update them both). I've also run fido2-token, which provided the following:

➜ fido2-token -I /dev/hidraw4   
proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
aaguid: xxxxxxxxxxxxxxxxxxxxxxxxx
options: rk, up, credMgmt, clientPin
maxmsgsiz: 7609
maxcredcntlst: 10
maxcredlen: 512
fwversion: 0x0
pin protocols: 1
pin retries: 8
uv retries: undefined

nickray commented 2 years ago

Ack.

nickray commented 2 years ago

Fix incoming; ssh doesn't like us not signaling credProtect extension support in GetInfo.

nickray commented 2 years ago

Got auto-closed prematurely, will await the next release for feedback.

graystevens commented 2 years ago

Have you got any rough timescales for when this may be included in a release? I'm keen to switch over from a few other keys, but this is blocking that unfortunately.

nickray commented 2 years ago

I think this particular PR should be in the latest released FW version 1.0.9, but I also can't full-heartedly recommend updating as there are other open issues still (some users claim ".7 works, but .8 and .9 do not").

kanru commented 2 years ago

Unable to download resident keys, should I open a new issue?

$ fido2-token -I  /dev/hidraw1
proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: credProtect, hmac-secret
aaguid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
options: rk, up, credMgmt, clientPin
maxmsgsiz: 7609
maxcredcntlst: 10
maxcredlen: 512
fwversion: 0x0
pin protocols: 1
pin retries: 8
uv retries: undefined
$ ssh-add -K -v
Enter PIN for authenticator: 
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper 
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_load_resident_keys: trying /dev/hidraw1
debug1: check_sk_options: option uv is unknown
debug1: read_rks: device /dev/hidraw1 does not support resident keys
debug1: main: reply len 4
$ solo2 ls
Solo 2 XXXXXXXXXXXXXXXXXXXXX (CTAP+PCSC, firmware 1:20200101.9)

The "debug1: check_sk_options: option uv is unknown" line in ssh is printed after checking that fido_credman_get_dev_metadata() returns FIDO_ERR_INVALID_COMMAND.

$ fido2-token -I -c /dev/hidraw1
Enter PIN for /dev/hidraw1: 
fido2-token: fido_credman_get_dev_metadata: FIDO_ERR_INVALID_COMMAND
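
Not code from the thread, an added Python illustration of the checks the comments above turn on: it decodes a constructed CTAP2 authenticatorGetInfo CBOR response (built to match the two fido2-token -I dumps in this issue, with an all-zero aaguid placeholder) and reports whether credProtect is listed under extensions (map key 2) and rk and credMgmt under options (map key 4), the advertisement the "does not support credprot" refusal is keyed on. The decoder is minimal and hand-written; cbor_decode, resident_key_problems, INFO_OLD_FW and INFO_NEW_FW are names chosen here.

```python
def cbor_decode(buf, pos=0):
    # Decode one CBOR item from buf at pos -> (value, next_pos).
    # Covers only the types an authenticatorGetInfo response uses.
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24: arg = info
    elif info == 24: arg, pos = buf[pos], pos + 1
    elif info == 25: arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else: raise ValueError("unsupported CBOR argument encoding")
    if major == 0:                      # unsigned integer
        return arg, pos
    if major == 2:                      # byte string (aaguid)
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:                      # text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major in (4, 5):                 # array, or map read as key/value pairs
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    if major == 7 and arg in (20, 21):  # simple values false / true
        return arg == 21, pos
    raise ValueError("unsupported CBOR item")

def resident_key_problems(getinfo_bytes):
    # Reasons an ssh-sk style client refuses resident-key operations, judged
    # only from what the authenticator advertises (GetInfo keys 2 and 4).
    info, _ = cbor_decode(getinfo_bytes)
    extensions, options = info.get(2, []), info.get(4, {})
    problems = []
    if not options.get("rk", False):
        problems.append("option rk missing: resident keys unsupported")
    if "credProtect" not in extensions:
        problems.append("extension credProtect missing: protected resident key refused")
    if not options.get("credMgmt", False):
        problems.append("option credMgmt missing: resident keys cannot be listed")
    return problems

# Constructed GetInfo responses mirroring the two fido2-token -I dumps above.
_VERSIONS = "a6" "01" "82" "66" "5532465f5632" "68" "4649444f5f325f30"   # {1: [U2F_V2, FIDO_2_0]
_REST = ("03" "50" + "0" * 32 +                                           # 3: aaguid (zero placeholder)
         "04" "a4" "62726b" "f5" "627570" "f5"                            # 4: {rk, up,
         "68637265644d676d74" "f5" "69636c69656e7450696e" "f5"            #     credMgmt, clientPin}
         "05" "19" "1db9"                                                 # 5: maxMsgSize 7609
         "06" "81" "01")                                                  # 6: pinProtocols [1]
INFO_OLD_FW = bytes.fromhex(_VERSIONS + "02" "81" "6b" "686d61632d736563726574" + _REST)
INFO_NEW_FW = bytes.fromhex(_VERSIONS + "02" "82" "6b" "6372656450726f74656374"
                            "6b" "686d61632d736563726574" + _REST)
```

kanru's second failure, credMgmt advertised but fido_credman_get_dev_metadata() answering FIDO_ERR_INVALID_COMMAND, is invisible in GetInfo; it only shows up when the credential-management metadata request is actually sent, so a clean result here is necessary but not sufficient for ssh-add -K to work.
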
arathunku commented 2 years ago

I'm running into the same issue.

I've set up a PIN and the key was generated, but when doing "ssh-add -vvv -K", I get

debug1: read_rks: device /dev/hidraw6 does not support resident keys

I'm running on the latest .09 version.