wez / wezterm

A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust
https://wezfurlong.org/wezterm/

wezterm ssh fails to use Yubikey for authentication when using FIDO2 #4295

Open apastuszak opened 1 year ago

apastuszak commented 1 year ago

What Operating System(s) are you seeing this problem on?

macOS

Which Wayland compositor or X11 Window manager(s) are you using?

N/A

WezTerm version

20230712-072601-f4abf8fd

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

No, and I'll explain why below

Describe the bug

When I attempt to ssh into a server in my house using my Yubikey using FIDO2, I am not prompted for my pin. The ssh key is ignored and I am prompted for my SSH password.

Using the openssh client prompts me for my pin and using the ssh kitten in kitty also prompts me for my pin.

I set up my ssh key using this webpage from Yubico:

https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

I created non-discoverable credentials.

To Reproduce

Use this guide from Yubico to create non-discoverable FIDO2 credentials and set them up on a server:

https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

wezterm ssh -v -oIdentityFile=~/.ssh/id_ecdsa_sk servername

Configuration

no config

Expected Behavior

It should prompt me for my PIN. Then my Yubikey should start flashing and I log in after I hit the button on my Yubikey.

Logs

22:44:11.083  INFO   mux::ssh > Using ssh config: {
    "hostname": "fedora-server",
    "identityagent": "/private/tmp/com.apple.launchd.paW3jAmKuX/Listeners",
    "identityfile": "/Users/andy/.ssh/id_ecdsa_sk",
    "port": "22",
    "sendenv": "LANG LC_*",
    "user": "andy",
    "userknownhostsfile": "/Users/andy/.ssh/known_hosts /Users/andy/.ssh/known_hosts2",
    "wezterm_ssh_backend": "libssh",
    "wezterm_ssh_verbose": "true",
}
22:44:11.083  INFO   libssh::ssh_config_parse_file > Reading configuration data from /Users/andy/.ssh/config
22:44:11.083  INFO   libssh::ssh_config_parse_file > Reading configuration data from /etc/ssh/ssh_config
22:44:11.084  INFO   libssh::local_parse_file      > Cannot find file /etc/ssh/ssh_config.d/* to load
22:44:11.084  INFO   libssh::ssh_config_parse_line > Unapplicable option: SendEnv, line: 55
22:44:11.094  INFO   wezterm_ssh::sessioninner     > resolved fedora-server:22 -> 172.25.100.6:22
22:44:11.098  INFO   libssh::ssh_connect           > libssh 0.8.90 (c) 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
22:44:11.098  INFO   libssh::ssh_connect           > Socket connecting, now waiting for the callbacks to work
22:44:11.098  INFO   libssh::ssh_connect           > Actual timeout : 10000
22:44:11.098  INFO   libssh::ssh_socket_pollcallback > Received POLLOUT in connecting state
22:44:11.098  INFO   libssh::socket_callback_connected > Socket connection callback: 1 (0)
22:44:11.098  INFO   libssh::ssh_client_connection_callback > session_state=2
22:44:11.098  INFO   libssh::ssh_socket_unbuffered_write    > Enabling POLLOUT for socket
22:44:11.108  INFO   libssh::callback_receive_banner        > Received banner: SSH-2.0-OpenSSH_9.0
22:44:11.108  INFO   libssh::ssh_client_connection_callback > session_state=3
22:44:11.108  INFO   libssh::ssh_client_connection_callback > SSH server banner: SSH-2.0-OpenSSH_9.0
22:44:11.108  INFO   libssh::ssh_analyze_banner             > Analyzing banner: SSH-2.0-OpenSSH_9.0
22:44:11.108  INFO   libssh::ssh_analyze_banner             > We are talking to an OpenSSH server version: 9.0 (90000)
22:44:11.109  INFO   libssh::ssh_client_select_hostkeys     > Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256"
22:44:11.109  INFO   libssh::ssh_known_hosts_read_entries   > Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
22:44:11.109  INFO   libssh::ssh_client_select_hostkeys     > Algorithms found in known_hosts files: "ssh-ed25519"
22:44:11.109  INFO   libssh::ssh_client_select_hostkeys     > Changing host key method to "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256"
22:44:11.109  INFO   libssh::ssh_socket_unbuffered_write    > Enabling POLLOUT for socket
22:44:11.109  INFO   libssh::packet_send2                   > packet: wrote [type=20, len=908, padding_size=11, comp=896, payload=896]
22:44:11.109  INFO   libssh::ssh_send_kex                   > SSH_MSG_KEXINIT sent
22:44:11.111  INFO   libssh::ssh_packet_socket_callback     > packet: read type 20 [len=932,padding=8,comp=923,payload=923]
22:44:11.111  INFO   libssh::ssh_packet_process             > Dispatching handler for packet type 20
22:44:11.111  INFO   libssh::ssh_client_connection_callback > session_state=5
22:44:11.111  INFO   libssh::ssh_kex_select_methods         > Negotiated curve25519-sha256,ssh-ed25519,chacha20-poly1305@openssh.com,chacha20-poly1305@openssh.com,aead-poly1305,aead-poly1305,none,none,,
22:44:11.112  INFO   libssh::ssh_socket_unbuffered_write    > Enabling POLLOUT for socket
22:44:11.112  INFO   libssh::packet_send2                   > packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
22:44:11.162  INFO   libssh::ssh_packet_socket_callback     > packet: read type 31 [len=188,padding=8,comp=179,payload=179]
22:44:11.162  INFO   libssh::ssh_packet_process             > Dispatching handler for packet type 31
22:44:11.163  INFO   libssh::ssh_socket_unbuffered_write    > Enabling POLLOUT for socket
22:44:11.163  INFO   libssh::packet_send2                   > packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
22:44:11.163  INFO   libssh::crypt_set_algorithms2          > Set output algorithm to chacha20-poly1305@openssh.com
22:44:11.163  INFO   libssh::crypt_set_algorithms2          > Set HMAC output algorithm to aead-poly1305
22:44:11.163  INFO   libssh::crypt_set_algorithms2          > Set input algorithm to chacha20-poly1305@openssh.com
22:44:11.163  INFO   libssh::crypt_set_algorithms2          > Set HMAC input algorithm to aead-poly1305
22:44:11.163  INFO   libssh::ssh_init_rekey_state           > Set rekey after 134217728 blocks
22:44:11.163  INFO   libssh::ssh_init_rekey_state           > Set rekey after 134217728 blocks
22:44:11.163  INFO   libssh::ssh_packet_client_curve25519_reply > SSH_MSG_NEWKEYS sent
22:44:11.163  INFO   libssh::ssh_packet_socket_callback         > Processing 332 bytes left in socket buffer
22:44:11.163  INFO   libssh::ssh_packet_socket_callback         > packet: read type 21 [len=12,padding=10,comp=1,payload=1]
22:44:11.163  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 21
22:44:11.163  INFO   libssh::ssh_packet_newkeys                 > Received SSH_MSG_NEWKEYS
22:44:11.164  INFO   libssh::ssh_packet_newkeys                 > Signature verified and valid
22:44:11.164  INFO   libssh::ssh_client_connection_callback     > session_state=6
22:44:11.164  INFO   libssh::ssh_packet_socket_callback         > Processing 316 bytes left in socket buffer
22:44:11.164  INFO   libssh::ssh_packet_socket_callback         > packet: read type 7 [len=296,padding=8,comp=287,payload=287]
22:44:11.164  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 7
22:44:11.164  INFO   libssh::ssh_packet_ext_info                > Received SSH_MSG_EXT_INFO
22:44:11.164  INFO   libssh::ssh_packet_ext_info                > Follows 2 extensions
22:44:11.164  INFO   libssh::ssh_packet_ext_info                > Extension: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
22:44:11.164  INFO   libssh::ssh_packet_ext_info                > Unknown extension: publickey-hostbound@openssh.com
22:44:11.164  INFO   libssh::ssh_connect                        > current state : 7
22:44:11.165  INFO   libssh::packet_send2                       > packet: wrote [type=5, len=24, padding_size=6, comp=17, payload=17]
22:44:11.165  INFO   libssh::ssh_service_request                > Sent SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
22:44:11.165  INFO   libssh::ssh_socket_unbuffered_write        > Enabling POLLOUT for socke22:44:11.208  INFO   libssh::ssh_packet_socket_callback         > packet: read type 6 [len=24,padding=6,comp=17,payload=17]
22:44:11.208  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 6
22:44:11.208  INFO   libssh::ssh_packet_service_accept          > Received SSH_MSG_SERVICE_ACCEPT
22:44:11.208  INFO   libssh::ssh_socket_unbuffered_write        > Enabling POLLOUT for socket
22:44:11.208  INFO   libssh::packet_send2                       > packet: wrote [type=50, len=40, padding_size=4, comp=35, payload=35]
22:44:11.221  INFO   libssh::ssh_packet_socket_callback         > packet: read type 51 [len=64,padding=10,comp=53,payload=53]
22:44:11.221  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 51
22:44:11.221  INFO   libssh::ssh_packet_userauth_failure        > Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:11.221  INFO   libssh::ssh_packet_userauth_failure        > Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:11.223  INFO   libssh::ssh_agent_get_ident_count          > Answer type: 12, expected answer: 12
22:44:11.223  INFO   libssh::ssh_agent_get_ident_count          > Agent count: 0
22:44:11.223  INFO   libssh::ssh_userauth_publickey_auto        > Trying to authenticate with /Users/andy/.ssh/id_ecdsa_sk
22:44:11.223  INFO   libssh::ssh_key_type_to_hash               > Digest algorithm to be used with key type 15 is not defined
22:44:11.223  INFO   libssh::ssh_key_algorithm_allowed          > Checking sk-ecdsa-sha2-nistp256@openssh.com with list <ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
22:44:11.223  INFO   libssh::ssh_socket_unbuffered_write        > Enabling POLLOUT for socket
22:44:11.224  INFO   libssh::packet_send2                       > packet: wrote [type=50, len=232, padding_size=8, comp=223, payload=223]
22:44:11.231  INFO   libssh::ssh_packet_socket_callback         > packet: read type 60 [len=192,padding=8,comp=183,payload=183]
22:44:11.231  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 60
22:44:11.231  INFO   libssh::ssh_pki_import_privkey_base64      > Trying to decode privkey passphrase=false
22:44:11.231  INFO   libssh::ssh_pki_openssh_import             > Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1
22:44:11.231  INFO   libssh::pki_import_privkey_buffer          > Unknown private key type (15)
22:44:11.231  INFO   libssh::pki_openssh_import_privkey_blob    > Failed to read key in OpenSSH format
22:44:11.231  INFO   libssh::ssh_userauth_publickey_auto        > Failed to read private key: /Users/andy/.ssh/id_ecdsa_sk
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Trying to authenticate with /Users/andy/.ssh/id_ed25519
22:44:11.232  INFO   libssh::ssh_pki_import_pubkey_file         > Error opening /Users/andy/.ssh/id_ed25519.pub: No such file or directory
22:44:11.232  INFO   libssh::ssh_pki_import_privkey_file        > Error opening /Users/andy/.ssh/id_ed25519: No such file or directory
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Private key /Users/andy/.ssh/id_ed25519 doesn't exist.
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Trying to authenticate with /Users/andy/.ssh/id_ecdsa
22:44:11.232  INFO   libssh::ssh_pki_import_pubkey_file         > Error opening /Users/andy/.ssh/id_ecdsa.pub: No such file or directory
22:44:11.232  INFO   libssh::ssh_pki_import_privkey_file        > Error opening /Users/andy/.ssh/id_ecdsa: No such file or directory
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Private key /Users/andy/.ssh/id_ecdsa doesn't exist.
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Trying to authenticate with /Users/andy/.ssh/id_rsa
22:44:11.232  INFO   libssh::ssh_pki_import_pubkey_file         > Error opening /Users/andy/.ssh/id_rsa.pub: No such file or directory
22:44:11.232  INFO   libssh::ssh_pki_import_privkey_file        > Error opening /Users/andy/.ssh/id_rsa: No such file or directory
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Private key /Users/andy/.ssh/id_rsa doesn't exist.
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Trying to authenticate with /Users/andy/.ssh/id_dsa
22:44:11.232  INFO   libssh::ssh_pki_import_pubkey_file         > Error opening /Users/andy/.ssh/id_dsa.pub: No such file or directory
22:44:11.232  INFO   libssh::ssh_pki_import_privkey_file        > Error opening /Users/andy/.ssh/id_dsa: No such file or directory
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Private key /Users/andy/.ssh/id_dsa doesn't exist.
22:44:11.232  INFO   libssh::ssh_userauth_publickey_auto        > Tried every public key, none matched
22:44:18.105  INFO   libssh::ssh_socket_unbuffered_write        > Enabling POLLOUT for socket
22:44:18.105  INFO   libssh::packet_send2                       > packet: wrote [type=50, len=56, padding_size=11, comp=44, payload=44]
22:44:18.121  INFO   libssh::ssh_packet_socket_callback         > packet: read type 51 [len=64,padding=10,comp=53,payload=53]
22:44:18.121  INFO   libssh::ssh_packet_process                 > Dispatching handler for packet type 51
22:44:18.121  INFO   libssh::ssh_packet_userauth_failure        > Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:18.121  INFO   libssh::ssh_packet_userauth_failure        > Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

Anything else?

No response

wez commented 1 year ago

Looks like the underlying libssh library doesn't understand your chosen key file:

libssh::pki_openssh_import_privkey_blob    > Failed to read key in OpenSSH format
ibssh::ssh_userauth_publickey_auto        > Failed to read private key: /Users/andy/.ssh/id_ecdsa_sk

and then the server denies the attempt to use password authentication:

Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

I think support for this is not yet implemented in libssh: https://gitlab.com/libssh/libssh-mirror/-/issues/34
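A pre-flight check for the failure wez describes, added here as an example that is not part of the issue, of wezterm or of libssh: it reads only the unencrypted envelope of an openssh-key-v1 file (the same ciphername/kdf/nkeys fields the log prints before "Unknown private key type") and reports the public key type, so an sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com IdentityFile can be flagged before the libssh backend skips it and the session falls through to password auth. The file produced by constructed_key() is a constructed dummy with a placeholder point and private section, not a usable credential.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN, END = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"
# Key types ssh-keygen writes for FIDO2 (ecdsa-sk / ed25519-sk) credentials.
SK_KEY_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}

def _read_string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def parse_openssh_private_key(pem: str) -> dict:
    """Read the unencrypted envelope of an openssh-key-v1 file; the private section is not parsed."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    ciphername, off = _read_string(blob, off)
    kdfname, off = _read_string(blob, off)
    _kdfoptions, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    pubkey, _ = _read_string(blob, off + 4)
    keytype, _ = _read_string(pubkey, 0)  # first field of every public key blob
    return {"ciphername": ciphername.decode(), "kdfname": kdfname.decode(),
            "nkeys": nkeys, "keytype": keytype.decode()}

def is_fido2_key(info: dict) -> bool:
    """True when the IdentityFile is an sk- key, which the libssh backend cannot import."""
    return info["keytype"] in SK_KEY_TYPES

def constructed_key(keytype: str) -> str:
    """Constructed dummy key file: real header layout, placeholder point and private section."""
    pub = (_put_string(keytype.encode()) + _put_string(b"nistp256")
           + _put_string(b"\x04" + b"\x00" * 64) + _put_string(b"ssh:"))
    blob = (MAGIC + _put_string(b"none") + _put_string(b"none") + _put_string(b"")
            + struct.pack(">I", 1) + _put_string(pub) + _put_string(b"\x00" * 8))
    b64 = base64.b64encode(blob).decode()
    return "\n".join([BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [END])
```

Run it against the real file with `parse_openssh_private_key(open("~/.ssh/id_ecdsa_sk").read())` (path expanded); an unencrypted key reports ciphername and kdfname as "none", exactly as the libssh log line above does.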