"resident" OpenSSH-sk keys not working (yet?) #108
-
I am trying to use the solo2 for SSH authentication making use of the FIDO2 feature introduced with OpenSSH 8.2. While I can successfully generate and use an ed25519-sk key using trying to store the "keys" on the device (for easier switching between computers) using fails with a Windows Security message saying This security key can't be used. Please try a different one. Question: Is this a hardware limitiation, a not yet implemented feature or a bug? My system: Windows 11 - OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3 |
Beta Was this translation helpful? Give feedback.
Replies: 9 comments 20 replies
-
I had the same issue, trying out the new putty-cac with fido2 support: Seems to be not working yet. |
Beta Was this translation helpful? Give feedback.
-
Just tried again after installing the newest firmware but still no luck... Downloading latest release from https://github.com/solokeys/solo2/
Fetched firmware version 1:20200101.9
Tap button on key to confirm, or replug to abort...
LPC55 Bootloader detected. The LED should be off.
Writing new firmware...
Done. Rebooting key. The LED should turn back on.
PS D:\> ssh-keygen -vvv -t ed25519-sk -O resident -f D:\id_ed25519_solo2-sk-test
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: find_helper: using "c:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: Creating process with CREATE_NO_WINDOW
debug3: spawning "c:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=19056
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=19056
Key enrollment failed: invalid format
PS D:\> ssh -V
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3
PS D:\> Seems there are open issues (here and here) about this topic. Looks like there are way too many places where questions are asked, topics are discussed, ... for the Solo2 :-/ |
Beta Was this translation helpful? Give feedback.
-
Still a problem on 2:20220822.0 :( |
Beta Was this translation helpful? Give feedback.
-
This should work (i.e. just verified, on Linux, openssh 9.0p1). The error messages can be confusing... Steps:
|
Beta Was this translation helpful? Give feedback.
-
The
|
Beta Was this translation helpful? Give feedback.
-
No luck here. I did
|
Beta Was this translation helpful? Give feedback.
-
The solution for me was to perform a reset with fido-token after updating even though the key was not reporting any stored credentials. Ed25519-sk works fine for me with resident keys now except for the |
Beta Was this translation helpful? Give feedback.
-
I was able to generate ssh resident key but I have problems loading the key with ssh version: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022 I started with a reset
I tried also replugging the key, same result. Maybe doesn't work on old openssh version? @nickray tried with 9.0p1. |
Beta Was this translation helpful? Give feedback.
-
I'm running into this issue on NixOS 23.05 running the following software versions:
Using the latest Solo2 firmware $ solo2 ls
Solo 2 57BD8C5F18005750B5C4BXXXXXXXXX (CTAP+PCSC, firmware 2:20220822.0, locked) I started with a reset $ ssh-keygen -t ecdsa-sk -O resident
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
A resident key scoped to 'ssh:' with user id 'null' already exists.
Overwrite key in token (y/n)? y
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/home/USER/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USER/.ssh/id_ecdsa_sk
Your public key has been saved in /home/USER/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:7H8F1oNsXjpGqP4+g+oWjrRY7kO+mLJdWSO0YHLggiU lriutzel@reg
The key's randomart image is:
+-[ECDSA-SK 256]--+
|E . |
|o+ |
|+.+ . o o |
|.+ o . . . B + |
| o o S. = + . |
| ++.o. = . |
| Bo+ o.. . o |
|...+* o o.o . |
|.o+.o=o. o++ |
+----[SHA256]-----+ Then load the resident key $ ssh-add -K -v
Enter PIN for authenticator:
debug1: start_helper: starting /nix/store/960l5qaraqbm9mm5r002kgws7hi8vfhh-openssh-9.3p1/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: sk_probe: 2 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: sk_touch_poll: polling /dev/hidraw9
debug1: sk_touch_poll: polling pcsc://slot0
debug1: sk_touch_poll: polling /dev/hidraw9
debug1: ssh_sk_load_resident_keys: trying /dev/hidraw9
debug1: check_sk_options: option uv is unknown
debug1: read_rks: existing 1, remaining 99
debug1: read_rks: Device /dev/hidraw9 has resident keys for 1 RPs
debug1: read_rks: rp 0: name="(none)" id="ssh:" hashlen=32
debug1: read_rks: RP "ssh:" has 1 resident keys
debug1: read_rks: Device /dev/hidraw9 RP "ssh:" user "openssh" uidlen 32 slot 0: type -7 flags 0x00 prot 0x02
debug1: process_load_resident: key 0 ECDSA-SK ssh: uidlen 32
debug1: main: reply len 316
debug1: sshsk_load_resident: srks[0]: ECDSA-SK ssh: uidlen 32
Unable to add key ECDSA-SK SHA256:lIhLCp9lrSwvSoiurARFldv1RKW6niNHM2QzuzsfTAw I tried as root with the same outcome. I also tried replugging and running ssh-add again.
This is in addition to the "normal" udev rules I have for solo2
I also tried to reset the key with chrome at |
Beta Was this translation helpful? Give feedback.
The
ssh-add -K
doesn't work as well but finally pointed to the (stupid) solution. Found it in the Yubikey-Subreddit: On windows you need an elevated prompt and then everything is working fine. 😲 😖