Cannot generate ssh key #16

Closed
opened 2023-09-17 19:29:33 +08:00 by aa889788 · 4 comments
aa889788 commented 2023-09-17 19:29:33 +08:00 (Migrated from github.com)

I'm trying to auth the ssh using pico-fido, but the key cannot be generated

```bash
$ ssh-keygen -vvvv -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=14873
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device /dev/hidraw2
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_RX
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=14873
Key enrollment failed: invalid format
```

```bash
$ ssh-keygen -vvvv -t ecdsa-sk -O resident
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=14953
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device /dev/hidraw2
debug1: check_sk_options: option uv is unknown
debug1: key_lookup: fido_dev_get_assert: FIDO_ERR_RX
debug1: ssh_sk_enroll: key_lookup failed
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=14953
```
aa889788 commented 2023-09-17 19:30:46 +08:00 (Migrated from github.com)

I don't know if it's because the pico-fido does not support ssh, or my environment has some issues?

polhenarejos commented 2023-09-18 00:58:22 +08:00 (Migrated from github.com)

Which OS?
Is your pico-fido properly recognized?

polhenarejos commented 2023-09-18 02:12:58 +08:00 (Migrated from github.com)

For first error (no resident), it is caused due to PIN protection. For an unknown reason, ssh-keygen does not prompt for PIN.
If you remove PIN protection, it should work.

Second error is related to resident list. Since this resident list is empty, it fails on finding key. Try to generate a resident key first.
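
Added example, not part of the thread or of pico-fido: a small parser for `ssh-keygen -vvvv` traces like the two in this issue, which extracts the device, the enrollment flags and the libfido2 call that failed. The flag names are the bit definitions from OpenSSH's `sk-api.h`; the function names `decode_flags` and `triage` are hypothetical, and the sample lines are copied from the second trace above.

```python
import re

# Flag bits passed to the security-key helper, as defined in OpenSSH's sk-api.h.
SK_FLAGS = {
    0x01: "USER_PRESENCE_REQD",
    0x04: "USER_VERIFICATION_REQD",
    0x10: "FORCE_OPERATION",
    0x20: "RESIDENT_KEY",
}

ENROLL_RE = re.compile(r'sshsk_enroll: provider "[^"]*".*application "([^"]*)".*flags (0x[0-9a-fA-F]+)')
DEVICE_RE = re.compile(r"using device (\S+)")
FIDO_RE = re.compile(r"(\w+): (fido_\w+): (FIDO_ERR_\w+)")

# Lines copied from the second trace in the issue (-O resident).
SAMPLE = '''\
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: ssh_sk_enroll: using device /dev/hidraw2
debug1: check_sk_options: option uv is unknown
debug1: key_lookup: fido_dev_get_assert: FIDO_ERR_RX
debug1: sshsk_enroll: provider "internal" failure -1
'''


def decode_flags(value):
    """Return the names of the sk-api.h bits set in an enrollment flags value."""
    names = [name for bit, name in sorted(SK_FLAGS.items()) if value & bit]
    unknown = value & ~sum(SK_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%02x)" % unknown)
    return names


def triage(log):
    """Summarise one ssh-keygen -vvvv trace: device, flags, failing libfido2 calls."""
    out = {"device": None, "application": None, "flags": [], "uv_requested": False, "failures": []}
    for line in log.splitlines():
        m = ENROLL_RE.search(line)
        if m:  # only the first sshsk_enroll line carries application and flags
            value = int(m.group(2), 16)
            out.update(application=m.group(1), flags=decode_flags(value),
                       uv_requested=bool(value & 0x04))
        m = DEVICE_RE.search(line)
        if m:
            out["device"] = m.group(1)
        m = FIDO_RE.search(line)
        if m:
            out["failures"].append(m.groups())  # (caller, libfido2 call, error)
    return out
```

Both traces in the issue carry flags with the `0x04` bit clear (`0x01` and `0x21`), so `uv_requested` is false for each; that bit is set when `ssh-keygen` is run with `-O verify-required`.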

polhenarejos commented 2023-09-18 02:56:04 +08:00 (Migrated from github.com)

Digging into ssh-keygen code, it seems that all problems are related with PIN, which is not asked. Need to fix it first.

Reference: dearsky/pico-fido#16