Failed to load resident ssh key (ever since 5.10 version and still exists in 5.12 version), Err code: Unable to load resident keys: device not found #59
Hi
I'm running 5.12 eddsa (with vendor patch to Yubikey 4/5 OTP+FIDO+CCID) on my pico board, using openssh windows from this repo.
I managed to create a resident ssh key and save it to the pico key (pretty sure about it since I see the light in processing mode, and if I create a new ssh key with the same name it tells me there is already a key with the same name there).
But it never allows me to read out the resident key using
ssh-add -K -S internal
or
ssh-keygen -K
Using these commands under an admin mode powershell (has to run under admin mode since this is a bug for openssh windows version) gives me a result like this
I can see that the LED light turned to press-to-confirm mode, and after I pressed the button, it turned to active mode rather than processing mode.

Also there is something wrong with the hid device driver after I plugged in the pico key.
But everything else works fine, like using the key to log in to websites with webauthn.
It even works when I log in over ssh with the -i option to load the key file from the local hard disk, like:
ssh root@myserver -v -i .\id_ed25519_sk
I just can't use the ssh-add or ssh-keygen command to dump the key file from the pico key to local disk.
I've tried several boards like the official pico board, waveshare pico zero and some boards I made myself, and got the same result.
Could it be the driver issue or something else?
Update:
I just did some more tests and confirmed that this issue (ssh key load and yellow exclamation mark in Device Manager) has happened since the 5.10 version; rolling back to 5.8 solves the problem. But 5.8 has some other issues, fixed in 5.10 and 5.12, which bother me more.
On the same pc(windows 11 os),using 5.8 version everything seems fine in the device manager,
with 5.10 version:

with 5.12 version:

No difference between eddsa branch or main branch.
Yubico 5 and neo fido_5.8 firmware works great as it should, Yubico Authenticator and YubiKey Personalization Tool handle it, but fido 5.10 and 5.12 are completely defective, yubico manager programs don't handle them completely error-free either! The developer gives very few answers here on the forum, documentation is incomplete, hms versions are still we will never be able to communicate under Windows/Linux or with the recommended environmental software! A tutorial video would help a lot for the hsm device!
How are you sure it is in the device? How do you generate it?
Fixed in ec612a4.
I use the command below to generate the key (under an admin mode powershell env)
ssh-keygen -t ed25519-sk -O resident -O application=ssh:YourTextHere -O verify-required
I'm sure it is in the device since I generated it with a pico key with 5.8 version and everything works fine, just upgrading a firmware version won't erase the key that already exists, right?
Thank you for the fix, I will try to build and verify it later.
Hi, I just compiled the development branch and confirmed that this commit works, can you please merge it into the eddsa branch?
Also I found a problem: I have to use the flash_nuke.uf2 file to reset the pico board (which erases everything on the spi flash, I think) and then reinstall the new firmware.
If I just put it into boot mode and upgrade with the compiled firmware, the problem still exists.
I'm not sure whether the problem is that I upgraded with a non-eddsa firmware on the pico board which was running an eddsa firmware, or some other reason.
Can you please merge this commit to the eddsa branch? Thank you.