[Bug 3463] cannot gen ed25519-sk residental key with fido2

bugzilla-daemon at mindrot.org
Tue Jul 19 19:02:05 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3463

--- Comment #5 from sergey at markow.su ---
I've fully rebuilt openssh9:
../configure --with-security-key-builtin --with-md5-passwords --with-selinux --with-privsep-path=$HOME/openssl-8/test-openssh --sysconfdir=$HOME/openssl-9/test-openssh --prefix=$HOME/openssl-9/test-openssh --enable-security-key --enable-fido2

Config log is attached.

The output of the command is different:
bin $ FIDO_DEBUG=1 ./ssh-keygen -vvv -t ed25519-sk -O resident -f /tmp/foo
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
debug3: start_helper: started pid=16068
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /home/galina/openssl-9/test-openssh/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
fido_hid_unix_open: open /dev/hidraw0: Permission denied
fido_hid_unix_open: open /dev/hidraw1: Permission denied
fido_hid_unix_open: open /dev/hidraw2: Permission denied
run_manifest: found 1 hid device
run_manifest: found 0 nfc devices
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
fido_tx: dev=0x563bc994a6b0, cmd=0x06
fido_tx: buf=0x563bc994a6b0, len=8
0000: ad 85 51 90 9c ad 17 93
fido_rx: dev=0x563bc994a6b0, cmd=0x06, ms=-1
rx_preamble: buf=0x7ffe22c2aa10, len=64
rx: payload_len=17
fido_rx: buf=0x563bc994a6b8, len=17
0000: ad 85 51 90 9c ad 17 93 81 74 34 79 02 05 04 03
0016: 05
fido_dev_get_cbor_info_tx: dev=0x563bc994a6b0
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x7ffe22c2aa77, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x563bc994a6b0, ci=0x563bc993a070, ms=-1
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a1d0, len=64
rx: payload_len=200
rx: buf=0x7ffe22c2a1d0, len=64
rx: buf=0x7ffe22c2a1d0, len=64
rx: buf=0x7ffe22c2a1d0, len=64
fido_rx: buf=0x7ffe22c2a260, len=200
parse_reply_element: cbor type
fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
debug1: ssh_sk_enroll: using device /dev/hidraw3
fido_dev_authkey_tx: dev=0x563bc994a6b0
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x563bc993bd20, len=6
0000: 06 a2 01 02 02 02
fido_dev_authkey_rx: dev=0x563bc994a6b0, authkey=0x563bc9939f20, ms=-1
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a210, len=64
rx: payload_len=81
rx: buf=0x7ffe22c2a210, len=64
fido_rx: buf=0x7ffe22c2a2a0, len=81
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x563bc99389e0, len=120
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a200, len=64
rx: payload_len=1
fido_rx: buf=0x7ffe22c2a2a0, len=1
0000: 35
cbor_parse_reply: blob[0]=0x35
uv_token_rx: parse_uv_token
cbor_add_uv_params: fido_dev_get_uv_token
fido_dev_make_cred_tx: cbor_add_uv_params
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_NOT_SET
fido_tx: dev=0x563bc994a6b0, cmd=0x11
fido_tx: buf=(nil), len=0
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=16068
Key enrollment failed: invalid format
