[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com" signature type not supported from ssh agent

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Nov 2 03:04:16 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #3 from bmhomer13 at gmail.com ---
Ok I managed to get this working i.e. the signature verified and I
could log in.

However, on the server-side I had to comment out this check:
https://github.com/openssh/openssh-portable/blob/V_8_7/ssh-ecdsa-sk.c#L124

I think it may be because we are using certs i.e. ECDSA-SK-CERT.

Still not sure I understand this, but the expected clientData preamble
seemed to contain cert info in the "challenge" section, whereas the
challenge we return in our agent contains a much shorter challenge
returned from Apple APIs (specifically
https://developer.apple.com/documentation/authenticationservices/asauthorizationsecuritykeypublickeycredentialprovider).

Given that the signature verified once I removed this check, I'm not
sure it's implemented correctly.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list