U2F support in OpenSSH HEAD

Michael Forney mforney at mforney.org
Fri Nov 15 12:54:42 AEDT 2019


On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> Please give this a try - security key support is a substantial change and
> it really needs testing ahead of the next release.

Hi Damien,

Thanks for working on security key support, this is a really nice
feature to have in openssh.

My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest
changes to openssh and libfido2, failing with `try_device:
fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if
this is a problem in libfido2 or sk-usbhid.c (I also reported this
issue at https://github.com/Yubico/libfido2/issues/73).

Is try_device incompatible with U2F keys? It seems to me to be trying
to detect the presence of a key handle using an assert with up=0, but
that causes the U2F codepath in libfido2 to return an error
FIDO_ERR_USER_PRESENCE_REQUIRED.

I believe that since try_device is only trying to find the device with
the key, FIDO_ERR_USER_PRESENCE_REQUIRED should be ignored here, since
that seems to indicate that the key lookup succeeded, but
authentication was not attempted. I attached a diff that makes this
change and it seems to fix my issue.
-------------- next part --------------
diff --git a/sk-usbhid.c b/sk-usbhid.c
index c0a6bd0d..00c07685 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -204,7 +204,7 @@ try_device(fido_dev_t *dev, const uint8_t *message, size_t message_len,
  out:
 	fido_assert_free(&assert);
 
-	return r != FIDO_OK ? -1 : 0;
+	return r != FIDO_OK && r != FIDO_ERR_USER_PRESENCE_REQUIRED ? -1 : 0;
 }
 
 /* Iterate over configured devices looking for a specific key handle */
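Review bot: The widened return condition at the end of try_device is undocumented; it relies on the U2F code path in libfido2 reporting FIDO_ERR_USER_PRESENCE_REQUIRED only after the key handle was recognised with up=0, so a one-line comment above the return should state that, and parentheses would make the ternary precedence obvious at a glance, e.g. `return (r != FIDO_OK && r != FIDO_ERR_USER_PRESENCE_REQUIRED) ? -1 : 0;`.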