U2F support in OpenSSH HEAD

Damien Miller djm at mindrot.org
Fri Nov 15 13:23:08 AEDT 2019



On Thu, 14 Nov 2019, Michael Forney wrote:

> On 2019-11-14, Damien Miller <djm at mindrot.org> wrote:
> > Please give this a try - security key support is a substantial change and
> > it really needs testing ahead of the next release.
> 
> Hi Damien,
> 
> Thanks for working on security key support; this is a really nice
> feature to have in openssh.
> 
> My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest
> changes to openssh and libfido2, failing with `try_device:
> fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if
> this is a problem in libfido2 or sk-usbhid.c (I also reported this
> issue at https://github.com/Yubico/libfido2/issues/73).
> 
> Is try_device incompatible with U2F keys? It seems to me to be trying
> to detect the presence of a key handle using an assert with up=0, but
> that causes the U2F codepath in libfido2 to return an error
> FIDO_ERR_USER_PRESENCE_REQUIRED.
> 
> I believe that since try_device is only trying to find the device with
> the key, FIDO_ERR_USER_PRESENCE_REQUIRED should be ignored here, since
> that seems to indicate that the key lookup succeeded, but
> authentication was not attempted. I attached a diff that makes this
> change and it seems to fix my issue.

Thanks for testing this!

Does this patch help? If you're able to test multiple U2F-only keys in
a host then that would be ideal - you'll be able to see whether ssh is
trying each device if you run it in verbose mode (i.e. ssh -vvv ...)

Basically, I want to make sure that FIDO_ERR_USER_PRESENCE_REQUIRED is
returned only when a token actually claims a key handle, and not all the
time...

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 63c7cb2..8758e2d 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -197,6 +197,10 @@ try_device(fido_dev_t *dev, const uint8_t *message, size_t message_len,
 	}
 	r = fido_dev_get_assert(dev, assert, NULL);
 	skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
+	if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
+		/* U2F tokens may return this */
+		r = FIDO_OK;
+	}
  out:
 	fido_assert_free(&assert);
 
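Review bot: the remap `if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) { r = FIDO_OK; }` is unconditional, so if a U2F token returns that error for key handles it does not own (the exact concern raised in the reply text above), try_device will report a match on every U2F device and the caller has no way to tell them apart. The comment `/* U2F tokens may return this */` should spell out the assumption being relied on, namely that the U2F code path only returns FIDO_ERR_USER_PRESENCE_REQUIRED after the key handle has been accepted and only user presence is missing. Also, the existing `skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));` runs before the remap and will still print the error, while the function goes on to treat it as success; a second skdebug inside the `if` block saying the error was treated as "key handle present" would make the `ssh -vvv` output requested above unambiguous when testing several keys.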