Hello, I'm helping the Git for windows team and contributing in git-for-windows repository to help expand the OpenSSH support for fido2 devices on Windows. Currently we are using your internal implementation(sk-usbhic.c) however since Windows 10 version 1903 this requires administrator privileges. I'm trying to create a module for OpenSSH to use webauthn.dll instead of direct calling to libfido2 to eliminate the need for administrator privileges I noticed that in ssh-sk.c in function sshsk_sign you hash the input data before passing it to external module sk_sign function. The problem is, Windows API automatically hash the input before sending it to fido device, so I need to receive the data without hashing to be able to use this or else the data will be hashed two times and verification will fail. May I suggest that you do this part inside sk_sign command so the module using your sk-api.h interface can do this if it's needed? Thank you,
On Thu, 5 Mar 2020, Reza Tavakoli wrote:> Hello, > > I'm helping the Git for windows team and contributing in git-for-windows > repository to help expand the OpenSSH support for fido2 devices on Windows. > Currently we are using your internal implementation(sk-usbhic.c) however > since Windows 10 version 1903 this requires administrator privileges. > > I'm trying to create a module for OpenSSH to use webauthn.dll instead of > direct calling to libfido2 to eliminate the need for administrator > privileges > I noticed that in ssh-sk.c in function sshsk_sign you hash the input data > before passing it to external module sk_sign function. The problem is, > Windows API automatically hash the input before sending it to fido device, > so I need to receive the data without hashing to be able to use this or > else the data will be hashed two times and verification will fail. > > May I suggest that you do this part inside sk_sign command so the module > using your sk-api.h interface can do this if it's needed?That sounds reasonable - do you have a patch you can share? We'd need to increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the next release anyway. -d
Here is the patch I've used. I've also changed sk-dummy.c but seems like I can't invoke it properly(no test fail in any case). So far with these changes everything is working fine(I SSHed to myself with both internal implementation and my custom module) On Fri, Mar 6, 2020 at 2:50 AM Damien Miller <djm at mindrot.org> wrote:> On Thu, 5 Mar 2020, Reza Tavakoli wrote: > > > Hello, > > > > I'm helping the Git for windows team and contributing in git-for-windows > > repository to help expand the OpenSSH support for fido2 devices on > Windows. > > Currently we are using your internal implementation(sk-usbhic.c) however > > since Windows 10 version 1903 this requires administrator privileges. > > > > I'm trying to create a module for OpenSSH to use webauthn.dll instead of > > direct calling to libfido2 to eliminate the need for administrator > > privileges > > I noticed that in ssh-sk.c in function sshsk_sign you hash the input data > > before passing it to external module sk_sign function. The problem is, > > Windows API automatically hash the input before sending it to fido > device, > > so I need to receive the data without hashing to be able to use this or > > else the data will be hashed two times and verification will fail. > > > > May I suggest that you do this part inside sk_sign command so the module > > using your sk-api.h interface can do this if it's needed? > > That sounds reasonable - do you have a patch you can share? We'd need to > increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the > next release anyway. > > -d >
On Fri, 6 Mar 2020, Damien Miller wrote:> On Thu, 5 Mar 2020, Reza Tavakoli wrote: > > > Hello, > > > > I'm helping the Git for windows team and contributing in git-for-windows > > repository to help expand the OpenSSH support for fido2 devices on Windows. > > Currently we are using your internal implementation(sk-usbhic.c) however > > since Windows 10 version 1903 this requires administrator privileges. > > > > I'm trying to create a module for OpenSSH to use webauthn.dll instead of > > direct calling to libfido2 to eliminate the need for administrator > > privileges > > I noticed that in ssh-sk.c in function sshsk_sign you hash the input data > > before passing it to external module sk_sign function. The problem is, > > Windows API automatically hash the input before sending it to fido device, > > so I need to receive the data without hashing to be able to use this or > > else the data will be hashed two times and verification will fail. > > > > May I suggest that you do this part inside sk_sign command so the module > > using your sk-api.h interface can do this if it's needed? > > That sounds reasonable - do you have a patch you can share? We'd need to > increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the > next release anyway.Hi, I committed a change to move the hashing from ssh-sk.c to the middleware, bumping the expected middleware version along the way. Please take a look (commit 59d2de956e). -d
Reasonably Related Threads
- Building libsk-libfido2.so?
- Incomplete attestation data for FIDO2 SKs?
- [PATCH 0/2] Fix Memory Management Issue in `ssh-sk-helper` with External SK Libraries
- U2F support in OpenSSH HEAD
- [Bug 3188] New: Problems creating a second ecdsa-sk key for a second Yubikey