bugzilla-daemon at mindrot.org
2024-Oct-29 11:31 UTC
[Bug 3748] New: "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Bug ID: 3748
Summary: "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
Product: Portable OpenSSH
Version: 9.7p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bmhomer13 at gmail.com

Hi,

A "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type was added in this commit: https://github.com/openssh/openssh-portable/commit/bb52e70fa5330070ec9a23069c311d9e277bbd6f

We have an SSH agent which tries to return this webauthn signature type for an "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" cert. However, this fails with the following output on the client side:

```
debug1: Server accepts key: ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0 authenticator agent
debug3: sign_and_send_pubkey: using publickey with ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
debug1: sign_and_send_pubkey: no separate private key for certificate ""
debug3: sign_and_send_pubkey: signing using sk-ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
agent key ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0 returned incorrect signature type
debug3: sign_and_send_pubkey: signing using sk-ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
sign_and_send_pubkey: signing failed for ECDSA-SK-CERT "" from agent: signature algorithm not supported
```

This error comes from here: https://github.com/openssh/openssh-portable/blob/ef7c26cd2f0f9a8222f851d1e551f6dfd3113f8b/sshconnect2.c#L1438

I believe there may be a bug in the `key_sig_algorithm` function (https://github.com/openssh/openssh-portable/blob/ef7c26cd2f0f9a8222f851d1e551f6dfd3113f8b/sshconnect2.c#L1153) which assumes that the signature algorithm will only differ from the key algorithm for RSA keys/certs.

However, based on my understanding it should be possible to use "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" for "sk-ecdsa-sha2-nistp256@openssh.com" keys (there is an example of this here: https://github.com/openssh/openssh-portable/blob/master/regress/unittests/sshsig/webauthn.html).

Perhaps I'm missing something here, it would be great if someone could clarify the current state of webauthn support in general.

Many thanks!

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Oct-30 06:31 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Damien Miller <djm at mindrot.org> changed:

What | Removed | Added
CC   |         | djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---

Unfortunately the status of webauthn signatures is largely untested. The basic support is there for signature verification, but nothing in OpenSSH generates webauthn signatures so some of the other plumbing might be missing.

It might be this check that is causing your error: https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442 - does removing it help?
bugzilla-daemon at mindrot.org
2024-Nov-01 13:12 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #2 from bmhomer13 at gmail.com ---

Thanks for confirming the status of webauthn support, this is what I suspected.

I tried to disable the check you mentioned, this does resolve the error on the client-side. However, I then run into the following on the server-side:

"debug3: mm_answer_keyverify: publickey ECDSA-SK-CERT signature unverified: incomplete message"

I checked that my agent code produces a signature which is the same as https://github.com/openssh/openssh-portable/blob/master/regress/unittests/sshsig/webauthn.html given the same inputs, so not sure what happened here yet.
bugzilla-daemon at mindrot.org
2024-Nov-01 16:04 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #3 from bmhomer13 at gmail.com ---

Ok I managed to get this working i.e. the signature verified and I could log in. However, on the server-side I had to comment out this check: https://github.com/openssh/openssh-portable/blob/V_8_7/ssh-ecdsa-sk.c#L124

I think it may be because we are using certs i.e. ECDSA-SK-CERT. Still not sure I understand this, but the expected clientData preamble seemed to contain cert info in the "challenge" section, whereas the challenge we return in our agent contains a much shorter challenge returned from Apple APIs (specifically https://developer.apple.com/documentation/authenticationservices/asauthorizationsecuritykeypublickeycredentialprovider).

Given that the signature verified once I removed this check, I'm not sure it's implemented correctly.
bugzilla-daemon at mindrot.org
2024-Nov-04 03:45 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Yeah, that seems very wrong. Can you get a hexdump of the signature? sshbuf_dump() or sshbuf_dump_data() are handy for this.
bugzilla-daemon at mindrot.org
2024-Nov-04 17:31 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #5 from bmhomer13 at gmail.com ---

Ok, turns out the second issue with the server-side check was entirely my fault. We were hashing the challenge and it was also getting doubly base64 encoded. Once fixed the server-side check passes.

The original problem with the client-side check however I think is a genuine issue. One way I found to get around this, besides disabling the check (https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442) entirely, is to just get the agent to return "sk-ecdsa-sha2-nistp256@openssh.com" as the format, but pass the full webauthn signature structure (https://github.com/openssh/openssh-portable/blob/bb52e70fa5330070ec9a23069c311d9e277bbd6f/PROTOCOL.u2f#L212). Then on the server side, just detect that it's a webauthn signature based on the structure, rather than the key type (by modifying the code here a bit: https://github.com/openssh/openssh-portable/blob/master/ssh-ecdsa-sk.c#L288).

I guess that's probably not a viable fix for me to push upstream - just mentioning as a possible server-side solution, as in our case we have more control over the server-side deployment.
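
The challenge mistake described in comment #5 (hashed, and base64 encoded twice) can be caught on the agent side before the signature reaches sshd. The following is an added example, not part of the thread or of OpenSSH: it assumes the expected challenge is the unpadded base64url encoding of the exact bytes the client asked the agent to sign, and SHA-256 for the "hashed" case; all function names, the sample message and the origin value are constructed.

```python
import base64
import hashlib
import json

# Constructed stand-in for the bytes the SSH client asks the agent to sign.
SAMPLE_MESSAGE = b"\x00\x00\x00\x20" + bytes(range(32)) + b"\x32constructed-userauth-request"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_variants(message: bytes) -> dict:
    """Map each challenge string an agent might emit to a diagnosis."""
    digest = hashlib.sha256(message).digest()  # assumption: SHA-256
    return {
        b64url(message): "ok",
        b64url(digest): "hashed",
        b64url(b64url(message).encode()): "double-encoded",
        b64url(b64url(digest).encode()): "hashed-and-double-encoded",
    }


def classify_challenge(message: bytes, client_data: bytes) -> str:
    """Diagnose the challenge inside a clientData JSON blob from the agent."""
    try:
        parsed = json.loads(client_data)
    except ValueError:
        return "not-json"
    if not isinstance(parsed, dict) or parsed.get("type") != "webauthn.get":
        return "wrong-type"
    challenge = parsed.get("challenge")
    if not isinstance(challenge, str):
        return "unrelated"
    return expected_variants(message).get(challenge, "unrelated")


def constructed_client_data(challenge: str) -> bytes:
    """Build a sample clientData blob (origin value is a placeholder)."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": "https://example.invalid"},
                      separators=(",", ":")).encode()


if __name__ == "__main__":
    for challenge, label in expected_variants(SAMPLE_MESSAGE).items():
        verdict = classify_challenge(SAMPLE_MESSAGE, constructed_client_data(challenge))
        print(f"{label:28s} -> {verdict} (challenge is {len(challenge)} chars)")
```

A hashed challenge is always 43 characters regardless of message size, which matches the "much shorter challenge" observed in comment #3.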