bugzilla-daemon at mindrot.org
2024-Oct-29 11:31 UTC
[Bug 3748] New: "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Bug ID: 3748
Summary: "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
Product: Portable OpenSSH
Version: 9.7p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bmhomer13 at gmail.com

Hi,

A "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type was added in this commit: https://github.com/openssh/openssh-portable/commit/bb52e70fa5330070ec9a23069c311d9e277bbd6f

We have an SSH agent which tries to return this webauthn signature type for an "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" cert. However, this fails with the following output on the client side:

```
debug1: Server accepts key: ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0 authenticator agent
debug3: sign_and_send_pubkey: using publickey with ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
debug1: sign_and_send_pubkey: no separate private key for certificate ""
debug3: sign_and_send_pubkey: signing using sk-ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
agent key ECDSA-SK-CERT SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0 returned incorrect signature type
debug3: sign_and_send_pubkey: signing using sk-ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:1FFCks/uvL5MVUBOcr8f3mNlLpdaw1Qt1CHA7JNqZp0
sign_and_send_pubkey: signing failed for ECDSA-SK-CERT "" from agent: signature algorithm not supported
```

This error comes from here: https://github.com/openssh/openssh-portable/blob/ef7c26cd2f0f9a8222f851d1e551f6dfd3113f8b/sshconnect2.c#L1438

I believe there may be a bug in the `key_sig_algorithm` function (https://github.com/openssh/openssh-portable/blob/ef7c26cd2f0f9a8222f851d1e551f6dfd3113f8b/sshconnect2.c#L1153) which assumes that the signature algorithm will only differ from the key algorithm for RSA keys/certs.

However, based on my understanding it should be possible to use "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" for "sk-ecdsa-sha2-nistp256@openssh.com" keys (there is an example of this here: https://github.com/openssh/openssh-portable/blob/master/regress/unittests/sshsig/webauthn.html).

Perhaps I'm missing something here, it would be great if someone could clarify the current state of webauthn support in general.

Many thanks!
bugzilla-daemon at mindrot.org
2024-Oct-30 06:31 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---

Unfortunately the status of webauthn signatures is largely untested. The basic support is there for signature verification, but nothing in OpenSSH generates webauthn signatures so some of the other plumbing might be missing.

It might be this check that is causing your error: https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442 - does removing it help?
bugzilla-daemon at mindrot.org
2024-Nov-01 13:12 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #2 from bmhomer13 at gmail.com ---

Thanks for confirming the status of webauthn support, this is what I suspected.

I tried to disable the check you mentioned, this does resolve the error on the client-side. However, I then run into the following on the server-side:

"debug3: mm_answer_keyverify: publickey ECDSA-SK-CERT signature unverified: incomplete message"

I checked that my agent code produces a signature which is the same as https://github.com/openssh/openssh-portable/blob/master/regress/unittests/sshsig/webauthn.html given the same inputs, so not sure what happened here yet.
bugzilla-daemon at mindrot.org
2024-Nov-01 16:04 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #3 from bmhomer13 at gmail.com ---

Ok I managed to get this working i.e. the signature verified and I could log in. However, on the server-side I had to comment out this check: https://github.com/openssh/openssh-portable/blob/V_8_7/ssh-ecdsa-sk.c#L124

I think it may be because we are using certs i.e. ECDSA-SK-CERT. Still not sure I understand this, but the expected clientData preamble seemed to contain cert info in the "challenge" section, whereas the challenge we return in our agent contains a much shorter challenge returned from Apple APIs (specifically https://developer.apple.com/documentation/authenticationservices/asauthorizationsecuritykeypublickeycredentialprovider).

Given that the signature verified once I removed this check, I'm not sure it's implemented correctly.
bugzilla-daemon at mindrot.org
2024-Nov-04 03:45 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Yeah, that seems very wrong. Can you get a hexdump of the signature? sshbuf_dump() or sshbuf_dump_data() are handy for this.
bugzilla-daemon at mindrot.org
2024-Nov-04 17:31 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #5 from bmhomer13 at gmail.com ---

Ok, turns out the second issue with the server-side check was entirely my fault. We were hashing the challenge and it was also getting doubly base64 encoded. Once fixed the server-side check passes.

The original problem with the client-side check however I think is a genuine issue. One way I found to get around this, besides disabling the check (https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442) entirely, is to just get the agent to return "sk-ecdsa-sha2-nistp256@openssh.com" as the format, but pass the full webauthn signature structure (https://github.com/openssh/openssh-portable/blob/bb52e70fa5330070ec9a23069c311d9e277bbd6f/PROTOCOL.u2f#L212). Then on the server side, just detect that it's a webauthn signature based on the structure, rather than the key type (by modifying the code here a bit: https://github.com/openssh/openssh-portable/blob/master/ssh-ecdsa-sk.c#L288).

I guess that's probably not a viable fix for me to push upstream - just mentioning as a possible server-side solution, as in our case we have more control over the server-side deployment.
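The challenge mistake described in comment #5, as an added example that is not part of the thread or of OpenSSH's code: a small diagnostic an agent author could run over the clientData their agent returns. It assumes the verifier requires clientData to begin with a fixed JSON prefix whose challenge is the unpadded base64url of the raw data being signed; all function names, the sample data and the origin are hypothetical.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_preamble(signed_data: bytes, origin: str) -> str:
    """Assumed prefix the verifier requires clientData to start with."""
    return ('{"type":"webauthn.get","challenge":"' + b64url(signed_data)
            + '","origin":"' + origin + '"')


def make_client_data(challenge: str, origin: str) -> str:
    """clientDataJSON in the field order browsers emit (compact, no spaces)."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False},
                      separators=(",", ":"))


def diagnose(client_data: str, signed_data: bytes, origin: str) -> str:
    """Classify why clientData does or does not match the expected preamble."""
    if client_data.startswith(expected_preamble(signed_data, origin)):
        return "ok"
    challenge = json.loads(client_data).get("challenge", "")
    digest = hashlib.sha256(signed_data).digest()
    known_mistakes = {
        b64url(signed_data): "right challenge, wrong JSON layout or origin",
        b64url(digest): "hashed",
        b64url(b64url(signed_data).encode()): "double-base64",
        b64url(b64url(digest).encode()): "hashed+double-base64",
    }
    return known_mistakes.get(challenge, "unrelated challenge")


# Constructed sample: stands in for the SSH data the agent is asked to sign.
SIGNED_DATA = b"constructed-session-id" + b"\x32" + b"constructed userauth request"
ORIGIN = "https://agent.example.test"  # hypothetical origin

if __name__ == "__main__":
    digest = hashlib.sha256(SIGNED_DATA).digest()
    for label, chal in [
        ("correct", b64url(SIGNED_DATA)),
        ("comment #5 bug", b64url(b64url(digest).encode())),
    ]:
        print(label, "->", diagnose(make_client_data(chal, ORIGIN), SIGNED_DATA, ORIGIN))
```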
bugzilla-daemon at mindrot.org
2025-Jun-01 22:38 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Jó Ágila Bitsch <jgilab at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jgilab at gmail.com

--- Comment #6 from Jó Ágila Bitsch <jgilab at gmail.com> ---

Created attachment 3881
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3881&action=edit
patch for allowing webauthn signatures via ssh agent

I was running into the same problem and would like to suggest the following (see patch):

* add special handling for KEY_ECDSA_SK in sshkey_match_keyname_to_sigalgs as already exists for KEY_RSA
* use sshkey_match_keyname_to_sigalgs instead of sshkey_sigalg_by_name in sshkey_check_sigtype.

Does that make sense or am I overlooking something obvious? I did not yet check if certs would need special handling as well.
bugzilla-daemon at mindrot.org
2025-Jun-02 19:54 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #7 from Jó Ágila Bitsch <jgilab at gmail.com> ---

I was playing around with certificates signed using a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature today as well, and they need to also be handled specifically.

So this would just mean updating the if statement in my suggested patch to

    if (ktype == KEY_ECDSA_SK || ktype == KEY_ECDSA_SK_CERT)

I tested:

* SSH signatures
* creating ssh certificates with a CA key in an agent
* authenticating to a server with a public key with an agent producing a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature
* authenticating to a server with a certificate with an agent producing a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature

This would cover the most obvious use cases I can think of. Anything else I should test?

I'll propose a patch over on github later.
bugzilla-daemon at mindrot.org
2025-Jun-02 21:44 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #8 from Jó Ágila Bitsch <jgilab at gmail.com> ---

I added a pull request in https://github.com/openssh/openssh-portable/pull/571
bugzilla-daemon at mindrot.org
2025-Jun-05 10:39 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #9 from Jó Ágila Bitsch <jgilab at gmail.com> ---

The patch that I previously added had issues. I fixed them on the github PR.
bugzilla-daemon at mindrot.org
2025-Jul-12 19:51 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Jó Ágila Bitsch <jgilab at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3881|0                           |1
        is obsolete|                            |

--- Comment #10 from Jó Ágila Bitsch <jgilab at gmail.com> ---

Comment on attachment 3881
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3881
patch for allowing webauthn signatures via ssh agent

>diff --git a/sshkey.c b/sshkey.c >index 9e31411e2..57a61fd7b 100644 >--- a/sshkey.c >+++ b/sshkey.c >@@ -315,6 +315,9 @@ sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) > sigalgs, 0) == 1 || > match_pattern_list("rsa-sha2-512-cert-v01 at openssh.com", > sigalgs, 0) == 1; >+ } else if (ktype == KEY_ECDSA_SK) { >+ return match_pattern_list("sk-ecdsa-sha2-nistp256 at openssh.com", sigalgs, 0) == 1 || >+ match_pattern_list("webauthn-sk-ecdsa-sha2-nistp256 at openssh.com", sigalgs, 0) == 1; > } else > return match_pattern_list(keyname, sigalgs, 0) == 1; > } >@@ -2162,17 +2165,14 @@ int > sshkey_check_sigtype(const u_char *sig, size_t siglen, > const char *requested_alg) > { >- const char *expected_alg; > char *sigtype = NULL; > int r; > > if (requested_alg == NULL) > return 0; >- if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) >- return SSH_ERR_INVALID_ARGUMENT; > if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) > return r; >- r = strcmp(expected_alg, sigtype) == 0; >+ r = sshkey_match_keyname_to_sigalgs(requested_alg, sigtype); > free(sigtype); > return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; > }
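Review bot: In the first sshkey.c hunk (@@ -315,6 +315,9 @@), the new branch tests only `ktype == KEY_ECDSA_SK`, so a security-key certificate name still falls through to the exact `match_pattern_list(keyname, sigalgs, 0)` and gains no webauthn alternative, whereas the RSA branch directly above it lists its `-cert-v01` names explicitly. Decide what the certificate case should accept and add it to the condition, or state in a comment that it is deliberately left out. The two added `return`/`match_pattern_list` lines also run well past 80 columns; wrap them the way the RSA lines above are wrapped.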
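Review bot: In the sshkey_check_sigtype hunk (@@ -2162,17 +2165,14 @@), `sigtype` is read out of the signature blob and is now passed as the `sigalgs` argument of `sshkey_match_keyname_to_sigalgs`, which hands it to `match_pattern_list` as the pattern list; the removed `strcmp(expected_alg, sigtype) == 0` demanded an exact name, while a pattern match lets the signature's own type string decide what it matches. Keep the comparison exact by testing `sigtype` with `strcmp` against the fixed set of names permitted for `requested_alg`. Removing the `sshkey_sigalg_by_name` NULL check also means an unknown `requested_alg` no longer returns `SSH_ERR_INVALID_ARGUMENT`; keep that early return or document the new behaviour.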
bugzilla-daemon at mindrot.org
2025-Jul-12 19:53 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #11 from Jó Ágila Bitsch <jgilab at gmail.com> ---

Created attachment 3894
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3894&action=edit
patch for allowing webauthn signatures via ssh agent v2
bugzilla-daemon at mindrot.org
2025-Jul-12 21:00 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #12 from Jó Ágila Bitsch <jgilab at gmail.com> ---

I updated the patch here to match the diff of my pull request on github.

I was thinking about how to improve the general support for webauthn-sk-ecdsa-sha2-nistp256@openssh.org signature types and going through the code a bit to investigate, but I need guidance on what the best direction would be.

The main use case for this signature type is to allow offloading the signature generation to a browser.

For the sake of discussion I propose the following general context: An application like https://cockpit-project.org/ (an easy-to-use, integrated, glanceable, and open web-based interface for your servers, that comes with most Linux distributions) wants to remotely log into a different server via ssh. Currently it uses password based login or key based login, where the private key is available as a file and added to an ssh agent on a bastion host that is decoded based on the login password. I would prefer if I could use a passkey/fido2 token in the browser instead. Maybe even based on an ssh certificate.

The integration between the browser and the ssh binary would most likely be via an alternative ssh-agent implementation. Cockpit in particular allows providing a unix domain socket based service via javascript, so directly in the browser. Cockpit could open a unix domain socket and set the environment or arguments for the ssh call accordingly to connect to this socket as an ssh-agent.

Aside from allowing webauthn-sk-ecdsa-sha2-nistp256@openssh.org from an agent, there would not be any other code changes necessary to be able to use the well-tested and established openssh binaries themselves.

Maybe openssh ssh-agent could provide a way to call into an additional ssh-agent recursively so that a custom provider could provide additional keys via a browser interface but the built-in mechanisms and safety checks from openssh ssh-agent are still in place, but that is not strictly necessary.

Now, to what extent should openssh itself produce this type of signatures? The points that would need to be adjusted would be:

* ssh-keygen.c main() would need to allow other application strings not starting with "ssh:" when creating an ecdsa-sk key as webauthn signatures only make sense from a web-like origin
* ssh-sk.c sshksign() would need to replace the data with the client_data json as is ssh-ecdsa-sk.c webauthn_check_prepare_hash() use a different signature name and transfer the origin, client_data and extensions to sshsk_ecdsa_sig for inclusion in the serialized signature.

Is that something that makes sense to the openssh project?

As a starting point, I would suggest though that I prepare a very minimal dummy agent in the regression test suite that works with sk-dummy.c based keys and prepare additional tests to ensure the signature type is well supported for the default use cases server login, certificate signing and sshsig.

I'm open to any guidance on this topic.
bugzilla-daemon at mindrot.org
2025-Jul-17 18:41 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #13 from Jó Ágila Bitsch <jgilab at gmail.com> ---

I added regression tests for the webauthn signature for the use cases:

* create sshsig using webauthn-dummy-agent and verify
* sign a certificate via webauthn-dummy-agent and verify
* connect to a server with a key in webauthn-dummy-agent
* connect to a server with a cert signed by webauthn-dummy-agent

Right now, the webauthn dummy agent is a copy of the ssh-agent.c code where I extend the data to be signed and reformat the resulting signature, if the key is a sk-ecdsa key. The reason for this is to ensure that the changes to already existing code are minimal and localized.

However, I'm very open to guidance, if you think another way is better.

The code is over on github: https://github.com/openssh/openssh-portable/pull/571
bugzilla-daemon at mindrot.org
2025-Aug-05 12:33 UTC
[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3748

Filippo Valsorda <filippo at ml.filippo.io> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo at ml.filippo.io

--- Comment #14 from Filippo Valsorda <filippo at ml.filippo.io> ---

I also have a use case for an agent that produces webauthn-sk- signatures: mine would simply coordinate with a static page hosted on an origin trusted by the user and/or host to produce the signature, and allow logging in to unmodified OpenSSH servers.

It'd be great to get this fixed!