bugzilla-daemon at mindrot.org
2024-Dec-02  09:57 UTC
[Bug 3761] New: ssh-keygen fails for security keys without attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3761
            Bug ID: 3761
           Summary: ssh-keygen fails for security keys without attestation
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: michael-dev at fami-braun.de
Hi,
ssh-keygen fails for security key key types (ecdsa-sk and the like) if
they do not support attestation. A notable example is the current
Windows 11 Windows Hello security key.
This results in the following bugs:
* https://github.com/PowerShell/Win32-OpenSSH/issues/2040
* https://github.com/PowerShell/Win32-OpenSSH/issues/2279
It used to work, so probably Windows Hello removed attestation in
preparation for passkey support:
https://svrooij.io/2024/01/01/secure-ssh-windows-hello/
According to https://github.com/Yubico/libfido2/issues/840,
fido_cred_verify_self should not be called for "none" type
attestation,
so this has to be fixed in OpenSSH.
Please find a patch here
https://github.com/openssh/openssh-portable/pull/542/files that works
for me.
Regards,
M. Braun
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-04  13:15 UTC
[Bug 3761] ssh-keygen fails for security keys without attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3761
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
             Blocks|                            |3740
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Applied - thanks
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3740
[Bug 3740] Tracking bug for OpenSSH 10.0