Hi,

So I finally have time to test the u2f support
but so far I haven't been very successful,
Specifically, current HEAD has
SSH_SK_VERSION_MAJOR 0x00040000
and I can't seem to find a matching libfido2 version,
current HEAD of Yubico/libfido2 is 0x00020000

Is there a more up to date libfido2
or a particular commit of openssh-portable
I should be using?

thanks

Sean

Sean Liao:
> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000

Those are unrelated.

SSH_SK_VERSION_MAJOR is the API version of the middleware library
that communicates with the authenticators; see PROTOCOL.u2f.
Obviously, OpenSSH's internal USB HID support matches this.

OpenSSH's internal USB HID support happens to be built on top of
libfido2, but that is an independent fact. libfido2 itself is NOT
a middleware library that directly interfaces with OpenSSH.

--
Christian "naddy" Weisgerber                          naddy at mips.inka.de

I have it all working in a container located here:
https://github.com/kfox1111/u2f-sshd

Might be a good starting point.

Thanks,
Kevin

________________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Christian Weisgerber <naddy at mips.inka.de>
Sent: Friday, January 10, 2020 3:01 PM
To: Sean Liao
Cc: openssh-unix-dev at mindrot.org
Subject: Re: u2f / libfido2 version

Sean Liao:
> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000

Those are unrelated.

SSH_SK_VERSION_MAJOR is the API version of the middleware library
that communicates with the authenticators; see PROTOCOL.u2f.
Obviously, OpenSSH's internal USB HID support matches this.

OpenSSH's internal USB HID support happens to be built on top of
libfido2, but that is an independent fact. libfido2 itself is NOT
a middleware library that directly interfaces with OpenSSH.

--
Christian "naddy" Weisgerber                          naddy at mips.inka.de
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://protect2.fireeye.com/v1/url?k=825bacff-deee9230-825b86ea-0cc47adc5e60-c6be987b598c6267&q=1&e=813f5d22-87ac-4a99-a5ed-07cc93ef308e&u=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev

You should use the provider library shipped
with openssh, because we did not update the initial version that's included in libfido2

-m

Sean Liao <seankhliao at gmail.com> wrote on Fri, Jan 10, 2020 at 02:14:
> Hi,
>
> So I finally have time to test the u2f support
> but so far I haven't been very successful,
> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000
>
> Is there a more up to date libfido2
> or a particular commit of openssh-portable
> I should be using?
>
> thanks
>
> Sean

Thanks for the hint,
got it working by not setting $SSH_SK_PROVIDER
which I thought was necessary from the initial email

As an aside, the error message for ed25519-sk not being supported
could be more explicit
currently it just exits after "You may need to touch ..."
with debug it's "debug1: client_converse: helper returned error -4"
and the ssh-sk-helper logs:
error: Security key provider "internal" returned failure -1
error: ssh-sk-helper: Enrollment failed: invalid format

thanks,
sean

On Sun, Jan 12, 2020 at 3:22 PM Markus Friedl <mfriedl at gmail.com> wrote:
>
> You should use the provider library shipped
> with openssh, because we did not update the initial version that's included in libfido2
>
> -m
>
>
> Sean Liao <seankhliao at gmail.com> wrote on Fri, Jan 10, 2020 at 02:14:
>>
>> Hi,
>>
>> So I finally have time to test the u2f support
>> but so far I haven't been very successful,
>> Specifically, current HEAD has
>> SSH_SK_VERSION_MAJOR 0x00040000
>> and I can't seem to find a matching libfido2 version,
>> current HEAD of Yubico/libfido2 is 0x00020000
>>
>> Is there a more up to date libfido2
>> or a particular commit of openssh-portable
>> I should be using?
>>
>> thanks
>>
>> Sean
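
The middleware API version gate discussed in this thread, as an added example (not code from any poster or from OpenSSH itself). The two macros are the ones in OpenSSH's sk-api.h; `struct sk_provider`, `sk_provider_check` and the mock providers are hypothetical names with constructed values, and 0x00020000 is the value the thread quotes for Yubico/libfido2 HEAD.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in OpenSSH's sk-api.h at the time of this thread. */
#define SSH_SK_VERSION_MAJOR      0x00040000
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000

/* Hypothetical stand-in for a loaded middleware: only its version hook. */
struct sk_provider {
	const char *name;
	uint32_t (*sk_api_version)(void);
};

/* Constructed version hooks for the mock providers. */
static uint32_t v_stale(void)   { return 0x00020000; } /* value quoted in the thread */
static uint32_t v_current(void) { return 0x00040000; }
static uint32_t v_minor(void)   { return 0x00040001; } /* same major, minor bump */

const struct sk_provider stale_provider   = { "stale-mock",   v_stale };
const struct sk_provider current_provider = { "current-mock", v_current };
const struct sk_provider minor_provider   = { "minor-mock",   v_minor };
const struct sk_provider broken_provider  = { "no-hook-mock", NULL };

/* Return 0 if the provider may be used, -1 if it must be rejected. */
int sk_provider_check(const struct sk_provider *p)
{
	uint32_t v;

	if (p == NULL || p->sk_api_version == NULL) {
		fprintf(stderr, "provider lacks sk_api_version\n");
		return -1;
	}
	v = p->sk_api_version();
	/* Only the upper 16 bits (major) must match; minor bits are ignored. */
	if ((v & SSH_SK_VERSION_MAJOR_MASK) != SSH_SK_VERSION_MAJOR) {
		fprintf(stderr, "provider \"%s\": unsupported API version 0x%08lx "
		    "(supported: 0x%08lx)\n", p->name, (unsigned long)v,
		    (unsigned long)SSH_SK_VERSION_MAJOR);
		return -1;
	}
	return 0;
}

int main(void)
{
	const struct sk_provider *all[] = { &stale_provider, &current_provider,
	    &minor_provider, &broken_provider };
	for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++)
		printf("%-13s -> %s\n", all[i]->name,
		    sk_provider_check(all[i]) == 0 ? "accepted" : "rejected");
	return 0;
}
```

A provider built against an older sk-api.h fails this gate, which is why pointing $SSH_SK_PROVIDER at an out-of-date middleware does not work while the built-in "internal" provider does.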