
ssh-agent/fido2-token/libfido2 cant retrieve resident key #496

Closed
b90g opened this issue May 9, 2024 · 8 comments · Fixed by #502

Comments

@b90g

b90g commented May 9, 2024

I recently updated to 1.7.0 and ever since, the ssh-agent doesn't retrieve the resident key.

[user@disp9643 ~]$ ssh-add -K -vvvv
Enter PIN for authenticator: 
debug3: start_helper: started pid=1276
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/openssh/ssh-sk-helper 
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_load_resident_keys: trying /dev/hidraw0
debug1: check_sk_options: option uv is unknown
debug1: read_rks: existing 2, remaining 8
debug1: read_rks: Device /dev/hidraw0 has resident keys for 2 RPs
debug1: read_rks: rp 0: name="(none)" id="github.com" hashlen=32
debug1: read_rks: rp 1: name="(none)" id="ssh:" hashlen=32
debug1: read_rks: get RKs for /dev/hidraw0 slot 1 failed: FIDO_ERR_PIN_AUTH_INVALID
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/hidraw0
Provider "internal" returned failure -1
debug1: ssh-sk-helper: sshsk_load_resident failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=1276
Unable to load resident keys: invalid format

Interestingly, I used the nitrokey3a-mini to webauthn/passkey login into GitHub.

I tried generating a new key, but it still does not work with a new one.

I wonder why, when reading the RKs, it tells me the PIN was invalid; I only get prompted once, and the PIN is correct. Otherwise the credentials wouldn't be shown, as far as I understand.

After the update I did an nk3 test and it passed all tests.
I tried to retrieve the key on Fedora 40 & Debian 12.

Should I try anything? Do you need more info?

@robin-nitrokey
Member

Release v1.7.0 includes various improvements to the FIDO implementation, including support for PIN protocol 2 and implementing permissions for PIN tokens. There could be an incompatibility with how these features are handled in the firmware and libfido2. I’ll try to reproduce the problem. Which version of libfido2 is installed on your systems?

@b90g
Author

b90g commented May 10, 2024

Debian:
libfido2-1/stable,now 1.12.0-2+b1 amd64 [installed,automatic]
Fedora:
libfido2.x86_64 1.14.0-4.fc40 @System

@fira959

fira959 commented May 14, 2024

Same problem on Arch:
Version : 1.14.0-2

@robin-nitrokey
Member

Thank you for the reports. I have been able to reproduce the problem. Indeed we are a bit too strict when validating the permissions on PIN tokens. This will be fixed in the next firmware release.

@ChristianTacke

ChristianTacke commented May 22, 2024

Thanks to all participating in this issue! :-)

This will be fixed in the next firmware release.

If this is part of some alpha/beta firmware, please let us know, so that we can try it.

Note this also affects fido2-token:

$ fido2-token -L -k ssh: /dev/hidraw6
Enter PIN for /dev/hidraw6: 
fido2-token: fido_credman_get_dev_rk: FIDO_ERR_PIN_AUTH_INVALID
$ fido2-token -V
1.14.0

(fido2-token rebuilt from debian/testing.)

P.S.: Since I was too lazy to find this issue, I opened a thread on the support forum.
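The two traces on this page (the `ssh-add -K -vvvv` output in the opening report and the `fido2-token -L -k ssh:` output above) contain enough detail to tell a wrong PIN apart from a PIN token that the authenticator rejected at a later credential-management step, which is the distinction the original reporter was puzzling over. The script below is an added example and not code from this issue, from OpenSSH, libfido2 or Nitrokey. It embeds the two excerpts as constructed samples, plus a constructed wrong-PIN sample in the shape libfido2 uses for that case, and classifies each one; the stage names and verdict strings are this example's own.

```python
"""Triage of FIDO2 resident-key enumeration failures (added example, not
part of the issue). Parses the debug lines that ssh-add -K -vvvv (via
OpenSSH's ssh-sk-helper, which uses libfido2) and fido2-token -L -k <rpid>
print, and decides whether FIDO_ERR_PIN_AUTH_INVALID came from a wrong PIN
or from the authenticator rejecting an already-issued PIN token."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ssh-add -K -vvvv excerpt quoted in the issue.
SSH_ADD_LOG = """\
Enter PIN for authenticator:
debug1: ssh_sk_load_resident_keys: trying /dev/hidraw0
debug1: read_rks: existing 2, remaining 8
debug1: read_rks: Device /dev/hidraw0 has resident keys for 2 RPs
debug1: read_rks: rp 0: name="(none)" id="github.com" hashlen=32
debug1: read_rks: rp 1: name="(none)" id="ssh:" hashlen=32
debug1: read_rks: get RKs for /dev/hidraw0 slot 1 failed: FIDO_ERR_PIN_AUTH_INVALID
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/hidraw0
Unable to load resident keys: invalid format
"""

# Constructed sample: the fido2-token excerpt quoted in the issue.
FIDO2_TOKEN_LOG = """\
Enter PIN for /dev/hidraw6:
fido2-token: fido_credman_get_dev_rk: FIDO_ERR_PIN_AUTH_INVALID
"""

# Constructed sample (assumed shape): a genuinely wrong PIN is reported by
# libfido2 as FIDO_ERR_PIN_INVALID, already at the RP-enumeration step.
WRONG_PIN_LOG = """\
Enter PIN for /dev/hidraw6:
fido2-token: fido_credman_get_dev_rp: FIDO_ERR_PIN_INVALID
"""

RP_COUNT = re.compile(r"read_rks: Device (?P<dev>\S+) has resident keys for (?P<n>\d+) RPs")
RP_ENTRY = re.compile(r'read_rks: rp (?P<idx>\d+): name="[^"]*" id="(?P<id>[^"]*)"')
SSH_FAIL = re.compile(r"read_rks: get RKs for (?P<dev>\S+) slot (?P<slot>\d+) failed: (?P<err>FIDO_ERR_\w+)")
TOKEN_FAIL = re.compile(r"fido2-token: (?P<fn>fido_credman_\w+): (?P<err>FIDO_ERR_\w+)")


@dataclass
class Triage:
    rp_enumeration_ok: bool = False      # credentialManagement enumerateRPs succeeded
    rp_ids: List[str] = field(default_factory=list)
    failed_stage: Optional[str] = None   # "enumerate_rps" or "enumerate_rks"
    failed_rp_id: Optional[str] = None   # RP whose credentials could not be listed
    error: Optional[str] = None
    verdict: str = "no_failure"


def classify(log: str) -> Triage:
    """Walk the log once and record which credential-management step failed."""
    t = Triage()
    for line in log.splitlines():
        if RP_COUNT.search(line):
            t.rp_enumeration_ok = True
        elif m := RP_ENTRY.search(line):
            t.rp_ids.append(m["id"])
        elif m := SSH_FAIL.search(line):
            # ssh-sk-helper walks the RP list by index; slot N is the N-th RP.
            t.failed_stage, t.error = "enumerate_rks", m["err"]
            slot = int(m["slot"])
            t.failed_rp_id = t.rp_ids[slot] if slot < len(t.rp_ids) else None
        elif m := TOKEN_FAIL.search(line):
            t.failed_stage = "enumerate_rks" if m["fn"].endswith("_rk") else "enumerate_rps"
            t.error = m["err"]
    t.verdict = _verdict(t)
    return t


def _verdict(t: Triage) -> str:
    if t.error is None:
        return "no_failure"
    if t.error == "FIDO_ERR_PIN_INVALID":
        return "wrong_pin"
    if t.error == "FIDO_ERR_PIN_AUTH_INVALID":
        # PIN_AUTH_INVALID means the authenticator rejected the pinUvAuthParam
        # (the MAC computed with the PIN token), not the PIN itself. If the RP
        # list was already returned, or the failure is in the per-RP step, the
        # PIN was accepted and the token was refused later: the token's
        # permissions and RP scope are what to compare between host library
        # and firmware, not the PIN the user typed.
        if t.rp_enumeration_ok or t.failed_stage == "enumerate_rks":
            return "pin_token_rejected_at_rk_enumeration"
        return "pin_token_rejected_at_rp_enumeration"
    return "other_error"


if __name__ == "__main__":
    for name, log in (("ssh-add", SSH_ADD_LOG), ("fido2-token", FIDO2_TOKEN_LOG), ("wrong-pin", WRONG_PIN_LOG)):
        t = classify(log)
        print(f"{name}: {t.verdict} (stage={t.failed_stage}, rp={t.failed_rp_id}, rps={t.rp_ids})")
```

Run as-is, the ssh-add trace resolves to the RP with id `ssh:` (slot 1 in the RP list) failing at the per-RP enumeration step with the PIN already accepted, which is the same step at which `fido2-token -L -k ssh:` fails; a real wrong PIN would surface as `FIDO_ERR_PIN_INVALID` before any RP is listed. When the verdict is a rejected token rather than a wrong PIN, the useful next check is the firmware and libfido2 versions in play, as the maintainers did in this thread.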

robin-nitrokey added a commit that referenced this issue May 27, 2024
This patch updates fido-authenticator to v0.1.1-nitrokey.15 to add
support for scoped PIN tokens when enumerating credentials.  This fixes
an incompatibility with libfido2, affecting ssh-agent.

Fixes: #496
robin-nitrokey added a commit that referenced this issue May 28, 2024
This patch updates fido-authenticator to v0.1.1-nitrokey.15 to add
support for scoped PIN tokens when enumerating credentials.  This fixes
an incompatibility with libfido2, affecting ssh-agent.

Fixes: #496
@ObiWahn

ObiWahn commented Jun 17, 2024

Please rename to something containing "fido2 resident storage"; I did not find the issue, or only very late. This is not about the ssh-agent.

@b90g
Author

b90g commented Jun 17, 2024

This issue is already closed.

feel free to ask if Nitrokey/fido-authenticator#80 can be renamed.

robin-nitrokey changed the title from "ssh-agent cant retrieve key" to "ssh-agent/fido2-token/libfido2 cant retrieve resident key" on Jun 17, 2024
@robin-nitrokey
Member

This should be fixed in v1.7.2.
