ssh-agent/fido2-token/libfido2 cant retrieve resident key #496
Release v1.7.0 includes various improvements to the FIDO implementation, including support for PIN protocol 2 and implementing permissions for PIN tokens. There could be an incompatibility with how these features are handled in the firmware and libfido2. I’ll try to reproduce the problem. Which version of libfido2 is installed on your systems?
Debian:
Same problem on Arch:
Thank you for the reports. I have been able to reproduce the problem. Indeed we are a bit too strict when validating the permissions on PIN tokens. This will be fixed in the next firmware release.
Thanks to all participating in this issue! :-)
If this is part of some alpha/beta firmware, please let us know, so that we can try it. Note this also affects
$ fido2-token -L -k ssh: /dev/hidraw6
Enter PIN for /dev/hidraw6:
fido2-token: fido_credman_get_dev_rk: FIDO_ERR_PIN_AUTH_INVALID
$ fido2-token -V
1.14.0
(fido2-token rebuilt from debian/testing.) P.S.: Since I was too lazy to find this issue, I opened a thread on the support forum.
This patch updates fido-authenticator to v0.1.1-nitrokey.15 to add support for scoped PIN tokens when enumerating credentials. This fixes an incompatibility with libfido2, affecting ssh-agent. Fixes: #496
Please rename to something containing
This issue is already closed. Feel free to ask if Nitrokey/fido-authenticator#80 can be renamed.
This should be fixed in v1.7.2.
I recently updated to 1.7.0 and ever since the ssh-agent doesn't retrieve the resident key.
Interestingly, I used the nitrokey3a-mini to webauthn/passkey login into GitHub.
I tried generating a new key but it still does not work with a new one.
I wonder why, when reading the RKs, it tells me the PIN was invalid. I just get prompted once, and the PIN is correct; otherwise the credentials wouldn't be shown, as far as I understand.
After the update I did an nk3 test and it passed all tests.
I tried to retrieve the key on Fedora 40 and Debian 12.
Should I try anything? Need more info?