Adding U2F/Fido2 keys to the agent from other clients #1961
Running windows ssh agent in debug mode gives this message:
type 25 is:
ssh-agent.c handles this with the same code path as add_identity:
ddrown added a commit to ddrown/win32-openssh-portable that referenced this issue Jul 3, 2022

…ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC

ref PowerShell/Win32-OpenSSH#1961
This was referenced Jul 3, 2022
Simply adding a key with a lifetime ( > & 'C:\Program Files\OpenSSH\ssh-add.exe' -t 60 .\.ssh\id_ed25519
Enter passphrase for .\.ssh\id_ed25519:
Could not add identity ".\.ssh\id_ed25519": communication with agent failed
tgauth pushed a commit to PowerShell/openssh-portable that referenced this issue Apr 5, 2023

)

* support SSH2_AGENTC_ADD_ID_CONSTRAINED by treating it as SSH2_AGENTC_ADD_IDENTITY

  This ignores the requested constraints:
  - SSH_AGENT_CONSTRAIN_LIFETIME
  - SSH_AGENT_CONSTRAIN_CONFIRM
  - SSH_AGENT_CONSTRAIN_MAXSIGN
  - SSH_AGENT_CONSTRAIN_EXTENSION

  SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC

  ref PowerShell/Win32-OpenSSH#1961

* update buffer pointer to after comment string

  sshbuf_peek_string_direct doesn't update request offset pointer

* parse agent constraint messages

  returns SSH_AGENT_FAILURE on unsupported constraint types, such as:
  * SSH_AGENT_CONSTRAIN_LIFETIME
  * SSH_AGENT_CONSTRAIN_CONFIRM
  * SSH_AGENT_CONSTRAIN_MAXSIGN

  returns SSH_AGENT_FAILURE on unsupported constrain extensions, such as: "restrict-destination-v00@openssh.com"

  accepts and ignores constrain extension "sk-provider@openssh.com"

* reject non-internal skproviders & log
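The fail-closed constraint handling that the commit message above describes, sketched as an added example; this is not code from PowerShell/openssh-portable. The names `check_constraints`, `get_string` and `str_is` are hypothetical, the numeric values are the standard SSH agent protocol constants, the provider name `"internal"` is an assumption, and the input is assumed to be the bytes that follow the key and comment in the request.

```c
#include <stdint.h>
#include <string.h>

#define SSH_AGENT_FAILURE 5
#define SSH_AGENT_SUCCESS 6
#define SSH_AGENT_CONSTRAIN_EXTENSION 255

/* Read one SSH string (uint32 big-endian length, then bytes); 0 on success. */
static int get_string(const uint8_t **p, size_t *left,
                      const uint8_t **s, size_t *slen)
{
    if (*left < 4)
        return -1;
    uint32_t n = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                 ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    if (n > *left - 4)
        return -1;                  /* declared length runs past the buffer */
    *s = *p + 4;
    *slen = n;
    *p += 4 + (size_t)n;
    *left -= 4 + (size_t)n;
    return 0;
}

static int str_is(const uint8_t *s, size_t n, const char *lit)
{
    return n == strlen(lit) && memcmp(s, lit, n) == 0;
}

/* buf/len: the bytes that follow the key and comment in a type 25 request.
 * Hypothetical helper; "internal" as the built-in provider name is assumed. */
int check_constraints(const uint8_t *buf, size_t len)
{
    const uint8_t *name, *val;
    size_t nlen, vlen;
    while (len > 0) {
        uint8_t type = *buf++;
        len--;
        /* LIFETIME, CONFIRM, MAXSIGN (types 1-3) cannot be enforced: refuse.
         * Only sk-provider@openssh.com naming the internal provider passes. */
        if (type != SSH_AGENT_CONSTRAIN_EXTENSION ||
            get_string(&buf, &len, &name, &nlen) != 0 ||
            !str_is(name, nlen, "sk-provider@openssh.com") ||
            get_string(&buf, &len, &val, &vlen) != 0 ||
            !str_is(val, vlen, "internal"))
            return SSH_AGENT_FAILURE;
    }
    return SSH_AGENT_SUCCESS;
}
```

Refusing a constraint that cannot be enforced matters because a client that asked for a lifetime or a confirmation prompt would otherwise be told the key was added while the restriction it relied on was never applied.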
Prerequisites
Steps to reproduce
When trying to add an ecdsa-sk key to the Windows ssh-agent:
Using the Windows ssh-add (works properly):
From Fedora 35 WSL2 (OpenSSH 8.7p1, via npiperelay, fails):
From KeePassXC 2.7.1 (fails):
Fedora and KeePassXC are able to add non-U2F/Fido2 keys
If I change the Fedora ssh-add client to not send a skprovider, it works:
Expected behavior
SSH key loaded into agent
Actual behavior
Error messages from other ssh agent clients
Error details
No response
Environment data
Version
8.9.1.0
Visuals
No response