Adding U2F/Fido2 keys to the agent from other clients #1961

Closed
3 tasks done
ddrown opened this issue Jul 2, 2022 · 2 comments
ddrown commented Jul 2, 2022

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

When trying to add an ecdsa-sk key to the Windows ssh-agent:

Using the Windows ssh-add (works properly):

PS > & "C:\Program Files\OpenSSH\ssh-add" id_ecdsa_sk
Identity added: id_ecdsa_sk (somu)

From Fedora 35 WSL2 (OpenSSH 8.7p1, via npiperelay, fails):

$ ssh-add -d
Identity removed: /home/abob/.ssh/id_ecdsa_sk ECDSA-SK ((null))
$ ssh-add -l
The agent has no identities.
$ ssh-add id_ecdsa_sk
Could not add identity "id_ecdsa_sk": communication with agent failed

From KeePassXC 2.7.1 (fails):
[screenshot of the KeePassXC error dialog, not reproduced here]

Fedora and KeePassXC are able to add non-U2F/Fido2 keys

If I change the Fedora ssh-add client to not send a skprovider, it works:

$ ./ssh-add -l
The agent has no identities.
$ ./ssh-add ~/.ssh/id_ecdsa_sk
Identity added: /home/abob/.ssh/id_ecdsa_sk (somu)
$ ./ssh-add -l
256 SHA256:8gAXpKjrC+SzxcCkKk6xb6Rk4I+U/FyewnQy2H+zvtA somu (ECDSA-SK)

Expected behavior

SSH key loaded into agent

Actual behavior

Error messages from other ssh agent clients

Error details

No response

Environment data

PS > & "C:\Program Files\OpenSSH\ssh" -V
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3

Version

8.9.1.0

Visuals

No response

ddrown commented Jul 3, 2022

Running the Windows ssh-agent in debug mode gives this message:

debug1: process agent request type 25
debug1: unknown agent request 25

type 25 is:

$ grep 25 authfd.h
#define SSH2_AGENTC_ADD_ID_CONSTRAINED          25

ssh-agent.c handles this with the same code path as add_identity:

        case SSH2_AGENTC_ADD_IDENTITY:
        case SSH2_AGENTC_ADD_ID_CONSTRAINED:
                process_add_identity(e);
                break;

ddrown added a commit to ddrown/win32-openssh-portable that referenced this issue Jul 3, 2022
…ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC
ref PowerShell/Win32-OpenSSH#1961
@carlolars

Simply adding a key with a lifetime (-t life) using ssh-add.exe shipped with Win32-OpenSSH fails:

> & 'C:\Program Files\OpenSSH\ssh-add.exe' -t 60 .\.ssh\id_ed25519
Enter passphrase for .\.ssh\id_ed25519:
Could not add identity ".\.ssh\id_ed25519": communication with agent failed

tgauth pushed a commit to PowerShell/openssh-portable that referenced this issue Apr 5, 2023
)

* support SSH2_AGENTC_ADD_ID_CONSTRAINED by treating it as SSH2_AGENTC_ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC
ref PowerShell/Win32-OpenSSH#1961

* update buffer pointer to after comment string

sshbuf_peek_string_direct doesn't update request offset pointer

* parse agent constraint messages

returns SSH_AGENT_FAILURE on unsupported constraint types, such as:
* SSH_AGENT_CONSTRAIN_LIFETIME
* SSH_AGENT_CONSTRAIN_CONFIRM
* SSH_AGENT_CONSTRAIN_MAXSIGN

returns SSH_AGENT_FAILURE on unsupported constraint extensions, such as:
"restrict-destination-v00@openssh.com"

accepts and ignores constraint extension "sk-provider@openssh.com"

* reject non-internal skproviders & log
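The request layout ddrown traced above (type 25 sharing the add_identity path, with the constraints following the comment string) and the constraint policy described in this commit message are modelled in the added Python example below. It is not code from Win32-OpenSSH, OpenSSH or KeePassXC. The request, reply and constraint numbers are the ones defined in authfd.h; the private-key field layouts for ssh-ed25519 and sk-ssh-ed25519@openssh.com follow the order the OpenSSH private-key deserializer reads them; the key bytes, key handle and provider path are constructed sample values; and reading "non-internal skproviders" as any provider string other than "internal" is an assumption. The names build_add_id, Reader, process_add_identity and demo_messages belong to this example only.

```python
import struct

# Agent request, reply and constraint numbers from OpenSSH authfd.h.
SSH2_AGENTC_ADD_IDENTITY = 17
SSH2_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2
SSH_AGENT_CONSTRAIN_MAXSIGN = 3
SSH_AGENT_CONSTRAIN_EXTENSION = 255
SK_PROVIDER_EXT = b"sk-provider@openssh.com"

# Private-key fields after the key-type string, in the order the OpenSSH
# private-key deserializer reads them. Only two key types are modelled here.
KEY_LAYOUTS = {
    b"ssh-ed25519": ("string", "string"),  # pk, sk
    # pk, application, flags, key_handle, reserved
    b"sk-ssh-ed25519@openssh.com": ("string", "string", "u8", "string", "string"),
}


def put_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Bounds-checked reader that advances an offset, like sshbuf_get_*."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("truncated message")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.u32())

    def eof(self) -> bool:
        return self.off == len(self.data)


def build_add_id(key_type: bytes, fields, comment: bytes, constraints: bytes = b"") -> bytes:
    """Encode ADD_IDENTITY, or ADD_ID_CONSTRAINED when constraint bytes follow."""
    body = put_string(key_type)
    for kind, value in zip(KEY_LAYOUTS[key_type], fields):
        body += bytes([value]) if kind == "u8" else put_string(value)
    body += put_string(comment)
    req = SSH2_AGENTC_ADD_ID_CONSTRAINED if constraints else SSH2_AGENTC_ADD_IDENTITY
    return bytes([req]) + body + constraints


# Constraint encoders, one per constraint type a client may send.
def lifetime(seconds: int) -> bytes:
    return bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", seconds)

def maxsign(n: int) -> bytes:
    return bytes([SSH_AGENT_CONSTRAIN_MAXSIGN]) + struct.pack(">I", n)

def extension(name: bytes, payload: bytes) -> bytes:
    return bytes([SSH_AGENT_CONSTRAIN_EXTENSION]) + put_string(name) + put_string(payload)


def process_add_identity(msg: bytes):
    """Return (reply_code, info). Policy per the commit message: LIFETIME/CONFIRM/
    MAXSIGN -> FAILURE, unknown extensions -> FAILURE, sk-provider@openssh.com
    accepted (provider must be "internal": assumed reading of the last bullet)."""
    try:
        r = Reader(msg)
        req = r.u8()
        if req not in (SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED):
            return SSH_AGENT_FAILURE, {"reason": f"unknown agent request {req}"}
        key_type = r.string()
        if key_type not in KEY_LAYOUTS:
            return SSH_AGENT_FAILURE, {"reason": f"unsupported key type {key_type!r}"}
        for kind in KEY_LAYOUTS[key_type]:  # skip over the key material itself
            r.u8() if kind == "u8" else r.string()
        comment = r.string()  # offset now sits after the comment, where constraints begin
        info = {"key_type": key_type.decode(), "comment": comment.decode(), "extensions": []}
        while req == SSH2_AGENTC_ADD_ID_CONSTRAINED and not r.eof():
            ctype = r.u8()
            if ctype in (SSH_AGENT_CONSTRAIN_LIFETIME, SSH_AGENT_CONSTRAIN_CONFIRM,
                         SSH_AGENT_CONSTRAIN_MAXSIGN):
                return SSH_AGENT_FAILURE, {"reason": f"unsupported constraint type {ctype}"}
            if ctype != SSH_AGENT_CONSTRAIN_EXTENSION:
                return SSH_AGENT_FAILURE, {"reason": f"unknown constraint type {ctype}"}
            name = r.string()
            if name != SK_PROVIDER_EXT:
                return SSH_AGENT_FAILURE, {"reason": f"unsupported extension {name.decode()}"}
            provider = r.string()  # read so the offset advances, then only checked
            if provider != b"internal":
                return SSH_AGENT_FAILURE, {"reason": f"non-internal sk provider {provider.decode()}"}
            info["extensions"].append(name.decode())
        if not r.eof():
            return SSH_AGENT_FAILURE, {"reason": "trailing data"}
        return SSH_AGENT_SUCCESS, info
    except ValueError as e:
        return SSH_AGENT_FAILURE, {"reason": str(e)}


def demo_messages() -> dict:
    """Constructed sample requests covering the cases raised in this thread."""
    sk_key = (b"\x11" * 32, b"ssh:", 0x01, b"constructed-key-handle", b"")  # constructed
    ed_key = (b"\x22" * 32, b"\x33" * 64)  # constructed, not a real key
    sk = b"sk-ssh-ed25519@openssh.com"
    return {
        "sk key, sk-provider=internal": build_add_id(sk, sk_key, b"somu", extension(SK_PROVIDER_EXT, b"internal")),
        "sk key, external sk-provider path": build_add_id(sk, sk_key, b"somu", extension(SK_PROVIDER_EXT, b"/path/to/provider.so")),
        "ed25519 with lifetime 60": build_add_id(b"ssh-ed25519", ed_key, b"user@host", lifetime(60)),
        "ed25519 with restrict-destination": build_add_id(b"ssh-ed25519", ed_key, b"user@host", extension(b"restrict-destination-v00@openssh.com", b"")),
        "plain ed25519": build_add_id(b"ssh-ed25519", ed_key, b"user@host"),
    }


if __name__ == "__main__":
    for label, m in demo_messages().items():
        print(f"{label}: {process_add_identity(m)}")
```

The parser consumes the comment string before it looks at constraints, which is the offset problem the second bullet of the commit describes, and it refuses truncated or trailing bytes instead of guessing, so a client's "ssh-add -t 60" (carlolars' case) receives a clean SSH_AGENT_FAILURE rather than a partially parsed request.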
@tgauth tgauth closed this as completed Apr 12, 2023