
Adding U2F/Fido2 keys to the agent from other clients #1961


Closed · 3 tasks done
ddrown opened this issue Jul 2, 2022 · 2 comments


ddrown commented Jul 2, 2022

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

When trying to add an ecdsa-sk key to the Windows ssh-agent:

Using the Windows ssh-add (works properly):

PS > & "C:\Program Files\OpenSSH\ssh-add" id_ecdsa_sk
Identity added: id_ecdsa_sk (somu)

From Fedora 35 WSL2 (OpenSSH 8.7p1, via npiperelay, fails):

$ ssh-add -d
Identity removed: /home/abob/.ssh/id_ecdsa_sk ECDSA-SK ((null))
$ ssh-add -l
The agent has no identities.
$ ssh-add id_ecdsa_sk
Could not add identity "id_ecdsa_sk": communication with agent failed

From KeePassXC 2.7.1 (fails):
[image]

Fedora and KeePassXC are able to add non-U2F/Fido2 keys.

If I change the Fedora ssh-add client to not send a skprovider, it works:

$ ./ssh-add -l
The agent has no identities.
$ ./ssh-add ~/.ssh/id_ecdsa_sk
Identity added: /home/abob/.ssh/id_ecdsa_sk (somu)
$ ./ssh-add -l
256 SHA256:8gAXpKjrC+SzxcCkKk6xb6Rk4I+U/FyewnQy2H+zvtA somu (ECDSA-SK)

Expected behavior

SSH key loaded into agent

Actual behavior

Error messages from other ssh agent clients

Error details

No response

Environment data

PS > & "C:\Program Files\OpenSSH\ssh" -V
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3

Version

8.9.1.0

Visuals

No response


ddrown commented Jul 3, 2022

Running windows ssh agent in debug mode gives this message:

debug1: process agent request type 25
debug1: unknown agent request 25

type 25 is:

$ grep 25 authfd.h
#define SSH2_AGENTC_ADD_ID_CONSTRAINED          25

ssh-agent.c handles this with the same code path as add_identity:

        case SSH2_AGENTC_ADD_IDENTITY:
        case SSH2_AGENTC_ADD_ID_CONSTRAINED:
                process_add_identity(e);
                break;

ddrown added a commit to ddrown/win32-openssh-portable that referenced this issue Jul 3, 2022
…ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC
ref PowerShell/Win32-OpenSSH#1961
carlolars commented:

Simply adding a key with a lifetime (-t life) using ssh-add.exe shipped with Win32-OpenSSH fails:

> & 'C:\Program Files\OpenSSH\ssh-add.exe' -t 60 .\.ssh\id_ed25519
Enter passphrase for .\.ssh\id_ed25519:
Could not add identity ".\.ssh\id_ed25519": communication with agent failed

tgauth pushed a commit to PowerShell/openssh-portable that referenced this issue Apr 5, 2023

* support SSH2_AGENTC_ADD_ID_CONSTRAINED by treating it as SSH2_AGENTC_ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC
ref PowerShell/Win32-OpenSSH#1961

* update buffer pointer to after comment string

sshbuf_peek_string_direct doesn't update request offset pointer

* parse agent constraint messages

returns SSH_AGENT_FAILURE on unsupported constraint types, such as:
* SSH_AGENT_CONSTRAIN_LIFETIME
* SSH_AGENT_CONSTRAIN_CONFIRM
* SSH_AGENT_CONSTRAIN_MAXSIGN

returns SSH_AGENT_FAILURE on unsupported constraint extensions, such as:
"restrict-destination-v00@openssh.com"

accepts and ignores constraint extension "sk-provider@openssh.com"

* reject non-internal skproviders & log
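The two technical points in this thread, the "unknown agent request 25" dispatch from ddrown's debug run and the constraint-parsing policy described in the commit message above, in working form. This is an added example, not code from this issue, from ddrown's branch or from PowerShell/openssh-portable: a client-side builder for the SSH2_AGENTC_ADD_IDENTITY / SSH2_AGENTC_ADD_ID_CONSTRAINED request (what ssh-add sends) and an agent-side parser that applies the commit's stated policy. Assumptions: the wire encoding from OpenSSH's PROTOCOL.agent (uint32-framed messages, ssh-string = uint32 length + bytes), the private-key field layouts of ssh-ed25519 and sk-ecdsa-sha2-nistp256@openssh.com, and that the one sk-provider value the agent accepts is the literal "internal" (read off the phrase "reject non-internal skproviders"; the patch's actual comparison is not shown on this page). All key bytes, comments and provider paths are constructed placeholders.

```python
"""Agent-side handling of SSH2_AGENTC_ADD_ID_CONSTRAINED.

Added example, not code from PowerShell/openssh-portable.  Assumes the wire
format in OpenSSH's PROTOCOL.agent (uint32-framed messages, ssh-string =
uint32 length + bytes), the private-key field layouts of ssh-ed25519 and
sk-ecdsa-sha2-nistp256@openssh.com, and that the only accepted sk-provider
value is the literal "internal" (assumed from "reject non-internal
skproviders").  Key material below is constructed dummy bytes.
"""
import struct

SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED = 17, 25
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
CONSTRAIN_LIFETIME, CONSTRAIN_CONFIRM, CONSTRAIN_MAXSIGN, CONSTRAIN_EXTENSION = 1, 2, 3, 255

# Private-key fields that follow the key-type string: "s" = ssh-string, "b" = byte.
PRIVKEY_FIELDS = {
    "ssh-ed25519": "ss",                              # pk, sk
    "sk-ecdsa-sha2-nistp256@openssh.com": "sssbss",   # curve, Q, application, flags, key_handle, reserved
}

def ssh_string(b): return struct.pack(">I", len(b)) + b
def ssh_uint32(n): return struct.pack(">I", n)

class Reader:
    """Bounds-checked cursor; every read advances the offset.  The commit's
    'update buffer pointer to after comment string' fix is exactly this: a peek
    that does not advance leaves the constraint loop reading the comment bytes
    as if they were a constraint type."""
    def __init__(self, data): self.data, self.off = data, 0
    def _take(self, n):
        if self.off + n > len(self.data): raise ValueError("truncated message")
        chunk = self.data[self.off:self.off + n]; self.off += n
        return chunk
    def byte(self): return self._take(1)[0]
    def uint32(self): return struct.unpack(">I", self._take(4))[0]
    def string(self): return self._take(self.uint32())
    def eof(self): return self.off >= len(self.data)

def sample_sk_fields():
    """Constructed placeholder fields for an sk-ecdsa key (not a real key)."""
    return [b"nistp256", b"\x04" + b"\x11" * 64, b"ssh:", 0x01, b"\xaa" * 32, b""]

def lifetime_constraint(seconds): return bytes([CONSTRAIN_LIFETIME]) + ssh_uint32(seconds)
def extension_constraint(name, data): return bytes([CONSTRAIN_EXTENSION]) + ssh_string(name.encode()) + ssh_string(data)

def build_add_id_request(key_type, fields, comment, constraints=b""):
    """Client side (what ssh-add sends): ADD_IDENTITY when there are no
    constraints, otherwise ADD_ID_CONSTRAINED, wrapped in the uint32 frame."""
    if len(fields) != len(PRIVKEY_FIELDS[key_type]):
        raise ValueError("field count does not match key type layout")
    body = bytes([SSH2_AGENTC_ADD_ID_CONSTRAINED if constraints else SSH2_AGENTC_ADD_IDENTITY])
    body += ssh_string(key_type.encode())
    for kind, val in zip(PRIVKEY_FIELDS[key_type], fields):
        body += bytes([val]) if kind == "b" else ssh_string(val)
    body += ssh_string(comment.encode()) + constraints
    return ssh_uint32(len(body)) + body

def agent_process_add(framed):
    """Agent side: returns (status, reason) following the policy in the commit message."""
    try:
        return _process(Reader(framed), len(framed))
    except ValueError as e:          # truncated or malformed input is a failure, not a crash
        return SSH_AGENT_FAILURE, str(e)

def _process(r, total):
    if r.uint32() != total - 4:
        return SSH_AGENT_FAILURE, "frame length mismatch"
    msg_type = r.byte()
    if msg_type not in (SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED):
        return SSH_AGENT_FAILURE, f"unknown agent request {msg_type}"   # the pre-fix agent said this for 25
    key_type = r.string().decode()
    if key_type not in PRIVKEY_FIELDS:
        return SSH_AGENT_FAILURE, f"unsupported key type {key_type}"
    for kind in PRIVKEY_FIELDS[key_type]:     # walk past the key material itself
        r.byte() if kind == "b" else r.string()
    comment = r.string().decode(errors="replace")   # consume the comment, do not peek
    if msg_type == SSH2_AGENTC_ADD_IDENTITY and not r.eof():
        return SSH_AGENT_FAILURE, "trailing data after comment"
    while msg_type == SSH2_AGENTC_ADD_ID_CONSTRAINED and not r.eof():
        ctype = r.byte()
        if ctype in (CONSTRAIN_LIFETIME, CONSTRAIN_CONFIRM, CONSTRAIN_MAXSIGN):
            return SSH_AGENT_FAILURE, f"unsupported constraint type {ctype}"
        if ctype != CONSTRAIN_EXTENSION:
            return SSH_AGENT_FAILURE, f"unknown constraint type {ctype}"
        name = r.string().decode()
        if name != "sk-provider@openssh.com":     # e.g. restrict-destination-v00@openssh.com
            return SSH_AGENT_FAILURE, f"unsupported constraint extension {name}"
        provider = r.string().decode()
        if provider != "internal":                # assumed accepted value, see module docstring
            return SSH_AGENT_FAILURE, f"rejecting non-internal sk-provider {provider!r}"
        # sk-provider@openssh.com = internal: accepted and otherwise ignored
    return SSH_AGENT_SUCCESS, f"Identity added: {comment}"

if __name__ == "__main__":
    sk = ("sk-ecdsa-sha2-nistp256@openssh.com", sample_sk_fields(), "somu")
    cases = {
        "Windows ssh-add (no sk-provider constraint)": build_add_id_request(*sk),
        "WSL ssh-add (sk-provider internal)": build_add_id_request(*sk, extension_constraint("sk-provider@openssh.com", b"internal")),
        "ssh-add -S <constructed path>": build_add_id_request(*sk, extension_constraint("sk-provider@openssh.com", b"/path/to/libsk-libfido2.so")),
        "ssh-add -t 60 id_ed25519": build_add_id_request("ssh-ed25519", [b"\x22" * 32, b"\x33" * 64], "id_ed25519", lifetime_constraint(60)),
    }
    for label, req in cases.items():
        print(f"{label}: {agent_process_add(req)}")
```

Run stand-alone it prints one line per scenario: the plain ADD_IDENTITY and the sk-provider=internal request succeed, the non-internal provider and the `-t 60` lifetime request (carlolars's case) fail. The Reader deliberately raises on any short read so that a malformed or truncated request from a client such as npiperelay or KeePassXC produces SSH_AGENT_FAILURE rather than reading past the buffer.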
@tgauth tgauth closed this as completed Apr 12, 2023
4 participants