Bug 3491

Summary: Cannot import FIDO2 keys when macOS lockdown mode enabled
Product: Portable OpenSSH Reporter: vivithecanine
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: normal CC: djm
Priority: P5    
Version: 9.1p1   
Hardware: All   
OS: Mac OS X   

Description vivithecanine 2022-10-27 06:31:35 AEDT 
Overview: Enabling Lockdown mode on macOS 13.0 breaks FIDO2 security key authentication.

As a note, I am using the Homebrew version of OpenSSH as the version bundled with macOS is woefully ancient, it was however working before lockdown mode was activated.

The documentation on Lockdown Mode is unfortunately sparse, but here is a marketing blurb on the feature set. https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/

This feature automatically requires USB allow listing and seemingly alters some other behavior that OpenSSH relies on.

FIDO2 authentication behaves as expected in Google Chrome and the Yubico Manager with my Yubikey 5 NFC. I can still list and add/remove Discoverable Credentials without a hitch.

Steps to Reproduce:

1) Enroll security keys on a FIDO2 token on a macOS machine https://xeiaso.net/blog/yubikey-ssh-key-storage
2) Enable Lockdown Mode https://support.apple.com/en-us/HT212650
3) Attempt to add a key to ssh-agent using ssh-add -K or use ssh-keygen -K
4) Enter your FIDO2 PIN

Actual results:
OpenSSH emits the following error
Unable to add key ED25519-SK SHA256:<fingerprint>

Expected results:
OpenSSH would request a presence touch on the Yubikey and successfully import the key material

Build and OS Version:

% ssh -V
OpenSSH_9.1p1, OpenSSL 1.1.1q  5 Jul 2022

% sw_vers
ProductName:		macOS
ProductVersion:		13.0
BuildVersion:		22A380

Debug output from ssh-add below:

% ssh-add -K -vvv
Enter PIN for authenticator:
debug3: start_helper: started pid=21930
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /opt/homebrew/Cellar/openssh/9.1p1/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_load_resident_keys: trying ioreg://4294976002
debug1: check_sk_options: option uv is unknown
debug1: read_rks: existing 4, remaining 21
debug1: read_rks: Device ioreg://4294976002 has resident keys for 3 RPs
debug1: read_rks: rp 0: name="(none)" id="login.microsoft.com" hashlen=32
debug1: read_rks: rp 1: name="(none)" id="ssh:vivithecanine" hashlen=32
debug1: read_rks: RP "ssh:vivithecanine" has 1 resident keys
debug1: read_rks: Device ioreg://4294976002 RP "ssh:vivithecanine" user "openssh" uidlen 32 slot 0: type -8 flags 0x00 prot 0x03
debug1: read_rks: rp 2: name="(none)" id="ssh:user" hashlen=32
debug1: read_rks: RP "ssh:user" has 1 resident keys
debug1: read_rks: Device ioreg://4294976002 RP "ssh:user" user "openssh" uidlen 32 slot 0: type -8 flags 0x00 prot 0x03
debug3: sshsk_load_resident: rk 0: slot 0, alg 1, app "ssh:vivithecanine", uidlen 32
debug3: sshsk_load_resident: rk 1: slot 0, alg 1, app "ssh:user", uidlen 32
debug1: process_load_resident: key 0 ED25519-SK ssh:vivithecanine uidlen 32
debug1: process_load_resident: key 1 ED25519-SK ssh:user uidlen 32
debug1: main: reply len 371
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=21930
debug1: sshsk_load_resident: srks[0]: ED25519-SK ssh:vivithecanine uidlen 32
debug1: sshsk_load_resident: srks[1]: ED25519-SK ssh:user uidlen 32
Unable to add key ED25519-SK SHA256:[redacted]
Unable to add key ED25519-SK SHA256:[redacted]
Comment 1 Damien Miller 2022-11-17 13:58:55 AEDT 
From the debug log, it appears that ssh-add was successfully downloading the keys from your FIDO2 token, but failing to add them to ssh-agent. I wonder if lockdown mode is simply breaking ssh-agent?

Could you confirm that key download works using "ssh-keygen -K"?

If that works, are you able to add them to ssh-agent directly using ssh-add?

According to https://support.apple.com/en-us/HT212650 it is possible to exempt particular applications from the lockdown. Maybe you could exempt ssh-agent?