Bug 3463 - cannot gen ed25519-sk resident key with fido2
Summary: cannot gen ed25519-sk resident key with fido2
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 9.0p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-14 05:45 AEST by sergey
Modified: 2023-03-17 13:41 AEDT
CC List: 2 users

See Also:


Attachments
config log (60.70 KB, application/gzip)
2022-07-19 18:59 AEST, sergey

Description sergey 2022-07-14 05:45:19 AEST
./ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
Key enrollment failed: invalid format

It looks like this feature has been broken since 8.2.

OpenSSH 9.0 was built with:
../configure --with-security-key-builtin --with-md5-passwords --with-selinux --with-privsep-path=$HOME/openssl-8/test-openssh --sysconfdir=$HOME/openssl-8/test-openssh --prefix=$HOME/openssl-8/test-openssh --enable-security-key --enable-fido2

For instance, the expected result (taken from version 8.2):
./ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/galina/.ssh/id_ed25519_sk): ./id_ed25519_sk
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./id_ed25519_sk
Your public key has been saved in ./id_ed25519_sk.pub
The key fingerprint is:
SHA256:+3o85xn1NtIUJGfQupvtCQpb2gQmSXviP3bbcuHZ+R0 galina@galina
The key's randomart image is:
+[ED25519-SK 256]-+
|             oo+ |
|              =. |
|       .      .. |
|      . o    .  .|
|       =S+    o. |
|      . =..  +o. |
|       ..o oooBE+|
|        .+@o+Oo==|
|        o*+B*..o+|
+----[SHA256]-----+
Comment 1 pedro martelletto 2022-07-18 23:27:41 AEST
Works for me on a Yubico Security Key with firmware 5.2.4. Could you please provide the output of fido2-token -L, fido2-token -I <dev>, and FIDO_DEBUG=1 ssh-keygen -vvv -t ed25519-sk -O resident -f /tmp/foo? Thanks.
Comment 2 sergey 2022-07-19 00:14:16 AEST
Yes, sure:
$ fido2-token -L
/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

$ fido2-token -I /dev/hidraw3
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: ee882879721c491397753dfcce97072a
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
fwversion: 0x50403
pin protocols: 2, 1
pin retries: undefined
uv retries: undefined

$ FIDO_DEBUG=1 ssh-keygen -vvv -t ed25519-sk -O resident -f /tmp/foo
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
debug3: start_helper: started pid=14181
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
No FIDO SecurityKeyProvider specified
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=14181
Key enrollment failed: invalid format
Comment 3 pedro martelletto 2022-07-19 03:45:45 AEST
> debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
> debug1: sshsk_enroll: provider "", device "(null)", application "ssh:",
> userid "(null)", flags 0x21, challenge len 0 with-pin
> debug1: sshsk_enroll: using random challenge
> No FIDO SecurityKeyProvider specified

This looks like the invocation of a ssh-keygen/ssh-sk-helper pair built without --with-security-key-builtin. If this is indeed the ssh-keygen you built, please double-check the value of _PATH_SSH_SK_HELPER in Makefile to ensure the correct ssh-sk-helper is being picked up.
Comment 4 sergey 2022-07-19 18:59:08 AEST
Created attachment 3604
config log
Comment 5 sergey 2022-07-19 19:02:05 AEST
I've fully rebuilt OpenSSH 9:
../configure --with-security-key-builtin --with-md5-passwords --with-selinux --with-privsep-path=$HOME/openssl-8/test-openssh --sysconfdir=$HOME/openssl-9/test-openssh --prefix=$HOME/openssl-9/test-openssh --enable-security-key --enable-fido2

The config log is attached.

The output of the command is different:
bin $ FIDO_DEBUG=1 ./ssh-keygen -vvv -t ed25519-sk -O resident -f /tmp/foo
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
debug3: start_helper: started pid=16068
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /home/galina/openssl-9/test-openssh/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
fido_hid_unix_open: open /dev/hidraw0: Permission denied
fido_hid_unix_open: open /dev/hidraw1: Permission denied
fido_hid_unix_open: open /dev/hidraw2: Permission denied
run_manifest: found 1 hid device
run_manifest: found 0 nfc devices
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
fido_tx: dev=0x563bc994a6b0, cmd=0x06
fido_tx: buf=0x563bc994a6b0, len=8
0000: ad 85 51 90 9c ad 17 93
fido_rx: dev=0x563bc994a6b0, cmd=0x06, ms=-1
rx_preamble: buf=0x7ffe22c2aa10, len=64
0000: ff ff ff ff 86 00 11 ad 85 51 90 9c ad 17 93 81
0016: 74 34 79 02 05 04 03 05 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=17
fido_rx: buf=0x563bc994a6b8, len=17
0000: ad 85 51 90 9c ad 17 93 81 74 34 79 02 05 04 03
0016: 05
fido_dev_get_cbor_info_tx: dev=0x563bc994a6b0
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x7ffe22c2aa77, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x563bc994a6b0, ci=0x563bc993a070, ms=-1
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a1d0, len=64
0000: 81 74 34 79 90 00 c8 00 ac 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=200
rx: buf=0x7ffe22c2a1d0, len=64
0000: 81 74 34 79 00 65 74 03 50 ee 88 28 79 72 1c 49
0016: 13 97 75 3d fc ce 97 07 2a 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f4 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x7ffe22c2a1d0, len=64
0000: 81 74 34 79 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 b0 06 82 02 01 07 08 08 18 80 09 81 63
0032: 75 73 62 0a 82 a2 63 61 6c 67 26 64 74 79 70 65
0048: 6a 70 75 62 6c 69 63 2d 6b 65 79 a2 63 61 6c 67
rx: buf=0x7ffe22c2a1d0, len=64
0000: 81 74 34 79 02 27 64 74 79 70 65 6a 70 75 62 6c
0016: 69 63 2d 6b 65 79 0d 04 0e 1a 00 05 04 03 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x7ffe22c2a260, len=200
0000: 00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 ee 88 28
0064: 79 72 1c 49 13 97 75 3d fc ce 97 07 2a 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f4 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 b0 06 82 02 01 07 08 08 18 80 09 81 63 75
0144: 73 62 0a 82 a2 63 61 6c 67 26 64 74 79 70 65 6a
0160: 70 75 62 6c 69 63 2d 6b 65 79 a2 63 61 6c 67 27
0176: 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79
0192: 0d 04 0e 1a 00 05 04 03
parse_reply_element: cbor type
fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
debug1: ssh_sk_enroll: using device /dev/hidraw3
fido_dev_authkey_tx: dev=0x563bc994a6b0
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x563bc993bd20, len=6
0000: 06 a2 01 02 02 02
fido_dev_authkey_rx: dev=0x563bc994a6b0, authkey=0x563bc9939f20, ms=-1
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a210, len=64
0000: 81 74 34 79 90 00 51 00 a1 01 a5 01 02 03 38 18
0016: 20 01 21 58 20 55 c5 cc 67 da df 27 ce 28 ff de
0032: ad 86 a0 63 55 45 02 b5 a2 77 86 81 66 5b 6f be
0048: 75 42 a5 cc 9e 22 58 20 d8 36 8e bb c2 9c 5c 37
rx: payload_len=81
rx: buf=0x7ffe22c2a210, len=64
0000: 81 74 34 79 00 44 18 a0 6b ff d0 8a 41 5d fc 20
0016: 4d 75 56 18 98 59 a4 ad 31 36 be b5 aa 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x7ffe22c2a2a0, len=81
0000: 00 a1 01 a5 01 02 03 38 18 20 01 21 58 20 55 c5
0016: cc 67 da df 27 ce 28 ff de ad 86 a0 63 55 45 02
0032: b5 a2 77 86 81 66 5b 6f be 75 42 a5 cc 9e 22 58
0048: 20 d8 36 8e bb c2 9c 5c 37 44 18 a0 6b ff d0 8a
0064: 41 5d fc 20 4d 75 56 18 98 59 a4 ad 31 36 be b5
0080: aa
fido_tx: dev=0x563bc994a6b0, cmd=0x10
fido_tx: buf=0x563bc99389e0, len=120
0000: 06 a4 01 02 02 05 03 a5 01 02 03 38 18 20 01 21
0016: 58 20 1b d4 1b 61 76 47 01 bb 76 1f 3e 4f 90 91
0032: c3 2b 15 dd 28 13 dc 60 7b 22 87 91 06 f9 e9 76
0048: 83 9e 22 58 20 31 f2 cf b6 1d ea 12 e5 a2 ea 1c
0064: 3a 5a 19 f2 15 98 d6 5a da 04 b8 5f 89 24 35 26
0080: 73 b7 6a 6f a9 06 58 20 3a e3 67 0c ea 44 8e 0d
0096: 2a a3 d2 cc 4d db c9 6c eb 9c 77 ab ef cd 87 d3
0112: b2 75 37 3a 89 91 ea 36
fido_rx: dev=0x563bc994a6b0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffe22c2a200, len=64
0000: 81 74 34 79 90 00 01 35 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x7ffe22c2a2a0, len=1
0000: 35
cbor_parse_reply: blob[0]=0x35
uv_token_rx: parse_uv_token
cbor_add_uv_params: fido_dev_get_uv_token
fido_dev_make_cred_tx: cbor_add_uv_params
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_NOT_SET
fido_tx: dev=0x563bc994a6b0, cmd=0x11
fido_tx: buf=(nil), len=0
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=16068
Key enrollment failed: invalid format
Comment 6 sergey 2022-07-19 19:10:52 AEST
It shows FIDO_ERR_PIN_NOT_SET, but the PIN is set. Moreover, as you can see, the key is generated; I've done it with OpenSSH 8.2, but I cannot do it via OpenSSH 9:

gpg/card> verify

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006138359960000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 13835996
Name of cardholder: [не установлено]
Language prefs ...: [не установлено]
Salutation .......: 
URL of public key : [не установлено]
Login data .......: [не установлено]
Signature PIN ....: не требуется
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: 1D53 6712 BE10 A563 D131  0372 E350 77E5 D106 CC6E
      created ....: 2022-07-13 13:49:14
Encryption key....: C01A 68D2 3252 27FB 6F0D  044E EEEC F1F6 88FC DB7C
      created ....: 2022-07-13 13:49:14
Authentication key: C5E6 51BC 4219 5AC4 0B3D  DF60 58D6 560B 7E39 B47A
      created ....: 2022-07-13 13:49:14
General key info..: 
pub  ed25519/E35077E5D106CC6E 2022-07-13 Sergey-V Markov (mars) <sergey@markow.su>
sec>  ed25519/E35077E5D106CC6E       создан: 2022-07-13     годен до: никогда   
                                номер карты: 0006 13835996
ssb>  ed25519/58D6560B7E39B47A       создан: 2022-07-13     годен до: никогда   
                                номер карты: 0006 13835996
ssb>  cv25519/EEECF1F688FCDB7C       создан: 2022-07-13     годен до: никогда   
                                номер карты: 0006 13835996
Comment 7 pedro martelletto 2022-07-19 19:27:48 AEST
The FIDO and GPG subsystems of a YubiKey are independent and have separate PINs. It looks like the GPG PIN is set, but the FIDO PIN isn't. You can set the FIDO PIN using fido2-token -S <dev>.

The existing code prompts for a PIN even if one isn't set. This is addressed by https://github.com/openssh/openssh-portable/pull/329.
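The PIN state Pedro describes is already visible in the trace from comment 5: the authenticatorGetInfo reply (the "fido_rx ... len=200" dump) carries an options map with clientPin set to false, which in CTAP2 means "PIN supported but not yet set" (an absent clientPin means no PIN support at all, true means a PIN is set). The example below is added here and is not OpenSSH or libfido2 code: it decodes that captured reply with a small hand-written CBOR decoder and derives from it whether prompting for a PIN makes sense, which is the decision the linked pull request is about. The byte string is constructed from the hex dump on this page; the key-name table follows the CTAP2 getInfo field numbering.

```python
"""Decode a CTAP2 authenticatorGetInfo reply and report the client-PIN state.

Added example for this bug thread; not OpenSSH or libfido2 code. The payload
is the 200-byte reply copied from the FIDO_DEBUG trace in comment 5 (one CTAP
status byte followed by a CBOR map). The decoder is a minimal one written
here and covers only the CBOR major types that getInfo actually uses.
"""

# Constructed from the "fido_rx ... len=200" hex dump; bytes.fromhex() skips whitespace.
GETINFO_REPLY = bytes.fromhex(
    "00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f"
    "5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52"
    "45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b"
    "68 6d 61 63 2d 73 65 63 72 65 74 03 50 ee 88 28"
    "79 72 1c 49 13 97 75 3d fc ce 97 07 2a 04 a5 62"
    "72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c"
    "69 65 6e 74 50 69 6e f4 75 63 72 65 64 65 6e 74"
    "69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05"
    "19 04 b0 06 82 02 01 07 08 08 18 80 09 81 63 75"
    "73 62 0a 82 a2 63 61 6c 67 26 64 74 79 70 65 6a"
    "70 75 62 6c 69 63 2d 6b 65 79 a2 63 61 6c 67 27"
    "64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79"
    "0d 04 0e 1a 00 05 04 03"
)

# CTAP2 authenticatorGetInfo response member numbers -> names.
GETINFO_KEYS = {
    0x01: "versions", 0x02: "extensions", 0x03: "aaguid", 0x04: "options",
    0x05: "maxMsgSize", 0x06: "pinUvAuthProtocols", 0x07: "maxCredentialCountInList",
    0x08: "maxCredentialIdLength", 0x09: "transports", 0x0A: "algorithms",
    0x0D: "minPINLength", 0x0E: "firmwareVersion",
}


def cbor_decode(buf: bytes, pos: int = 0):
    """Decode one CBOR data item at buf[pos]; return (value, position after it)."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:                      # argument encoded in the initial byte
        arg = info
    elif info <= 27:                   # 1, 2, 4 or 8 following bytes, big-endian
        width = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"unsupported additional info {info} at offset {pos - 1}")

    if major == 0:                     # unsigned integer
        return arg, pos
    if major == 1:                     # negative integer: -1 - arg (0x26 -> -7, ES256)
        return -1 - arg, pos
    if major == 2:                     # byte string
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:                     # UTF-8 text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:                     # definite-length array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                     # definite-length map
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            value, pos = cbor_decode(buf, pos)
            result[key] = value
        return result, pos
    if major == 7 and info in (20, 21, 22):   # false / true / null
        return {20: False, 21: True, 22: None}[info], pos
    raise ValueError(f"unsupported CBOR item 0x{initial:02x} at offset {pos - 1}")


def parse_get_info(reply: bytes) -> dict:
    """Strip the CTAP status byte and decode the getInfo map with named keys."""
    if not reply:
        raise ValueError("empty reply")
    if reply[0] != 0x00:
        raise ValueError(f"CTAP2 error status 0x{reply[0]:02x}")
    info, end = cbor_decode(reply, 1)
    if end != len(reply):
        raise ValueError(f"{len(reply) - end} trailing byte(s) after CBOR map")
    if not isinstance(info, dict):
        raise ValueError("getInfo payload is not a CBOR map")
    return {GETINFO_KEYS.get(k, k): v for k, v in info.items()}


def pin_state(info: dict) -> str:
    """options.clientPin: absent = unsupported, false = not set, true = set."""
    options = info.get("options", {})
    if "clientPin" not in options:
        return "unsupported"
    return "set" if options["clientPin"] else "not set"


def needs_pin_prompt(info: dict) -> bool:
    """Only a token that reports clientPin=true can accept a PIN."""
    return pin_state(info) == "set"


if __name__ == "__main__":
    info = parse_get_info(GETINFO_REPLY)
    print("aaguid   :", info["aaguid"].hex())
    print("options  :", info["options"])
    print("firmware :", hex(info["firmwareVersion"]))
    print("PIN state:", pin_state(info), "-> prompt:", needs_pin_prompt(info))
```

Running it against the captured reply reports the same facts fido2-token -I printed in comment 2 (aaguid ee882879..., firmware 0x50403, noclientPin) and yields "not set", so a client holding this reply knows in advance that FIDO_ERR_PIN_NOT_SET is the only possible outcome of a PIN-protected makeCredential and can skip the prompt.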
Comment 8 sergey 2022-07-19 22:48:51 AEST
Hmm, OK. It works for now! I was confused because OpenSSH 8.2 works just fine with the PIN which was set by gpg.

Thanks!
Comment 9 Damien Miller 2022-11-11 11:25:45 AEDT
Thanks Pedro for digging into this!
Comment 10 Damien Miller 2023-03-17 13:41:51 AEDT
OpenSSH 9.3 has been released. Closing resolved bugs.