OpenSSH 8.9 breaks version 2.0.0 #13

Open
brian-maloney opened this issue Feb 27, 2022 · 11 comments · May be fixed by #16

Comments

@brian-maloney

Looks like OpenSSH 8.9 has updated the required version for the FIDO library, which breaks version 2.0.0:

```
$ SSH_SK_PROVIDER=winhello.dll ssh-keygen -t  ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)
Key enrollment failed: invalid format
```

@tavrez
Owner

tavrez commented Feb 27, 2022

Yes, a new version is on the way, thanks for the report.

@Neurrone

I'm getting this error, which I suspect is also an instance of this:

```
Provider "c:/Program Files/OpenSSH/winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)
```

@abairit

abairit commented Jun 27, 2022

> Yes, a new version is on the way, thanks for the report.

Hi, I have the same problem. The new Win32 OpenSSH 8.9.1 version (https://github.com/PowerShell/Win32-OpenSSH) needs a newer library version. I can't use the older version 8.6 of Win32 OpenSSH because there is no FIDO support in this version (https://github.com/PowerShell/Win32-OpenSSH/releases/tag/V8.6.0.0p1-Beta).

Can you say when the new version of your middleware will be available?

Best regards

@aldobarr

> Yes, a new version is on the way, thanks for the report.

Is there any update on this? It's pretty crucial for this to continue working

@tavrez
Owner

tavrez commented Jul 27, 2022

Sorry I'm terribly busy during these days, maybe a PR from someone could help...

@aldobarr

aldobarr commented Aug 1, 2022

> Sorry I'm terribly busy during these days, maybe a PR from someone could help...

I might give this a shot when I get some free time. Keeping in mind I've never worked with any Windows APIs or openssh, can you provide some documentation to look over?

@wlius-support3

I also don't have any experience in this realm, but from what I can tell, the conflicting version number comes from:
https://github.com/tavrez/openssh-sk-winhello/blob/master/src/sk-api.h

And an updated version of that file can be found here:
https://github.com/openssh/openssh-portable/blob/master/sk-api.h

I don't know what other code needs to be changed to adapt to the updated file - but that would likely be where you'd want to start.

@aldobarr

aldobarr commented Aug 1, 2022

> I also don't have any experience in this realm, but from what I can tell, the conflicting version number comes from: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/sk-api.h
>
> And an updated version of that file can be found here: https://github.com/openssh/openssh-portable/blob/master/sk-api.h
>
> I don't know what other code needs to be changed to adapt to the updated file - but that would likely be where you'd want to start.

I had seen that, it was going to be where I'd start but obviously understanding the documentation behind the change would be better.

@wlius-support3

According to this:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis

Their only "documentation" is the headers file here:
https://github.com/microsoft/webauthn

This is referenced within this codebase here:
https://github.com/tavrez/openssh-sk-winhello/blob/master/src/webauthn/webauthn.h

So, I'm guessing you'd need to update that headers file and update sk-api to that spec.

There, otherwise, does not seem to be any user-friendly documentation that I can find.

@madaster97

I took a first pass at this by just changing the version hardcoded in sk-api.h, but I get this error (after entering my pin and interacting with my yubikey):

```
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
sshsk_ecdsa_assemble: sshbuf_put_string: insufficient buffer space
client_converse: receive: unexpected internal error
reap_helper: helper exited abnormally
Key enrollment failed: unexpected internal error
```

I even tried manually applying recent changes to webauthn.h and saw the same results.

PS - This is an awesome lib! I've been trying to apply FIDO to some consulting projects and knowing about the windows hello option is very helpful.
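
An added illustration, not part of the thread or of the project's code: a C model of a host-side major-version gate like the one behind the "unsupported version" error, and of what a host can misread when a provider built against an older response layout only changes the version number it reports. The constant names, the high-16-bit mask, both struct layouts and the 65-byte key are assumptions constructed for this example; only the two version values come from the error message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two values are from the error message; the names are constructed. */
#define HOST_API_MAJOR 0x00090000u /* "supported" by the OpenSSH 8.9 host */
#define OLD_API_MAJOR  0x00070000u /* reported by winhello.dll 2.0.0 */
#define API_MAJOR_MASK 0xffff0000u /* assumption: high 16 bits = major */

/* Constructed, simplified response layouts; not copied from sk-api.h. */
struct resp_old { uint8_t *public_key; size_t public_key_len; };
struct resp_new { uint8_t flags; uint8_t *public_key; size_t public_key_len; };

/* Host-side gate: load a provider only if its major version matches. */
int provider_version_ok(uint32_t reported)
{
    return (reported & API_MAJOR_MASK) == HOST_API_MAJOR;
}

/* A provider compiled against the old layout writes an old-style struct. */
static void old_provider_enroll(unsigned char *out)
{
    static uint8_t key[65];
    struct resp_old r = { key, sizeof(key) };
    memcpy(out, &r, sizeof(r));
}

/*
 * What a host compiled against the new layout believes the key length is
 * when that provider's bytes are read as resp_new, i.e. when only the
 * reported version number was changed. The true length is 65.
 */
size_t length_seen_by_new_host(void)
{
    unsigned char raw[sizeof(struct resp_new)] = {0};
    struct resp_new seen;
    old_provider_enroll(raw);
    memcpy(&seen, raw, sizeof(seen));
    return seen.public_key_len;
}

int main(void)
{
    printf("0x%08x accepted: %d\n", (unsigned)OLD_API_MAJOR, provider_version_ok(OLD_API_MAJOR));
    printf("0x%08x accepted: %d\n", (unsigned)HOST_API_MAJOR, provider_version_ok(HOST_API_MAJOR));
    printf("length seen through the new layout: %zu (true length 65)\n",
           length_seen_by_new_host());
    return 0;
}
```

The gate exists so that a layout mismatch is refused at load time instead of surfacing later as a bad length or pointer inside the host.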

@madaster97 madaster97 linked a pull request Aug 9, 2022 that will close this issue
@tavrez tavrez linked a pull request Aug 9, 2022 that will close this issue
@abairit

abairit commented Aug 29, 2022

Hi @tavrez, would it be possible to publish the preview version with the fix from the pull request?
