
Adding U2F/Fido2 keys to the agent from other clients

Open · ddrown opened this issue 3 years ago · 2 comments

Prerequisites

  • [X] Write a descriptive title.
  • [X] Make sure you are able to repro it on the latest version
  • [X] Search the existing issues.

Steps to reproduce

When trying to add an ecdsa-sk key to the Windows ssh-agent:

Using the Windows ssh-add (works properly):

PS > & "C:\Program Files\OpenSSH\ssh-add" id_ecdsa_sk
Identity added: id_ecdsa_sk (somu)

From Fedora 35 WSL2 (OpenSSH 8.7p1, via npiperelay, fails):

$ ssh-add -d
Identity removed: /home/abob/.ssh/id_ecdsa_sk ECDSA-SK ((null))
$ ssh-add -l
The agent has no identities.
$ ssh-add id_ecdsa_sk
Could not add identity "id_ecdsa_sk": communication with agent failed

From KeePassXC 2.7.1 (fails): [screenshot]

Fedora and KeePassXC are able to add non-U2F/Fido2 keys

If I change the Fedora ssh-add client to not send a skprovider, it works:

$ ./ssh-add -l
The agent has no identities.
$ ./ssh-add ~/.ssh/id_ecdsa_sk
Identity added: /home/abob/.ssh/id_ecdsa_sk (somu)
$ ./ssh-add -l
256 SHA256:8gAXpKjrC+SzxcCkKk6xb6Rk4I+U/FyewnQy2H+zvtA somu (ECDSA-SK)

Expected behavior

SSH key loaded into agent

Actual behavior

Error messages from other ssh agent clients

Error details

No response

Environment data

PS > & "C:\Program Files\OpenSSH\ssh" -V
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3

Version

8.9.1.0

Visuals

No response

ddrown, Jul 02 '22 04:07

Running windows ssh agent in debug mode gives this message:

debug1: process agent request type 25
debug1: unknown agent request 25

type 25 is:

$ grep 25 authfd.h
#define SSH2_AGENTC_ADD_ID_CONSTRAINED          25

ssh-agent.c handles this with the same code path as add_identity:

        case SSH2_AGENTC_ADD_IDENTITY:
        case SSH2_AGENTC_ADD_ID_CONSTRAINED:
                process_add_identity(e);
                break;

ddrown, Jul 03 '22 03:07

Simply adding a key with a lifetime (-t life) using ssh-add.exe shipped with Win32-OpenSSH fails:

> & 'C:\Program Files\OpenSSH\ssh-add.exe' -t 60 .\.ssh\id_ed25519
Enter passphrase for .\.ssh\id_ed25519:
Could not add identity ".\.ssh\id_ed25519": communication with agent failed

carlolars, Jul 29 '22 11:07
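Added example (not Win32-OpenSSH or OpenSSH code) of the request shapes behind the two comments above: ssh-add emits type 17 for a plain add, but type 25 (SSH2_AGENTC_ADD_ID_CONSTRAINED) as soon as a lifetime (-t) or the sk-provider@openssh.com extension for an *-sk key is attached, and an agent whose dispatch table stops at type 17 refuses the whole request. The key blob, comment and provider string are constructed placeholders, and the toy agent treats the key blob as opaque rather than parsing it per key type.

```python
import struct

SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED = 17, 25  # authfd.h
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
CONSTRAIN_LIFETIME, CONSTRAIN_EXTENSION = 1, 255
SK_PROVIDER_EXT = b"sk-provider@openssh.com"

def put_string(b):
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_add_request(key_type, key_blob, comment, lifetime=None, sk_provider=None):
    """What ssh-add sends: any constraint turns request type 17 into type 25."""
    payload = put_string(key_type) + put_string(key_blob) + put_string(comment)
    constraints = b""
    if lifetime is not None:  # ssh-add -t <seconds>
        constraints += bytes([CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if sk_provider is not None:  # ssh-add -S <provider>, sent for *-sk keys
        constraints += bytes([CONSTRAIN_EXTENSION]) + put_string(SK_PROVIDER_EXT) + put_string(sk_provider)
    msg_type = SSH2_AGENTC_ADD_ID_CONSTRAINED if constraints else SSH2_AGENTC_ADD_IDENTITY
    body = bytes([msg_type]) + payload + constraints
    return struct.pack(">I", len(body)) + body  # framing: uint32 length prefix

def agent_dispatch(msg, handle_constrained):
    """Toy agent returning (reply_type, constraints); a type-17-only table refuses 25."""
    body = msg[4:4 + struct.unpack_from(">I", msg, 0)[0]]
    msg_type = body[0]
    if msg_type not in (SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED) or (
            msg_type == SSH2_AGENTC_ADD_ID_CONSTRAINED and not handle_constrained):
        return SSH_AGENT_FAILURE, {}  # the "unknown agent request 25" case logged above
    off, found = 1, {}
    for _ in range(3):  # key type, key blob (constructed, opaque here), comment
        _, off = get_string(body, off)
    while off < len(body):  # trailing constraints; present only on type 25
        ctype, off = body[off], off + 1
        if ctype == CONSTRAIN_LIFETIME:
            found["lifetime"], off = struct.unpack_from(">I", body, off)[0], off + 4
        elif ctype == CONSTRAIN_EXTENSION:
            name, off = get_string(body, off)
            if name != SK_PROVIDER_EXT:
                return SSH_AGENT_FAILURE, {}  # unknown extension is refused
            found["sk_provider"], off = get_string(body, off)
        else:
            return SSH_AGENT_FAILURE, {}  # unknown constraint type
    return SSH_AGENT_SUCCESS, found
```

Removing every constraint (as the patched Fedora ssh-add in the report did) drops the request back to type 17, which is why that variant succeeds against an agent that only knows the unconstrained path.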