Win32-OpenSSH
Cannot create ecdsa-sk key with Windows Hello in ssh-keygen
Prerequisites
- [X] Write a descriptive title.
- [X] Make sure you are able to repro it on the latest version
- [X] Search the existing issues.
Steps to reproduce
Cannot create ecdsa-sk key with Windows Hello in ssh-keygen. Fingerprint authentication and PIN fail in the same way but it worked fine with YubiKey 5C NFC.
Expected behavior
PS> ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (C:\Users\user/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\user/.ssh/id_ecdsa_sk
Your public key has been saved in C:\Users\user/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:88noPFdjOpQ3iy7+spFw5nsIehFsxstYlMYCs+BCAjo user@localhost
The key's randomart image is:
+-[ECDSA-SK 256]--+
|=.o. . . |
|=. o. = |
|E.. * |
|.. B |
| *.oS . |
| . == *o.* |
| . o=o+* + |
| . .o=o* . |
| . .*Xo. |
+----[SHA256]-----+
Actual behavior
PS> ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
Error details
PS> $Env:FIDO_DEBUG=1
PS> ssh-keygen -t ecdsa-sk -vvvvv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: spawning "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=29492
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
webauthn_load: api version 4
debug1: ssh_sk_enroll: using device windows://hello
cbor_decode_cred_authdata: buf=000001102A344560, len=164
0000: e3 06 10 e8 a1 62 11 59 60 fe 1e c2 23 e6 52 9c
0016: 9f 4b 6e 80 20 0d cb 5e 5c 32 1c 8a f1 e2 b1 bf
0032: 45 00 00 00 00 08 98 70 58 ca dc 4b 81 b6 e1 30
0048: de 50 dc be 96 00 20 c4 25 b3 37 c2 b5 90 90 a9
0064: eb 73 a6 63 2d 27 60 39 4c 1a a1 50 fa e6 22 49
0080: 82 63 2b ad 87 18 3d a5 01 02 03 26 20 01 21 58
0096: 20 65 53 09 f3 80 5d 7a 86 ca 3e f5 01 de 2a b2
0112: aa d4 db 8e 96 fa 10 19 85 3b 65 00 a8 75 c9 a1
0128: b6 22 58 20 9c 9e c8 06 a4 71 fe e7 d8 e1 1a c3
0144: 9b 68 30 bd 25 32 c0 ba be 06 cc 48 46 60 26 0a
0160: 0f 6f 3d a2
decode_attcred: buf=000001102A344585, len=127
0000: 08 98 70 58 ca dc 4b 81 b6 e1 30 de 50 dc be 96
0016: 00 20 c4 25 b3 37 c2 b5 90 90 a9 eb 73 a6 63 2d
0032: 27 60 39 4c 1a a1 50 fa e6 22 49 82 63 2b ad 87
0048: 18 3d a5 01 02 03 26 20 01 21 58 20 65 53 09 f3
0064: 80 5d 7a 86 ca 3e f5 01 de 2a b2 aa d4 db 8e 96
0080: fa 10 19 85 3b 65 00 a8 75 c9 a1 b6 22 58 20 9c
0096: 9e c8 06 a4 71 fe e7 d8 e1 1a c3 9b 68 30 bd 25
0112: 32 c0 ba be 06 cc 48 46 60 26 0a 0f 6f 3d a2
decode_attcred: attcred->id.len=32
debug1: ssh_sk_enroll: self-attested credential
fido_cred_verify_self: cdh=000001102A31E270, authdata=000001102A30EDC0, x5c=0000000000000000, sig=0000000000000000, fmt=000001102A30A0D0 id=000001102A31DD30, rp.id=ssh:
debug1: ssh_sk_enroll: fido_cred_verify_self: FIDO_ERR_INVALID_ARGUMENT
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=29492
Key enrollment failed: invalid format
Environment data
PS> $PSVersionTable
Name Value
---- -----
PSVersion 7.3.3
PSEdition Core
GitCommitId 7.3.3
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Version
OpenSSH_for_Windows_9.2p1, LibreSSL 3.6.1
Visuals
No response
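The debug log above dumps the raw CTAP2 authenticator data that Windows Hello returned before fido_cred_verify_self rejected it. The following parser is an added example, not code from OpenSSH or libfido2: it decodes that dump (the bytes are transcribed from the cbor_decode_cred_authdata output in the issue) into the rpIdHash, flags, signature counter, AAGUID, credential ID and COSE public key, using the WebAuthn authenticator-data layout and a small CBOR reader that covers only the types a COSE key uses. It shows that the structure itself is well formed and that the enrolled key is ES256 (COSE alg -7), which is what the ssh-keygen request asked for; the failure in the log comes from the later self-attestation check, which is called with no attestation signature (sig=0, x5c=0).

```python
"""Decode the CTAP2 authenticator data dumped by ssh-sk-helper in the issue log.

Added example (not OpenSSH or libfido2 code). Layout per the WebAuthn
authenticator-data structure:
  rpIdHash(32) | flags(1) | signCount(4) |
  [AAGUID(16) | credIdLen(2) | credId | COSE key (CBOR map)]   when flag AT is set
"""
import hashlib
import struct
import uuid

# 164 bytes, transcribed from the issue's hex dump (offsets 0000..0160).
AUTHDATA = bytes.fromhex(
    "e30610e8a162115960fe1ec223e6529c9f4b6e80200dcb5e5c321c8af1e2b1bf"  # rpIdHash
    "45" "00000000"                                                      # flags, signCount
    "08987058cadc4b81b6e130de50dcbe96"                                  # AAGUID
    "0020"                                                              # credIdLen = 32
    "c425b337c2b59090a9eb73a6632d2760394c1aa150fae6224982632bad87183d"  # credential ID
    "a5010203262001215820"                                              # COSE map: kty,alg,crv,x=
    "655309f3805d7a86ca3ef501de2ab2aad4db8e96fa1019853b6500a875c9a1b6"  # x
    "225820"                                                            # y=
    "9c9ec806a471fee7d8e11ac39b6830bd2532c0babe06cc484660260a0f6f3da2"  # y
)

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80
COSE_ALG_NAMES = {-7: "ES256", -8: "EdDSA", -257: "RS256"}


def _cbor_read(buf: bytes, pos: int):
    """Decode one CBOR item at buf[pos]; supports ints, byte/text strings and maps."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:                       # unsigned int
        return arg, pos
    if major == 1:                       # negative int (COSE uses -1, -2, -3, -7 ...)
        return -1 - arg, pos
    if major == 2:                       # byte string (coordinates)
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:                       # text string
        return buf[pos:pos + arg].decode(), pos + arg
    if major == 5:                       # map
        result = {}
        for _ in range(arg):
            key, pos = _cbor_read(buf, pos)
            val, pos = _cbor_read(buf, pos)
            result[key] = val
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_authdata(authdata: bytes) -> dict:
    """Split authenticator data into its fields; raises ValueError on malformed input."""
    if len(authdata) < 37:
        raise ValueError("authenticator data too short")
    flags = authdata[32]
    out = {
        "rp_id_hash": authdata[:32].hex(),
        "flags": {"UP": bool(flags & FLAG_UP), "UV": bool(flags & FLAG_UV),
                  "AT": bool(flags & FLAG_AT), "ED": bool(flags & FLAG_ED)},
        "sign_count": struct.unpack_from(">I", authdata, 33)[0],
    }
    pos = 37
    if flags & FLAG_AT:                  # attested credential data follows
        aaguid, pos = authdata[pos:pos + 16], pos + 16
        cred_len = struct.unpack_from(">H", authdata, pos)[0]
        pos += 2
        cred_id, pos = authdata[pos:pos + cred_len], pos + cred_len
        cose_key, pos = _cbor_read(authdata, pos)
        out["attested_credential"] = {
            "aaguid": str(uuid.UUID(bytes=aaguid)),
            "credential_id_len": cred_len,
            "credential_id": cred_id.hex(),
            "kty": cose_key.get(1), "alg": cose_key.get(3), "crv": cose_key.get(-1),
            "alg_name": COSE_ALG_NAMES.get(cose_key.get(3), "unknown"),
            "x": cose_key[-2].hex(), "y": cose_key[-3].hex(),
        }
    if pos != len(authdata) and not (flags & FLAG_ED):
        raise ValueError(f"{len(authdata) - pos} unexpected trailing bytes")
    return out


def rp_id_matches(authdata: bytes, rp_id: str) -> bool:
    """True if rpIdHash equals SHA-256 of the relying-party id (OpenSSH uses 'ssh:')."""
    return hashlib.sha256(rp_id.encode()).digest() == authdata[:32]


if __name__ == "__main__":
    info = parse_authdata(AUTHDATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("rpIdHash matches 'ssh:':", rp_id_matches(AUTHDATA, "ssh:"))
```

Run it as-is to see the decoded fields; to inspect another FIDO_DEBUG dump, paste that hex into AUTHDATA instead. Note that the second dump in the log (decode_attcred, len=127) is simply AUTHDATA from byte 37 onwards, so the two lengths (164 and 127) are consistent with the 37-byte fixed header.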
Would really love to see this working.
Right now I'm using virtual smart cards for TPM-backed SSH private keys; they also have the advantage of working over RDP sessions, but apparently they're deprecated. I suppose FIDO2 is theoretically the way forward, but not all the pieces are in place yet for that.
I actually have a working setup with Windows 10 and OpenSSH client and a key with FIDO support. This is my home PC where an OpenSSH >=8.2 was pre-installed.
However, on my work PC there is an LTSC version of Windows 10 where an OpenSSH version 7.x was pre-installed. I've manually upgraded to version 8.x or 9.x but somehow FIDO support isn't working there.
Btw, I'm successfully using FIDO support on my work PC for web authentication.
Some of the computers I own work with Windows Hello + PIN and some do not.
- On laptops configured with Windows Hello facial recognition/PIN, we were able to create SSH keys with the PIN.
- On a laptop with only Windows Hello PIN configured, we were able to create SSH keys with the PIN.
- Windows 11 was newly installed for verification.
- The fingerprint authentication device is installed, but Windows Hello fingerprint authentication is not configured.
- The same error occurs on desktop computers where only Windows Hello PIN is configured.
- The same error occurs on a Hyper-V virtual machine where only the Windows Hello PIN is configured.
Using this site to debug, https://webauthn.me/debugger#
I found that Windows Hello Fido? storage requires the rs256 attribute/flag set. I believe OpenSSH is not using that, preventing you from being able to store the passkey in Windows.
I am on a laptop configured with Windows Hello fingerprint/PIN. I was able to create SSH keys with the fingerprint/PIN.
Once I reset the PIN and the SSH keys, it never allows me to create SSH keys with the fingerprint/PIN anymore.
@masakura Did you find any clue or ways to completely reset Windows Hello?
I'm on OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2, running on Windows 10 22H2 on a Dell XPS 7390, which has a built-in fingerprint sensor (Goodix) and TPM 2.0 that works with Windows Hello. But trying either ecdsa-sk or ed25519-sk prompts me to set up a USB key, and won't use Windows Hello as-is.
I feel that if Windows is able to secure itself through a fingerprint sensor, then this should be sufficient for OpenSSH too. I tried entering my Windows Hello pin too, but to no avail.
It all works as expected when using a USB key, but that's an unnecessary extra expense (and frankly less secure than something biometric).
C:\WINDOWS\system32>ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
PIN incorrect
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
PIN incorrect
Too many incorrect PINs
I think this also depends on the Windows version — only Windows 11 seems to support ECDSA for WebAuthn and Windows Hello.
Recently I recreated my PIN/biometrics for Windows Hello and it seems that Windows started to use TPM 2.0 hardware-backed storage (confirm by running certutil -csp "Microsoft Passport Key Storage Provider" -key -v) instead of the old one.
Now when I try to generate a new key in SK-SSH-Agent, Windows Hello does not allow creating passkeys using PIN/biometrics; the only option is to use a USB FIDO/U2F security key, which I do not have.
This does not only affect SK-SSH-Agent but also the browsers. I tried on https://webauthn.me/debugger# and found out that the new Windows Hello with PIN/biometrics requires the public key to be RS256+ES256. If you request ES256 only, it will not allow you to use PIN/biometrics anymore.
It would be nice to support RSASSA-PKCS1-v1_5_w_SHA256 keys, so that people can continue using PIN/biometrics instead of USB FIDO/U2F.
I'm seeing some unexpected behavior as well. I'm logged into this machine with Windows Hello, but the option does not even show up with ssh.
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
Windows 11 10.0.22631