openssh-sk-winhello
OpenSSH 8.9 breaks version 2.0.0
Looks like OpenSSH 8.9 has updated the required version for the FIDO library, which breaks version 2.0.0:
$ SSH_SK_PROVIDER=winhello.dll ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)
Key enrollment failed: invalid format
Yes, new version is on the way, thanks for report
I'm getting this error, which I suspect is also an instance of this:
Provider "c:/Program Files/OpenSSH/winhello.dll" implements unsupported version 0x00070000 (supported: 0x00090000)
Yes, new version is on the way, thanks for report
Hi, I have the same problem. The new Win32 OpenSSH 8.9.1 version (https://github.com/PowerShell/Win32-OpenSSH) needs a newer library version. I can't use the older version 8.6 of Win32 OpenSSH because there is no FIDO support in this version (https://github.com/PowerShell/Win32-OpenSSH/releases/tag/V8.6.0.0p1-Beta).
Can you say when the new version of your middleware will be available?
Best regards
Yes, new version is on the way, thanks for report
Is there any update on this? It's pretty crucial for this to continue working
Sorry I'm terribly busy during these days, maybe a PR from someone could help...
I might give this a shot when I get some free time. Keeping in mind I've never worked with any Windows APIs or openssh, can you provide some documentation to look over?
I also don't have any experience in this realm, but from what I can tell, the conflicting version number comes from: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/sk-api.h
And an updated version of that file can be found here: https://github.com/openssh/openssh-portable/blob/master/sk-api.h
I don't know what other code needs to be changed to adapt to the updated file - but that would likely be where you'd want to start.
I had seen that, it was going to be where I'd start but obviously understanding the documentation behind the change would be better.
According to this: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis
Their only "documentation" is the headers file here: https://github.com/microsoft/webauthn
This is referenced within this codebase here: https://github.com/tavrez/openssh-sk-winhello/blob/master/src/webauthn/webauthn.h
So, I'm guessing you'd need to update that headers file and update sk-api to that spec.
There, otherwise, does not seem to be any user-friendly documentation that I can find.
I took a first pass at this by just changing the version hardcoded in sk-api.h, but I get this error (after entering my PIN and interacting with my YubiKey):
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
sshsk_ecdsa_assemble: sshbuf_put_string: insufficient buffer space
client_converse: receive: unexpected internal error
reap_helper: helper exited abnormally
Key enrollment failed: unexpected internal error
I even tried manually applying recent changes to webauthn.h and saw the same results.
PS - This is an awesome lib! I've been trying to apply FIDO to some consulting projects and knowing about the windows hello option is very helpful.
Hi @tavrez, would it be possible to publish the preview version with the fix from the pull request?