wezterm ssh fails to use Yubikey for authentication when using FIDO2
What Operating System(s) are you seeing this problem on?
macOS
Which Wayland compositor or X11 Window manager(s) are you using?
N/A
WezTerm version
20230712-072601-f4abf8fd
Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?
No, and I'll explain why below
Describe the bug
When I attempt to ssh into a server in my house using my Yubikey using FIDO2, I am not prompted for my pin. The ssh key is ignored and I am prompted for my SSH password.
Using the openssh client prompts me for my pin and using the ssh kitten in kitty also prompts me for my pin.
I set up my ssh key using this webpage from Yubico:
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
I created non-discoverable credentials.
To Reproduce
Use this guide from Yubico to create non-discoverable FIDO2 credentials and set them up on a server:
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
wezterm ssh -v -oIdentityFile=~/.ssh/id_ecdsa_sk servername
Configuration
no config
Expected Behavior
It should prompt me for my PIN. Then my Yubikey should start flashing and I login after I hit the button on my Yubikey.
Logs
22:44:11.083 INFO mux::ssh > Using ssh config: {
"hostname": "fedora-server",
"identityagent": "/private/tmp/com.apple.launchd.paW3jAmKuX/Listeners",
"identityfile": "/Users/andy/.ssh/id_ecdsa_sk",
"port": "22",
"sendenv": "LANG LC_*",
"user": "andy",
"userknownhostsfile": "/Users/andy/.ssh/known_hosts /Users/andy/.ssh/known_hosts2",
"wezterm_ssh_backend": "libssh",
"wezterm_ssh_verbose": "true",
}
22:44:11.083 INFO libssh::ssh_config_parse_file > Reading configuration data from /Users/andy/.ssh/config
22:44:11.083 INFO libssh::ssh_config_parse_file > Reading configuration data from /etc/ssh/ssh_config
22:44:11.084 INFO libssh::local_parse_file > Cannot find file /etc/ssh/ssh_config.d/* to load
22:44:11.084 INFO libssh::ssh_config_parse_line > Unapplicable option: SendEnv, line: 55
22:44:11.094 INFO wezterm_ssh::sessioninner > resolved fedora-server:22 -> 172.25.100.6:22
22:44:11.098 INFO libssh::ssh_connect > libssh 0.8.90 (c) 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
22:44:11.098 INFO libssh::ssh_connect > Socket connecting, now waiting for the callbacks to work
22:44:11.098 INFO libssh::ssh_connect > Actual timeout : 10000
22:44:11.098 INFO libssh::ssh_socket_pollcallback > Received POLLOUT in connecting state
22:44:11.098 INFO libssh::socket_callback_connected > Socket connection callback: 1 (0)
22:44:11.098 INFO libssh::ssh_client_connection_callback > session_state=2
22:44:11.098 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.108 INFO libssh::callback_receive_banner > Received banner: SSH-2.0-OpenSSH_9.0
22:44:11.108 INFO libssh::ssh_client_connection_callback > session_state=3
22:44:11.108 INFO libssh::ssh_client_connection_callback > SSH server banner: SSH-2.0-OpenSSH_9.0
22:44:11.108 INFO libssh::ssh_analyze_banner > Analyzing banner: SSH-2.0-OpenSSH_9.0
22:44:11.108 INFO libssh::ssh_analyze_banner > We are talking to an OpenSSH server version: 9.0 (90000)
22:44:11.109 INFO libssh::ssh_client_select_hostkeys > Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256"
22:44:11.109 INFO libssh::ssh_known_hosts_read_entries > Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
22:44:11.109 INFO libssh::ssh_client_select_hostkeys > Algorithms found in known_hosts files: "ssh-ed25519"
22:44:11.109 INFO libssh::ssh_client_select_hostkeys > Changing host key method to "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256"
22:44:11.109 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.109 INFO libssh::packet_send2 > packet: wrote [type=20, len=908, padding_size=11, comp=896, payload=896]
22:44:11.109 INFO libssh::ssh_send_kex > SSH_MSG_KEXINIT sent
22:44:11.111 INFO libssh::ssh_packet_socket_callback > packet: read type 20 [len=932,padding=8,comp=923,payload=923]
22:44:11.111 INFO libssh::ssh_packet_process > Dispatching handler for packet type 20
22:44:11.111 INFO libssh::ssh_client_connection_callback > session_state=5
22:44:11.111 INFO libssh::ssh_kex_select_methods > Negotiated curve25519-sha256,ssh-ed25519,[email protected],[email protected],aead-poly1305,aead-poly1305,none,none,,
22:44:11.112 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.112 INFO libssh::packet_send2 > packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
22:44:11.162 INFO libssh::ssh_packet_socket_callback > packet: read type 31 [len=188,padding=8,comp=179,payload=179]
22:44:11.162 INFO libssh::ssh_packet_process > Dispatching handler for packet type 31
22:44:11.163 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.163 INFO libssh::packet_send2 > packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
22:44:11.163 INFO libssh::crypt_set_algorithms2 > Set output algorithm to [email protected]
22:44:11.163 INFO libssh::crypt_set_algorithms2 > Set HMAC output algorithm to aead-poly1305
22:44:11.163 INFO libssh::crypt_set_algorithms2 > Set input algorithm to [email protected]
22:44:11.163 INFO libssh::crypt_set_algorithms2 > Set HMAC input algorithm to aead-poly1305
22:44:11.163 INFO libssh::ssh_init_rekey_state > Set rekey after 134217728 blocks
22:44:11.163 INFO libssh::ssh_init_rekey_state > Set rekey after 134217728 blocks
22:44:11.163 INFO libssh::ssh_packet_client_curve25519_reply > SSH_MSG_NEWKEYS sent
22:44:11.163 INFO libssh::ssh_packet_socket_callback > Processing 332 bytes left in socket buffer
22:44:11.163 INFO libssh::ssh_packet_socket_callback > packet: read type 21 [len=12,padding=10,comp=1,payload=1]
22:44:11.163 INFO libssh::ssh_packet_process > Dispatching handler for packet type 21
22:44:11.163 INFO libssh::ssh_packet_newkeys > Received SSH_MSG_NEWKEYS
22:44:11.164 INFO libssh::ssh_packet_newkeys > Signature verified and valid
22:44:11.164 INFO libssh::ssh_client_connection_callback > session_state=6
22:44:11.164 INFO libssh::ssh_packet_socket_callback > Processing 316 bytes left in socket buffer
22:44:11.164 INFO libssh::ssh_packet_socket_callback > packet: read type 7 [len=296,padding=8,comp=287,payload=287]
22:44:11.164 INFO libssh::ssh_packet_process > Dispatching handler for packet type 7
22:44:11.164 INFO libssh::ssh_packet_ext_info > Received SSH_MSG_EXT_INFO
22:44:11.164 INFO libssh::ssh_packet_ext_info > Follows 2 extensions
22:44:11.164 INFO libssh::ssh_packet_ext_info > Extension: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
22:44:11.164 INFO libssh::ssh_packet_ext_info > Unknown extension: [email protected]
22:44:11.164 INFO libssh::ssh_connect > current state : 7
22:44:11.165 INFO libssh::packet_send2 > packet: wrote [type=5, len=24, padding_size=6, comp=17, payload=17]
22:44:11.165 INFO libssh::ssh_service_request > Sent SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
22:44:11.165 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.208 INFO libssh::ssh_packet_socket_callback > packet: read type 6 [len=24,padding=6,comp=17,payload=17]
22:44:11.208 INFO libssh::ssh_packet_process > Dispatching handler for packet type 6
22:44:11.208 INFO libssh::ssh_packet_service_accept > Received SSH_MSG_SERVICE_ACCEPT
22:44:11.208 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.208 INFO libssh::packet_send2 > packet: wrote [type=50, len=40, padding_size=4, comp=35, payload=35]
22:44:11.221 INFO libssh::ssh_packet_socket_callback > packet: read type 51 [len=64,padding=10,comp=53,payload=53]
22:44:11.221 INFO libssh::ssh_packet_process > Dispatching handler for packet type 51
22:44:11.221 INFO libssh::ssh_packet_userauth_failure > Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:11.221 INFO libssh::ssh_packet_userauth_failure > Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:11.223 INFO libssh::ssh_agent_get_ident_count > Answer type: 12, expected answer: 12
22:44:11.223 INFO libssh::ssh_agent_get_ident_count > Agent count: 0
22:44:11.223 INFO libssh::ssh_userauth_publickey_auto > Trying to authenticate with /Users/andy/.ssh/id_ecdsa_sk
22:44:11.223 INFO libssh::ssh_key_type_to_hash > Digest algorithm to be used with key type 15 is not defined
22:44:11.223 INFO libssh::ssh_key_algorithm_allowed > Checking [email protected] with list <[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256>
22:44:11.223 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:11.224 INFO libssh::packet_send2 > packet: wrote [type=50, len=232, padding_size=8, comp=223, payload=223]
22:44:11.231 INFO libssh::ssh_packet_socket_callback > packet: read type 60 [len=192,padding=8,comp=183,payload=183]
22:44:11.231 INFO libssh::ssh_packet_process > Dispatching handler for packet type 60
22:44:11.231 INFO libssh::ssh_pki_import_privkey_base64 > Trying to decode privkey passphrase=false
22:44:11.231 INFO libssh::ssh_pki_openssh_import > Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1
22:44:11.231 INFO libssh::pki_import_privkey_buffer > Unknown private key type (15)
22:44:11.231 INFO libssh::pki_openssh_import_privkey_blob > Failed to read key in OpenSSH format
22:44:11.231 INFO libssh::ssh_userauth_publickey_auto > Failed to read private key: /Users/andy/.ssh/id_ecdsa_sk
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Trying to authenticate with /Users/andy/.ssh/id_ed25519
22:44:11.232 INFO libssh::ssh_pki_import_pubkey_file > Error opening /Users/andy/.ssh/id_ed25519.pub: No such file or directory
22:44:11.232 INFO libssh::ssh_pki_import_privkey_file > Error opening /Users/andy/.ssh/id_ed25519: No such file or directory
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Private key /Users/andy/.ssh/id_ed25519 doesn't exist.
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Trying to authenticate with /Users/andy/.ssh/id_ecdsa
22:44:11.232 INFO libssh::ssh_pki_import_pubkey_file > Error opening /Users/andy/.ssh/id_ecdsa.pub: No such file or directory
22:44:11.232 INFO libssh::ssh_pki_import_privkey_file > Error opening /Users/andy/.ssh/id_ecdsa: No such file or directory
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Private key /Users/andy/.ssh/id_ecdsa doesn't exist.
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Trying to authenticate with /Users/andy/.ssh/id_rsa
22:44:11.232 INFO libssh::ssh_pki_import_pubkey_file > Error opening /Users/andy/.ssh/id_rsa.pub: No such file or directory
22:44:11.232 INFO libssh::ssh_pki_import_privkey_file > Error opening /Users/andy/.ssh/id_rsa: No such file or directory
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Private key /Users/andy/.ssh/id_rsa doesn't exist.
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Trying to authenticate with /Users/andy/.ssh/id_dsa
22:44:11.232 INFO libssh::ssh_pki_import_pubkey_file > Error opening /Users/andy/.ssh/id_dsa.pub: No such file or directory
22:44:11.232 INFO libssh::ssh_pki_import_privkey_file > Error opening /Users/andy/.ssh/id_dsa: No such file or directory
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Private key /Users/andy/.ssh/id_dsa doesn't exist.
22:44:11.232 INFO libssh::ssh_userauth_publickey_auto > Tried every public key, none matched
22:44:18.105 INFO libssh::ssh_socket_unbuffered_write > Enabling POLLOUT for socket
22:44:18.105 INFO libssh::packet_send2 > packet: wrote [type=50, len=56, padding_size=11, comp=44, payload=44]
22:44:18.121 INFO libssh::ssh_packet_socket_callback > packet: read type 51 [len=64,padding=10,comp=53,payload=53]
22:44:18.121 INFO libssh::ssh_packet_process > Dispatching handler for packet type 51
22:44:18.121 INFO libssh::ssh_packet_userauth_failure > Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
22:44:18.121 INFO libssh::ssh_packet_userauth_failure > Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Anything else?
No response
Looks like the underlying libssh library doesn't understand your chosen key file:
libssh::pki_openssh_import_privkey_blob > Failed to read key in OpenSSH format
libssh::ssh_userauth_publickey_auto > Failed to read private key: /Users/andy/.ssh/id_ecdsa_sk
and then the server denies the attempt to use password authentication:
Access denied for 'password'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
I think support for this is not yet implemented in libssh: https://gitlab.com/libssh/libssh-mirror/-/issues/34
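One detail in the log above is worth pinning down: after the publickey query for id_ecdsa_sk, the server answers with packet type 60, which is SSH_MSG_USERAUTH_PK_OK, so the server side recognises the sk-ecdsa key; the attempt dies locally when libssh decodes the private key file and meets a key type it does not know, and then falls through to the other identities and finally to password. The following Python script is an added example, not code from this issue thread, from wezterm or from libssh. It parses the openssh-key-v1 container header, reporting the same fields the log prints (ciphername, kdf, nkeys) plus the type string of each public key blob, and flags sk-* keys that only a FIDO2-capable client can use. The key file it parses is constructed in code with dummy key material; only the key type produced by the Yubico guide (sk-ecdsa-sha2-nistp256@openssh.com) and the unencrypted "none"/"none" header seen in the log are taken from the page.

```python
"""Added example: parse the header of an OpenSSH "openssh-key-v1" private key
container and report whether it holds a FIDO2 (sk-*) key.  All key material
below is constructed for this example; it is not a real credential."""
import base64
import struct

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"

# Key types that only a FIDO2-aware client (OpenSSH 8.2+, or a libssh built
# with its FIDO2 support) can sign with.
SK_KEY_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "sk-ssh-ed25519-cert-v01@openssh.com",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


class Reader:
    """Sequential decoder for RFC 4251 primitives with bounds checking."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated key container")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())


def sk_ecdsa_pubkey_blob(application: bytes = b"ssh:") -> bytes:
    """Public key blob of an sk-ecdsa-sha2-nistp256 key: type, curve, point,
    application.  The point is a dummy 65-byte value (constructed)."""
    point = b"\x04" + b"\x11" * 32 + b"\x22" * 32
    return (ssh_string(b"sk-ecdsa-sha2-nistp256@openssh.com")
            + ssh_string(b"nistp256") + ssh_string(point)
            + ssh_string(application))


def build_container(pubkey_blobs: list, comment: bytes = b"andy@example") -> str:
    """Assemble an *unencrypted* (cipher 'none', kdf 'none') container laid
    out per OpenSSH's PROTOCOL.key.  The private section carries dummy
    handle bytes (constructed) in the sk-key shape for every entry; the
    parser below never decodes it, only the public header matters here."""
    checkint = struct.pack(">I", 0x5A5A5A5A)
    private = checkint + checkint
    for blob in pubkey_blobs:
        # per-key private part: public fields again, flags byte (0x01 =
        # user presence required), key handle, reserved, then the comment
        private += blob + b"\x01" + ssh_string(b"\x33" * 64) + ssh_string(b"")
        private += ssh_string(comment)
    pad = (-len(private)) % 8                      # block size of cipher 'none'
    private += bytes(range(1, pad + 1))            # padding bytes 1, 2, 3, ...
    body = (AUTH_MAGIC + ssh_string(b"none") + ssh_string(b"none")
            + ssh_string(b"") + struct.pack(">I", len(pubkey_blobs)))
    for blob in pubkey_blobs:
        body += ssh_string(blob)
    body += ssh_string(private)
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_BEGIN, *(b64[i:i + 70] for i in range(0, len(b64), 70)),
                      PEM_END]) + "\n"


def inspect_private_key(pem: str) -> dict:
    """Read exactly what a client reads before it can use the key: cipher,
    KDF, key count and the type string of every public key blob."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OpenSSH private key file")
    r = Reader(base64.b64decode("".join(lines[1:-1])))
    if r.take(len(AUTH_MAGIC)) != AUTH_MAGIC:
        raise ValueError("bad AUTH_MAGIC")
    info = {"ciphername": r.string().decode(), "kdfname": r.string().decode()}
    r.string()                                     # kdfoptions, empty when unencrypted
    info["nkeys"] = r.uint32()
    # Every public key blob starts with its type string; a client must
    # recognise that string before it can decode the private section at all.
    info["key_types"] = [Reader(r.string()).string().decode()
                         for _ in range(info["nkeys"])]
    return info


def needs_fido2_client(info: dict) -> bool:
    """True when the file holds a key that requires FIDO2 support to sign."""
    return any(t in SK_KEY_TYPES for t in info["key_types"])


if __name__ == "__main__":
    info = inspect_private_key(build_container([sk_ecdsa_pubkey_blob()]))
    print(info)
    if needs_fido2_client(info):
        print("sk-* key: a client without FIDO2 support skips it and falls "
              "through to the next authentication method")
```

To run it against a real file, feed the contents of ~/.ssh/id_ecdsa_sk to inspect_private_key; the header is cleartext even for passphrase-protected keys (only the private section is encrypted), so the check works without the passphrase and without touching the token.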
@apastuszak fwiw, using a Unix domain seems to work for me for my FIDO2 SSH key (see: https://github.com/wez/wezterm/issues/1647#issue-1144795125). The relevant bits of my configuration are:
config.unix_domains = {
  {
    name = "tinfoil",
    proxy_command = { "ssh", "-T", "-A", "tinfoil", "wezterm", "cli", "proxy" },
  },
}
and then wezterm connect tinfoil in the terminal.
https://api.libssh.org/master/libssh_tutor_fido2.html
It seems that upstream supports this now, but I still have issues with it in wezterm. Namely, it doesn't appear to work with ssh agent forwarding.