libfido2 and openssh-portable

Hello,

I am trying to generate a FIDO2 ed25519 SSH key with libfido2 and openssh-portable. My YubiKey is recognised, but when I try to run ssh-keygen I run into the following issue:

Code:
root@builder:~ # pkg info | grep libfido2
libfido2-1.5.0                 Provides library functionality for FIDO 2.0

root@builder:~ # pkg info | grep openssh-portable
openssh-portable-8.2.p1_1,1    The portable version of OpenBSD's OpenSSH

root@builder:~ # pkg info | grep libudev-devd
libudev-devd-0.4.2_1           libudev-compatible interface for devd

root@builder:~ # cat /etc/devfs.rules
[localrules=5]
add path 'uhid*'    mode 0660 group operator
add path 'da*'    mode 0660 group operator
add path 'cd*'    mode 0660 group operator
add path 'uscanner*'    mode 0660 group operator
add path 'xpt*' mode 660 group operator
add path 'pass*' mode 660 group operator
add path 'md*' mode 0660 group operator
add path 'msdosfs/*' mode 0660 group operator
add path 'ext2fs/*' mode 0660 group operator
add path 'ntfs/*' mode 0660 group operator
add path 'usb/*' mode 0660 group operator

root@builder:~ # fido2-token -L
0000:0004:00: vendor=0x046d, product=0xc52b (Logitech USB Receiver)
0000:0004:01: vendor=0x046d, product=0xc52b (Logitech USB Receiver)
0000:0004:02: vendor=0x046d, product=0xc52b (Logitech USB Receiver)
0002:0008:00: vendor=0x05ac, product=0x8242 (Apple, Inc. IR Receiver)
0000:0002:00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0000:0002:01: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

root@builder:~ # dmesg |grep Yubico
ugen0.2: <Yubico YubiKey OTP+FIDO+CCID> at usbus0
ukbd0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.24, addr 1> on usbus0
[14] uhid0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.24, addr 1> on usbus0
[31789] ugen0.2: <Yubico YubiKey OTP+FIDO+CCID> at usbus0 (disconnected)
[65986] ugen0.2: <Yubico YubiKey OTP+FIDO+CCID> at usbus0
[65986] ukbd0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.24, addr 4> on usbus0
[65986] uhid0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.24, addr 4> on usbus0

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -O device -w /dev/uhid0 -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
Option "device" is unsupported for FIDO authenticator enrollment

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -w /dev/uhid0 -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/dev/uhid0" dlopen failed: /dev/uhid0: invalid file format
Key enrollment failed: invalid format

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -w /dev/ugen0.2 -f /root/.ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/dev/ugen0.2" dlopen failed: /dev/ugen0.2: invalid file format
Key enrollment failed: invalid format

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -w "0000:0002:01" -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "0000:0002:01" dlopen failed: Shared object "0000:0002:01" not found, required by "ssh-sk-helper"
Key enrollment failed: invalid format

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -w "0000:0002:00" -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "0000:0002:00" dlopen failed: Shared object "0000:0002:00" not found, required by "ssh-sk-helper"
Key enrollment failed: invalid format

root@builder:~ # /usr/local/bin/ssh-keygen -t ed25519-sk -w /dev/fido -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/dev/fido" dlopen failed: /dev/fido: invalid file format
Key enrollment failed: invalid format

I have tried a few different ways for the FIDO2 provider but none of them is working... I am running
FreeBSD 12.1-RELEASE-p10 GENERIC amd64. Any idea on how to make it work?

Thanks
 
Hi,

I didn't take the time to test on 12.1 p10/11.
I just upgraded to 12.2 yesterday evening, and was able to use a YubiKey U2F/FIDO (the blue one) without forcing the device (-w parameter), but with all the same parameters you had besides that.

To be specific, I also have the same packages, and run that on a X1 Carbon Gen6.

I'll try a Somu from SoloKeys (open hardware, if I'm not mistaken) as soon as I have flashed its firmware, and get some feedback here.

Will / PorCus

Edit: Sorry for the grave-digging of the topic; hope it's not too far in the past.
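
Every failing invocation in the first post puts a device node or a libfido2 device string into -w, and the reply reports success when -w is left out. As an added example that is not from either poster, the POSIX sh helper below builds the ssh-keygen enrollment command so that -w only ever receives a provider library (or "internal" for the built-in USB HID/libfido2 support) and the token node goes into -O device=, rejecting up front the argument shapes that ssh-keygen would otherwise report only as "dlopen failed ... invalid file format". It assumes ssh-keygen from OpenSSH 8.2 as described in its man page (-w provider, -O device=path) and a package built with the built-in security-key support; the function names, the use of /dev/null as a stand-in device node in the demo, and the sample public-key lines are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ssh-keygen FIDO
# enrollment command line with the provider and the device in the right
# options:
#   -w PROVIDER     a security-key middleware library, or "internal" for
#                   the built-in USB HID / libfido2 support
#   -O device=PATH  the fido(4)/uhid(4) node to enrol on
# Assumption: ssh-keygen(1) from OpenSSH 8.2 per its man page.

# sk_keygen_cmd PROVIDER DEVICE KEYFILE
# Prints the command to run, or returns 1 with a message for the argument
# shapes that ssh-keygen itself only reports as "dlopen failed".
sk_keygen_cmd() {
    provider=$1
    device=$2
    keyfile=$3
    # A character device in -w is the /dev/uhid0 mistake: -w is dlopen()ed.
    if [ -c "$provider" ]; then
        echo "error: -w takes a provider library, not the device node $provider;" \
             "select the token with -O device=$provider instead" >&2
        return 1
    fi
    # Anything else must be "internal" or an existing shared object.
    if [ "$provider" != internal ] && [ ! -f "$provider" ]; then
        echo "error: provider library $provider not found (dlopen would fail)" >&2
        return 1
    fi
    case $device in
        '')     devopt='' ;;
        /dev/*) devopt=" -O device=$device" ;;
        *)      echo "error: -O device= takes a /dev node, not '$device'" >&2
                return 1 ;;
    esac
    printf '%s\n' "ssh-keygen -t ed25519-sk -w $provider$devopt -f $keyfile"
}

# sk_pubkey_type LINE -> key type field of a .pub / authorized_keys line
sk_pubkey_type() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# sk_pubkey_is_fido LINE -> 0 when the line carries a FIDO (-sk) key type,
# i.e. the enrollment really produced an authenticator-hosted key.
sk_pubkey_is_fido() {
    case $(sk_pubkey_type "$1") in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo. /dev/null stands in for /dev/uhid0 so this runs on any system:
sk_keygen_cmd /dev/null '' /root/.ssh/id_ed25519_sk || :   # rejected, as the thread's -w /dev/uhid0 would be
sk_keygen_cmd internal /dev/uhid0 /root/.ssh/id_ed25519_sk  # corrected form
# After enrolment, confirm the .pub is an -sk key (constructed sample line):
sk_pubkey_is_fido 'sk-ssh-ed25519@openssh.com AAAAIn/example user@builder' && echo "sample is a FIDO key"
```

Run the printed command as the user who owns the key (touch the token when prompted); with the devfs rules from the first post, that user needs to be in group operator so the uhid node is writable. Leaving -w out entirely, as the reply does, selects the default provider and is equivalent to -w internal on a build with the built-in libfido2 support.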
 