macOS bundled OpenSSH 8.6p1 seems not to support FIDO keys
Since 8.2p1, OpenSSH has supported FIDO/U2F hardware authenticators, adding the "ed25519-sk" and "ecdsa-sk" key types. The OpenSSH bundled with macOS Monterey 12.2 (version 8.6p1) doesn't include built-in security key support, but it seems that the user can specify a middleware library to use FIDO authenticator-hosted keys (see man ssh-add, man ssh_config and man ssh-agent). I tried to implement a FIDO security key provider library, but the bundled ssh-agent doesn't seem to try to load the implemented library and simply returns "unknown or unsupported key type":

    $ ssh-agent -d -P "/*"
    SSH_AUTH_SOCK=SOME_VALUE; export SSH_AUTH_SOCK;
    echo Agent pid SOME_VALUE;
    debug1: new_socket: type = SOCKET
    debug2: fd 3 setting O_NONBLOCK
    debug1: new_socket: type = CONNECTION
    debug3: fd 4 is O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 25
    debug2: process_add_identity: entering
    debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
    debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
    debug1: new_socket: type = CONNECTION
    debug3: fd 4 is O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 11
    debug2: process_request_identities: entering
    debug1: process_message: socket 1 (fd=4) type 13
    debug1: process_sign_request2: entering
    Confirm user presence for key ED25519-SK SHA256:KEY_HASH
    process_sign_request2: sshkey_sign: unknown or unsupported key type
    User presence confirmed

Manually installing OpenSSH from a third party (such as MacPorts/Homebrew, or simply building it from source code) works, but third-party OpenSSH can't read passwords stored in Keychain. Is hardware key support disabled at build time in the bundled OpenSSH? Advice most appreciated. Thank you!
Jan ’22
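As an added example (not the poster's code and not part of OpenSSH), here is a small Python triage script for transcripts like the one above: it parses `ssh-agent -d` output, records which sk-* keys were added and with which provider, and classifies the signing failure. The classification rule is an assumption, stated in the code: the error names sshkey_sign and the key type rather than the provider path, which is consistent with the agent rejecting the key type before it ever consults the provider library. The sample transcript is constructed from the post's lines with its placeholders kept.

```python
"""Triage an `ssh-agent -d` transcript for a failed sk-* signing request.

Added example, not code from the post or from OpenSSH. The verdict
"agent-built-without-sk-support" encodes an assumption: in ssh-agent the
sshkey_sign dispatch on key type happens before any sk-provider library is
loaded, so "unknown or unsupported key type" for a key that was added with a
provider points at the agent binary, not at the provider.
"""
import re

# Constructed sample: the transcript from the post, placeholders kept,
# one agent event per line.
SAMPLE_LOG = """\
$ ssh-agent -d -P "/*"
SSH_AUTH_SOCK=SOME_VALUE; export SSH_AUTH_SOCK;
echo Agent pid SOME_VALUE;
debug1: new_socket: type = SOCKET
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:KEY_HASH
process_sign_request2: sshkey_sign: unknown or unsupported key type
User presence confirmed
"""

# Key type names OpenSSH uses for authenticator-hosted (FIDO) keys.
SK_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519-cert-v01@openssh.com",
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
}

# "process_add_identity: add <type> <fingerprint> "<comment>" ... (provider: <path>)"
ADD_RE = re.compile(
    r'process_add_identity: add (?P<ktype>\S+) (?P<fp>SHA256:\S+) "(?P<comment>[^"]*)"'
    r'(?:.*?\(provider: (?P<provider>[^)]+)\))?'
)
# "process_sign_request2: sshkey_sign: <error text>"
SIGN_FAIL_RE = re.compile(r'process_sign_request2: sshkey_sign: (?P<err>.+)$')
UNSUPPORTED = "unknown or unsupported key type"


def parse_agent_log(text):
    """Return (keys, errors): keys maps fingerprint -> (key type, provider or None)."""
    keys, errors = {}, []
    for line in text.splitlines():
        m = ADD_RE.search(line)
        if m:
            keys[m["fp"]] = (m["ktype"], m["provider"])
            continue
        m = SIGN_FAIL_RE.search(line)
        if m:
            errors.append(m["err"].strip())
    return keys, errors


def triage(text):
    """Classify an `ssh-agent -d` transcript; returns a dict with a 'verdict' key."""
    keys, errors = parse_agent_log(text)
    sk_keys = {fp: kp for fp, kp in keys.items() if kp[0] in SK_KEY_TYPES}
    result = {"sk_keys": sk_keys, "sign_errors": errors}
    if not sk_keys:
        result["verdict"] = "no-sk-keys-loaded"
    elif any(provider is None for _, provider in sk_keys.values()):
        # An sk key the agent holds without a provider path cannot be signed with.
        result["verdict"] = "sk-key-without-provider"
    elif not errors:
        result["verdict"] = "ok"
    elif all(err == UNSUPPORTED for err in errors):
        # Assumption (see module docstring): key type rejected before provider load.
        result["verdict"] = "agent-built-without-sk-support"
    else:
        # Key type accepted; the failure came later (provider library or token).
        result["verdict"] = "provider-or-token-error"
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for fp, (ktype, provider) in r["sk_keys"].items():
        print(f"{fp}: {ktype} via {provider}")
    print("verdict:", r["verdict"])
```

Run it against a saved transcript (`python3 triage.py < agent.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to separate "the agent never got as far as the provider" from "the provider loaded but the token or library failed"; the two call for different fixes, and the post's transcript falls in the first bucket.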