macOS bundled OpenSSH 8.6p1 seems don't support FIDO keys

Question

Created Jan ’22

Replies 13

Boosts 19

Views 6.4k

Participants 12

Since 8.2p1 OpenSSH support for FIDO/U2F hardware authenticators, add "ed25519-sk" and "ecdsa-sk" key type. macOS Monterey 12.2 bundled OpenSSH (version: 8.6p1) doesn't include built-in security keys support, but it seems that user can specify middle ware library to use FIDO authenticator-hosted keys (see man ssh-add, man ssh_config and man ssh-agent).

I try to implement FIDO security key provider library, but bundled ssh-agent seems don't try to load the implemented library and simply return with "unknown or unsupported key type":

$ ssh-agent -d -P "/*"
SSH_AUTH_SOCK=SOME_VALUE; export SSH_AUTH_SOCK;
echo Agent pid SOME_VALUE;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:KEY_HASH 
process_sign_request2: sshkey_sign: unknown or unsupported key type
User presence confirmed

Manually install OpenSSH from third-party (such as MacPorts/Homebrew, or simply build it from source code) works, but third-party OpenSSH can't read passwords stored in Keychain.

Is bundled OpenSSH disable hardware key support at build time? Advice most appreciated. Thank you!

Boost

Answer 1

zethos OP

Jan ’22

I don't have an answer, but I'm also interested in this. I want to use my Yubikey with SSH and not have to install a 3rd party copy of openssh

1

Answer 2

foo_____ OP

Jan ’22

Thanks for posting. I was scratching to my head as to why ssh with FIDO keys wasn't working with macOS Monterey 12.2 which ships with OpenSSH_8.6p1 (as you say, FIDO support has been present since openssh 8.2). Is Apple rolling their own implementation of OpenSSH?

Back to installing OpenSSH with homebrew....

1

Answer 3

Zerocool OP

Mar ’22

This is also being tracked here

0

Answer 4

litewhatever OP

Mar ’22

Hitting this issue as well.

0

Answer 5

cjl7 OP

Apr ’22

Bump

0

Answer 6

dm3ch OP

Apr ’22

Just created an PR with the removal of --disable-security-key compile option. https://github.com/apple-oss-distributions/OpenSSH/pull/1

Maybe Apple employees will see PR faster than this thread, but the repo is just a mirror so it's a low probability.

1

Answer 7

Ighor OP

Oct ’22

Any news in that direction?

0

Answer 8

jschlyter OP

Oct ’22

macOS Ventura released and no sign of FIDO support in the bundled OpenSSH 9.0p1 :-( Given Apples support for PassKey and other FIDO technologies, this may be perceived as quite strange and inconsistent.

0

Answer 9

DTS Engineer OP

Apple

Oct ’22

this may be perceived as quite strange and inconsistent.

Keep in mind that DevForums is not the right place for such feedback.

Has anyone filed a bug to officially request this support? If not, I recommend that you do so.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 10

HsinyuanX OP

Oct ’22

I flied a bug in 2022/Jan/3 (FB9830898) and discussion in github.com:Yubico/libfido2/issue/464 is FB9888059

1

Answer 11

mitoca OP

Oct ’22

I also filed a bug report with Feedback assistant on May 26, 2022 under FB10028556.

1

Answer 12

DTS Engineer OP

Apple

Oct ’22

Thanks for the bug numbers.

I took a look and there’s really not much I can say here. There’s a significant interest in this, both externally and internally at Apple, but it’s not been implemented yet. As to when that’ll change, I can’t comment on The Future™.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 13

bobshand OP

Oct ’23

There looks to be some movement on this - see the comments in https://github.com/Yubico/libfido2/issues/464#issuecomment-1577748167

The long and short of it; is that it looks like SSH now supports this, but you have to provide your own SSH_SK_PROVIDER by compiling libfido2 as detailed in the comments and this gist https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a - I haven't verified this myself yet...

0