On 2019-11-14, Damien Miller <djm@xxxxxxxxxxx> wrote: > Please give this a try - security key support is a substantial change and > it really needs testing ahead of the next release. Hi Damien, Thanks for working on security key support, this is a really nice feature to have in openssh. My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest changes to openssh and libfido2, failing with `try_device: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if this is a problem in libfido2 or sk-usbhid.c (I also reported this issue at https://github.com/Yubico/libfido2/issues/73). Is try_device incompatible with U2F keys? It seems to me to be trying to detect the presence of a key handle using an assert with up=0, but that causes the U2F codepath in libfido2 to return an error FIDO_ERR_USER_PRESENCE_REQUIRED. I believe that since try_device is only trying to find the device with the key, FIDO_ERR_USER_PRESENCE_REQUIRED should be ignored here, since that seems to indicate that the key lookup succeeded, but authentication was not attempted. I attached a diff that makes this change and it seems to fix my issue.
diff --git a/sk-usbhid.c b/sk-usbhid.c index c0a6bd0d..00c07685 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -204,7 +204,7 @@ try_device(fido_dev_t *dev, const uint8_t *message, size_t message_len, out: fido_assert_free(&assert); - return r != FIDO_OK ? -1 : 0; + return r != FIDO_OK && r != FIDO_ERR_USER_PRESENCE_REQUIRED ? -1 : 0; } /* Iterate over configured devices looking for a specific key handle */
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
