https://bugzilla.mindrot.org/show_bug.cgi?id=3761

            Bug ID: 3761
           Summary: ssh-keygen fails for security keys without attestation
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: [email protected]
          Reporter: [email protected]

Hi,

ssh-keygen fails for security key key types (ecdsa-sk and the like) if
they do not support attestation. A notable example is the current
Windows 11 Windows Hello security key.

This results in the following bugs:
* https://github.com/PowerShell/Win32-OpenSSH/issues/2040
* https://github.com/PowerShell/Win32-OpenSSH/issues/2279

It used to work, so probably Windows Hello removed attestation in
preparation for passkey support:
https://svrooij.io/2024/01/01/secure-ssh-windows-hello/

According to https://github.com/Yubico/libfido2/issues/840,
fido_cred_verify_self should not be called for "none" type attestation,
so this has to be fixed in OpenSSH.

Please find a patch here
https://github.com/openssh/openssh-portable/pull/542/files that works
for me.

Regards,
M. Braun
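
The attestation-format distinction the report relies on, as an added example that is not part of the original report and is not OpenSSH or libfido2 code: it decodes a CTAP2 authenticatorMakeCredential response and reports which verification applies. The function names, return labels and sample bytes are constructed for illustration; the comments name the libfido2 call that corresponds to each case.

```python
# Added example: choose the attestation check for a CTAP2 makeCredential response.

def _head(buf, i):
    """Decode one CBOR head: (major type, argument, next offset)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info < 24:
        return major, info, i + 1
    if info > 27:
        raise ValueError("indefinite or reserved length not handled")
    n = 1 << (info - 24)  # 1, 2, 4 or 8 argument bytes follow
    return major, int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def decode(buf, i=0):
    """Minimal CBOR decoder: ints, byte/text strings, arrays, maps."""
    major, arg, i = _head(buf, i)
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):
        raw = bytes(buf[i:i + arg])
        if len(raw) != arg:
            raise ValueError("truncated string")
        return (raw if major == 2 else raw.decode()), i + arg
    if major in (4, 5):
        items = []
        for _ in range(arg * (major - 3)):  # a map holds 2 items per pair
            item, i = decode(buf, i)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    raise ValueError("unsupported CBOR major type %d" % major)

def attestation_check(response):
    """Return which verification applies: 'skip', 'x5c' or 'self'."""
    obj, _ = decode(response)
    fmt, stmt = obj[1], obj[3]  # CTAP2 keys: 1=fmt, 2=authData, 3=attStmt
    if fmt == "none":
        if stmt:
            raise ValueError('"none" attestation with non-empty attStmt')
        return "skip"  # nothing is signed, so there is nothing to verify
    if "x5c" in stmt:
        return "x5c"   # certificate chain present: fido_cred_verify
    if "sig" in stmt:
        return "self"  # signed by the credential key: fido_cred_verify_self
    raise ValueError("attestation statement carries no signature")

# Constructed sample responses (authData is a 37-byte zero placeholder).
AUTH = b"\x02\x58\x25" + bytes(37)
NONE = b"\xa3\x01\x64none" + AUTH + b"\x03\xa0"
SELF = b"\xa3\x01\x66packed" + AUTH + b"\x03\xa2\x63alg\x26\x63sig\x42\x00\x00"
FULL = (b"\xa3\x01\x66packed" + AUTH
        + b"\x03\xa3\x63alg\x26\x63sig\x42\x00\x00\x63x5c\x81\x41\x00")
```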
