automatically apply correct message authentication code (MAC) for FIDO #2195

Closed
3 tasks done
robinschwab opened this issue Jan 18, 2024 · 1 comment


robinschwab commented Jan 18, 2024

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

On a Linux machine you are supposed to log in with ssh user@host once you have set up your FIDO device with ssh-keygen -t ed25519-sk -O resident and put the public key into authorized_keys on the server.

However, on Windows machines you will get an error Corrupted MAC on input. You must use ssh -m hmac-sha2-512 user@server.com to log in.

Once you know this, it is pretty trivial. But it took me hours to find out. It would be so much more user-friendly if Windows OpenSSH had automatic discovery of the message authentication code.

Expected behavior

PS C:\> ssh user@server.com -v
[…]
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
! debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-512 compression: none
! debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-512 compression: none
[…]
Confirm user presence for key ED25519-SK SHA256:abcdefghijklmnop
User presence confirmed
Last login: Thu Jan 18 08:25:20 2024 from 2a00:…

Actual behavior

PS C:\> ssh user@server.com -v
[…]
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
! debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
! debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
[…]
Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to 2a00:… port 22: message authentication code incorrect

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

Visuals

No response
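
As an added example (not part of the original issue and not the project's code), this Python script reads `ssh -v` output, reports the MAC negotiated in each direction and, when the log contains the MAC error quoted above, returns the `ssh -m hmac-sha2-512` retry the reporter used. The sample log is constructed from the transcripts above; the function names and the `2001:db8::1` documentation address are assumptions.

```python
import re

# Constructed sample, modelled on the "Actual behavior" transcript in the issue.
FAILING_LOG = """\
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to 2001:db8::1 port 22: message authentication code incorrect
"""

# One "kex:" debug line per direction carries the negotiated cipher and MAC.
KEX_LINE = re.compile(
    r"debug1: kex: (server->client|client->server) "
    r"cipher: (\S+) MAC: (\S+) compression: (\S+)"
)

# Error strings exactly as they appear in the issue.
MAC_FAILURES = ("Corrupted MAC on input", "message authentication code incorrect")


def negotiated(log):
    """Return {direction: {"cipher": ..., "mac": ...}} parsed from ssh -v output."""
    result = {}
    for line in log.splitlines():
        m = KEX_LINE.search(line)  # search() tolerates prefixes such as "! "
        if m:
            direction, cipher, mac, _compression = m.groups()
            result[direction] = {"cipher": cipher, "mac": mac}
    return result


def triage(log, host="user@server.com", working_mac="hmac-sha2-512"):
    """Summarise the negotiation; on a MAC failure, name the retry from the issue."""
    macs = sorted({d["mac"] for d in negotiated(log).values()})
    failed = any(marker in log for marker in MAC_FAILURES)
    # Suggest the retry only if the failing session did not already use that MAC.
    retry = f"ssh -m {working_mac} {host}" if failed and working_mac not in macs else None
    return {"macs": macs, "mac_failure": failed, "retry": retry}


if __name__ == "__main__":
    print(triage(FAILING_LOG))
```
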


jansohn commented Jan 18, 2024

Duplicate #2078
