support SSH2_AGENTC_ADD_ID_CONSTRAINED #612
…ADD_IDENTITY

This ignores the requested constraints:
- SSH_AGENT_CONSTRAIN_LIFETIME
- SSH_AGENT_CONSTRAIN_CONFIRM
- SSH_AGENT_CONSTRAIN_MAXSIGN
- SSH_AGENT_CONSTRAIN_EXTENSION

SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC

ref PowerShell/Win32-OpenSSH#1961
sshbuf_peek_string_direct doesn't update request offset pointer
returns SSH_AGENT_FAILURE on unsupported constraint types, such as:
* SSH_AGENT_CONSTRAIN_LIFETIME
* SSH_AGENT_CONSTRAIN_CONFIRM
* SSH_AGENT_CONSTRAIN_MAXSIGN

returns SSH_AGENT_FAILURE on unsupported constraint extensions, such as:
* "restrict-destination-v00@openssh.com"

accepts and ignores constraint extension "sk-provider@openssh.com"
See PowerShell/Win32-OpenSSH#1915 (comment)
Would love to see this working. I'm trying to use an ed_25519-sk key from a yubikey, but need to ssh-add it to the agent, which fails. With the recent cloudflare discount for yubikeys I imagine this will soon become a hot topic.
Any chance to merge this fix into the coming release?
@ddrown apologies for the delay in reviewing this. Based on https://github.com/openssh/openssh-portable/blob/master/ssh-agent.c#L1274, would ignoring the constraint extension "sk-provider@openssh.com" deviate from upstream behavior without informing the user? I think this could cause confusion, if I am understanding the flow correctly.
As far as I can tell, openssh ssh-agent doesn't actually do anything with this constraint currently, aside from rejecting constraints that it doesn't know about. I believe this patch matches the current unix ssh-agent behavior.
The agent code diverges from upstream, but it looks like both use the provider for signing. It seems as though we will always set the provider to "internal": https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/win32compat/ssh-agent/keyagent-request.c#L347

So, in a sense, I agree that it's ok to not store the sk_provider, but I have a few more questions:

I would like to confirm whether there needs to be an additional check in the agent to confirm that the sk_provider is "internal", a debug message that the internal provider will be used for signing regardless, or whether it ultimately will not matter to the user. @anmenaga is more familiar with this code; would like to get his input!
Ah ok, looking at that code again, it calls sshkey_sign and passes id->sk_provider, which passes it on to either sshsk_sign (which is what should happen for the keys relevant to this PR) or impl->funcs->sign. sshsk_sign renames it to provider_path and passes that to sshsk_open. If provider_path is not "internal", it tries to open the file as a library, and then tries to get the sk_sign identifier from that library. sk_sign is then called to sign the message.
agreed
Fedora ssh-add sends internal by default unless you've passed in something else via the -S flag or used the SSH_SK_PROVIDER environment variable: strace output:
KeePassXC is similar: https://github.com/keepassxreboot/keepassxc/blob/ba1bbd3b52a4260bddd6c501d0447d98d8c5ec4d/src/sshagent/SSHAgent.cpp#L131
I assume most cases are covered by using the internal signature system. That's at least true for the U2F/Fido/WebAuthN keys
A debug message would be handy for when someone is trying to do something that won't work.
I'd recommend adding that debug message like @tgauth described.
After changing it to reject non-internal sk_providers and logging a debug message: testing "internal" still works:
testing "something-other-than-internal" fails:
And the debug logs:
LGTM - thanks @ddrown!
PR Summary
support SSH2_AGENTC_ADD_ID_CONSTRAINED by treating it as SSH2_AGENTC_ADD_IDENTITY
PR Context
SSH2_AGENTC_ADD_ID_CONSTRAINED is needed to support adding U2F/Fido2 ssh keys to the agent from WSL ssh-add and KeePassXC
ref PowerShell/Win32-OpenSSH#1961
this returns SSH_AGENT_FAILURE on unsupported constraint types, such as:
and also returns SSH_AGENT_FAILURE on unsupported constraint extensions, such as:
"restrict-destination-v00@openssh.com"
it accepts and ignores the constraint extension "sk-provider@openssh.com"
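To make the constraint policy discussed in this PR (the summary above, and the "internal" versus "something-other-than-internal" tests ddrown reported earlier in the thread) concrete, here is an added, stand-alone C example. It is not code from this PR or from openssh-portable: the numeric constraint and reply codes are the ones the ssh-agent protocol defines in OpenSSH's authfd.h, but the `cursor`/`get_*` helpers are a minimal stand-in for sshbuf (note that every `get_*` advances the offset, which is the difference from the `sshbuf_peek_string_direct` issue one of the commits fixes), and `check_constraints`, `verdict_extension` and `verdict_lifetime` are names chosen here. The constraint bytes are constructed in the block rather than captured from ssh-add or KeePassXC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constraint type codes and reply codes from the ssh-agent protocol (authfd.h). */
#define SSH_AGENT_CONSTRAIN_LIFETIME   1
#define SSH_AGENT_CONSTRAIN_CONFIRM    2
#define SSH_AGENT_CONSTRAIN_MAXSIGN    3
#define SSH_AGENT_CONSTRAIN_EXTENSION  255
#define SSH_AGENT_FAILURE 5
#define SSH_AGENT_SUCCESS 6

/* Cursor over the constraint bytes that follow the key blob and comment in an
 * SSH2_AGENTC_ADD_ID_CONSTRAINED request. Every get_* call advances off; a peek
 * that did not would leave the next constraint unparsed. (Stand-in for sshbuf.) */
struct cursor { const uint8_t *buf; size_t len; size_t off; };

static int get_u8(struct cursor *c, uint8_t *v)
{
	if (c->len - c->off < 1) return -1;
	*v = c->buf[c->off++];
	return 0;
}

static int get_u32(struct cursor *c, uint32_t *v)
{
	if (c->len - c->off < 4) return -1;
	*v = ((uint32_t)c->buf[c->off] << 24) | ((uint32_t)c->buf[c->off + 1] << 16) |
	    ((uint32_t)c->buf[c->off + 2] << 8) | (uint32_t)c->buf[c->off + 3];
	c->off += 4;
	return 0;
}

/* SSH "string": uint32 length followed by that many bytes (returned in place). */
static int get_string(struct cursor *c, const uint8_t **p, size_t *n)
{
	uint32_t l;
	if (get_u32(c, &l) != 0 || c->len - c->off < l) return -1;
	*p = c->buf + c->off; *n = l; c->off += l;
	return 0;
}

static int str_eq(const uint8_t *p, size_t n, const char *lit)
{
	return n == strlen(lit) && memcmp(p, lit, n) == 0;
}

/* Reply code for a constraint block, following the policy the PR describes:
 * LIFETIME, CONFIRM and MAXSIGN are unsupported and fail the request; the
 * sk-provider@openssh.com extension is accepted only for "internal" (the only
 * provider this agent signs with) and otherwise rejected with a debug line;
 * any other extension (e.g. restrict-destination-v00@openssh.com) fails. */
int check_constraints(const uint8_t *buf, size_t len)
{
	struct cursor c = { buf, len, 0 };
	uint8_t type; uint32_t arg;
	const uint8_t *name, *prov; size_t namelen, provlen;

	while (c.off < c.len) {
		if (get_u8(&c, &type) != 0) return SSH_AGENT_FAILURE;
		switch (type) {
		case SSH_AGENT_CONSTRAIN_LIFETIME:
		case SSH_AGENT_CONSTRAIN_MAXSIGN:
			(void)get_u32(&c, &arg);   /* uint32 argument; unsupported either way */
			return SSH_AGENT_FAILURE;
		case SSH_AGENT_CONSTRAIN_CONFIRM:
			return SSH_AGENT_FAILURE;
		case SSH_AGENT_CONSTRAIN_EXTENSION:
			if (get_string(&c, &name, &namelen) != 0) return SSH_AGENT_FAILURE;
			if (!str_eq(name, namelen, "sk-provider@openssh.com")) return SSH_AGENT_FAILURE;
			if (get_string(&c, &prov, &provlen) != 0) return SSH_AGENT_FAILURE;
			if (!str_eq(prov, provlen, "internal")) {
				fprintf(stderr, "debug: sk_provider \"%.*s\" not supported, only \"internal\"\n",
				    (int)provlen, (const char *)prov);
				return SSH_AGENT_FAILURE;
			}
			break;   /* accepted and ignored: signing uses the internal provider anyway */
		default:
			return SSH_AGENT_FAILURE;
		}
	}
	return SSH_AGENT_SUCCESS;
}

/* --- constructed sample constraint blocks (not captured from a real client) --- */
static size_t put_u32(uint8_t *o, uint32_t v)
{
	o[0] = (uint8_t)(v >> 24); o[1] = (uint8_t)(v >> 16); o[2] = (uint8_t)(v >> 8); o[3] = (uint8_t)v;
	return 4;
}

static size_t put_string(uint8_t *o, const char *s)
{
	size_t n = strlen(s);
	put_u32(o, (uint32_t)n); memcpy(o + 4, s, n);
	return 4 + n;
}

/* One extension constraint: name plus a single string argument. */
int verdict_extension(const char *name, const char *arg)
{
	uint8_t req[160]; size_t n = 0;
	if (strlen(name) + strlen(arg) > 120) return SSH_AGENT_FAILURE;
	req[n++] = SSH_AGENT_CONSTRAIN_EXTENSION;
	n += put_string(req + n, name);
	n += put_string(req + n, arg);
	return check_constraints(req, n);
}

/* A lifetime constraint, as "ssh-add -t <seconds>" would send. */
int verdict_lifetime(uint32_t seconds)
{
	uint8_t req[8]; size_t n = 0;
	req[n++] = SSH_AGENT_CONSTRAIN_LIFETIME;
	n += put_u32(req + n, seconds);
	return check_constraints(req, n);
}

int main(void)
{
	printf("sk-provider internal: %d\n", verdict_extension("sk-provider@openssh.com", "internal"));
	printf("sk-provider other:    %d\n", verdict_extension("sk-provider@openssh.com", "something-other-than-internal"));
	printf("restrict-destination: %d\n", verdict_extension("restrict-destination-v00@openssh.com", ""));
	printf("lifetime 600s:        %d\n", verdict_lifetime(600));
	return 0;
}
```

Running it prints 6 (SSH_AGENT_SUCCESS) for the internal provider and 5 (SSH_AGENT_FAILURE) for the other three cases, with the debug line on stderr for the non-internal provider. The rejection is deliberate rather than a silent ignore: a client that asked for a library provider would otherwise get signatures from the internal provider without any indication of the substitution.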