Key enrollment failed: invalid format

[hackdefendr]

Ubuntu 18.04
OpenSSH 8.2p1
libfido2 commit 5efee15

$ ssh-keygen -vvvv -t ecdsa-sk -w /usr/lib/x86_64-linux-gnu/libsk-libfido2.so
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=19109
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "/usr/lib/x86_64-linux-gnu/libsk-libfido2.so", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider /usr/lib/x86_64-linux-gnu/libsk-libfido2.so implements version 0x00020000
Provider "/usr/lib/x86_64-linux-gnu/libsk-libfido2.so" implements unsupported version 0x00020000 (supported: 0x00040000)
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=19109
Key enrollment failed: invalid format

The above happens fast. No time to push the button my key.

[hackdefendr]

This is how DMESG shows my Yubico Key...

[87320.342654] usb 1-1.2: new full-speed USB device number 3 using ehci-pci
[87320.453197] usb 1-1.2: New USB device found, idVendor=1050, idProduct=0407
[87320.453199] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[87320.453200] usb 1-1.2: Product: Yubikey 4 OTP+U2F+CCID
[87320.453201] usb 1-1.2: Manufacturer: Yubico
[87320.454397] input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0407.0004/input/input12
[87320.510918] hid-generic 0003:1050:0407.0004: input,hidraw3: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:1a.0-1.2/input0
[87320.511622] hid-generic 0003:1050:0407.0005: hiddev0,hidraw4: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:1a.0-1.2/input1

[martelletto]

Hi,

The middleware shipped with libfido2 1.3.0 is not compatible with OpenSSH 8.2. Please use the middleware included in OpenSSH 8.2 instead: https://www.openssh.com/txt/release-8.2

-p.

[hackdefendr]

I really wish you wouldn't close this so quickly and allow for some discussion. According to the release notes for SSH 8.2, your libfido2 still needs to be installed.

If the internal middleware is enabled then it is automatically used by default. This internal middleware requires that libfido2 (https://github.com/Yubico/libfido2) and its dependencies be installed. We recommend that packagers of portable OpenSSH enable the built-in middleware, as it provides the lowest-friction experience for users.

[martelletto]

Hi,

No worries; I don't mean to end the discussion - please feel free to reach out, always. Your understanding is correct; libfido2 is still needed. The middleware, however, lives with OpenSSH itself, and is no longer part of libfido2:

OpenSSH includes a middleware ("SecurityKeyProvider=internal") with
support for USB tokens. It is automatically enabled in OpenBSD and may
be enabled in portable OpenSSH via the configure flag
--with-security-key-builtin.

[hackdefendr]

OK so I did build OpenSSH correctly with the --with-security-key-builtin configure switch :)

I probably need to open an issue with OpenSSH github now. Not sure if Yubikey 4 is supported or not.

$ ssh-keygen -vvvv -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=11912
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: pick_first_device: fido_dev_info_manifest bad len 0
debug1: ssh_sk_enroll: pick_first_device failed
debug1: sshsk_enroll: provider "internal" returned failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -60
debug3: reap_helper: pid=11912
Key enrollment failed: device not found

[martelletto]

Do you have the FIDO/U2F interface enabled on your Yubikey 4? You can check that with 'ykman info'.

[hackdefendr]

Looks like I do have it enabled, but FIDO2 is not.

$ ykman info
Device type: YubiKey 4
Serial number: xxxxxxx
Firmware version: 4.2.8
Enabled USB interfaces: OTP+FIDO+CCID

Applications
OTP             Enabled
FIDO U2F        Enabled
OpenPGP         Enabled
PIV             Enabled
OATH            Enabled
FIDO2           Not available

[martelletto]

Then it should work. When you installed libfido2, did you get the accompanying fido2-token tool? If so, can you run FIDO_DEBUG=1 fido2-token -L?

[hackdefendr]

Looks like it should work. Maybe I need to update my YK firmware?

$ FIDO_DEBUG=1 fido2-token -L
get_report_descriptor: open
get_report_descriptor: open
get_report_descriptor: open
/dev/hidraw4: vendor=0x1050, product=0x0407 (Yubico Yubikey 4 OTP+U2F+CCID)

[martelletto]

Strange; that triggers the same code path as OpenSSH. Does FIDO_DEBUG=1 fido2-token -I /dev/hidraw4 work as well?

[hackdefendr]

Looks like it might

$ FIDO_DEBUG=1 fido2-token -I /dev/hidraw4
fido_tx: d=0x55b1601c2260, cmd=0x06, buf=0x55b1601c2260, count=8
0000: 31 85 0f 61 0a b0 35 b3
fido_rx: d=0x55b1601c2260, cmd=0x06, buf=0x55b1601c2268, count=17, ms=-1
rx_preamble: initiation frame at 0x7ffdca08a960
0000: ff ff ff ff 86 00 11 31 85 0f 61 0a b0 35 b3 00
0016: 03 00 02 02 04 02 08 01 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=17
fido_rx: buf=0x55b1601c2268, len=17
0000: 31 85 0f 61 0a b0 35 b3 00 03 00 02 02 04 02 08
0016: 01
proto: 0x02
major: 0x04
minor: 0x02
build: 0x08
caps: 0x01 (wink, nocbor, msg)

[hackdefendr]

Ya know what? Its working now.

$ ssh-keygen -vvvv -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=16681
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw4
debug3: ssh_sk_enroll: attestation cert len=584
debug1: ssh-sk-helper: reply len 903
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=16681
Enter file in which to save the key (/home/XXXXXX/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/XXXXXX/.ssh/id_ecdsa_sk
Your public key has been saved in /home/XXXXXXX/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The key's randomart image is:
+-[ECDSA-SK 256]--+
|  . . . o ..*=@..|
|   o . o o +.@ *o|
|    . .   . * + =|
|     . .   o = oo|
|    o   S   + E. |
|   . .   o o * . |
|      . . o = = .|
|     . o   o . o |
|      o..        |
+----[SHA256]-----

So many thanks for the assist. Now to figure out how to push this to my bosses for approval.

[martelletto]

Glad to hear! Did you change anything?

[hackdefendr]

Nope, I think I was missing a library and when I installed ykman it pulled in the missing pieces. I'm betting it was libu2f-udev.