FIDO_ERR_RX with openssh 8.3 and Yubikey 5Ci #190
Comments
Hi,
Thank you for the bug report. Could you capture the output of
FIDO_DEBUG=1 with examples/cred?
…-p.
Attached output for
Thank you. examples/cred seems to work as expected (assuming you have
configured a PIN). Is the problem reproducible? If so, can you try to
get FIDO_DEBUG=1 output from ssh-keygen?
…-p.
Yes, sadly this is reproducible every time and
My bad; I thought 'FIDO_DEBUG=1 ssh-keygen' would work with OpenSSH 8.3,
but now I see that the call to fido_init() was added after 8.3 was
tagged. We have two options:
a) build OpenSSH from HEAD (it is less work than it sounds) and run
'FIDO_DEBUG=1 ssh-keygen';
b) build libfido2 with debugging enabled by default, and use
LD_LIBRARY_PATH to load our modified libfido2 instead of
/usr/lib64/libfido2.so.1, with ssh as-is.
…-p.
Hah! I just built openssh-portable.git and got:
Thanks :) Are you using a HID backend different than hid_linux.c? Do you
have more than one security key attached to your machine?
If the answer is 'no' to both questions, I am afraid we will need to
instrument hid_linux.c's fido_hid_read() to see what it is doing. From a
glance, I don't see how it can return 8 when passed a length of 64.
…-p.
Now we are getting somewhere: if I compile with
I would expect hidapi to do a read(2) on /dev/hidrawX just like
hid_linux.c. Does strace reveal anything?
…-p.
strace shows
Ok, the problem is elsewhere: hidapi opens
Looking at dmesg, hidraw5 is the keyboard interface:
It looks like
https://github.com/Yubico/libfido2/blob/master/src/hid_hidapi.c#L162 is
missing '|| defined(__linux__)'.
…-p.
That doesn't help because usage_page is 0x4800 for both devices.
I think https://github.com/Yubico/libfido2/blob/master/src/hid_linux.c#L260 eliminates the input interface.
IIRC (it has been a while since I wrote the code), what eliminates the
input interface in hid_linux.c is is_fido(). Since hidapi doesn't set
usage_page on Linux (as you correctly pointed out), we would need
similar code in hid_hidapi.c.
…-p.
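An added example, written for this thread and not code from libfido2 or from any comment above, of the kind of report-descriptor filter the previous comment refers to. It parses a HID report descriptor item by item and accepts an interface only if it declares the FIDO usage page 0xF1D0 together with the CTAPHID usage 0x01, which is the job the thread says is_fido() does in hid_linux.c and which hidapi's usage_page field cannot do on Linux because it stays unset there. The two descriptors are constructed samples, not captures from a YubiKey, and the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FIDO Alliance HID usage page and the CTAPHID usage inside it (CTAP spec). */
#define FIDO_USAGE_PAGE    0xF1D0u
#define FIDO_USAGE_CTAPHID 0x01u

/*
 * Walk a HID report descriptor and return true only if it declares
 * Usage Page 0xF1D0 followed by Usage 0x01. A key that exposes both a
 * keyboard and a FIDO HID interface answers a 64-byte read on the keyboard
 * one with a short keyboard report (the "returns 8 when passed 64" symptom),
 * so the interface has to be picked by descriptor, not by /dev/hidrawX order.
 * Illustrative code modelled on the thread's description, not libfido2's.
 */
bool is_fido_report_descriptor(const uint8_t *desc, size_t len)
{
    static const size_t short_sizes[4] = { 0, 1, 2, 4 };
    uint32_t usage_page = 0;
    size_t i = 0;

    while (i < len) {
        uint8_t prefix = desc[i++];
        size_t size;

        if (prefix == 0xFE) {                 /* long item: size, tag, data */
            if (i + 2 > len)
                return false;                 /* truncated descriptor */
            size = desc[i];
            i += 2;
            if (i + size > len)
                return false;
            i += size;                        /* long items carry no usage info */
            continue;
        }

        /* Short item: bSize bits 0-1, bType bits 2-3, bTag bits 4-7. */
        size = short_sizes[prefix & 0x03];
        uint8_t type = (prefix >> 2) & 0x03;  /* 0 main, 1 global, 2 local */
        uint8_t tag = (prefix >> 4) & 0x0F;
        if (i + size > len)
            return false;                     /* truncated descriptor */

        uint32_t value = 0;
        for (size_t k = 0; k < size; k++)
            value |= (uint32_t)desc[i + k] << (8 * k);  /* little-endian */
        i += size;

        if (type == 1 && tag == 0)            /* global item: Usage Page */
            usage_page = value;
        else if (type == 2 && tag == 0 &&     /* local item: Usage */
                 usage_page == FIDO_USAGE_PAGE && value == FIDO_USAGE_CTAPHID)
            return true;
    }
    return false;
}

/* Constructed sample descriptors (not captured from a real device). */
static const uint8_t fido_desc[] = {
    0x06, 0xD0, 0xF1,       /* Usage Page (FIDO 0xF1D0) */
    0x09, 0x01,             /* Usage (CTAPHID) */
    0xA1, 0x01,             /* Collection (Application) */
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40,
    0x81, 0x02,             /*   Input: 64 bytes */
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40,
    0x91, 0x02,             /*   Output: 64 bytes */
    0xC0                    /* End Collection */
};

static const uint8_t keyboard_desc[] = {
    0x05, 0x01,             /* Usage Page (Generic Desktop) */
    0x09, 0x06,             /* Usage (Keyboard) */
    0xA1, 0x01,             /* Collection (Application) */
    0x05, 0x07, 0x19, 0xE0, 0x29, 0xE7, 0x15, 0x00, 0x25, 0x01,
    0x75, 0x01, 0x95, 0x08, /*   8 modifier bits */
    0x81, 0x02,             /*   Input */
    0xC0                    /* End Collection */
};

bool sample_fido_interface(void)
{
    return is_fido_report_descriptor(fido_desc, sizeof fido_desc);
}

bool sample_keyboard_interface(void)
{
    return is_fido_report_descriptor(keyboard_desc, sizeof keyboard_desc);
}

/* A descriptor cut off inside a multi-byte item must be rejected, not matched. */
bool sample_truncated_interface(void)
{
    return is_fido_report_descriptor(fido_desc, 2);
}

int main(void)
{
    printf("fido interface:     %s\n", sample_fido_interface() ? "FIDO" : "not FIDO");
    printf("keyboard interface: %s\n", sample_keyboard_interface() ? "FIDO" : "not FIDO");
    printf("truncated:          %s\n", sample_truncated_interface() ? "FIDO" : "not FIDO");
    return 0;
}
```

On a real Linux system the descriptor bytes would come from the hidraw node (the HIDIOCGRDESC ioctl) before the device is opened for CTAPHID traffic; the parser above is deliberately strict about truncated input so a malformed descriptor is rejected rather than partially matched.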
That sounds like the right fix. For now, I disabled hidapi usage for openSUSE Linux and asked someone to test (for them it worked with hidapi too).
Tentative fix developed in https://github.com/Yubico/libfido2/tree/hidapi_linux. I am planning to test it over the weekend, if I find the time.
Tested on Ubuntu 20.04; macOS and Windows pending.
I promise I read all the other bug reports :-)
First, the key info:
and trying to create an ecdsa-sk key:
This happens with both libfido 1.4.0 and the latest git checkout. I set a breakpoint on fido_dev_open and it fails at https://github.com/Yubico/libfido2/blob/master/src/io.c#L157
So,
n != d->rx_len
and the function returns -1.