Mailing List Archive

u2f / libfido2 version
Hi,

So I finally have time to test the u2f support
but so far I haven't been very successful,
Specifically, current HEAD has
SSH_SK_VERSION_MAJOR 0x00040000
and I can't seem to find a matching libfido2 version,
current HEAD of Yubico/libfido2 is 0x00020000

Is there a more up to date libfido2
or a particular commit of openssh-portable
I should be using?

thanks

Sean
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: u2f / libfido2 version
Sean Liao:

> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000

Those are unrelated. SSH_SK_VERSION_MAJOR is the API version of the
middleware library that communicates with the authenticators; see
PROTOCOL.u2f. Obviously, OpenSSH's internal USB HID support matches
this.

OpenSSH's internal USB HID support happens to be built on top of
libfido2, but that is an independent fact. libfido2 itself is NOT
a middleware library that directly interfaces with OpenSSH.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
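
The version check described in the reply above, as an added example that is not part of the original message or of OpenSSH's code: it loads a provider (middleware) library and compares the major part of what its `sk_api_version()` reports against `SSH_SK_VERSION_MAJOR`. The mask value and the `sk_api_version` symbol name are assumed from OpenSSH's sk-api.h; the `sk_check` enum and both function names are hypothetical.

```c
/* Added example: does a security-key middleware speak the API major
 * version this OpenSSH build expects?  Build: cc skcheck.c (add -ldl on
 * older glibc). */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>

/* Major version as quoted in the thread; the mask is assumed to be the
 * one in OpenSSH's sk-api.h (upper 16 bits carry the major version). */
#define SSH_SK_VERSION_MAJOR      0x00040000u
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000u

enum sk_check { SK_OK = 0, SK_LOAD_FAILED = -1, SK_NO_SYMBOL = -2, SK_MISMATCH = -3 };

/* Only the major part has to match; the low 16 bits may differ. */
static int sk_major_matches(uint32_t provider_version)
{
    return (provider_version & SSH_SK_VERSION_MAJOR_MASK) == SSH_SK_VERSION_MAJOR;
}

/* Load a provider and compare what its sk_api_version() reports.
 * dlopen() runs the library's initialisers, so only point this at a
 * library you would let ssh load anyway. */
static enum sk_check sk_check_provider(const char *path, uint32_t *version_out)
{
    uint32_t (*api_version)(void);
    void *handle;

    *version_out = 0;
    if ((handle = dlopen(path, RTLD_NOW)) == NULL) {
        fprintf(stderr, "%s: %s\n", path, dlerror());
        return SK_LOAD_FAILED;
    }
    *(void **)(&api_version) = dlsym(handle, "sk_api_version");
    if (api_version == NULL) {
        dlclose(handle);
        return SK_NO_SYMBOL;    /* no sk_api_version: not a middleware library */
    }
    *version_out = api_version();
    dlclose(handle);
    return sk_major_matches(*version_out) ? SK_OK : SK_MISMATCH;
}

int main(int argc, char **argv)
{
    uint32_t v;
    if (argc != 2) { fprintf(stderr, "usage: %s provider.so\n", argv[0]); return 2; }
    enum sk_check rc = sk_check_provider(argv[1], &v);
    printf("%s: sk_api_version=0x%08x result=%d\n", argv[1], (unsigned)v, rc);
    return rc == SK_OK ? 0 : 1;
}
```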
Re: u2f / libfido2 version
I have it all working in a container located here:
https://github.com/kfox1111/u2f-sshd

Might be a good starting point.

Thanks,
Kevin

________________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov@mindrot.org> on behalf of Christian Weisgerber <naddy@mips.inka.de>
Sent: Friday, January 10, 2020 3:01 PM
To: Sean Liao
Cc: openssh-unix-dev@mindrot.org
Subject: Re: u2f / libfido2 version

Sean Liao:

> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000

Those are unrelated. SSH_SK_VERSION_MAJOR is the API version of the
middleware library that communicates with the authenticators; see
PROTOCOL.u2f. Obviously, OpenSSH's internal USB HID support matches
this.

OpenSSH's internal USB HID support happens to be built on top of
libfido2, but that is an independent fact. libfido2 itself is NOT
a middleware library that directly interfaces with OpenSSH.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
Re: u2f / libfido2 version
You should use the provider library shipped
with openssh, because we did not update the initial version that’s included
in libfido2

-m


Sean Liao <seankhliao@gmail.com> wrote on Fri, 10 Jan 2020 at 02:14:

> Hi,
>
> So I finally have time to test the u2f support
> but so far I haven't been very successful,
> Specifically, current HEAD has
> SSH_SK_VERSION_MAJOR 0x00040000
> and I can't seem to find a matching libfido2 version,
> current HEAD of Yubico/libfido2 is 0x00020000
>
> Is there a more up to date libfido2
> or a particular commit of openssh-portable
> I should be using?
>
> thanks
>
> Sean
Re: u2f / libfido2 version
Thanks for the hint,
got it working by not setting $SSH_SK_PROVIDER
which I thought was necessary from the initial email

As an aside,
the error message for ed25519-sk not being supported could be more explicit
currently it just exits after "You may need to touch ..."
with debug it's "debug1: client_converse: helper returned error -4"
and the ssh-sk-helper logs:
error: Security key provider "internal" returned failure -1
error: ssh-sk-helper: Enrollment failed: invalid format

thanks,
sean

On Sun, Jan 12, 2020 at 3:22 PM Markus Friedl <mfriedl@gmail.com> wrote:
>
> You should use the provider library shipped
> with openssh, because we did not update the initial version that’s included in libfido2
>
> -m
>
>
> Sean Liao <seankhliao@gmail.com> wrote on Fri, 10 Jan 2020 at 02:14:
>>
>> Hi,
>>
>> So I finally have time to test the u2f support
>> but so far I haven't been very successful,
>> Specifically, current HEAD has
>> SSH_SK_VERSION_MAJOR 0x00040000
>> and I can't seem to find a matching libfido2 version,
>> current HEAD of Yubico/libfido2 is 0x00020000
>>
>> Is there a more up to date libfido2
>> or a particular commit of openssh-portable
>> I should be using?
>>
>> thanks
>>
>> Sean