Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Steps to reproduce
Cannot create ecdsa-sk key with Windows Hello in ssh-keygen.
Fingerprint authentication and PIN fail in the same way, but it worked fine with a YubiKey 5C NFC.
Expected behavior
PS> ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (C:\Users\user/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\user/.ssh/id_ecdsa_sk
Your public key has been saved in C:\Users\user/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:88noPFdjOpQ3iy7+spFw5nsIehFsxstYlMYCs+BCAjo user@localhost
The key's randomart image is:
+-[ECDSA-SK 256]--+
|=.o. . . |
|=. o. = |
|E.. * |
|.. B |
| *.oS . |
| . == *o.* |
| . o=o+* + |
| . .o=o* . |
| . .*Xo. |
+----[SHA256]-----+
Actual behavior
PS> ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
Error details
PS> $Env:FIDO_DEBUG=1
PS> ssh-keygen -t ecdsa-sk -vvvvv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: spawning "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=29492
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
webauthn_load: api version 4
debug1: ssh_sk_enroll: using device windows://hello
cbor_decode_cred_authdata: buf=000001102A344560, len=164
decode_attcred: buf=000001102A344585, len=127
decode_attcred: attcred->id.len=32
debug1: ssh_sk_enroll: self-attested credential
fido_cred_verify_self: cdh=000001102A31E270, authdata=000001102A30EDC0, x5c=0000000000000000, sig=0000000000000000, fmt=000001102A30A0D0 id=000001102A31DD30, rp.id=ssh:
debug1: ssh_sk_enroll: fido_cred_verify_self: FIDO_ERR_INVALID_ARGUMENT
debug1: sshsk_enroll: provider "internal" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=29492
Key enrollment failed: invalid format
Environment data
PS> $PSVersionTable
Name Value
---- -----
PSVersion 7.3.3
PSEdition Core
GitCommitId 7.3.3
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Version
OpenSSH_for_Windows_9.2p1, LibreSSL 3.6.1
Visuals
No response
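When triaging a log like the one in this report, the sizes in the debug output (`len=164`, `len=127`, `attcred->id.len=32`) can be checked against the WebAuthn authenticator data layout. This is an added example, not code from the reporter, OpenSSH or libfido2; `parse_authdata`, `build_sample` and the sample bytes are constructed for illustration, and the COSE check assumes the canonical CTAP2 encoding of an ES256 key.

```python
import struct

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAGS = {"UP": 0x01, "UV": 0x04, "AT": 0x40, "ED": 0x80}
# Canonical CTAP2 encoding of an ES256 (P-256) COSE key: fixed 10-byte prefix,
# 32-byte x, the 3-byte "-3: bstr(32)" header, then 32-byte y (77 bytes total).
ES256_PREFIX = bytes.fromhex("a5010203262001215820")
ES256_Y_HDR = bytes.fromhex("225820")


def parse_authdata(buf: bytes) -> dict:
    """Split authenticator data into its fixed header and attested credential."""
    if len(buf) < 37:
        raise ValueError("authdata shorter than the 37-byte fixed header")
    flags_byte, sign_count = struct.unpack(">BI", buf[32:37])
    out = {
        "rp_id_hash": buf[:32].hex(),
        "flags": sorted(n for n, bit in FLAGS.items() if flags_byte & bit),
        "sign_count": sign_count,
    }
    if not flags_byte & FLAGS["AT"]:
        return out  # no attested credential data present
    att = buf[37:]
    if len(att) < 18:
        raise ValueError("attested credential data truncated")
    (id_len,) = struct.unpack(">H", att[16:18])
    if len(att) < 18 + id_len:
        raise ValueError("credential id runs past end of buffer")
    cose = att[18 + id_len:]
    out.update(
        attcred_len=len(att),
        aaguid=att[:16].hex(),
        cred_id_len=id_len,
        cose_len=len(cose),
        cose_is_es256=(len(cose) == 77 and cose.startswith(ES256_PREFIX)
                       and cose[42:45] == ES256_Y_HDR),
    )
    return out


def build_sample() -> bytes:
    """Constructed sample (not the bytes from the issue), same sizes as the log."""
    cose = ES256_PREFIX + b"\x11" * 32 + ES256_Y_HDR + b"\x22" * 32
    header = b"\xaa" * 32 + bytes([0x45]) + (0).to_bytes(4, "big")
    return header + b"\x00" * 16 + (32).to_bytes(2, "big") + b"\xcc" * 32 + cose


if __name__ == "__main__":
    print(parse_authdata(build_sample()))
```

The constructed sample has the same sizes as the log: a 37-byte header plus 127 bytes of attested credential data gives 164 bytes, with a 32-byte credential ID and a 77-byte key.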