-
Notifications
You must be signed in to change notification settings - Fork 155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bundled version of OpenSSH with macOS Monterey doesn't support FIDO2 yubikeys #464
Comments
Sounds good to me. Happy to help, if needed. |
I've had a look into it, and tried reintroducing the library from 1.3.0 including upgrading the API to work with newer versions of OpenSSH. However, I always encountered the same error:
Where I could see the openssh-portable version picking up my compiled library. I suspect that instead Apple may have actually compiled it with Sad. Most likely this is something we'd need to complain to Apple about, as I can't see any way around it if this is the case. |
I had a quick look and that was my impression as well. Bummer. Thanks for taking the initiative, though. Much appreciated! |
I filed a feature request for this here: https://www.apple.com/feedback/macos.html If enough of us do it, perhaps it could appear in a future release of macOS :) |
@cap10morgan, do you happen to have a radar number or other tracking information for the feature request you have opened? Thank you! |
@martelletto No I don't think that form provided anything like that. Or if it did I didn't record it. I think submitting a bunch of duplicate requests is all we've got there, but I'd be happy to be corrected. |
@cap10morgan I see. Thank you! In the understanding that linking to duplicates helps triage, would anyone have a radar number I could link to? |
Wondering why the issue is closed but I still can't use FIDO2 to secure my SSH connection. All suport documentation from Yubiko doesn't indicate clearly that macOS currently is incompatible with FIDO2 giving the current shipped openSSH build. Please considering disclaiming this gotcha clearly since I was mislead reading all the developers.yubico.com docs and bought many keys just to find out that I can't use them as advertised. |
Use of FIDO2 security keys is not possible with Apple's SSH because Apple explicitly disabled the feature. That said, use of FIDO2 security keys with SSH is possible on macOS through Homebrew or if you build OpenSSH yourself. The issue is closed because there is nothing we can do from our side. I will make sure to edit https://developers.yubico.com/SSH/ and https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html to highlight the fact that usage with Apple's SSH is still not possible. Happy to help if you have further questions. Edit: emphasis |
Thanks for your help, the homebrew version doesn't seems to support Also if I use the homebrew version then the Is there a way to build openSSH with all the macOS bells and whistles + support for FIDO2 ? |
You could try to build https://github.com/apple-oss-distributions/OpenSSH without https://github.com/apple-oss-distributions/OpenSSH/blob/main/configure-for-osx.sh#L7 (which is what apple-oss-distributions/OpenSSH#1 does). Regarding Homebrew, does your security key have a PIN set? If not, you can use |
I've setup a PIN using the YubiKey Manager software, and it seems to me that the setup was successful since I could login into macOS using the key+PIN. I'll try using the CLI. Only thing that I didn't set was the management key but I don't think that was necessary. Edit: Ok just find out that PIV PIN != FIDO PIN. Still learning |
Just got my first YubiKeys today and wanted to create Hope to see this supported soon. |
It is supported but disabled in Apple's SSH. If you'd like to use ed25519-sk keys on macOS, install ssh from Homebrew. |
Yeap I've read the rest of the thread - I understand that OpenSSH v8.6 supports it, it's was just not built & bundled by Apple with PS: Apologies if I sounded like I'm complaining to Yubico - my rant is to Apple :) |
@martelletto apologies for jumping on the thread, but I'm seeing the same thing, and the solutions here are not working for me. I've got 2 yubikeys:
macOS:
OpenSSH from homebrew:
libfido2:
I've set a FIDO PIN using Calling
Whenever I try to generate a resident key, I get the following:
Following along from above, I also tried to build openssh from From my reading these devices should support resident keys, but it's not working. Am I holding it wrong? Any suggestions to get it working would be most welcome :) |
@simpsora, it looks like the key you are using does not support credProtect, which is required for
Edit: clarify that credProtect is needed for |
@martelletto indeed:
I assume that FIDO 2.1 must be supported in later firmware versions for these keys, given that the yubi/github blog post said:
Searching for Looks like it's SSH via PIV for me, and time to order some new keys! Thanks for your quick reply :) |
Just thought I'd chime in here. I've been using Yubkey with an ECCP256 key via the PIV module on both Linux and Windows for the last year or so. It's been a rock solid solution. I recently got myself a Mac Studio and noticed that I couldn't login to any of my servers via SSH. I'd get the following error message:
I saw a similar issue on the OpenSC Github community and they pointed at OpenSSH as the problem (OpenSC/OpenSC#2559) I took one of my Yubikeys and re-created a PIV auth certificate with RSA2048 instead of ECCP256 - It works. i guess I'll just migrate over to RSA2048 for compatibility until a more robust solution comes alone. I hope we get support for ECCP256 and ECCP384 in the not so distant future. |
@sourcenix That's actually an entirely different mode than the one being discussed here. Native fido2 support in openssh doesn't use the PIV module. Sad to hear it doesn't work there either. |
Thanks for this information. It seems that this problem hasn't been fixed with macOS 13.2RC (22D49).
|
Unfortunately this seems to be a Ventura fix only. |
I may have completely jumped the gun on this one in my excitement. I mixed and matched upstream OpenSSH That was a stupid mistake. Now I'm just embarrassed 😞 . So sorry everyone! (The dream lives on) Edit: I will let the shame set in for a day and then delete my original comment |
Just noting that this is still the case with the binaries in macOS 13.2 (Ventura)
|
Hi, I've just tried your lib on a clean installation of Sonoma and I get an 'invalid format' error. ssh-keygen -t ed25519-sk -O resident -O verify-required
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/opt/homebrew/lib/libsk-libfido2.dylib" dlopen failed: (null)
Key enrollment failed: invalid format |
@mlcsthor |
@MichaelRoosz |
Any luck making this work with the macOS ssh agent?
It worked using the For what it's worth, it all worked fine adding a non-sk key to the agent. |
@tdb A buddy of mine (thanks @scottgeary) had the answer to this one. ssh-agent only loads providers from an allow-listed set of directories, configurable with
I tried this, and as I have an intel mac @MichaelRoosz homebrew script (thank you btw for this!!) puts libsk-libfido2.dylib into one of the default locations, however it is a symbolic link to
|
Thank you for the feedback @stoggi To automatically copy the lib to the correct place, I have created this homebrew cask:
It installs "michaelroosz/ssh/libsk-libfido2" and needs sudo access to copy the file to "/usr/local/lib/libsk-libfido2.dylib" then you need to use
for both Intel and Apple M1/M2 silicion to make it work |
Thanks @stoggi and @MichaelRoosz, this worked great! Really happy to finally have a working solution using (mostly!) the builtin tools. |
Did this, but im getting:
Sonoma, Mac Studio M2 |
@oezh this error happens when "SSH_SK_PROVIDER" is not set or empty. does it work if your run both in one line?: if yes, you need to permanently set it for your shell |
That worked perfectly. Added to shell. Thank you @MichaelRoosz |
You may also set the following line into
Authentication would then work without |
Do I need to setup SSH_ASKPASS in my environment? When I use my Yubikey on linux, I have to type in my PIN twice - once after "ssh-add -K" and once again when opening the ssh connection with the key plugged in. But when I try to use the same setup on Mac OS, I have to type the PIN once after "ssh-add -K" and that's it, but when I open the ssh session, pubkey authentication fails and falls back to keyboard authentication. |
@ulischaefer when you generated your key, it sounds like you specified the
And I think you are correct, ssh-agent would use SSH_ASKPASS to request the PIN, as seen in the 8.9 release notes:
But macOS doesn't provide a ssh-askpass utility, nor can you easily modify the environment variables set with the default agent found in (protected by apple's system integrity protection):
What you could do, is create your own |
I have updated the homebrew cask and formula to configure the native ssh-agent to use ssh-askpass and to set the needed env vars system-wide:
so simply running
should take care of everything now |
@MichaelRoosz thank you for all you're doing for this. So, I've just upgraded to the latest, and forgive my lack of understanding, but if a key is saved in the keychain, now with your latest, when I attempt to SSH, should I get a popup (or text in a terminal) telling me that I need to touch my YubiKey? (It doesn't seem to do that - the YubiKey flashes, and I touch it, and I'm in - but no message.) Or is there something else I'm missing? Oh - and I should mention that, when I did the upgrade, I received an warning. I don't know if this affects anything:
Also - after install, I opened a new terminal and tried to output the env vars, but they didn't seem to be set. |
@mrthebob when a touch is needed there is no popup, this is how ssh works currently - but it should show you a popup when the ssh-agent needs your yubikey pin I will look into the error message, as a temporary workaround it might start working after a reboot or after you start the service yourself via edit: with the latest versions the error should be fixed |
@MichaelRoosz that helped, and now it does show a popup when I need to touch the key, so I'm happy! Thanks for the help! |
Hi, does someone know why this is happening: # ssh-keygen -t ed25519-sk -O resident -O application=ssh:YubiSSH -O verify-required
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
Key enrollment failed: invalid format Sys Info
Thanks Edit: |
I was also able to generate the key using |
@pkolano You are trying to open
But this is not needed for the homebrew version of ssh-keygen, only for the builtin macos version of ssh-keygen. The homebrew version already links to libfido2 when compiled. Try simply removing the
|
Thank you, I was able to get it fully working by removing the extra stuff like you suggested along with various other things like putting homebrew first in my $PATH and making sure $SSH_ASKPASS was set before invoking the agent. |
@maxcom thank you for your message. |
@MichaelRoosz Thank you for your answer. I deleted that comment because I think it was my fault when I tried to debug it. Actually I got some strange problem with ssh-askpass -- it crashed due to some strange error:
Error translates as "The specified button does not exist." Sonoma 14.7.1 |
With the latest version of macOS Monterey (12.0.1) Apple have bundled a newer version of OpenSSH (OpenSSH_8.6p1, LibreSSL 2.8.3) but seem to have compiled it without
--with-security-key-builtin
. This is disappointing, but makes sense, as it would be unlikely that Apple would redistribute libfido2. However even though the bundled version man pages indicate that it should support creatingecdsa-sk
anded25519-sk
key types it doesn't work.I saw that in version
1.3.0
libfido2 used to compile the helper librarysk-libfido2
which would connect OpenSSH to a Yubikey by specifyingSSH_SK_PROVIDER
or passing it as a command line parameter tossh-add
,ssh-keygen
, orssh
. This was removed in1.3.1
as it was picked up by the OpenSSH codebase:libfido2/NEWS
Line 127 in e1c761a
So, I'm proposing that we add the helper library back in to libfido2, so that Yubikey users can create
ecdsa-sk
anded25519-sk
with yubikeys using the bundled versions of OpenSSH in macOS. That way a user can do:Why not just use
brew install openssh
? Because the ssh-agent that comes bundled with macOS has some useful integrations with keychain, and launchctl. As well as the expectation that the bundled SSH version 8.6 should work with a Yubikey out of the box.I am willing to contribute this change if there is interest for it. I think it has value in
libfido2
rather than a separate github repository.The text was updated successfully, but these errors were encountered: