`ssh-add -K` not working any longer after upgrading to 1.7.0?

ChristianTacke · May 22, 2024, 12:34pm

I noticed that credentialMgmtPreview is missing from the fido2-token -I output after upgrading to 1.7.0.

This is probably related to supporting FIDO_2_1 instead of FIDO_2_1_PRE?

I guess that the missing credentialMgmtPreview is the root cause for no longer working ssh-keygen -K / ssh-add -K on Debian/stable:

$ ssh-keygen -K                                     
Enter PIN for authenticator: 
You may need to touch your authenticator to authorize key download.
Provider "internal" returned failure -1
Unable to load resident keys: invalid format

Also after installing fido2-token 1.14.0 from Debian/testing, the following did not work any more:

$ fido2-token -L -k ssh: /dev/hidraw6
Enter PIN for /dev/hidraw6: 
fido2-token: fido_credman_get_dev_rk: FIDO_ERR_PIN_AUTH_INVALID

What’s going on here? What am I missing?

ion · May 22, 2024, 8:18pm

Your issue reads like this bug: ssh-agent cant retrieve key · Issue #496 · Nitrokey/nitrokey-3-firmware · GitHub
Try adding the -vvvv debug flags and add to the bug report, if it’s different.

ChristianTacke · May 22, 2024, 10:08pm

Yes, the output from -vvvv matches mine exactly in all relevant points! Thanks for finding the issue for me!

I posted on the issue to note that fido2-token is also affected.

ChristianTacke · June 11, 2024, 8:16pm

Additional information:

It looks like the fix for this is in 1.7.2 (not yet available for public install). From the release notes:

fido-authenticator: Fix incompatibility when enumerating resident keys with libfido2/ssh-agent (#496)

The full release notes are here:

obey · June 17, 2024, 9:25am

Can this be renamed to something containing the keywords fido2 ssh resident-storage I would have found the issue sooner.

ChristianTacke · June 18, 2024, 12:39pm

I don’t have permission to rename / add more keywords / etc. I hope that your posting / mentioning adds those keywords to the search at least.