`ssh-add -K` not working any longer after upgrading to 1.7.0?

I noticed that credentialMgmtPreview is missing from the fido2-token -I output after upgrading to 1.7.0.

This is probably related to supporting FIDO_2_1 instead of FIDO_2_1_PRE?

I guess that the missing credentialMgmtPreview is the root cause of ssh-keygen -K / ssh-add -K no longer working on Debian/stable:

```
$ ssh-keygen -K
Enter PIN for authenticator: 
You may need to touch your authenticator to authorize key download.
Provider "internal" returned failure -1
Unable to load resident keys: invalid format
```

Also after installing fido2-token 1.14.0 from Debian/testing, the following did not work any more:

```
$ fido2-token -L -k ssh: /dev/hidraw6
Enter PIN for /dev/hidraw6: 
fido2-token: fido_credman_get_dev_rk: FIDO_ERR_PIN_AUTH_INVALID
```

What’s going on here? What am I missing?

Your issue reads like this bug: ssh-agent cant retrieve key · Issue #496 · Nitrokey/nitrokey-3-firmware · GitHub
Try adding the -vvvv debug flags and add to the bug report, if it’s different.


Yes, the output from -vvvv matches mine exactly in all relevant points! Thanks for finding the issue for me! :)

I posted on the issue to note that fido2-token is also affected.

Additional information:

It looks like the fix for this is in 1.7.2 (not yet available for public install). From the release notes:

  • fido-authenticator: Fix incompatibility when enumerating resident keys with libfido2/ssh-agent (#496)

The full release notes are here:

Can this be renamed to something containing the keywords fido2 ssh resident-storage? I would have found the issue sooner.