Issue with YubiKey and ECC keys
"OpenSSH for Windows" version : 8.9.1.0
Client OperatingSystem : Windows 11 21H2
What is failing
I'm facing an issue with OpenSSH, OpenSC and the use of a YubiKey 5. It seems that ECCP256 and ECCP384 keys are not supported by OpenSSH on Windows. When I try to export the public key from the YubiKey, multiple errors like "unsupported key type" are thrown. I have already opened an issue on OpenSC's side (OpenSC/OpenSC#2559), but for them the problem is with OpenSSH for Windows.
Steps to reproduce
Generate an ECCP256 or ECCP384 key on the YubiKey with the yubico-piv-tool (source):
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -s 9a -a generate -A ECCP384 -o public.pem
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -a import-certificate -s 9a -i cert.pem
Then try to export the public key from the YubiKey with the following command:
PS > ssh-keygen.exe -D 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' -e
Expected output
The public key of the generated certificate should be printed to stdout.
Actual output
PS > ssh-keygen.exe -vvv -D 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' -e
skipping unsupported key type
failed to fetch key
unknown certificate key type
failed to fetch key
Enter PIN for 'SSH key':
skipping unsupported key type
failed to fetch key
unknown certificate key type
failed to fetch key
cannot read public key from pkcs11
Just to doubly verify that it's a problem with OpenSSH and not the OpenSC framework, can you see if you can reproduce the issue with PuTTY CAC?
Thanks for your answer. I can't reproduce the issue with PuTTY CAC.
I've made the following configuration in PuTTY: in Connection --> SSH --> Certificate, pressed "Set PKCS Cert..." then browsed to the opensc-pkcs11.dll file.
Then pressed "Copy to Clipboard" and pasted the output to a Linux server with OpenSSH.
Finally tried to connect to the remote server, the PIN of the YubiKey was asked and the connection was successful.
I suspect this is because HAVE_EC_KEY_METHOD_NEW was not defined at compile time. I'll see if I can build you a version with it on for testing.
Have you been able to build a version that fixes this bug? I would be happy to test it and give you feedback.
Your binary seems to work fine @NoMoreFood :)
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -s 9a -a generate -A ECCP384 -o public.pem
Successfully generated a new private key.
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.
PS > & 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe' -a import-certificate -s 9a -i cert.pem
Successfully imported a new certificate.
PS > .\OpenSSH\ssh-keygen.exe -D 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' -e
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAUFwDnpJQ9g2HuT5kI6tqdyiZmAiGkMC1XFB36v/2kml4ZmMG0Hm7wieQ9FxwQO1SW6KzNXYqdWjrPEjPyDFdM1c9ox0wwyk63I31lyVkAJDNS+6wOZ65bEcBP5zeutwg== PIV AUTH pubkey
I also tried to copy the public key in the authorized_keys file of a remote server and the connection works!
Alright, sounds good. I will submit a pull request to get it in the next official release.
I had the same issue, however I was using the Yubico PIV Tool PKCS#11 driver.
The binaries you made with EC support did make it show up in ssh-keygen, but after ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" they do not show up in ssh-add -l
The card slot does not matter as much; I had an RSA key in 9a, so I added the ECCP384 key to slot 9c.
PS > C:\OpenSSH-EC\ssh-keygen.exe -D libykcs11.dll -e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL5Dt3nCSPbtPT8mbyF5W7qbsoifIy58irjBcwKr09YRWuMSe3NlHZn6iL4KdcPJSkRU+0uMzWdpz1sVi4WpQ+vTYL+P/9GmE3+1ASfFNyXXrMG/aZ2VO8bEKZlowt5U/rUH/ei/v0Sa2YzzE87O3U5xvJT3x5U2n8X3B7zkRk+LTOQrRsJ0xV1DwG/2X5qaoOlUvM6KRdOVhM5oCWqmVIjLh8Z77FdUjNMQGDw3vXjfp2nemQRYIKnwIshI6GNXdBrgi8B9LFzhngemLW7Wsm42PWc3vRfZzCbAXEEpjyR4ZIdIgK+rMYovu1SQRPqNJljfQCQW0qJIV7fAo4B5WX Public key for PIV Authentication
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIdphEu1Bx7dtjQB6fue22OwypsqxtkoeQwHtkI4C4sawm0dPJArF7KKNUxaSLtlz5dizG8F6ZWDsOy2BNsY8hiYRwUI/7XJKMSD6LQnosYHLd2sGOABcyUPjCi51mcqBQ== Public key for Digital Signature
PS > C:\OpenSSH-EC\ssh-add.exe -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Enter passphrase for PKCS#11:
Card added: C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll
PS > C:\OpenSSH-EC\ssh-add.exe -l
2048 SHA256:7qoRH4qZZE3Z02PSXk2bn8RMXbUzJAEjNfq4rB0RHE8 C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll (RSA)
ssh itself is able to connect.
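An added example, not code from this thread or from the OpenSSH, OpenSC or Yubico projects: a small Python checker that parses the lines `ssh-keygen -D <pkcs11 module> -e` prints (OpenSSH wire-format public key blobs), reports key type, curve or modulus size, and the SHA256 fingerprint in the form `ssh-add -l` shows, so what the token exports can be compared line by line with what the agent actually loaded. The sample input is the two public keys quoted above in this thread; the function names are my own.

```python
"""Inventory the public keys printed by `ssh-keygen -D <module> -e` and derive
the same SHA256 fingerprint format that `ssh-add -l` prints."""
import base64
import hashlib
import struct

# Sample input: the ECDSA P-384 and RSA public key lines quoted in this thread.
SAMPLE_OUTPUT = """\
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAUFwDnpJQ9g2HuT5kI6tqdyiZmAiGkMC1XFB36v/2kml4ZmMG0Hm7wieQ9FxwQO1SW6KzNXYqdWjrPEjPyDFdM1c9ox0wwyk63I31lyVkAJDNS+6wOZ65bEcBP5zeutwg== PIV AUTH pubkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL5Dt3nCSPbtPT8mbyF5W7qbsoifIy58irjBcwKr09YRWuMSe3NlHZn6iL4KdcPJSkRU+0uMzWdpz1sVi4WpQ+vTYL+P/9GmE3+1ASfFNyXXrMG/aZ2VO8bEKZlowt5U/rUH/ei/v0Sa2YzzE87O3U5xvJT3x5U2n8X3B7zkRk+LTOQrRsJ0xV1DwG/2X5qaoOlUvM6KRdOVhM5oCWqmVIjLh8Z77FdUjNMQGDw3vXjfp2nemQRYIKnwIshI6GNXdBrgi8B9LFzhngemLW7Wsm42PWc3vRfZzCbAXEEpjyR4ZIdIgK+rMYovu1SQRPqNJljfQCQW0qJIV7fAo4B5WX Public key for PIV Authentication
"""


def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey_line(line):
    """Describe one `<type> <base64 blob> [comment]` line as printed by ssh-keygen -e."""
    key_type, b64, *comment = line.split(None, 2)
    blob = base64.b64decode(b64)
    inner_type, off = read_string(blob, 0)
    # The type word outside the blob must match the type string encoded inside it.
    if inner_type.decode() != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {inner_type!r}")
    info = {"type": key_type, "comment": comment[0] if comment else ""}
    if key_type.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
        # Q is an uncompressed SEC1 point 0x04 || X || Y, so each coordinate is (len-1)/2 bytes.
        if point[:1] != b"\x04" or (len(point) - 1) % 2:
            raise ValueError("ECDSA point is not an uncompressed SEC1 point")
        info["curve"] = curve.decode()
        info["bits"] = (len(point) - 1) // 2 * 8
    elif key_type == "ssh-rsa":
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)  # mpint, may carry a leading 0x00
        info["bits"] = int.from_bytes(n, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {key_type}")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    # ssh-add -l shows SHA-256 over the whole blob, base64 without '=' padding.
    digest = hashlib.sha256(blob).digest()
    info["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return info


def inventory(text):
    """Parse every non-empty line of ssh-keygen -D ... -e output."""
    return [parse_pubkey_line(l) for l in text.splitlines() if l.strip()]
```

Running `inventory` over the output of both `ssh-keygen -D` and `ssh-add -L` and diffing the fingerprints shows exactly which slot the agent dropped, which is the RSA-only `ssh-add -l` symptom described above.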
Hello NoMoreFood!
Can you please provide the binaries or any other temporary workaround for Mac users facing this issue as well? The bins you provided above also worked for me but I want to get it working on my Mac as well. Thanks a lot!
@JuniperCisco Unless it's assisted by Wine or some virtualization technology, I do not believe there is a pathway for Mac users to use PuTTY CAC. The functions we use are very much Windows-specific (which is one of the reasons the upstream PuTTY is not interested in integrating these enhancements into the product).
@NoMoreFood please forgive me for not clarifying it, I want to use just a normal shell, without PuTTY CAC. ssh via cmd on Windows wasn't working until I used your binaries. I thought there might be some similar solution to allow ECCP keys to be used on Mac, since I get the same errors I've been getting on Windows before I loaded the binaries. Thanks a lot for your time.