Win32-OpenSSH

Cannot work with Windows Hello with ecdsa-sk since 25H2

Open wzssyqa opened this issue 3 months ago • 3 comments

Prerequisites

  • [x] Write a descriptive title.
  • [x] Make sure you are able to repro it on the latest version
  • [x] Search the existing issues.

Steps to reproduce

ssh-keygen -t ecdsa-sk

We select to store the key on This Windows, and then get a prompt from Windows Hello to use fingerprint or face.

ssh user@a-host

It seems to have appeared after upgrading to 25H2 or the 2025.10 monthly update.

Expected behavior

We should get a window that asks to use fingerprint or face.

Actual behavior

We get a prompt that we can select from:
    * iPhone, iPad, or an Android device
    * external USB security key

Error details

debug1: process_sign: ready to sign with key ECDSA-SK, provider internal: msg len 326, compat 0x0
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x01
webauthn_load: api version 7
winhello_get_assert: NotAllowedError -> FIDO_ERR_OPERATION_DENIED
fido_winhello_get_assert: winhello_get_assert
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_OPERATION_DENIED
debug1: sshsk_sign: sk_sign failed with code -3

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.26100.6899
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.6899
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2. In fact, I also tried v9.8.3.0p2-Preview.

Visuals

No response

wzssyqa, Oct 27 '25 13:10

Hello,

I'm experiencing the same issue. When creating the key, I successfully get "Windows Hello" and am asked to enter a PIN. But after a restart and when using the key, I only get,

Image

Thank you

Ali

gink-lia, Oct 29 '25 11:10

I have the same issue. I can also create a new key; there the fingerprint shows up. But if I want to use it, it doesn't show the option.

benniju, Oct 29 '25 15:10

I found a workaround for this problem: delete the old "通行密钥" (I don't know what the correct original English text is; maybe it is "passkey").

In "Account" under "Settings" there is a "通行密钥" entry, which may be the last one in the "Account Settings" section. Delete all the "ssh: \n openssh" entries, so that we can recreate the ssh keys.

wzssyqa, Nov 03 '25 05:11