macOS bundled OpenSSH 8.6p1 seems not to support FIDO keys

Since 8.2p1 OpenSSH has supported FIDO/U2F hardware authenticators, adding the "ed25519-sk" and "ecdsa-sk" key types. The OpenSSH bundled with macOS Monterey 12.2 (version 8.6p1) doesn't include built-in security key support, but it seems that the user can specify a middleware library to use FIDO authenticator-hosted keys (see man ssh-add, man ssh_config and man ssh-agent).

I tried to implement a FIDO security key provider library, but the bundled ssh-agent doesn't seem to try to load the implemented library and simply returns "unknown or unsupported key type":

$ ssh-agent -d -P "/*"
SSH_AUTH_SOCK=SOME_VALUE; export SSH_AUTH_SOCK;
echo Agent pid SOME_VALUE;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:KEY_HASH 
process_sign_request2: sshkey_sign: unknown or unsupported key type
User presence confirmed

Manually installing OpenSSH from a third party (such as MacPorts/Homebrew, or simply building it from source) works, but third-party OpenSSH can't read passwords stored in Keychain.

Is hardware key support disabled at build time in the bundled OpenSSH? Advice most appreciated. Thank you!
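A small triage script for an `ssh-agent -d` log like the one quoted above, added here as an example and not part of the original post: it checks whether the agent accepted the -sk identity together with its provider path and whether the later sign request failed, which separates "provider never registered" from "provider registered but signing rejected". The log excerpt is constructed from the post with placeholder values.

```python
import re

# Constructed excerpt of the ssh-agent -d output quoted in the post;
# fingerprint, comment and provider path are placeholders, not real values.
AGENT_LOG = """\
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:KEY_HASH
process_sign_request2: sshkey_sign: unknown or unsupported key type
User presence confirmed
"""

ADD_RE = re.compile(r'process_add_identity: add (?P<type>\S+) (?P<fp>SHA256:\S+) '
                    r'"(?P<comment>[^"]*)".*?\(provider: (?P<provider>[^)]+)\)')
PRESENCE_RE = re.compile(r'Confirm user presence for key \S+ (?P<fp>SHA256:\S+)')
SIGN_ERR_RE = re.compile(r'process_sign_request2: sshkey_sign: (?P<err>.+)$')

def triage(log: str) -> dict:
    """Summarise how the agent handled security-key (-sk) identities."""
    keys = {}          # fingerprint -> details of the added identity
    sign_errors = []   # (fingerprint, error text) for failed sign requests
    current_fp = None  # key named in the most recent user-presence prompt
    for line in log.splitlines():
        if (m := ADD_RE.search(line)):
            keys[m['fp']] = {'type': m['type'], 'comment': m['comment'],
                             'provider': m['provider']}
        elif (m := PRESENCE_RE.search(line)):
            current_fp = m['fp']
        elif (m := SIGN_ERR_RE.search(line)):
            sign_errors.append((current_fp, m['err']))
    sk_keys = {fp: k for fp, k in keys.items() if k['type'].startswith('sk-')}
    if not sk_keys:
        verdict = 'no -sk identity was added to the agent'
    elif any(err == 'unknown or unsupported key type' for _, err in sign_errors):
        verdict = ('agent recorded the -sk identity and its provider path, but '
                   'sshkey_sign rejected the key type: consistent with an agent '
                   'built without security-key support')
    elif sign_errors:
        verdict = 'provider was used but signing failed: ' + '; '.join(e for _, e in sign_errors)
    else:
        verdict = 'sign requests for -sk keys succeeded'
    return {'sk_keys': sk_keys, 'sign_errors': sign_errors, 'verdict': verdict}

if __name__ == '__main__':
    print(triage(AGENT_LOG)['verdict'])
```

Feed it the real `ssh-agent -d` output to confirm the provider path the agent recorded is the library you intended before suspecting the library itself.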


Replies

I don't have an answer, but I'm also interested in this. I want to use my Yubikey with SSH and not have to install a 3rd party copy of openssh

Thanks for posting. I was scratching my head as to why ssh with FIDO keys wasn't working with macOS Monterey 12.2, which ships with OpenSSH_8.6p1 (as you say, FIDO support has been present since openssh 8.2). Is Apple rolling their own implementation of OpenSSH?

Back to installing OpenSSH with homebrew....

This is also being tracked here

Hitting this issue as well.

Bump

Just created a PR with the removal of the --disable-security-key compile option. https://github.com/apple-oss-distributions/OpenSSH/pull/1

Maybe Apple employees will see PR faster than this thread, but the repo is just a mirror so it's a low probability.

Any news in that direction?

macOS Ventura released and no sign of FIDO support in the bundled OpenSSH 9.0p1 :-( Given Apple's support for PassKey and other FIDO technologies, this may be perceived as quite strange and inconsistent.

this may be perceived as quite strange and inconsistent.

Keep in mind that DevForums is not the right place for such feedback.

Has anyone filed a bug to officially request this support? If not, I recommend that you do so.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • @eskimo I submitted a Feedback bug report a while back and the Feedback number is FB10028556. Thanks for making the recommendation to post it here. It would be great if Apple would change course on this particular issue so that we can use the native OpenSSH client with our FIDO2/U2F hardware keys.

    Cheers!


I filed a bug on 2022/Jan/3 (FB9830898), and the discussion in github.com:Yubico/libfido2/issue/464 is FB9888059

I also filed a bug report with Feedback assistant on May 26, 2022 under FB10028556.

Thanks for the bug numbers.

I took a look and there’s really not much I can say here. There’s a significant interest in this, both externally and internally at Apple, but it’s not been implemented yet. As to when that’ll change, I can’t comment on The Future™.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

There looks to be some movement on this - see the comments in https://github.com/Yubico/libfido2/issues/464#issuecomment-1577748167

The long and short of it is that it looks like SSH now supports this, but you have to provide your own SSH_SK_PROVIDER by compiling libfido2 as detailed in the comments and this gist https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a - I haven't verified this myself yet...