| 4 Dec 2023 |
Ilan Joselevich (Kranzes) | openssh has been supporting -sk keys for a while now though so idk | 14:42:13 |
Ilan Joselevich (Kranzes) | I think that's the problem | 14:50:10 |
Ilan Joselevich (Kranzes) | when using -v I see that these are the supported key types kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> | 14:50:22 |
Ilan Joselevich (Kranzes) | which does not include mine | 14:50:45 |
Ilan Joselevich (Kranzes) | when I try to ssh into one of my nixos systems it's this:
kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
| 14:51:04 |
Ilan Joselevich (Kranzes) | https://github.com/Yubico/libfido2/issues/464 | 14:54:22 |
Ilan Joselevich (Kranzes) | Here's an issue for this | 14:54:29 |
Ilan Joselevich (Kranzes) | Seems to have some workarounds, would be nice if you could implement them as it seems other people also have -sk keys configured for the community darwin builder, and it probably doesn't work for them either. | 14:55:14 |
Lily Foster | In reply to @kranzes:matrix.org
libfido2 in nixpkgs already has what we need, just gotta plug that into sshd:
[kranzes@pongo ~]$ nix build nixpkgs\#libfido2 --system x86_64-darwin
[kranzes@pongo ~]$ cd result
[kranzes@pongo ~/result]$ ls
bin lib
[kranzes@pongo ~/result]$ tree
.
├── bin
│ ├── fido2-assert
│ ├── fido2-cred
│ └── fido2-token
└── lib
├── libfido2.1.13.0.dylib
├── libfido2.1.dylib -> libfido2.1.13.0.dylib
├── libfido2.a
└── libfido2.dylib -> libfido2.1.dylib
i mean the nixpkgs openssh is already built with -sk key support on darwin. i assume it's using the openssh built-in to macOS though | 15:02:00 |
Ilan Joselevich (Kranzes) | It's not. | 15:02:15 |
Lily Foster | What's not? | 15:02:31 |
Lily Foster | Using the built-in openssh or our openssh is not compiled with -sk key support? | 15:02:41 |
Ilan Joselevich (Kranzes) | The darwin box is using the MacOS provided openssh. | 15:02:54 |
Lily Foster | yeah, so we could presumably switch it to use the nixpkgs openssh, no? | 15:03:18 |
Lily Foster | or am i misunderstanding what you're saying | 15:03:24 |
Ilan Joselevich (Kranzes) | Yeah | 15:03:28 |
Ilan Joselevich (Kranzes) | If you can help figure this out | 15:03:35 |
Ilan Joselevich (Kranzes) | replacing ssh with Homebrew's will break integrations with keychain etc, so that's why I'm not doing it. | 15:04:21 |
Ilan Joselevich (Kranzes) | replacing it completely can have some problems with launchctl and keychain | 15:04:44 |
Ilan Joselevich (Kranzes) | Oh someone says that this entire problem was fixed in MacOS Venture | 15:06:05 |
Ilan Joselevich (Kranzes) | * Oh someone says that this entire problem was fixed in MacOS Ventura | 15:06:07 |
Lily Foster | looks like support would need to be added to nix-darwin, yeah: https://github.com/LnL7/nix-darwin/issues/627 | 15:06:15 |
Ilan Joselevich (Kranzes) | Do you know what version we're running on? | 15:06:16 |
Lily Foster | lily@darwin03> sw_vers ~
ProductName: macOS
ProductVersion: 13.6.1
BuildVersion: 22G313
| 15:06:56 |
Lily Foster | * lily@darwin03> sw_vers
ProductName: macOS
ProductVersion: 13.6.1
BuildVersion: 22G313
| 15:07:06 |
Ilan Joselevich (Kranzes) | That's ventura | 15:07:29 |
Ilan Joselevich (Kranzes) | hmmm | 15:07:32 |
Ilan Joselevich (Kranzes) | Well you got access now to the machine, can you check supported keys and such | 15:07:59 |
Ilan Joselevich (Kranzes) | I have no way of fixing this myself without access | 15:08:08 |