| 4 Dec 2023 |
Ilan Joselevich (Kranzes) | Maybe this can be debugged on the server? | 03:56:16 |
Ilan Joselevich (Kranzes) | The PR I made looks fine | 03:58:59 |
Ilan Joselevich (Kranzes) | it deployed it just fine | 03:59:05 |
zowoq | Everything looks correct on the machine. We added someone else a few hours ago and looks like they have been able to access it. | 04:08:52 |
Ilan Joselevich (Kranzes) | That's so weird... | 04:10:20 |
Ilan Joselevich (Kranzes) | Any further suggestions? I'll look into this when I wake up later, it's already 6 AM and I've been up for a while | 04:13:27 |
zowoq | No, nothing that I can think of at the moment. | 04:33:18 |
Mic92 | zowoq: ok, it still crashes. I will look into this. | 07:07:49 |
Ilan Joselevich (Kranzes) | In reply to @zowoq:matrix.org No, nothing that I can think of at the moment. None of my keys work on that machine, could it be that it doesn't support -sk keys? | 14:41:51 |
Ilan Joselevich (Kranzes) | openssh has been supporting -sk keys for a while now though so idk | 14:42:13 |
Ilan Joselevich (Kranzes) | I think that's the problem | 14:50:10 |
Ilan Joselevich (Kranzes) | when using -v I see that these are the supported key types:
kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
| 14:50:22 |
Ilan Joselevich (Kranzes) | which does not include mine | 14:50:45 |
Ilan Joselevich (Kranzes) | when I try to ssh into one of my nixos systems it's this:
kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
| 14:51:04 |
Ilan Joselevich (Kranzes) | https://github.com/Yubico/libfido2/issues/464 | 14:54:22 |
Ilan Joselevich (Kranzes) | Here's an issue for this | 14:54:29 |
Ilan Joselevich (Kranzes) | Seems to have some workarounds, would be nice if you could implement them as it seems other people also have -sk keys configured for the community darwin builder, and it probably doesn't work for them either. | 14:55:14 |
Lily Foster | In reply to @kranzes:matrix.org
libfido2 in nixpkgs already has what we need, just gotta plug that into sshd:
[kranzes@pongo ~]$ nix build nixpkgs\#libfido2 --system x86_64-darwin
[kranzes@pongo ~]$ cd result
[kranzes@pongo ~/result]$ ls
bin lib
[kranzes@pongo ~/result]$ tree
.
├── bin
│   ├── fido2-assert
│   ├── fido2-cred
│   └── fido2-token
└── lib
    ├── libfido2.1.13.0.dylib
    ├── libfido2.1.dylib -> libfido2.1.13.0.dylib
    ├── libfido2.a
    └── libfido2.dylib -> libfido2.1.dylib
I mean the nixpkgs openssh is already built with -sk key support on darwin. I assume it's using the openssh built in to macOS though | 15:02:00 |
Ilan Joselevich (Kranzes) | It's not. | 15:02:15 |
Lily Foster | What's not? | 15:02:31 |
Lily Foster | Using the built-in openssh or our openssh is not compiled with -sk key support? | 15:02:41 |
Ilan Joselevich (Kranzes) | The darwin box is using the macOS-provided openssh. | 15:02:54 |
Lily Foster | yeah, so we could presumably switch it to use the nixpkgs openssh, no? | 15:03:18 |
Lily Foster | or am i misunderstanding what you're saying | 15:03:24 |
Ilan Joselevich (Kranzes) | Yeah | 15:03:28 |
Ilan Joselevich (Kranzes) | If you can help figure this out | 15:03:35 |
Ilan Joselevich (Kranzes) |
replacing ssh with Homebrew's will break integrations with keychain etc, so that's why I'm not doing it.
| 15:04:21 |
Ilan Joselevich (Kranzes) | replacing it completely can have some problems with launchctl and keychain | 15:04:44 |
Ilan Joselevich (Kranzes) | Oh, someone says that this entire problem was fixed in macOS Ventura | 15:06:05 |