Does the ssh-keygen have any vendor restrictions on FIDO devices?

[laughingbro]

• I was not able to find an open or closed issue matching what I'm seeing

Setup

• Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

** git version 2.33.0.windows.2 **

• Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver

** Windows 11 64-bit **

Does the ssh-keygen have any vendor restrictions on FIDO devices?

[dscho]

Does the ssh-keygen have any vendor restrictions on FIDO devices?

I don't know what type of restrictions you're thinking about, please clarify.

As to what the ssh-keygen shipped with Git for Windows supports: we build it as part of the openssh package. Whatever OpenSSH supports, we theoretically support, too (depending on libraries linked in, build-time options chosen, etc).

[laughingbro]

I have two FIDOs, one is from Yubico, another is from eSecu. The Yubico works OK, but the eSecu works fail. Can't capture any faults of the usb protocol. Can't capture any FIDO commands sended to the device. So, is there a compatible vendor IDs list?

[dscho]

is there a compatible vendor IDs list?

Maybe? If I were you, I'd look here: https://github.com/openssh/openssh-portable/search?q=fido

[laughingbro]

Helpless, but thank you.

[rimrul]

OpenSSH uses libfido2 to deal with FIDO devices. Their README claims libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

OpenSSH seems to support them as ecdsa-sha2-nistp256 or ssh-ed25519 variants.

Did you verify that your eSecu supports one of those protocols and key types? Their current models seem to do that, but I'm unsure about potential older devices.

You could try to get more info from ssh-keygen with higher verbosity (-vvv) or trying to get a debug log from libfido2 (FIDO_DEBUG)

If ssh-keygen -vvv and FIDO_DEBUG don't help you figure this out, you might need to download the Git for Windows SDK and build the libfido2 examples against our libfido2.