Generating an ed25519-sk key with a YubiKey on a Mac fails

Problem description (votes: 0, answers: 1)

I am trying to generate an ed25519-sk SSH key on a Mac using ssh-keygen and a YubiKey. It fails like this:

$ ssh-keygen -t ed25519-sk -f ed25519-sk -vvv
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=62321
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
No FIDO SecurityKeyProvider specified
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62321
Key enrollment failed: invalid format

What am I missing?

Here is some additional information:

My ssh version is:

$ ssh -V
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024

I tried installing libfido2 with brew:

$ brew info libfido2
==> libfido2: stable 1.14.0 (bottled)
Provides library functionality for FIDO U2F & FIDO 2.0, including USB
https://developers.yubico.com/libfido2/
Installed
/usr/local/Cellar/libfido2/1.14.0_1 (553 files, 1.2MB) *
  Poured from bottle using the formulae.brew.sh API on 2024-05-07 at 11:47:50
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/lib/libfido2.rb
License: BSD-2-Clause
==> Dependencies
Build: cmake ✘, mandoc ✘, pkg-config ✔
Required: libcbor ✔, openssl@3 ✔
==> Analytics
install: 31,572 (30 days), 116,359 (90 days), 382,831 (365 days)
install-on-request: 20,242 (30 days), 70,197 (90 days), 187,156 (365 days)
build-error: 22 (30 days)

and specifying it during key generation:

$ SSH_SK_PROVIDER=/usr/local/lib/libfido2.dylib ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519-sk -vvv

Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=62422
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "/usr/local/lib/libfido2.dylib", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
lib_contains_symbol: /usr/local/lib/libfido2.dylib does not contain expected string sk_api_version
provider /usr/local/lib/libfido2.dylib is not an OpenSSH FIDO library
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62422
Key enrollment failed: invalid format

YubiKey info:

$ ykman info
Device type: YubiKey 5C NFC
Serial number: 23843986
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications    USB     NFC
Yubico OTP      Enabled Enabled
FIDO U2F        Enabled Enabled
FIDO2           Enabled Enabled
OATH            Enabled Enabled
PIV             Enabled Enabled
OpenPGP         Enabled Enabled
YubiHSM Auth    Enabled Enabled

I also tried setting a PIN for FIDO2, but there was no difference in the output.

Tags: macos, security, ssh, ed25519, yubikey

1 answer

Votes: 0

In the end the problem was the wrong path to the ssh-keygen binary.

The Mac built-in binary at /usr/bin/ssh-keygen comes first on the PATH, but it cannot generate the key.

The correct binary from the brew OpenSSH install should be:

/usr/local/bin/ssh-keygen -> ../Cellar/openssh/9.7p1/bin/ssh-keygen
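The answer above comes down to which ssh-keygen the shell resolves first. As an added example (not part of the original question or answer), here is a POSIX shell audit that walks PATH the way the shell does, lists every copy of each OpenSSH tool, and classifies the winning one as Homebrew (the /usr/local/bin -> ../Cellar/openssh/... symlink the answer shows) or the system build. The function and variable names are mine, and the Homebrew classification assumes the formula's usual Cellar layout; the test directories in the comments are constructed, not real installs.

```shell
#!/bin/sh
# Added example, not from the original post: audit which OpenSSH tools win on
# PATH. Names (path_lookup, first_on_path, resolve_link, install_of, audit)
# are mine; the "homebrew" classification assumes the usual Cellar layout.

# path_lookup NAME [PATHSTR]: print every executable NAME found in PATHSTR
# (default: $PATH), one per line, in the shell's own lookup order.
# Returns 1 if no copy is found.
path_lookup() {
    _name=$1
    _search=${2:-$PATH}
    _found=1
    _old_ifs=$IFS
    IFS=:
    for _dir in $_search; do
        [ -n "$_dir" ] || continue
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            _found=0
        fi
    done
    IFS=$_old_ifs
    return $_found
}

# first_on_path NAME [PATHSTR]: the copy the shell would actually execute.
first_on_path() {
    path_lookup "$1" "$2" | head -n 1
}

# resolve_link FILE: follow symlinks one hop at a time using plain readlink,
# which exists on every macOS (readlink -f does not on older releases).
resolve_link() {
    _p=$1
    _n=0
    while [ -L "$_p" ] && [ "$_n" -lt 16 ]; do
        _t=$(readlink "$_p")
        case $_t in
            /*) _p=$_t ;;
            *)  _p=$(dirname "$_p")/$_t ;;
        esac
        _n=$((_n + 1))
    done
    printf '%s\n' "$_p"
}

# install_of FILE: classify a resolved binary by where it really lives.
# Homebrew: /usr/local/bin/ssh-keygen -> ../Cellar/openssh/<ver>/bin/ssh-keygen
# system:   /usr/bin/* (on macOS, Apple's build, which the post shows failing)
install_of() {
    case $(resolve_link "$1") in
        */Cellar/openssh/*) echo homebrew ;;
        /usr/bin/*)         echo system ;;
        *)                  echo other ;;
    esac
}

# audit TOOL...: for each tool, print the winning copy, its install, and any
# shadowed copies further down PATH so mixed installs are visible at a glance.
audit() {
    for _tool in "$@"; do
        _win=$(first_on_path "$_tool")
        if [ -z "$_win" ]; then
            printf '%s: not found on PATH\n' "$_tool"
            continue
        fi
        printf '%s -> %s (%s)\n' "$_tool" "$_win" "$(install_of "$_win")"
        path_lookup "$_tool" | sed '1d; s/^/    also: /'
    done
}

# The whole toolset has to come from one install for -sk keys to work end to
# end, since ssh-agent is what ends up talking to the key when you authenticate.
audit ssh ssh-keygen ssh-add ssh-agent
```

Two details from the question's own output are worth reading alongside this. `ssh -V` reporting OpenSSH_9.7p1 with OpenSSL 3.3.0 is already the Homebrew build (Apple's ssh is linked against LibreSSL), so `ssh` and `ssh-keygen` were resolving to different installs in that shell. And the second attempt's `does not contain expected string sk_api_version` line says that a raw libfido2.dylib is not an OpenSSH SK provider at all; Homebrew's openssh formula builds FIDO support in via libfido2, so once the right ssh-keygen is first on PATH, leave SSH_SK_PROVIDER unset.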
