SSH-KEYGEN returns "invalid format" when generating ecdsa-sk key and storing it on another device #2279
Open
Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Steps to reproduce
While using OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 on Windows 11 24H2 on a non-elevated command prompt, generating an ecdsa-sk key with ssh-keygen -t ecdsa-sk does not work when, at the pop-up opened by ssh-sk-helper.exe titled "Where do you want to store this passkey?", an external device or "iPhone, iPad or Android device" is selected, even if the key is stored correctly on the Android device. Selecting, however, an on-device authentication method like an onboard fingerprint reader or Windows Hello face scanner does generate a key correctly most of the time.
Expected behavior
C:\Users\User>ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (C:\Users\User/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\User/.ssh/id_ecdsa_sk
Your public key has been saved in C:\Users\User/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:AyVE8F6emXJEpgpyWTZG+oDKjI0uWVbV5xMPIRvh6t0 User@HOSTNAME
The key's randomart image is:
+-[ECDSA-SK 256]--+
| .B+=.B... |
| . * + rB.++ |
|o * . +a HD=) |
|== = o n* +o . |
|+o+ o + d S . |
|.+ . + o |
|o. . . m E |
|. g |
| |
+----[SHA256]-----+
Actual behavior
C:\Users\User>ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
You may need to touch your authenticator again to authorize key generation.
Key enrollment failed: invalid format
Error details
C:\Users\User>ssh-keygen -t ecdsa-sk -vvvv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: find_helper: using "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: Creating process with CREATE_NO_WINDOW
debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=73540
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=73540
Key enrollment failed: invalid format
Environment data
Name                           Value
----                           -----
PSVersion                      5.1.26100.1591
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.1591
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
Version
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 being run on Windows Terminal 1.21.2701.0 on Windows 11 24H2 build 26100.1742
Visuals
INFO THAT DIDN'T FIT ELSEWHERE
- ed25519-sk keys are not supported for storage at least on my Android phone and my Windows Device (Lenovo Thinkpad Yoga L13 2022).
- Specifying -O "resident" or not didn't change the actual behaviour.
- When performed on an elevated PowerShell or CMD prompt, even storing the keys locally on device by choosing an embedded Windows Hello enabled authentication method does not work, and gives the same error (Key enrollment failed: invalid format).