Yubikey uhid(4) problem? (PR 263995)
Date: Thu, 19 May 2022 12:20:14 UTC
From the 13.1 release announcement:
| * The use of FIDO/U2F hardware authenticators has been enabled in ssh,
| using the new public key types ecdsa-sk and ed25519-sk, along with
| corresponding certificate types.
I'm trying to use this on 13.1-STABLE/amd64 with a USB-attached
FIDO authenticator (Yubico Security Key). It works in principle
but not reliably. After excluding other possibilities, I wonder
if that's due to a USB problem.
I have collected more information at...
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263995
... but I'll summarize:
uhid1: <Yubico YubiKey FIDO, class 0/0, rev 2.00/5.43, addr 14> on usbus0
For about one out of three authentication attempts, ssh-sk-helper(8)
hangs while talking to the authenticator over a uhid(4) device.
There are full ktrace dumps attached to the PR, but the relevant
part is this:
71467 ssh-sk-helper CALL openat(AT_FDCWD,0x801e22060,0x2<O_RDWR>)
71467 ssh-sk-helper NAMI "/dev/uhid1"
71467 ssh-sk-helper RET openat 3
71467 ssh-sk-helper CALL fstat(0x3,0x7fffffffe0b0)
71467 ssh-sk-helper STRU struct stat {dev=1895890688, ino=538, mode=020664, nlink=1, uid=0, gid=116, rdev=538, atime=1652708407, mtime=1652708973, ctime=1652708973, birthtime=-1, size=0, blksize=4096, blocks=0, flags=0x0 }
71467 ssh-sk-helper RET fstat 0
71467 ssh-sk-helper CALL ioctl(0x3,HIDRAW_GET_REPORT_DESC,0x7fffffffe1c0)
71467 ssh-sk-helper RET ioctl 0
71467 ssh-sk-helper CALL write(0x3,0x7fffffffe1c1,0x40)
71467 ssh-sk-helper GIO fd 3 wrote 64 bytes
0x0000 ffff ffff 8600 08be d2ad 6cec a1e4 b200 |..........l.....|
0x0010 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 |................|
71467 ssh-sk-helper RET write 64/0x40
71467 ssh-sk-helper CALL ppoll(0x7fffffffe130,0x1,0,0)
ssh-sk-helper opens a uhid device and writes a CTAPHID_INIT message
to it. When authentication works, ssh-sk-helper receives a reply
from the uhid device and some further messages are exchanged. When
it hangs, ssh-sk-helper simply sits in the ppoll(2) waiting for a
response that never comes. I have fixed truss(1) to decode ppoll(2)'s
arguments and the correct file descriptor is passed.
I don't see how this can be a bug in ssh-sk-helper.
Using my backup authenticator or different USB ports doesn't make
any difference. Also, I cannot reproduce the problem on OpenBSD.
Is this a problem at the USB level?
I have now enabled hw.usb.uhid.debug=1.
When there is a successful authentication exchange, there are
a number of "uhid_intr_read_callback: transferred!" messages.
When ssh-sk-helper hangs, there are none.
I don't know how to debug this any further.
--
Christian "naddy" Weisgerber naddy@mips.inka.de
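
Added example, not part of the original message and not code from ssh-sk-helper or libfido2: it decodes the 64 bytes from the GIO dump above as a CTAPHID packet and checks what the matching CTAPHID_INIT reply, the one the helper waits for in ppoll(2), has to contain. The reply bytes (new channel id, version and capability fields) are constructed for illustration; the 17-byte INIT response layout follows the CTAP HID specification.

```python
import struct

# The 64 bytes ssh-sk-helper wrote to /dev/uhid1, copied from the GIO dump above.
KTRACE_GIO = """\
0x0000 ffff ffff 8600 08be d2ad 6cec a1e4 b200 |..........l.....|
0x0010 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 |................|
"""
BROADCAST_CID = 0xFFFFFFFF
COMMANDS = {0x01: "PING", 0x03: "MSG", 0x06: "INIT", 0x10: "CBOR",
            0x11: "CANCEL", 0x3B: "KEEPALIVE", 0x3F: "ERROR"}

def gio_to_bytes(dump):
    """Turn ktrace GIO hex-dump lines back into the raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if line.startswith("0x"):
            words = line.split("|", 1)[0].split()[1:]  # drop offset and ASCII column
            raw += bytes.fromhex("".join(words))
    return bytes(raw)

def decode_ctaphid(packet):
    """Decode one 64-byte CTAPHID packet (initialization or continuation)."""
    if len(packet) != 64:
        raise ValueError("expected a 64-byte HID report, got %d" % len(packet))
    cid, first = struct.unpack_from(">IB", packet)
    if not first & 0x80:  # high bit clear: continuation packet, byte 4 is SEQ
        return {"kind": "cont", "cid": cid, "seq": first, "payload": packet[5:]}
    (bcnt,) = struct.unpack_from(">H", packet, 5)  # big-endian payload length
    cmd = first & 0x7F
    return {"kind": "init", "cid": cid, "cmd": COMMANDS.get(cmd, hex(cmd)),
            "bcnt": bcnt, "payload": packet[7:7 + min(bcnt, 57)]}

def is_init_reply(request, reply):
    """True if reply is the CTAPHID_INIT response echoing request's nonce."""
    return (reply["kind"] == "init" and reply["cmd"] == "INIT"
            and reply["cid"] == request["cid"] and reply["bcnt"] == 17
            and reply["payload"][:8] == request["payload"])

request = decode_ctaphid(gio_to_bytes(KTRACE_GIO))
# Constructed reply: echoed nonce, then made-up new CID (4 bytes), protocol
# version (1), device version (3) and capability flags (1) = 17 payload bytes.
reply_raw = (bytes.fromhex("ffffffff860011") + request["payload"]
             + bytes.fromhex("000100020205040305")).ljust(64, b"\0")
reply = decode_ctaphid(reply_raw)

if __name__ == "__main__":
    print(request["cmd"], hex(request["cid"]), request["payload"].hex())
    print("reply matches request:", is_init_reply(request, reply))
```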