I have a setup with several on-demand SSH tunnels that I like to manage via Windows Services. I normally use Cygwin with its own OpenSSH (OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023), but have also tried Microsoft's OpenSSH port (OpenSSH_for_Windows_9.4p1, LibreSSL 3.7.3). I use Cygwin's cygrunsrv to manage these SSH tunnels as Windows Services, throwing autossh into the mix. I've been using this setup for about 10 years now, and it has worked amazingly well. Now I'm trying to get everything to work with a FIDO authenticator, and there's trouble.
With both abovementioned SSH implementations, I can successfully connect to a server with an ed25519_sk private key, touching my FIDO authenticator when asked.
However, I've been unsuccessful trying to get the user presence prompt when the connection is made via a Windows Service. The problem seems to be that Windows Services are detached from the user's desktop session and cannot easily interact with the user. Indeed, Microsoft recommends having a desktop application running that handles user interactions when needed by your service (at least as one of the solutions).
The question: Is there a way to interact with the user and allow the presence to be proven, when either port of SSH is running as a Windows Service?
What have I tried?
"Normal" connection attempts
Windows ssh interactively
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
Confirm user presence for key ED25519-SK SHA256:...
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
User presence confirmed
Authenticated to ...
Windows ssh as a Windows Service:
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:...
debug3: notify_start: cannot notify: no display
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: Creating process with CREATE_NO_WINDOW
debug3: spawning "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=18372
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=18372
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "C:\\Users\\.../.ssh/id_ed25519_sk": invalid format
Interactively it works; as a Windows Service it doesn't.
Cygwin ssh interactively
The success case with Cygwin OpenSSH is very similar to the Windows one (not reproduced here for brevity).
Cygwin ssh as a Windows Service
debug1: Offering public key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:...
debug3: no authentication agent, not adding key
debug3: notify_start: cannot notify: no display
debug3: start_helper: started pid=62202
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/sbin/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62202
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "/home/.../.ssh/id_ed25519_sk": invalid format
In both failing cases, the problem seems to be that no window can be created, i.e. direct interaction with the user is impossible as a Windows Service. This is in line with the changes since Windows Vista and the recommendation by Microsoft resources.
SSH agent-mediated connection attempts
Now I thought that SSH agent would help. Both Windows and Cygwin SSH work with their own respective ssh-agents successfully (output skipped, nothing interesting). However, when running as a Windows Service:
Windows ssh + ssh-agent:
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:...
sign_and_send_pubkey: signing failed for ED25519-SK "C:\\Users\\.../.ssh/id_ed25519_sk" from agent: agent refused operation
Cygwin ssh + ssh-agent:
debug1: Offering public key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using sk-ssh-ed25519@openssh.com SHA256:...
debug3: ssh_get_authentication_socket_path: path '~/.ssh-agent'
debug3: no authentication agent, not adding key
debug3: notify_start: cannot notify: no display
debug3: start_helper: started pid=62407
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/sbin/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62407
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "/home/.../.ssh/id_ed25519_sk": invalid format
I thought that the ssh-agent would solve the problem, but for some reason it didn't work.
Similar questions
"Why does ssh-agent with sk-ssh-ed25519@openssh.com key produces agent refused operation": this one seems fundamentally similar, albeit purely Linux-based.