SSH 无法使用 FIDO2 resident keys

[z4yx]

RT，需要 debug

[z4yx]

结论 SSH 需要使用 FIDO 2.1 的 Credential Management 和 Credential Protection 特性，而当前固件（v1.5.2）只支持 FIDO 2.0，故无法使用。新版本预计会支持相关特性。

相关报错日志：

root@a1f762d739fd:/# ssh-keygen -vvv -t ed25519-sk -Oresident -Oapplication=ssh:lesser -f ~/.ssh/ed25519_sk_lesser
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
debug3: start_helper: started pid=3763
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:lesser", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device /dev/hidraw6
debug1: ssh_sk_enroll: /dev/hidraw6 does not support credprot, refusing to create unprotected resident/verify-required key
debug1: sshsk_enroll: provider "internal" returned failure -2
debug1: ssh-sk-helper: Enrollment failed: requested feature not supported
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -59
debug3: reap_helper: pid=3763
Key enrollment failed: requested feature not supported

对应源码，要求 Credential Protection 特性：
https://github.com/openssh/openssh-portable/blob/bd69e29f5716090181dbe0b8272eb7eab1a383bb/sk-usbhid.c#L820

在使用resident keys时需要 Credential Management 特性：
https://github.com/openssh/openssh-portable/blob/bd69e29f5716090181dbe0b8272eb7eab1a383bb/sk-usbhid.c#L1179

初步分析 SSH 需要该特性的原因是，要列举卡上的 RK，从而向服务器发送可用秘钥列表，由服务器决定用哪一个来认证。

[davy-ikv]

根據當前的 libfido2 實作，要求的應該是 CTAP2.1 Pre 的 prototype credential management (0x41) 而非 CTAP2.1 的 0x0A command

https://github.com/Yubico/libfido2/blob/main/src/credman.c#L123

[z4yx]

最新的v2.0.0版本固件已经支持管理功能，并在SSH上测试通过。