Cannot work with Windows Hello with ecdsa-sk since 25H2 #2408
Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Steps to reproduce
ssh-keygen -t ecdsa-sk
We select to store the key on This Windows, and then get a promption from Windows Hello to use fingerprint or face.
ssh user@a-host
It seems appearing after upgrade to 25H2 or 2025.10 monthly update.
Expected behavior
We should get a window that ask to use fingerprint or faceActual behavior
We get a prompt that we can select from:
* iPhone, iPad, or an Android device
* external USB security keyError details
debug1: process_sign: ready to sign with key ECDSA-SK, provider internal: msg len 326, compat 0x0
debug1: sshsk_sign: provider "internal", key ECDSA-SK, flags 0x01
webauthn_load: api version 7
winhello_get_assert: NotAllowedError -> FIDO_ERR_OPERATION_DENIED
fido_winhello_get_assert: winhello_get_assert
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_OPERATION_DENIED
debug1: sshsk_sign: sk_sign failed with code -3Environment data
Name Value
---- -----
PSVersion 5.1.26100.6899
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.26100.6899
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Version
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2, and In fact I have a try with v9.8.3.0p2-Preview
Visuals
No response