[Bug 3877] New: Regression when trying to free CA keys in ssh-keygen
bugzilla-daemon at mindrot.org
Wed Oct 8 22:11:34 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3877
Bug ID: 3877
Summary: Regression when trying to free CA keys in ssh-keygen
Product: Portable OpenSSH
Version: 10.1p1
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
In Debian, we noticed that the ssh-agent-filter package's tests fail
against OpenSSH 10.1p1. An example log is at
https://ci.debian.net/packages/s/ssh-agent-filter/testing/amd64/65004014/,
and since that may expire and the output is quite short I'll copy it
here:
Agent pid 972
Identity added: key0 (key0)
Identity added: key1 (key1)
test_list_filter
test_sign_filter
ASSERT:
test_confirmation
ASSERT:
ASSERT:
Ran 3 tests.
FAILED (failures=3)
I bisected this to
https://anongit.mindrot.org/openssh.git/commit/?id=846987d1233f24bbe87ebed347e328f45525388a
(applying
https://anongit.mindrot.org/openssh.git/commit/?id=1362f6c0f4ca3306a201a6572bb9ec0d47d8edb3
to fix the build on Linux); specifically it's due to the addition of
sshkey_free(ca) in do_ca_sign. Here's a cut-down reproducer, to be run
in a temporary directory:
$ ssh-agent sh -c 'ssh-keygen -q -t ed25519 -N "" -C key0 -f key0 && \
    ssh-keygen -q -t ed25519 -N "" -C key1 -f key1 && ssh-add key0 key1 && \
    rm key0 key1 && ssh-keygen -Us key1 -I identify key0; echo $?; \
    rm -f key0* key1*'
Identity added: key0 (key0)
Identity added: key1 (key1)
Signed user key key0-cert.pub: id "identify" serial 0 valid forever
pkcs11_key_free: no helper for ED25519 key
255
https://anongit.mindrot.org/openssh.git/commit/?id=a8c0e5c871c0c7ee5ae93e353b1499a53c09c71d
is clearly related. It's not specific to Ed25519; RSA and ECDSA behave
the same way.
It seems that ssh-keygen is setting SSHKEY_FLAG_EXT in ca->flags, which
causes sshkey_free_contents to call pkcs11_key_free, which assumes that
a helper has been started even though that isn't the case here. But
I'm not quite sure what the right approach to fixing this should be;
should ssh-keygen be arranging to start a helper somehow, or should
something between sshkey_free_contents and pkcs11_key_free arrange for
this situation not to be a fatal error?