[Bug 3877] New: Regression when trying to free CA keys in ssh-keygen

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Oct 8 22:11:34 AEDT 2025 

https://bugzilla.mindrot.org/show_bug.cgi?id=3877

            Bug ID: 3877
           Summary: Regression when trying to free CA keys in ssh-keygen
           Product: Portable OpenSSH
           Version: 10.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

In Debian, we noticed that the ssh-agent-filter package's tests fail
against OpenSSH 10.1p1.  An example log is at
https://ci.debian.net/packages/s/ssh-agent-filter/testing/amd64/65004014/,
and since that may expire and the output is quite short I'll copy it
here:

  Agent pid 972
  Identity added: key0 (key0)
  Identity added: key1 (key1)
  test_list_filter
  test_sign_filter
  ASSERT:
  test_confirmation
  ASSERT:
  ASSERT:

  Ran 3 tests.

  FAILED (failures=3)

I bisected this to
https://anongit.mindrot.org/openssh.git/commit/?id=846987d1233f24bbe87ebed347e328f45525388a
(applying
https://anongit.mindrot.org/openssh.git/commit/?id=1362f6c0f4ca3306a201a6572bb9ec0d47d8edb3
to fix the build on Linux); specifically it's due to the addition of
sshkey_free(ca) in do_ca_sign.  Here's a cut-down reproducer, to be run
in a temporary directory:

  $ ssh-agent sh -c 'ssh-keygen -q -t ed25519 -N "" -C key0 -f key0 &&
ssh-keygen -q -t ed25519 -N "" -C key1 -f key1 && ssh-add key0 key1 &&
rm key0 key1 && ssh-keygen -Us key1 -I identify key0; echo $?; rm -f
key0* key1*'
  Identity added: key0 (key0)
  Identity added: key1 (key1)
  Signed user key key0-cert.pub: id "identify" serial 0 valid forever
  pkcs11_key_free: no helper for ED25519 key
  255

https://anongit.mindrot.org/openssh.git/commit/?id=a8c0e5c871c0c7ee5ae93e353b1499a53c09c71d
is clearly related.  It's not specific to Ed25519; RSA and ECDSA behave
the same way.

It seems that ssh-keygen is setting SSHKEY_FLAG_EXT in ca->flags, which
causes sshkey_free_contents to call pkcs11_key_free, which assumes that
a helper has been started even though that isn't the case here.  But
I'm not quite sure what the right approach to fixing this should be;
should ssh-keygen be arranging to start a helper somehow, or should
something between sshkey_free_contents and pkcs11_key_free arrange for
this situation not to be a fatal error?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list