Call for testing: OpenSSH 8.9

Damien Miller djm at mindrot.org
Mon Feb 14 17:41:19 AEDT 2022


On Fri, 11 Feb 2022, Corinna Vinschen wrote:

> On Feb 10 15:18, Damien Miller wrote:
> > Hi,
> > 
> > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
> 
> Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> test in hostkey-agent:
> 
> -------------
>   FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
>   FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
> -------------
> 
> I'm building OpenSSH exactly as if I create a distro build, using the
> following configuration options:
> 
>   --with-libedit
>   --with-xauth=/usr/bin/xauth
>   --disable-strip
>   --without-hardening
>   --with-security-key-builtin

It's passing for me with similar options (missing --with-libedit and
--with-security-key-builtin). I'm using:

> CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin

>   debug1: kex: host key algorithm: (no match)
>   Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
>   Their offer:
>   ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com^M
> 
> I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> above list of cert type offers.  What explanation could that have?

It looks like the server offer is missing all SK keytypes. What does
'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
might have clues as to why.

I'll try it again on an image with libfido2 just to rule that out, though
AFAIK it's not in the path for any of this (we use sk-dummy.so in the
tests).

-d
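
The two checks discussed in this message (whether config.h enables ENABLE_SK, and whether a host key offer contains any sk-* types), as an added shell example that is not part of the original message or of the OpenSSH test suite. The function names and the sample config.h are constructed for illustration and assume the usual autoconf "#define" / "/* #undef */" layout; the offer string is the one quoted above.

```shell
#!/bin/sh
# Added example: helper names and sample file contents are constructed.

# sk_state FILE: print "enabled" if FILE has an active "#define ENABLE_SK",
# "disabled" if autoconf left "/* #undef ENABLE_SK */", otherwise "unknown".
# The trailing space/end-of-line test keeps ENABLE_SK_INTERNAL from matching.
sk_state() {
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+ENABLE_SK([[:space:]]|$)' "$1"; then
        echo enabled
    elif grep -Eq '#[[:space:]]*undef[[:space:]]+ENABLE_SK([[:space:]]|$)' "$1"; then
        echo disabled
    else
        echo unknown
    fi
}

# sk_offered LIST: print every sk-* name in a comma-separated host key
# offer, one per line. Empty output means no SK key types were offered.
# Spaces and carriage returns (the ^M seen in the log) are dropped first.
sk_offered() {
    printf '%s\n' "$1" | tr -d ' \r' | tr ',' '\n' | grep '^sk-' || true
}

# Server offer as quoted in the failing test output above.
OFFER='ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com'

# Constructed config.h fragment for a build where SK support was not enabled.
sample=$(mktemp)
printf '%s\n' '/* #undef ENABLE_SK */' '/* #undef ENABLE_SK_INTERNAL */' > "$sample"

echo "ENABLE_SK in sample config.h: $(sk_state "$sample")"
found=$(sk_offered "$OFFER")
if [ -z "$found" ]; then
    echo "offer contains no sk-* key types"
else
    echo "sk-* key types offered:"
    echo "$found"
fi
rm -f "$sample"
```

To use it on a real build, call sk_state on the config.h in the build directory instead of the sample file.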