[Bug 3121] New: Without --with-security-key-builtin=yes, the tools give non-useful error logs

Tue Feb 18 21:27:09 AEDT 2020

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

            Bug ID: 3121
           Summary: Without --with-security-key-builtin=yes, the tools
                    give non-useful error logs
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

In Fedora, we do not have the libfido2 so I built the OpenSSH without
--with-security-key-builtin=yes flag and when trying to use the tools,
one gets hard-to-decipher error messages:

$ ssh-keygen -t ecdsa-sk  -f /tmp/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "" dlsym(sk_api_version) failed:
/usr/libexec/openssh/ssh-sk-helper: undefined symbol: sk_api_version
Key enrollment failed: invalid format

I think when there is no internal u2f support, no environment variable
provided and no -w provided we should fail earlier than when trying to
dlopen zero-lenght string.

I did not test other tools yet, but I assume they will be failing in
similar manner.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.