Call for testing: OpenSSH 8.9
Corinna Vinschen
vinschen at redhat.com
Thu Feb 17 08:57:47 AEDT 2022
On Feb 11 19:54, Corinna Vinschen wrote:
> On Feb 11 22:25, Darren Tucker wrote:
> > On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen at redhat.com> wrote:
> >
> > > [...]
> > > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> > > above list of cert type offers. What explanation could that have?
> > >
> > [...]
> I've just built OpenSSH without the above flag and it builds and
> packages fine. Thanks for pointing this out! I will certainly build
> with hardening in future.
>
> I also ran the hostkey-agent test again, but yeah, hardening doesn't
> change the result. Still
>
> bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@openssh.com
>
> I'm going to run the entire testsuite now, but I don't expect any
> other problem.

I just reproduced this problem on Fedora 35. It's actually a result
of building in a dedicated build dir:

$ uname -a
Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ pwd
/src/openssh/src
$ mkdir ../build
$ cd ../build
$ ../src/configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
[...]
$ make t-exec LTESTS=hostkey-agent
[...]
run test hostkey-agent.sh ...
key type ssh-ed25519
key type ssh-rsa
key type ssh-dss
key type ecdsa-sha2-nistp256
key type ecdsa-sha2-nistp384
key type ecdsa-sha2-nistp521
cert type ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@openssh.com
cert type ssh-rsa-cert-v01@openssh.com
cert type rsa-sha2-256-cert-v01@openssh.com
cert type rsa-sha2-512-cert-v01@openssh.com
cert type ssh-dss-cert-v01@openssh.com
cert type ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type ecdsa-sha2-nistp384-cert-v01@openssh.com
cert type ecdsa-sha2-nistp521-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
failed hostkey agent
make[1]: *** [Makefile:221: t-exec] Error 1
make[1]: Leaving directory '/src/openssh/src/regress'
make: *** [Makefile:727: t-exec] Error 2

Now building in the source dir:

$ uname -a
Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ pwd
/src/openssh/src
$ ./configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
[...]
$ make t-exec LTESTS=hostkey-agent
[...]
run test hostkey-agent.sh ...
key type ssh-ed25519
key type sk-ssh-ed25519@openssh.com
key type ssh-rsa
key type ssh-dss
key type ecdsa-sha2-nistp256
key type ecdsa-sha2-nistp384
key type ecdsa-sha2-nistp521
key type sk-ecdsa-sha2-nistp256@openssh.com
cert type ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type ssh-rsa-cert-v01@openssh.com
cert type rsa-sha2-256-cert-v01@openssh.com
cert type rsa-sha2-512-cert-v01@openssh.com
cert type ssh-dss-cert-v01@openssh.com
cert type ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type ecdsa-sha2-nistp384-cert-v01@openssh.com
cert type ecdsa-sha2-nistp521-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
ok hostkey agent
make[1]: Leaving directory '/src/openssh/src/regress'
all t-exec passed

So the sk certs fail if builddir != srcdir, independent of the target.

Corinna