Call for testing: OpenSSH 8.9

Corinna Vinschen vinschen at redhat.com
Thu Feb 17 20:28:21 AEDT 2022


[This mail was held back, awaiting moderator approval, because it
 had the "failed-*.log" files attached, so it was too big.  I'm sending
 it again now, just FTR, this time without the log files attached.]

On Feb 14 17:41, Damien Miller wrote:
> On Fri, 11 Feb 2022, Corinna Vinschen wrote:
> 
> > On Feb 10 15:18, Damien Miller wrote:
> > > Hi,
> > > 
> > > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a bugfix release.
> > 
> > Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> > test in hostkey-agent:
> > 
> > -------------
> >   FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
> >   FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
> > -------------
> > 
> > I'm building OpenSSH exactly as if I create a distro build, using the
> > following configuration options:
> > 
> >   --with-libedit
> >   --with-xauth=/usr/bin/xauth
> >   --disable-strip
> >   --without-hardening
> >   --with-security-key-builtin
> 
> It's passing for me with similar options (missing --with-libedit and
> --with-security-key-builtin). I'm using:

Hmm, this is puzzling...

Please note that Kerberos support is built in, too.  But this happens
automatically, so there's no explicit configure option.

> > CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin
> 
> >   debug1: kex: host key algorithm: (no match)
> >   Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
> >   Their offer:
> >   ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-
> >   cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e
> >   cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com
> >   ,ecdsa-sha2-nistp521-cert-v01@openssh.com^M
> > 
> > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> > above list of cert type offers.  What explanation could that have?
> 
> It looks like the server offer is missing all SK keytypes. What does
> 'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
> might have clues as to why.

Looks good to me:

$ grep ENABLE_SK config.h
#define ENABLE_SK /**/
#define ENABLE_SK_INTERNAL /**/

> I'll try it again on an image with libfido2 just to rule that out, though
> AFAIK it's not in the path for any of this (we use sk-dummy.so in the
> tests).

I attached my failed-*.log files again.  Curious: Despite defining
TEST_SSH_UNSAFE_PERMISSIONS=1 in the environment, the failed-sshd.log
file contains WARNING: UNPROTECTED PRIVATE KEY FILE! messages, plus
lines like these:

  Unable to load host key "/home/corinna/tmp/openssh/openssh-8.9p0-1.x86_64/build/regress/agent-key.ecdsa-sha2-nistp521.pub": bad permissions

However, these are pub files, not priv files.  Is it possible that
the test fails because srcdir != builddir?


Thanks,
Corinna



More information about the openssh-unix-dev mailing list