15-CURRENT /usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 19 Apr 2025 03:22:21 UTC
Hello,
After attempting to update from
168d873ae41fd8bd40555322a79c9f215cb4cb9c[1] (2025-04-17 19:08:02 +0000),
to 7121e9414f294d116caeadd07ebd969136d3a631[2] (2025-04-18 00:30:11
+0000), I noticed that $(su -), $(doas su -), x11/slim, and physical
login were not working, when pam_ssh is configured for login. I was
still able to use $(doas some_cmd), so was able to git bisect. The
following commit[3] is claimed to the the first offending commit from
the git-bisect process:
The branch main has been updated by jlduran:
URL:
https://cgit.FreeBSD.org/src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87
commit 65d8491719bbc88ed45637d2381931c2d29cfe87
Author: Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-04-17 19:08:02 +0000
Commit: Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-04-17 19:12:39 +0000
secure: Adapt Makefile to ssh-sk-client everywhere
Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client
everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.
Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795
---
I am not sure if security/opendoas needed to be rebuilt, I did not
bother, because $(su -) threw the same error:
su: pam_start: System error
With the commit[3] of interest, dmesg produces the following, regarding
slim:
[12.609735] Apr 18 03:45:50 direwolf slim[42177]: in try_dlopen():
/usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol
"Fssh_sshsk_sign"
[12.609775] Apr 18 03:45:50 direwolf slim[42177]: in
openpam_load_module(): no pam_ssh.so found
I noticed three interesting changes in the commit[3]:
diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index f4c60c02c9eb..39083d007675 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -38,7 +38,6 @@ SRCS= ${LIBOPENSSH_SRCS} \
kexsntrup761x25519.c kexmlkem768x25519.c sntrup761.c kexgen.c \
sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \
sshbuf-io.c
-SRCS+= ssh-sk-client.c
I restored "SRCS+= ssh-sk-client.c" above. And I have restored all
opendoas operations, slim, and physical access.
diff --git a/secure/ssh.mk b/secure/ssh.mk
index 641343ac993a..84d9a7f57032 100644
--- a/secure/ssh.mk
+++ b/secure/ssh.mk
@@ -5,6 +5,7 @@
SSHDIR= ${SRCTOP}/crypto/openssh
SFTP_CLIENT_SRCS=sftp-common.c sftp-client.c sftp-glob.c
+SKSRCS= ssh-sk-client.c
CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
Above, ssh-sk-client.c is present in ssh.mk, should that enable
Fssh_sshsk_sign symbol visibility?
diff --git a/secure/usr.bin/ssh-keygen/Makefile
b/secure/usr.bin/ssh-keygen/Makefile
index 89e61e68ee55..c9205e71d219 100644
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ b/secure/usr.bin/ssh-keygen/Makefile
@@ -2,8 +2,7 @@
.include "${SRCTOP}/secure/ssh.mk"
PROG= ssh-keygen
-# XXX ssh-sk-client.c in libssh maybe?
-SRCS= ssh-keygen.c sshsig.c ssh-sk-client.c
+SRCS= ssh-keygen.c sshsig.c $(SKSRCS)
PACKAGE= ssh
LIBADD= crypto ssh
The XXX comment above seem to indicate there might be a problem with
removing ssh-sk-client.c from libssh.
1:
https://cgit.freebsd.org./src/commit/?id=168d873ae41fd8bd40555322a79c9f215cb4cb9c
2:
https://cgit.freebsd.org./src/commit/?id=7121e9414f294d116caeadd07ebd969136d3a631
3:
https://cgit.freebsd.org./src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87
--
To good health,
Alastair