git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1

Guido Falsi madpilot at FreeBSD.org
Thu Sep 9 15:41:37 UTC 2021 

On 09/09/21 16:33, Kyle Evans wrote:
> On Thu, Sep 9, 2021 at 6:24 AM Guido Falsi <madpilot at freebsd.org> wrote:
>>
>> On 08/09/21 03:07, Ed Maste wrote:
>>> The branch main has been updated by emaste:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
>>>
>>> commit 19261079b74319502c6ffa1249920079f0f69a72
>>> Merge: c5128c48df3c 66719ee573ac
>>> Author:     Ed Maste <emaste at FreeBSD.org>
>>> AuthorDate: 2021-09-08 01:05:51 +0000
>>> Commit:     Ed Maste <emaste at FreeBSD.org>
>>> CommitDate: 2021-09-08 01:05:51 +0000
>>>
>>>       openssh: update to OpenSSH v8.7p1
>>>
>>>       Some notable changes, from upstream's release notes:
>>>
>>>       - sshd(8): Remove support for obsolete "host/port" syntax.
>>>       - ssh(1): When prompting whether to record a new host key, accept the key
>>>         fingerprint as a synonym for "yes".
>>>       - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
>>>         key, default to using the rsa-sha2-512 signature algorithm.
>>>       - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
>>>         (RSA/SHA1) algorithm from those accepted for certificate signatures.
>>>       - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
>>>         support to provide address-space isolation for token middleware
>>>         libraries (including the internal one).
>>>       - ssh(1): this release enables UpdateHostkeys by default subject to some
>>>         conservative preconditions.
>>>       - scp(1): this release changes the behaviour of remote to remote copies
>>>         (e.g. "scp host-a:/path host-b:") to transfer through the local host
>>>         by default.
>>>       - scp(1): experimental support for transfers using the SFTP protocol as
>>>         a replacement for the venerable SCP/RCP protocol that it has
>>>         traditionally used.
>>>
>>>       Additional integration work is needed to support FIDO/U2F in the base
>>>       system.
>>>
>>>       Deprecation Notice
>>>       ------------------
>>>
>>>       OpenSSH will disable the ssh-rsa signature scheme by default in the
>>>       next release.
>>>
>>>       Reviewed by:    imp
>>>       MFC after:      1 month
>>>       Relnotes:       Yes
>>>       Sponsored by:   The FreeBSD Foundation
>>>       Differential Revision:  https://reviews.freebsd.org/D29985
>>>
>>
>> While upgrading my current machines I encountered an issue with pam_ssh
>> which seems to be caused by this update.
>>
>> I filed a bug report with all the details:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
>>
>> Could you take a look?
>>
>> Seems to be caused by the ssh code trying to call a function available
>> only when FIDO/U2F support is enabled, which is not the case in our
>> source base.
>>
>> I tried a quick fix by adding some ifdefs, but it failed to make it
>> work, I'm still trying to find a solution myself.
>>
> 
> Looks like the reference in openssh/sshkey.c... probably the correct
> thing to do is add ssh-sk.c to the secure/lib/libssh build; it still
> requires additional integration for FIDO/U2F, though.
> 

You suggestion is correct, but adding only ssh-sk.c solved the error, 
but unmassked more missing symbols, I ended up adding "ssh-sk.c 
ssh-ecdsa-sk.c ssh-ed25519-sk.c".

Now things are back to normal for me.

I attached a patch to the bug report [1], I don't have any U2F/FIDO 
hardware so I can't test that and, egoistically, don't need it, but this 
patch at least fixes the regression, so I think it should be committed 
to head.

I can send the patch as a review if required.

Thanks for your suggestion Kyle!

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384

-- 
Guido Falsi <madpilot at FreeBSD.org>

More information about the dev-commits-src-main mailing list