git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1
Guido Falsi
madpilot at FreeBSD.org
Thu Sep 9 15:41:37 UTC 2021
On 09/09/21 16:33, Kyle Evans wrote:
> On Thu, Sep 9, 2021 at 6:24 AM Guido Falsi <madpilot at freebsd.org> wrote:
>>
>> On 08/09/21 03:07, Ed Maste wrote:
>>> The branch main has been updated by emaste:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
>>>
>>> commit 19261079b74319502c6ffa1249920079f0f69a72
>>> Merge: c5128c48df3c 66719ee573ac
>>> Author: Ed Maste <emaste at FreeBSD.org>
>>> AuthorDate: 2021-09-08 01:05:51 +0000
>>> Commit: Ed Maste <emaste at FreeBSD.org>
>>> CommitDate: 2021-09-08 01:05:51 +0000
>>>
>>> openssh: update to OpenSSH v8.7p1
>>>
>>> Some notable changes, from upstream's release notes:
>>>
>>> - sshd(8): Remove support for obsolete "host/port" syntax.
>>> - ssh(1): When prompting whether to record a new host key, accept the key
>>> fingerprint as a synonym for "yes".
>>> - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
>>> key, default to using the rsa-sha2-512 signature algorithm.
>>> - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
>>> (RSA/SHA1) algorithm from those accepted for certificate signatures.
>>> - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
>>> support to provide address-space isolation for token middleware
>>> libraries (including the internal one).
>>> - ssh(1): this release enables UpdateHostkeys by default subject to some
>>> conservative preconditions.
>>> - scp(1): this release changes the behaviour of remote to remote copies
>>> (e.g. "scp host-a:/path host-b:") to transfer through the local host
>>> by default.
>>> - scp(1): experimental support for transfers using the SFTP protocol as
>>> a replacement for the venerable SCP/RCP protocol that it has
>>> traditionally used.
>>>
>>> Additional integration work is needed to support FIDO/U2F in the base
>>> system.
>>>
>>> Deprecation Notice
>>> ------------------
>>>
>>> OpenSSH will disable the ssh-rsa signature scheme by default in the
>>> next release.
>>>
>>> Reviewed by: imp
>>> MFC after: 1 month
>>> Relnotes: Yes
>>> Sponsored by: The FreeBSD Foundation
>>> Differential Revision: https://reviews.freebsd.org/D29985
>>>
>>
>> While upgrading my current machines I encountered an issue with pam_ssh
>> which seems to be caused by this update.
>>
>> I filed a bug report with all the details:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
>>
>> Could you take a look?
>>
>> Seems to be caused by the ssh code trying to call a function available
>> only when FIDO/U2F support is enabled, which is not the case in our
>> source base.
>>
>> I tried a quick fix by adding some ifdefs, but it failed to make it
>> work, I'm still trying to find a solution myself.
>>
>
> Looks like the reference in openssh/sshkey.c... probably the correct
> thing to do is add ssh-sk.c to the secure/lib/libssh build; it still
> requires additional integration for FIDO/U2F, though.
>
You suggestion is correct, but adding only ssh-sk.c solved the error,
but unmassked more missing symbols, I ended up adding "ssh-sk.c
ssh-ecdsa-sk.c ssh-ed25519-sk.c".
Now things are back to normal for me.
I attached a patch to the bug report [1], I don't have any U2F/FIDO
hardware so I can't test that and, egoistically, don't need it, but this
patch at least fixes the regression, so I think it should be committed
to head.
I can send the patch as a review if required.
Thanks for your suggestion Kyle!
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
--
Guido Falsi <madpilot at FreeBSD.org>
More information about the dev-commits-src-main
mailing list