On Feb 11 22:25, Darren Tucker wrote:
> On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen at redhat.com> wrote:
>
> > [...]
> > I wonder why sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com is not in the
> > above list of cert type offers. What explanation could that have?
> >
>
> I've just updated our win10 cygwin test VM to current and will attempt to
> reproduce with your config flags.
>
> > --without-hardening
> >
>
> Out of curiosity why do you need to disable the compiler hardening?

Actually... I *think* there was a problem with an older gcc or libc
version when trying to use FORTIFY_SOURCE and/or retpoline. I have to
admit I don't remember exactly.

> I
> don't think it's going to make a difference in the failure case you noted,
> but our build farm runs a VM with cygwin on win10 with the default
> configure flags which enables hardening and it passes.

I've just built OpenSSH without the above flag and it builds and
packages fine. Thanks for pointing this out! I will certainly build
with hardening in future.

I also ran the hostkey-agent test again, but yeah, hardening doesn't
change the result. Still

  bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01 at openssh.com

I'm going to run the entire testsuite now, but I don't expect any
other problem.

Thanks,
Corinna
On Feb 11 19:54, Corinna Vinschen wrote:
> On Feb 11 22:25, Darren Tucker wrote:
> > On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen at redhat.com> wrote:
> >
> > > [...]
> > > I wonder why sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com is not in the
> > > above list of cert type offers. What explanation could that have?
> > >
> > [...]
> I've just built OpenSSH without the above flag and it builds and
> packages fine. Thanks for pointing this out! I will certainly build
> with hardening in future.
>
> I also ran the hostkey-agent test again, but yeah, hardening doesn't
> change the result. Still
>
>   bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01 at openssh.com
>
> I'm going to run the entire testsuite now, but I don't expect any
> other problem.

I just reproduced this problem on Fedora 35. It's actually a result of
building in a dedicated build dir:

  $ uname -a
  Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  $ pwd
  /src/openssh/src
  $ mkdir ../build
  $ cd ../build
  $ ../src/configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
  [...]
  $ make t-exec LTESTS=hostkey-agent
  [...]
  run test hostkey-agent.sh ...
  key type ssh-ed25519
  key type ssh-rsa
  key type ssh-dss
  key type ecdsa-sha2-nistp256
  key type ecdsa-sha2-nistp384
  key type ecdsa-sha2-nistp521
  cert type ssh-ed25519-cert-v01 at openssh.com
  cert type sk-ssh-ed25519-cert-v01 at openssh.com
  cert type sk-ssh-ed25519-cert-v01 at openssh.com failed
  bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01 at openssh.com
  cert type ssh-rsa-cert-v01 at openssh.com
  cert type rsa-sha2-256-cert-v01 at openssh.com
  cert type rsa-sha2-512-cert-v01 at openssh.com
  cert type ssh-dss-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp256-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp384-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp521-cert-v01 at openssh.com
  cert type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
  cert type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com failed
  bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
  failed hostkey agent
  make[1]: *** [Makefile:221: t-exec] Error 1
  make[1]: Leaving directory '/src/openssh/src/regress'
  make: *** [Makefile:727: t-exec] Error 2

Now building in the source dir:

  $ uname -a
  Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  $ pwd
  /src/openssh/src
  $ ./configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
  [...]
  $ make t-exec LTESTS=hostkey-agent
  [...]
  run test hostkey-agent.sh ...
  key type ssh-ed25519
  key type sk-ssh-ed25519 at openssh.com
  key type ssh-rsa
  key type ssh-dss
  key type ecdsa-sha2-nistp256
  key type ecdsa-sha2-nistp384
  key type ecdsa-sha2-nistp521
  key type sk-ecdsa-sha2-nistp256 at openssh.com
  cert type ssh-ed25519-cert-v01 at openssh.com
  cert type sk-ssh-ed25519-cert-v01 at openssh.com
  cert type ssh-rsa-cert-v01 at openssh.com
  cert type rsa-sha2-256-cert-v01 at openssh.com
  cert type rsa-sha2-512-cert-v01 at openssh.com
  cert type ssh-dss-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp256-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp384-cert-v01 at openssh.com
  cert type ecdsa-sha2-nistp521-cert-v01 at openssh.com
  cert type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
  ok hostkey agent
  make[1]: Leaving directory '/src/openssh/src/regress'
  all t-exec passed

So the sk certs fail if builddir != srcdir, independent of the target.

Corinna
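An added example, not part of the thread or of the OpenSSH regress harness: a small Python parser over the two hostkey-agent transcripts above that reports which cert types fail only in the out-of-tree run and which key types that run never exercised. The excerpts are abridged from the quoted output, and the line patterns are my reading of the trace lines, not a format the harness documents.

```python
import re
# Abridged from the two transcripts quoted above (constructed excerpt; the list
# archive renders "@" as " at ", restored here). Out-of-tree run first.
OUT_OF_TREE = """\
key type ssh-ed25519
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
failed hostkey agent
"""
IN_TREE = """\
key type ssh-ed25519
key type sk-ssh-ed25519@openssh.com
key type sk-ecdsa-sha2-nistp256@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
ok hostkey agent
"""
LINE_RE = re.compile(r"^(?:(key|cert) type (\S+)( failed)?"
                     r"|bad SSH_CONNECTION key type (\S+)"
                     r"|(ok|failed) hostkey agent)$")

def parse_regress(log):
    """Key types exercised, failed cert types and verdict of one transcript."""
    res = {"key_types": [], "failed": set(), "verdict": None}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # make/trace noise we do not need
        kind, name, failed, bad_name, verdict = m.groups()
        if kind == "key":
            res["key_types"].append(name)
        elif (kind == "cert" and failed) or bad_name:
            res["failed"].add(name or bad_name)   # both lines name the same cert
        elif verdict:
            res["verdict"] = verdict
    return res

def compare_runs(good, bad):
    """Diff passing vs failing run; flags whether every new failure is sk-*."""
    g, b = parse_regress(good), parse_regress(bad)
    new = sorted(b["failed"] - g["failed"])
    return {"new_failures": new,
            "missing_key_types": sorted(set(g["key_types"]) - set(b["key_types"])),
            "only_sk": bool(new) and all(n.startswith("sk-") for n in new),
            "verdicts": (g["verdict"], b["verdict"])}
```

Run on the two excerpts, `compare_runs(IN_TREE, OUT_OF_TREE)` reports both sk cert types as new failures and both sk key types as never exercised out of tree, which is the pattern the message above describes.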