openssh bugs - Feb 2020 - [Bug 3121] New: Without --with-security-key-builtin=yes, the tools give non-useful error logs

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

            Bug ID: 3121
           Summary: Without --with-security-key-builtin=yes, the tools
                    give non-useful error logs
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

In Fedora, we do not have the libfido2 so I built the OpenSSH without
--with-security-key-builtin=yes flag and when trying to use the tools,
one gets hard-to-decipher error messages:

$ ssh-keygen -t ecdsa-sk  -f /tmp/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "" dlsym(sk_api_version) failed:
/usr/libexec/openssh/ssh-sk-helper: undefined symbol: sk_api_version
Key enrollment failed: invalid format


I think when there is no internal u2f support, no environment variable
provided and no -w provided we should fail earlier than when trying to
dlopen zero-lenght string.

I did not test other tools yet, but I assume they will be failing in
similar manner.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Additionally, configuring with --with-security-key-builtin=yes works
even if there is no libfido2 installed, but fails as late as during
build, which would be something to fix in the configure:

cc -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L.
-Lopenbsd-compat/  -pie -z relro -z now -fstack-protector-strong  -lssh
-lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz 
-lcrypt -lresolv -lselinux -lfido2 -lcbor
/usr/bin/ld: cannot find -lfido2
/usr/bin/ld: cannot find -lcbor
collect2: error: ld returned 1 exit status
make: *** [Makefile:242: ssh-sk-helper] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.jVOzdy (%build)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3366|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3366
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3366&action=edit
autoconf checks for libfido2 and headers

I added a better error message for the no-builtin case a couple of
weeks ago. Here's a patch to improve the autoconf side of things.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3117


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3366|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This fix was accidentally committed in d081f017c2 rather than as its
own commit. Anyway, it's there now and will be in openssh-8.3

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3121

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.