On Feb 10 15:18, Damien Miller wrote:
> Hi,
>
> OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
test in hostkey-agent:

-------------
debug1: kex: host key algorithm: (no match)
Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
Their offer:
ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-
cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e
cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com
,ecdsa-sha2-nistp521-cert-v01@openssh.com^M
FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
-------------

I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
above list of cert type offers. What explanation could that have?

I'm building OpenSSH exactly as if I create a distro build, using the
following configuration options:

  --with-libedit
  --with-xauth=/usr/bin/xauth
  --disable-strip
  --without-hardening
  --with-security-key-builtin

Thanks,
Corinna

On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen at redhat.com> wrote:
> [...]
> I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> above list of cert type offers. What explanation could that have?
>

I've just updated our win10 cygwin test VM to current and will attempt to
reproduce with your config flags.

> --without-hardening

Out of curiosity why do you need to disable the compiler hardening? I
don't think it's going to make a difference in the failure case you noted,
but our build farm runs a VM with cygwin on win10 with the default
configure flags which enables hardening and it passes.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Fri, 11 Feb 2022, Corinna Vinschen wrote:
> On Feb 10 15:18, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> test in hostkey-agent:
>
> -------------
> FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
> FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
> -------------
>
> I'm building OpenSSH exactly as if I create a distro build, using the
> following configuration options:
>
> --with-libedit
> --with-xauth=/usr/bin/xauth
> --disable-strip
> --without-hardening
> --with-security-key-builtin

It's passing for me with similar options (missing --with-libedit and
--with-security-key-builtin). I'm using:

> CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin

> debug1: kex: host key algorithm: (no match)
> Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
> Their offer:
> ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-
> cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e
> cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com
> ,ecdsa-sha2-nistp521-cert-v01@openssh.com^M
>
> I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> above list of cert type offers. What explanation could that have?

It looks like the server offer is missing all SK keytypes. What does
'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
might have clues as to why.

I'll try it again on an image with libfido2 just to rule that out, though
AFAIK it's not in the path for any of this (we use sk-dummy.so in the
tests).

-d
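
Added example, not part of the thread and not OpenSSH project code: a shell sketch of the two checks discussed above, rejoining the terminal-wrapped "Their offer:" list to see whether any sk-* type is offered, then checking ENABLE_SK in config.h. The function names are hypothetical, the config.h content in the demo is constructed, and the script assumes an autoconf-style config.h.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): triage "no matching host key type found".

# offer_types FILE: print the host key types listed after "Their offer:", one per line.
# Tolerates output pasted from a terminal: wrapped mid-name, trailing CR or "^M".
offer_types() {
    tr -d '\r' < "$1" | sed 's/\^M$//' | awk '
        /Their offer:/ { sub(/.*Their offer:[ \t]*/, ""); grab = 1; buf = $0; next }
        # continuation lines hold only key-type characters; a dashed rule ends the list
        grab && /^[A-Za-z0-9@.,_-]+$/ && !/^-+$/ { buf = buf $0; next }
        { grab = 0 }
        END { n = split(buf, t, ","); for (i = 1; i <= n; i++) if (t[i] != "") print t[i] }'
}

# offer_has_sk FILE: succeed if any offered type is a security-key (sk-*) type.
offer_has_sk() { offer_types "$1" | grep -q '^sk-'; }

# sk_enabled CONFIG_H: succeed if ENABLE_SK is actively defined.
# Assumption: autoconf-style config.h, where a disabled option is a commented "#undef".
sk_enabled() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+ENABLE_SK([[:space:]]|$)' "$1"
}

# triage LOG CONFIG_H: print one line saying where to look next.
triage() {
    if offer_has_sk "$1"; then echo "sk types are offered by the server"
    elif sk_enabled "$2"; then echo "ENABLE_SK defined but no sk types offered: run-time issue"
    else echo "ENABLE_SK not defined: check config.log"
    fi
}

# Demo: the offer lines are the ones quoted in the report; config.h is constructed.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Their offer:' \
      'ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-' \
      'cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e' \
      'cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com' \
      ',ecdsa-sha2-nistp521-cert-v01@openssh.com^M' \
      'FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed' > "$d/log"
    printf '/* #undef ENABLE_SK */\n' > "$d/config.h"
    triage "$d/log" "$d/config.h"
    rm -rf "$d"
}
demo
```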