Bug 3121 - Without --with-security-key-builtin=yes, the tools give non-useful error logs
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 8.2p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Damien Miller
Blocks: V_8_3
Reported: 2020-02-18 21:27 AEDT by Jakub Jelen
Modified: 2021-04-23 14:57 AEST

Attachments
autoconf checks for libfido2 and headers (609 bytes, patch)
2020-03-13 14:58 AEDT, Damien Miller
dtucker: ok+

Description Jakub Jelen 2020-02-18 21:27:09 AEDT
In Fedora, we do not have libfido2, so I built OpenSSH without the --with-security-key-builtin=yes flag, and when trying to use the tools, one gets hard-to-decipher error messages:

$ ssh-keygen -t ecdsa-sk  -f /tmp/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "" dlsym(sk_api_version) failed: /usr/libexec/openssh/ssh-sk-helper: undefined symbol: sk_api_version
Key enrollment failed: invalid format


I think when there is no internal u2f support, no environment variable provided and no -w provided, we should fail earlier than when trying to dlopen a zero-length string.

I did not test other tools yet, but I assume they will be failing in a similar manner.
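
The fail-early check proposed in the description above, sketched as an added example; this is not OpenSSH's code and not the fix that was committed. The function name is hypothetical, and the `SSH_SK_PROVIDER` variable and the `internal` provider name are assumptions that do not appear in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not OpenSSH's code): pick the security-key provider
 * before anything reaches dlopen(). cli_provider is the -w argument,
 * env_provider the SSH_SK_PROVIDER value (either may be NULL), have_builtin
 * is nonzero for a --with-security-key-builtin=yes build.
 */
static const char *
resolve_sk_provider(const char *cli_provider, const char *env_provider,
    int have_builtin, char *err, size_t errlen)
{
	const char *p = NULL;
	/* Empty strings count as "not provided": that is the Provider "" case. */
	if (cli_provider != NULL && *cli_provider != '\0')
		p = cli_provider;
	else if (env_provider != NULL && *env_provider != '\0')
		p = env_provider;
	else if (have_builtin)
		p = "internal";

	if (p == NULL) {
		snprintf(err, errlen, "no security key provider: built without "
		    "security-key-builtin; use -w or set SSH_SK_PROVIDER");
		return NULL;
	}
	if (strcmp(p, "internal") == 0 && !have_builtin) {
		snprintf(err, errlen, "provider \"internal\" requested but "
		    "builtin support was not compiled in");
		return NULL;
	}
	return p;
}

int main(void)
{
	char err[160];
	/* Constructed input: no -w, no builtin, environment as found. */
	const char *p = resolve_sk_provider(NULL, getenv("SSH_SK_PROVIDER"),
	    0, err, sizeof(err));
	if (p == NULL) {
		fprintf(stderr, "ssh-keygen: %s\n", err);
		return 1;
	}
	printf("provider: %s\n", p);
	return 0;
}
```
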
Comment 1 Jakub Jelen 2020-02-18 23:08:16 AEDT
Additionally, configuring with --with-security-key-builtin=yes works even if there is no libfido2 installed, but fails as late as during build, which would be something to fix in the configure:

cc -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/  -pie -z relro -z now -fstack-protector-strong  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz  -lcrypt -lresolv -lselinux -lfido2 -lcbor
/usr/bin/ld: cannot find -lfido2
/usr/bin/ld: cannot find -lcbor
collect2: error: ld returned 1 exit status
make: *** [Makefile:242: ssh-sk-helper] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.jVOzdy (%build)
Comment 2 Damien Miller 2020-03-13 14:58:42 AEDT
Created attachment 3366
autoconf checks for libfido2 and headers

I added a better error message for the no-builtin case a couple of weeks ago. Here's a patch to improve the autoconf side of things.
Comment 3 Damien Miller 2020-04-17 14:54:01 AEST
This fix was accidentally committed in d081f017c2 rather than as its own commit. Anyway, it's there now and will be in openssh-8.3
Comment 4 Damien Miller 2021-04-23 14:57:02 AEST
closing resolved bugs as of 8.6p1 release