In Fedora, we do not have the libfido2 so I built the OpenSSH without --with-security-key-builtin=yes flag and when trying to use the tools, one gets hard-to-decipher error messages:

$ ssh-keygen -t ecdsa-sk -f /tmp/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "" dlsym(sk_api_version) failed: /usr/libexec/openssh/ssh-sk-helper: undefined symbol: sk_api_version
Key enrollment failed: invalid format

I think when there is no internal u2f support, no environment variable provided and no -w provided we should fail earlier than when trying to dlopen zero-length string. I did not test other tools yet, but I assume they will be failing in a similar manner.
Additionally, configuring with --with-security-key-builtin=yes works even if there is no libfido2 installed, but fails as late as during build, which would be something to fix in the configure:

cc -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -pie -z relro -z now -fstack-protector-strong -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -lcrypt -lresolv -lselinux -lfido2 -lcbor
/usr/bin/ld: cannot find -lfido2
/usr/bin/ld: cannot find -lcbor
collect2: error: ld returned 1 exit status
make: *** [Makefile:242: ssh-sk-helper] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.jVOzdy (%build)
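The early check proposed in the report above, as an added sketch that is not OpenSSH code and not part of the original thread: it refuses an empty provider before any dlopen() call and only then looks up sk_api_version. The function names, result codes and the precedence of -w over SSH_SK_PROVIDER are assumptions of this sketch; the /nonexistent path in the test is constructed.

```c
/* Added sketch, not OpenSSH source: names and result codes are hypothetical. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

enum sk_check { SK_OK, SK_NO_PROVIDER, SK_NO_BUILTIN, SK_DLOPEN_FAILED, SK_NO_API };

/* Assumed precedence: -w argument, then SSH_SK_PROVIDER, then the builtin. */
static const char *pick_provider(const char *w_arg, const char *env, int builtin)
{
    if (w_arg != NULL && *w_arg != '\0')
        return w_arg;
    if (env != NULL && *env != '\0')
        return env;
    return builtin ? "internal" : NULL;
}

enum sk_check check_provider(const char *w_arg, const char *env, int builtin)
{
    const char *path = pick_provider(w_arg, env, builtin);
    enum sk_check r = SK_OK;
    void *h;

    /* Stop here instead of handing "" to dlopen(): glibc resolves an empty
     * name to the running program, so the failure only surfaces at dlsym(). */
    if (path == NULL)
        return SK_NO_PROVIDER;
    if (strcmp(path, "internal") == 0)
        return builtin ? SK_OK : SK_NO_BUILTIN;
    if ((h = dlopen(path, RTLD_NOW)) == NULL)
        return SK_DLOPEN_FAILED;
    if (dlsym(h, "sk_api_version") == NULL)
        r = SK_NO_API;          /* library loaded but is not a provider */
    dlclose(h);
    return r;
}

int main(void)
{
    static const char *msg[] = {
        "provider usable", "no provider: use -w or set SSH_SK_PROVIDER",
        "built without internal security key support",
        "provider library could not be loaded", "provider lacks sk_api_version" };
    /* Constructed case from the report: no -w, no variable, no builtin. */
    enum sk_check r = check_provider(NULL, NULL, 0);
    printf("%s\n", msg[r]);
    return r == SK_NO_PROVIDER ? 0 : 1;
}
```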
Created attachment 3366
autoconf checks for libfido2 and headers

I added a better error message for the no-builtin case a couple of weeks ago. Here's a patch to improve the autoconf side of things.
This fix was accidentally committed in d081f017c2 rather than as its own commit. Anyway, it's there now and will be in openssh-8.3
closing resolved bugs as of 8.6p1 release