FS#59730 - [openssl] openssl 1.1.0.i-1 breaks ssh authentication agent

Attached to Project: Arch Linux
Opened by Maxime Wack (SataMaxx) - Monday, 20 August 2018, 23:59 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 31 May 2023, 06:56 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

The recent update to openssl 1.1.0.i-1 breaks ssh public key authentication.
Every other package is up to date.

When trying to connect to a server using public key authentication, the connection fails with:
Load key "/home/user/.ssh/id_rsa": invalid format
user@server: Permission denied (publickey).

$ ssh-add ~/.ssh/id_rsa
gives "Could not open a connection to your authentication agent".

Downgrading to openssl 1.1.0.h-1 corrects the behavior.

Closed by  Toolybird (Toolybird)
Wednesday, 31 May 2023, 06:56 GMT
Reason for closing:  No response
Additional comments about closing:  Assuming fixed. But if still an issue, please report upstream.
Comment by Daniel M. Capella (polyzen) - Tuesday, 21 August 2018, 00:55 GMT
Haven't had any issues with it, here.
Comment by Maxime Wack (SataMaxx) - Tuesday, 21 August 2018, 11:58 GMT
The key is an ssh-rsa key with DEK-Info: AES-128-CBC.
The issue is reproduced on multiple different computers (using the same key).
Comment by Hi (raylz) - Tuesday, 21 August 2018, 14:21 GMT
Same issue here, can confirm this.
Comment by Pierre Schmitz (Pierre) - Tuesday, 21 August 2018, 14:29 GMT
SSH agent works for me here. I suggest reporting this upstream as it is probably not a packaging issue.
Comment by mancha (mancha) - Tuesday, 28 August 2018, 21:15 GMT
OpenSSH doesn't officially support OpenSSL 1.1.0. Arch Linux patches OpenSSH to allow this configuration.

The problem some of you are encountering is due to a change in how OpenSSL 1.1.0i handles empty passwords. You can read my analysis here: https://marc.info/?l=openssh-unix-dev&m=153548618712441&w=4.
Comment by Maxime Wack (SataMaxx) - Tuesday, 28 August 2018, 21:37 GMT
Thanks for the report @mancha!
Comment by loqs (loqs) - Tuesday, 28 August 2018, 23:07 GMT
Reverting 36d2517a97f6020049116492b4d5491d177e629c might be the fix with the least amount of code change.
Comment by Doron Behar (doronbehar) - Sunday, 16 September 2018, 14:25 GMT
I'm experiencing a problem with `isync` which stopped being able to sync my Gmail IMAP folder. It keeps giving me the error:

SSL error connecting imap.gmail.com ( self signed certificate

Since I sync my maildir with a systemd user service and timer, I've compared pacman's log with my journal and I've found that right after the openssl update, the errors started to appear in the journal.
Comment by Eli Schwartz (eschwartz) - Sunday, 16 September 2018, 14:59 GMT
Please don't spam random bug reports mentioning openssl, especially since the issue is obviously isync instead. And especially since this bug report long predates your isync issue.

See FS#60077 for your real problem.
Comment by Doron Behar (doronbehar) - Sunday, 16 September 2018, 17:31 GMT
Thanks Eli, I couldn't figure it out myself and I didn't find your bug for isync when I searched for open bugs.
Comment by Hi (raylz) - Wednesday, 26 September 2018, 12:45 GMT
PS: my keys have a passphrase set and it fails as well, even with the latest 1.1.1 version
Comment by Maxime Wack (SataMaxx) - Tuesday, 02 October 2018, 01:03 GMT
To those affected, I found a fix (at least in my situation). Turns out I created my ssh key with the old passphrase encryption, and changing it to the new, more secure password encryption format (see https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key.27s_passphrase_without_changing_the_key) fixed the compatibility problem with recent versions of openssl.

edit: you have to do this with openssl < 1.1.0.i, then upgrade to openssl 1.1.1
WARNING: now libcurl depends on the new openssl and you can get yourself in an unpleasant situation where curl is broken, hence pacman, so you'd have to manually replace libcurl.so.4 to get it working again and fix your mess.
If you need to downgrade from openssl 1.1.1 to accomplish this step, remember to downgrade curl too!
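A check that goes with the conversion advice in the comment above, added here as an example and not code from the bug report, OpenSSH, OpenSSL or Arch: it classifies private key files by their on-disk envelope, flagging legacy PEM keys carrying an RFC 1421 `DEK-Info` header (the `ssh-rsa` key with `DEK-Info: AES-128-CBC` the reporter describes) and telling them apart from unencrypted PEM and from the new `openssh-key-v1` format, whose cipher name is stored at the start of the base64 blob rather than in a header. The base64 bodies in the samples are constructed placeholders, not real key material, and the function and field names are this example's own.

```python
"""Classify SSH private key files by on-disk envelope.

Added example for this bug report; not code from OpenSSH, OpenSSL or Arch.
Reads only the PEM armour, the RFC 1421 headers (Proc-Type / DEK-Info) and,
for the new format, the cipher name at the start of the openssh-key-v1 blob.
Nothing is decrypted. Function and field names are this example's own.
"""
import base64
import re
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional


@dataclass
class KeyInfo:
    envelope: str            # PEM label, e.g. "RSA PRIVATE KEY"
    legacy_pem: bool         # PEM/PKCS container rather than openssh-key-v1
    encrypted: bool
    cipher: Optional[str]    # DEK-Info cipher or openssh-key-v1 cipher name
    legacy_dek_info: bool    # the reporter's combination: legacy PEM + DEK-Info


def _parse_pem(text: str):
    """Split PEM armour into (label, RFC 1421 headers, joined base64 body)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty key file")
    m = re.fullmatch(r"-----BEGIN (.+?)-----", lines[0])
    if not m or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    headers: Dict[str, str] = {}
    body = []
    for ln in lines[1:-1]:
        # Base64 never contains ':', so a colon before the body marks a header line.
        if not body and ":" in ln:
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
        else:
            body.append(ln)
    return m.group(1), headers, "".join(body)


def _openssh_cipher(b64_body: str) -> str:
    """Cipher name from an openssh-key-v1 blob: magic, then a uint32-length string."""
    raw = base64.b64decode(b64_body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii")


def classify_private_key(text: str) -> KeyInfo:
    label, headers, body = _parse_pem(text)
    if label == "OPENSSH PRIVATE KEY":
        cipher = _openssh_cipher(body)
        return KeyInfo(label, False, cipher != "none", cipher, False)
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        dek = headers.get("DEK-Info")
        encrypted = dek is not None and "ENCRYPTED" in headers.get("Proc-Type", "")
        cipher = dek.split(",", 1)[0] if dek else None
        return KeyInfo(label, True, encrypted, cipher, encrypted)
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8; cipher is inside the ASN.1, not parsed here
        return KeyInfo(label, True, True, None, False)
    if label == "PRIVATE KEY":             # unencrypted PKCS#8
        return KeyInfo(label, True, False, None, False)
    raise ValueError(f"unrecognised envelope: {label}")


def scan_ssh_dir(path: str) -> Dict[str, KeyInfo]:
    """Classify every private key file in a directory; .pub and non-key files are skipped."""
    results: Dict[str, KeyInfo] = {}
    for p in sorted(Path(path).iterdir()):
        if not p.is_file() or p.suffix == ".pub":
            continue
        try:
            results[p.name] = classify_private_key(p.read_text())
        except (ValueError, UnicodeDecodeError):
            continue  # known_hosts, config, authorized_keys, binaries
    return results


# Constructed samples: the base64 bodies are placeholders, not real keys.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def make_openssh_sample(cipher: str) -> str:
    """Constructed sample: an openssh-key-v1 blob truncated right after the cipher name."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    b64 = base64.b64encode(raw).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, info in scan_ssh_dir(str(Path.home() / ".ssh")).items():
        flag = "  <-- legacy PEM with DEK-Info" if info.legacy_dek_info else ""
        print(f"{name}: {info.envelope}, encrypted={info.encrypted}, cipher={info.cipher}{flag}")
```

Run as a script it reports every key under ~/.ssh; a key flagged with `legacy_dek_info` is the kind the comment above converts, which `ssh-keygen -p -o -f <keyfile>` does in place (re-entering the existing passphrase), so take a backup first and, as the comment notes, do it while the openssl version that can still read the old key is installed.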
Comment by loqs (loqs) - Sunday, 21 October 2018, 16:11 GMT
Is the issue still present with openssh 7.9p1-1 which has official openssl 1.1.1 support?
If so please report the issue upstream to openssh.