FS#65513 - [openssh] new u2f functionality is broken
Attached to Project:
Arch Linux
Opened by Bret Towe (magnade) - Saturday, 15 February 2020, 22:13 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 17 February 2020, 01:38 GMT
Opened by Bret Towe (magnade) - Saturday, 15 February 2020, 22:13 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 17 February 2020, 01:38 GMT
|
Details
Description:
via this article: https://lwn.net/Articles/812537/ I saw that fido2/u2f support was added to ssh and I tried doing the ssh-keygen command they suggest and I see the following: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your authenticator to authorize key generation. Provider "" dlsym(sk_api_version) failed: /usr/lib/ssh/ssh-sk-helper: undefined symbol: sk_api_version Key enrollment failed: invalid format I did install libfido2 and libu2f also tried adding a -w /usr/lib/libfido2.so to the command and still no luck * package version(s) community/libu2f-host 1.1.10-2 [installed] community/libu2f-server 1.1.0-3 [installed] extra/libfido2 1.3.0-4 [installed] testing/openssh 8.2p1-1 [installed] |
This task depends upon
Closed by Gaetan Bisson (vesath)
Monday, 17 February 2020, 01:38 GMT
Reason for closing: Fixed
Additional comments about closing: openssh-8.2p1-3 in [core]
Monday, 17 February 2020, 01:38 GMT
Reason for closing: Fixed
Additional comments about closing: openssh-8.2p1-3 in [core]
If you rebuild the package passing --with-security-key-builtin to configure does ssh-keygen then function as expected?
I had ran: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -w /usr/lib/libfido2.so
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/usr/lib/libfido2.so" dlsym(sk_api_version) failed: /usr/lib/libfido2.so: undefined symbol: sk_api_version
Key enrollment failed: invalid format
but the output of that is:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -w /usr/lib/libsk-libfido2.so
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/usr/lib/libsk-libfido2.so" implements unsupported version 0x00020000 (supported: 0x00040000)
Key enrollment failed: invalid format
I wasn't sure what the problem was, nor if it was openssh at fault or the support libs
part of why i filed the bug was cause the upstream changelog implied it was 'simple'
Since we are packaging openssh portable, support needs to be manually enabled with --with-security-key-builtin. This is all described in the changelog[1], if anyone bothered to read it.
The attached patch fixes the issue.
In the patch I made libfido2 an optional dependency. When it is not present and we try to generate an ecdsa-sk key, the output is rather ugly but it should be fine.
```
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
/usr/lib/ssh/ssh-sk-helper: error while loading shared libraries: libfido2.so.1: cannot open shared object file: No such file or directory
ssh_msg_recv: read header: Connection reset by peer
client_converse: receive: unexpected internal error
reap_helper: helper exited with non-zero exit status
Key enrollment failed: unexpected internal error
```
[1] https://www.openssh.com/txt/release-8.2