FS#65513 - [openssh] new u2f functionality is broken

Attached to Project: Arch Linux
Opened by Bret Towe (magnade) - Saturday, 15 February 2020, 22:13 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 17 February 2020, 01:38 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Description:
via this article: https://lwn.net/Articles/812537/
I saw that fido2/u2f support was added to ssh and I tried running the ssh-keygen command they suggest,
and I see the following:

```
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "" dlsym(sk_api_version) failed: /usr/lib/ssh/ssh-sk-helper: undefined symbol: sk_api_version
Key enrollment failed: invalid format
```

I did install libfido2 and libu2f.
I also tried adding -w /usr/lib/libfido2.so to the command and still no luck.

* package version(s)

community/libu2f-host 1.1.10-2 [installed]
community/libu2f-server 1.1.0-3 [installed]
extra/libfido2 1.3.0-4 [installed]
testing/openssh 8.2p1-1 [installed]


Closed by  Gaetan Bisson (vesath)
Monday, 17 February 2020, 01:38 GMT
Reason for closing:  Fixed
Additional comments about closing:  openssh-8.2p1-3 in [core]
Comment by loqs (loqs) - Sunday, 16 February 2020, 00:32 GMT
If you use -w /usr/lib/libsk-libfido2.so do you get 'Provider "/usr/lib/libsk-libfido2.so" implements unsupported version 0x00020000 (supported: 0x00040000)'?
If you rebuild the package passing --with-security-key-builtin to configure does ssh-keygen then function as expected?
Comment by Gaetan Bisson (vesath) - Sunday, 16 February 2020, 03:57 GMT
This does not appear to be a packaging problem since U2F is correctly enabled and built at compile time. Also I have virtually no knowledge of how this new feature is supposed to work. I suggest you consult upstream's documentation as to how U2F should be used. And if it works differently in your experience than the documentation says it should, report this upstream. Cheers.
Comment by Bret Towe (magnade) - Sunday, 16 February 2020, 04:21 GMT
@loqs
I had run:
```
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -w /usr/lib/libfido2.so
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/usr/lib/libfido2.so" dlsym(sk_api_version) failed: /usr/lib/libfido2.so: undefined symbol: sk_api_version
Key enrollment failed: invalid format
```

but the output of that is:
```
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -w /usr/lib/libsk-libfido2.so
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Provider "/usr/lib/libsk-libfido2.so" implements unsupported version 0x00020000 (supported: 0x00040000)
Key enrollment failed: invalid format
```
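The two failures shown in this comment (a library that does not export sk_api_version, and one whose API major version does not match) are exactly the checks ssh-keygen performs when it loads a `-w` provider. The following diagnostic, added here as an example and not part of the bug report or of OpenSSH, reproduces those checks with ctypes so an administrator can test a provider path before pointing ssh-keygen at it. The version constants are assumed from OpenSSH 8.2's sk-api.h; the supported value matches the 0x00040000 printed above.

```python
import ctypes
from typing import Optional

# Assumed from OpenSSH 8.2's sk-api.h: ssh-keygen compares only the major
# (upper 16) bits of the value returned by the provider's sk_api_version().
SSH_SK_VERSION_MAJOR = 0x00040000
SSH_SK_VERSION_MAJOR_MASK = 0xFFFF0000


def version_supported(version: int, supported: int = SSH_SK_VERSION_MAJOR) -> bool:
    """True when the provider's API major version matches what ssh supports."""
    return (version & SSH_SK_VERSION_MAJOR_MASK) == (supported & SSH_SK_VERSION_MAJOR_MASK)


def check_sk_provider(path: Optional[str],
                      supported: int = SSH_SK_VERSION_MAJOR) -> dict:
    """Load a security-key provider like `ssh-keygen -w PATH` does and report
    which failure mode it hits: 'load-failed', 'no-symbol' (the dlsym error
    in this report), 'unsupported-version' (the 0x00020000 case), or 'ok'.
    path=None loads the running process image, which is useful for testing."""
    try:
        lib = ctypes.CDLL(path)                       # dlopen()
    except OSError as exc:
        return {"status": "load-failed", "detail": str(exc)}
    try:
        fn = lib.sk_api_version                       # dlsym("sk_api_version")
    except AttributeError:
        # Plain libfido2.so lands here: it is the FIDO library, not the
        # sk middleware, so it exports no sk_api_version symbol.
        return {"status": "no-symbol",
                "detail": 'Provider "%s" dlsym(sk_api_version) failed' % path}
    fn.restype = ctypes.c_uint32
    fn.argtypes = []
    version = fn()
    if not version_supported(version, supported):
        return {"status": "unsupported-version", "version": version,
                "detail": 'Provider "%s" implements unsupported version %#010x '
                          "(supported: %#010x)" % (path, version, supported)}
    return {"status": "ok", "version": version}


if __name__ == "__main__":
    import sys
    # Default path is the libfido2 provider named in this bug report.
    for p in sys.argv[1:] or ["/usr/lib/libsk-libfido2.so"]:
        r = check_sk_provider(p)
        print(r.get("detail", "%s: ok, version %#010x" % (p, r["version"])))
```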
Comment by Bret Towe (magnade) - Sunday, 16 February 2020, 04:24 GMT
@vesath
I wasn't sure what the problem was, nor if it was openssh at fault or the support libs.
Part of why I filed the bug was because the upstream changelog implied it was 'simple'.
Comment by Filipe Laíns (FFY00) - Sunday, 16 February 2020, 05:54 GMT
This is a packaging problem. Even though libfido2 provides /usr/lib/libsk-libfido2.so, the middleware has been moved to openssh. That was the whole point of the "new fido2" support in openssh, it already existed out of tree but it has now been upstreamed.

Since we are packaging openssh portable, support needs to be manually enabled with --with-security-key-builtin. This is all described in the changelog[1], if anyone bothered to read it.

The attached patch fixes the issue.

In the patch I made libfido2 an optional dependency. When it is not present and we try to generate an ecdsa-sk key, the output is rather ugly but it should be fine.
```
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
/usr/lib/ssh/ssh-sk-helper: error while loading shared libraries: libfido2.so.1: cannot open shared object file: No such file or directory
ssh_msg_recv: read header: Connection reset by peer
client_converse: receive: unexpected internal error
reap_helper: helper exited with non-zero exit status
Key enrollment failed: unexpected internal error
```

[1] https://www.openssh.com/txt/release-8.2
Comment by Gaetan Bisson (vesath) - Monday, 17 February 2020, 00:18 GMT
Thanks Filipe.