On 09/09/21 16:33, Kyle Evans wrote:
On Thu, Sep 9, 2021 at 6:24 AM Guido Falsi <madpi...@freebsd.org> wrote:
On 08/09/21 03:07, Ed Maste wrote:
The branch main has been updated by emaste:
URL:
https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
commit 19261079b74319502c6ffa1249920079f0f69a72
Merge: c5128c48df3c 66719ee573ac
Author: Ed Maste <ema...@freebsd.org>
AuthorDate: 2021-09-08 01:05:51 +0000
Commit: Ed Maste <ema...@freebsd.org>
CommitDate: 2021-09-08 01:05:51 +0000
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
While upgrading my current machines I encountered an issue with pam_ssh
which seems to be caused by this update.
I filed a bug report with all the details:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
Could you take a look?
Seems to be caused by the ssh code trying to call a function available
only when FIDO/U2F support is enabled, which is not the case in our
source base.
I tried a quick fix by adding some ifdefs, but it failed to make it
work, I'm still trying to find a solution myself.
Looks like the reference in openssh/sshkey.c... probably the correct
thing to do is add ssh-sk.c to the secure/lib/libssh build; it still
requires additional integration for FIDO/U2F, though.
You suggestion is correct, but adding only ssh-sk.c solved the error,
but unmassked more missing symbols, I ended up adding "ssh-sk.c
ssh-ecdsa-sk.c ssh-ed25519-sk.c".
Now things are back to normal for me.
I attached a patch to the bug report [1], I don't have any U2F/FIDO
hardware so I can't test that and, egoistically, don't need it, but this
patch at least fixes the regression, so I think it should be committed
to head.
I can send the patch as a review if required.
Thanks for your suggestion Kyle!
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
--
Guido Falsi <madpi...@freebsd.org>
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"
