On Fri, 11 Feb 2022, Corinna Vinschen wrote:

> On Feb 10 15:18, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> test in hostkey-agent:
>
> -------------
> FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx failed
> FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
> -------------
>
> I'm building OpenSSH exactly as if I create a distro build, using the
> following configuration options:
>
> --with-libedit
> --with-xauth=/usr/bin/xauth
> --disable-strip
> --without-hardening
> --with-security-key-builtin

It's passing for me with similar options (missing --with-libedit and
--with-security-key-builtin). I'm using:

> CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin

> debug1: kex: host key algorithm: (no match)
> Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
> Their offer:
> ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-
> cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,e
> cdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx
> ,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx^M
>
> I wonder why sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx is not in the
> above list of cert type offers. What explanation could that have?

It looks like the server offer is missing all SK keytypes. What does
'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
might have clues as to why.

I'll try it again on an image with libfido2 just to rule that out, though
AFAIK it's not in the path for any of this (we use sk-dummy.so in the
tests).

-d