On Feb 11 19:54, Corinna Vinschen wrote:
> On Feb 11 22:25, Darren Tucker wrote:
> > On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen@xxxxxxxxxx> wrote:
> >
> > > [...]
> > > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx is not in the
> > > above list of cert type offers.  What explanation could that have?
> > >
> > [...]
> I've just built OpenSSH without the above flag and it builds and
> packages fine.  Thanks for pointing this out!  I will certainly build
> with hardening in future.
>
> I also ran the hostkey-agent test again, but yeah, hardening doesn't
> change the result.  Still
>
>   bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
>
> I'm going to run the entire testsuite now, but I don't expect any
> other problem.

I just reproduced this problem on Fedora 35.  It's actually a result
of building in a dedicated build dir:

  $ uname -a
  Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  $ pwd
  /src/openssh/src
  $ mkdir ../build
  $ cd ../build
  $ ../src/configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
  [...]
  $ make t-exec LTESTS=hostkey-agent
  [...]
  run test hostkey-agent.sh ...
  key type ssh-ed25519
  key type ssh-rsa
  key type ssh-dss
  key type ecdsa-sha2-nistp256
  key type ecdsa-sha2-nistp384
  key type ecdsa-sha2-nistp521
  cert type ssh-ed25519-cert-v01@xxxxxxxxxxx
  cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
  cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx failed
  bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
  cert type ssh-rsa-cert-v01@xxxxxxxxxxx
  cert type rsa-sha2-256-cert-v01@xxxxxxxxxxx
  cert type rsa-sha2-512-cert-v01@xxxxxxxxxxx
  cert type ssh-dss-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx
  cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
  cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx failed
  bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
  failed hostkey agent
  make[1]: *** [Makefile:221: t-exec] Error 1
  make[1]: Leaving directory '/src/openssh/src/regress'
  make: *** [Makefile:727: t-exec] Error 2

Now building in the source dir:

  $ uname -a
  Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  $ pwd
  /src/openssh/src
  $ ./configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
  [...]
  $ make t-exec LTESTS=hostkey-agent
  [...]
  run test hostkey-agent.sh ...
  key type ssh-ed25519
  key type sk-ssh-ed25519@xxxxxxxxxxx
  key type ssh-rsa
  key type ssh-dss
  key type ecdsa-sha2-nistp256
  key type ecdsa-sha2-nistp384
  key type ecdsa-sha2-nistp521
  key type sk-ecdsa-sha2-nistp256@xxxxxxxxxxx
  cert type ssh-ed25519-cert-v01@xxxxxxxxxxx
  cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
  cert type ssh-rsa-cert-v01@xxxxxxxxxxx
  cert type rsa-sha2-256-cert-v01@xxxxxxxxxxx
  cert type rsa-sha2-512-cert-v01@xxxxxxxxxxx
  cert type ssh-dss-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx
  cert type ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx
  cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
  ok hostkey agent
  make[1]: Leaving directory '/src/openssh/src/regress'
  all t-exec passed

So the sk certs fail if builddir != srcdir, independent of the target.

Corinna
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
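
Added example, not part of the original message or of the OpenSSH regress suite: a small parser for the hostkey-agent output quoted above that reports which cert types failed and which cert types had no matching plain key type in the "key type" list of the same run. The sample logs are abridged from the two runs in the message; the function names and the cert-to-plain-key mapping are assumptions of this sketch.

```python
import re

# Constructed from the two runs quoted in the message above (abridged to the
# lines that matter); the obfuscated "@xxxxxxxxxxx" domain is kept as-is.
OUT_OF_TREE = """\
key type ssh-ed25519
key type ssh-rsa
cert type ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type rsa-sha2-256-cert-v01@xxxxxxxxxxx
cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx failed
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
"""
IN_TREE = """\
key type ssh-ed25519
key type sk-ssh-ed25519@xxxxxxxxxxx
key type ssh-rsa
key type sk-ecdsa-sha2-nistp256@xxxxxxxxxxx
cert type ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type rsa-sha2-256-cert-v01@xxxxxxxxxxx
cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
"""
LINE = re.compile(r"^(key|cert) type (\S+)( failed)?$")

def plain_type(cert):
    # Map a cert type name to the plain key type it certifies (assumed mapping).
    name, _, domain = cert.partition("@")
    name = name.replace("-cert-v01", "")
    if name.startswith("rsa-sha2-"):      # signature variants of ssh-rsa certs
        return "ssh-rsa"
    return f"{name}@{domain}" if name.startswith("sk-") else name

def summarize(log):
    keys, certs, failed = set(), set(), set()
    for m in filter(None, map(LINE.match, log.splitlines())):
        kind, name, bad = m.groups()
        (keys if kind == "key" else certs).add(name)
        if bad:
            failed.add(name)
    no_plain = sorted(c for c in certs if plain_type(c) not in keys)
    return {"failed": sorted(failed), "no_plain_key": no_plain}

if __name__ == "__main__":
    for label, log in (("builddir", OUT_OF_TREE), ("srcdir", IN_TREE)):
        print(label, summarize(log))
```

On the out-of-tree log the two lists are identical: the cert types that fail are exactly the ones whose plain sk key type never appeared in that run's "key type" lines.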