[This mail was held back, awaiting moderator approval, because it had the
"failed-*.log" files attached, so it was too big. I am sending it again now,
just FTR, this time without the log files attached.]

On Feb 14 17:41, Damien Miller wrote:
> On Fri, 11 Feb 2022, Corinna Vinschen wrote:
>
> > On Feb 10 15:18, Damien Miller wrote:
> > > Hi,
> > >
> > > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a bugfix release.
> >
> > Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> > test in hostkey-agent:
> >
> > -------------
> > FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx failed
> > FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
> > -------------
> >
> > I'm building OpenSSH exactly as if I create a distro build, using the
> > following configuration options:
> >
> >   --with-libedit
> >   --with-xauth=/usr/bin/xauth
> >   --disable-strip
> >   --without-hardening
> >   --with-security-key-builtin
>
> It's passing for me with similar options (missing --with-libedit and
> --with-security-key-builtin). I'm using:

Hmm, this is puzzling...

Please note that kerberos support is built in, too. But this happens
automatically, so there's no explicit configure option.

> > CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin
>
> > debug1: kex: host key algorithm: (no match)
> > Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
> > Their offer:
> > ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-
> > cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,e
> > cdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx
> > ,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx^M
> >
> > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx is not in the
> > above list of cert type offers. What explanation could that have?
>
> It looks like the server offer is missing all SK keytypes. What does
> 'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
> might have clues as to why.

Looks good to me:

$ grep ENABLE_SK config.h
#define ENABLE_SK /**/
#define ENABLE_SK_INTERNAL /**/

> I'll try it again on an image with libfido2 just to rule that out, though
> AFAIK it's not in the path for any of this (we use sk-dummy.so in the
> tests).

I attached my failed-*.log files again.

Curious: Despite defining TEST_SSH_UNSAFE_PERMISSIONS=1 in the environment,
the failed-sshd.log file contains

  WARNING: UNPROTECTED PRIVATE KEY FILE!

messages, plus lines like these:

  Unable to load host key "/home/corinna/tmp/openssh/openssh-8.9p0-1.x86_64/build/regress/agent-key.ecdsa-sha2-nistp521.pub": bad permissions

However, these are pub files, not priv files.

Is it possible that the test fails because srcdir != builddir?

Thanks,
Corinna

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
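The two checks the thread walks through (is the server's "Their offer:" list missing the security-key certificate types, and did the build define ENABLE_SK) can be scripted so they can be run against a captured offer line and a config.h without re-reading a log by eye. The script below is an added example and not OpenSSH project code or part of the original mail. It assumes the real OpenSSH algorithm names ending in @openssh.com (the list archive masks that domain above), the fact that sk- host keys exist only as sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519, and that `ssh -Q key-cert` is available to list the local binary's certificate key types.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): script the two checks from the
# thread so they can be run against a captured "Their offer:" line and a
# config.h.  The sk- names are OpenSSH's real identifiers; the list archive
# masks the "@openssh.com" domain in the quoted mail.

# The FIDO/U2F ("security key") certificate host key types OpenSSH 8.9 knows.
SK_CERT_TYPES="sk-ecdsa-sha2-nistp256-cert-v01@openssh.com sk-ssh-ed25519-cert-v01@openssh.com"

# normalize_offer: read an offer blob on stdin, which may be wrapped over
# several lines, end in a CR (the ^M in the log) and, when pasted out of a
# mail, carry '> ' quote prefixes; print one algorithm name per line.
normalize_offer() {
    tr -d ' \t\r\n>' | tr ',' '\n' | grep -v '^$'
}

# missing_sk_types OFFER: print every sk- cert type absent from OFFER;
# exit 0 if all are present, 1 if any is missing.
missing_sk_types() {
    offer=$(printf '%s' "$1" | normalize_offer)
    rc=0
    for t in $SK_CERT_TYPES; do
        if ! printf '%s\n' "$offer" | grep -qxF "$t"; then
            printf '%s\n' "$t"
            rc=1
        fi
    done
    return $rc
}

# sk_enabled CONFIG_H: exit 0 if the build defined ENABLE_SK, i.e. the
# 'grep ENABLE_SK config.h' check; ENABLE_SK_INTERNAL alone does not count.
sk_enabled() {
    grep -q '^#define ENABLE_SK[[:space:]]' "$1"
}

# local_offer: the certificate key types this host's own ssh binary
# supports ('ssh -Q key-cert' prints them one per line).  Exit 2 when no
# ssh is on PATH so a caller can tell "no binary" from "no sk- support".
local_offer() {
    command -v ssh >/dev/null 2>&1 || return 2
    ssh -Q key-cert
}

# Constructed sample: the offer from the failing Cygwin run, domain
# restored, wrapped exactly as the log shows it.
CYGWIN_OFFER='ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-
cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e
cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com
,ecdsa-sha2-nistp521-cert-v01@openssh.com'

if missing_sk_types "$CYGWIN_OFFER" >/dev/null; then
    echo "offer includes the sk- cert types"
else
    echo "offer is missing sk- cert types: check ENABLE_SK in config.h, then config.log"
fi
```

For the offer quoted in the mail the script names both sk- types as missing, which is the same conclusion Damien draws; `sk_enabled build/config.h` then confirms the define Corinna's grep shows, so the two checks together narrow the problem to something other than the configure result (the thread's next suspects being the key file permissions and srcdir != builddir).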