Opened 3 years ago

Closed 3 years ago

#62890 closed defect (fixed)

openssh 8.4p1 does not compile with +fido2 variant

Reported by: iay (Ian Young) Owned by: iay (Ian Young)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: Schamschula (Marius Schamschula)
Port: openssh

Description

I wanted to investigate the +fido2 variant to experiment with GitHub's new support for security keys, per https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/

However, trying to install openssh +fido2 fails. This is the critical part of the log:

In file included from sk-usbhid.c:30:
/opt/local/include/sha2.h:57:16: error: redefinition of '_SHA2_CTX'
typedef struct _SHA2_CTX {
               ^
./openbsd-compat/sha2.h:66:16: note: previous definition is here
typedef struct _SHA2_CTX {
               ^
In file included from sk-usbhid.c:30:
/opt/local/include/sha2.h:64:3: error: typedef redefinition with different types ('struct (anonymous struct at /opt/local/include/sha2.h:57:16)' vs 'struct _SHA2_CTX')
} SHA2_CTX;
  ^
./openbsd-compat/sha2.h:73:3: note: previous definition is here
} SHA2_CTX;
  ^

Rather than trying to address this via a patch, I noted that we're a couple of releases behind as upstream is now at 8.6p1.

I have developed a PR for openssh which updates to 8.6p1; it does allow building with +fido2 and some basic experiments seem to confirm that functionality is working (not vs. GitHub yet, but against a local test machine running Ubuntu 20.04).

Copying Schamschula because he seems to be the most recently active on this no-maintainer project and also because my PR necessarily backs out one of his previous patches (which was explicitly labelled as to be removed on or after 8.5p1).

I will submit my PR probably later today.
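As an added example (not part of the ticket or the MacPorts port), the shell functions below triage a compiler log for the header clash quoted above; `sample_log`, `find_header_conflicts` and `shadowed_by_prefix` are names chosen here, and the only assumption is clang's error/note layout as shown in the log.

```shell
# Added example (not from the ticket or the MacPorts port): triage a compiler
# log for the header clash behind the +fido2 failure. clang reports the second
# definition as "error: redefinition of 'X'" and the first as a "note: previous
# definition is here"; pairing the two lines names both conflicting headers.

# Constructed sample input: the log excerpt quoted in the ticket description.
sample_log() {
cat <<'EOF'
In file included from sk-usbhid.c:30:
/opt/local/include/sha2.h:57:16: error: redefinition of '_SHA2_CTX'
typedef struct _SHA2_CTX {
               ^
./openbsd-compat/sha2.h:66:16: note: previous definition is here
typedef struct _SHA2_CTX {
               ^
In file included from sk-usbhid.c:30:
/opt/local/include/sha2.h:64:3: error: typedef redefinition with different types ('struct (anonymous struct at /opt/local/include/sha2.h:57:16)' vs 'struct _SHA2_CTX')
} SHA2_CTX;
  ^
./openbsd-compat/sha2.h:73:3: note: previous definition is here
} SHA2_CTX;
  ^
EOF
}

# find_header_conflicts: read a compiler log on stdin and print one line per
# redefinition error: "<symbol> <first definition> <second definition>".
find_header_conflicts() {
    awk '
        /: error: redefinition of / {
            split($0, parts, ":")              # parts[1] is the file path
            second = parts[1]
            sym = $0
            sub(/.*redefinition of /, "", sym) # keep only the quoted symbol
            gsub(/[^A-Za-z0-9_]/, "", sym)     # drop the quotes
            pending = 1
            next
        }
        pending && /: note: previous definition is here/ {
            split($0, parts, ":")
            print sym, parts[1], second
            pending = 0
        }
    '
}

# shadowed_by_prefix: succeed when a second definition comes from the MacPorts
# prefix, i.e. an installed header shadows the port's own openbsd-compat copy.
shadowed_by_prefix() { find_header_conflicts | grep -q ' /opt/local/include/'; }
```

Run it as `sample_log | find_header_conflicts` to see the pair of headers, or pipe a real build log into `shadowed_by_prefix` as a quick check before investigating a patch.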

Change History (6)

comment:1 Changed 3 years ago by Schamschula (Marius Schamschula)

Be mindful that an update to 8.6p1 will likely break the gsskex variant. Updating the patch for gsskex is non-trivial. FreeBSD FreshPorts skipped 8.5p1 for the same reason.

comment:2 Changed 3 years ago by iay (Ian Young)

Be mindful that an update to 8.6p1 will likely break the gsskex variant.

You're right, the +gsskex variant patch does not apply against 8.6p1; I count 15 failed hunks against 11 different files. Some of them look easy to adjust, but some of them do not. As you say, this seems to be true from 8.5p1 forwards.

Worse, even if I were to figure out how to apply that patch, it doesn't look like port test works on this port at all, either on the existing 8.4p1 or 8.6p1. Both seem to hang permanently in something running netcat. I don't know if there's some kind of test fixture required to get this working?

Without the ability to test even at that level, I can't be confident that it's actually working. If carrying the gsskex functionality would be a blocker for moving to 8.6, I guess there's no point in submitting the PR I was thinking of. Someone who actually understands this patch would have to resolve that issue first, and the other changes required to run 8.6p1 are very small by comparison.

FreeBSD FreshPorts skipped 8.5p1 for the same reason.

They seem to be on 8.6p1 now, does that help us in any way?

https://www.freshports.org/security/openssh-portable/

Any thoughts as to how to make progress? I can meet my personal need just by keeping my code in a fork so that I can use 8.6p1 +fido2 on my own machines, but it's hard to share with colleagues that way.

comment:3 Changed 3 years ago by Schamschula (Marius Schamschula)

Updating to 8.4p1 was a combination of tweaks to the patch. The FreshPorts patch was one of several sources. IIRC the other was Red Hat Fedora (they're still @ 8.5p1).

comment:4 Changed 3 years ago by iay (Ian Young)

Fixing the +gsskex variant patch is out of my league, so I looked into fixing the much simpler compilation issue on 8.4p1. That turns out to be relatively easy to fix, although given what I did to make it work I have to say I don't understand why the same problem doesn't appear to come up with 8.6p1. However, that's a relatively uncontentious patch so I will make a PR for 8.4p1 and hopefully that can take us forward.

I also looked into the test failure issue. This seems to be down to the sandbox that sshd is run in failing to initialise. It fails for one reason if there is no openssh port installed already (it references a file that is installed by the port itself, which I'd say was a no-no), and in a different way (operation not permitted) if one is. The latter case may be macOS version related, as I'm on Big Sur. I guess that's a separate ticket though, and again I'm not sure that I have the knowledge to move it forward. It may also be something that affects the upstream, as the upstream sandbox-darwin.c doesn't seem to have changed recently.

comment:6 Changed 3 years ago by iay (Ian Young)

Owner: set to iay
Resolution: fixed
Status: new → closed

In 5c51efef2a3e0b1acfbc8cb7a28b48840a6e6967/macports-ports (master):

openssh: fix +fido2 variant

Closes: #62890
