Bug 1687230
Summary: | When using ssh-agent with ecdsa-sha2-nistp384 key on a security key (Yubikey 5 NC in this case) ssh-agent fails to sign and then seg faults. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nick P <npope+rhbugzilla> |
Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | dwalsh, jfch, jjelen, lkundrak, mattias.ellert, npope+rhbugzilla, plautrba, tmraz, victor.andreasson |
Hardware: | x86_64 | ||
OS: | Linux | ||
Fixed In Version: | openssh-8.0p1-1.fc30 | Doc Type: | If docs needed, set a value |
Last Closed: | 2019-05-04 00:16:33 UTC | Type: | Bug |
Description
Nick P
2019-03-11 01:46:15 UTC
It looks like I can reproduce the issue with my yubikey 4. The ssh-agent support is still a bit clunky (bug #1609055) and the upstream rewrote [1] the ECDSA support from scratch recently so it should land in the next release in coming weeks or few months.

Given these constraints, I do not think it makes sense to fix it in the current code, but I will make sure it will work with the next upstream release. In the meantime, you should be able to use either RSA keys or ECDSA keys not through the agent.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2474

Thanks for the quick confirmation. I'll keep my eye on this bugzilla and retest when there is a relevant update in the Fedora repos.

This should be addressed by the rebase that I will be pushing to testing soon. See the bug #1701072

openssh-8.0p1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f4190cdb0

openssh-8.0p1-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f4190cdb0

openssh-8.0p1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

I've retested this on Fedora 30 and can confirm it works.

$ cat /etc/fedora-release
Fedora release 30 (Thirty)
$ rpm -qa | grep -E 'ssh|opensc|yubico|piv'
sshpass-1.06-7.fc30.x86_64
NetworkManager-ssh-1.2.9-1.fc30.x86_64
opensc-0.19.0-6.fc30.x86_64
openssh-8.0p1-1.fc30.x86_64
libssh2-1.8.2-1.fc30.x86_64
libssh-0.8.7-1.fc30.i686
yubico-piv-tool-1.7.0-1.fc30.x86_64
openssh-clients-8.0p1-1.fc30.x86_64
libssh-0.8.7-1.fc30.x86_64
fuse-sshfs-3.5.1-1.fc30.x86_64
openssh-server-8.0p1-1.fc30.x86_64
qemu-block-ssh-3.1.0-7.fc30.x86_64
NetworkManager-ssh-gnome-1.2.9-1.fc30.x86_64

Thank you.