Date:      Sun, 15 May 2022 14:14:15 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 263995] ssh: ssh-sk-helper hangs
Message-ID:  <bug-263995-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263995

            Bug ID: 263995
           Summary: ssh: ssh-sk-helper hangs
           Product: Base System
           Version: 13.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: naddy@FreeBSD.org

FreeBSD 13.1-STABLE (03f6d8361af1869ee0ab3ad115a729e298527860) GENERIC amd64
uhid1: <Yubico YubiKey FIDO, class 0/0, rev 2.00/5.43, addr 14> on usbus0


I have started using FIDO-based ssh keys in earnest, with id_ed25519_sk loaded
into ssh-agent. Every few authentications, ssh-agent stops responding and every
command that queries the agent (e.g. "ssh host", "ssh-add -l") will hang.

ssh-agent is unresponsive because ssh-sk-helper hangs. From "ps lwx":

1000 42272 42268 1  20  0    18352    6288 sbwait S+    9    0:00.01 ssh-agent -d
1000 42443 42272 3  20  0    18484    6296 select S+    9    0:00.00 /usr/libexec/ssh-sk-helper

Running "ssh-agent -d" shows this:

debug1: new_socket: type = CONNECTION
debug1: xcount 1 -> 2
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:w+YEBmsQsODSx1FDLTKrIWSKZ8b9Kk1neKIwzc6EHSw
debug3: start_helper: started pid=42443
debug3: Fssh_ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 218, compat 0x0
debug1: Fssh_sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by cred

Strangely, when I try to "truss -p <pid>" the ssh-sk-helper process, it
unblocks (although authentication fails):

debug1: sk_open: fido_dev_open /dev/uhid1 failed: FIDO_ERR_RX
debug1: sk_openv: sk_open failed
debug1: sk_select_by_cred: sk_openv failed
debug1: ssh_sk_sign: failed to find sk
debug1: Fssh_sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: Fssh_ssh_msg_send: type 5
debug1: Fssh_client_converse: helper returned error -4
debug3: reap_helper: pid=42443
process_sign_request2: sshkey_sign: invalid format
User presence confirmed
debug1: xcount 2 -> 1

I guess it's possible that the problem is in the underlying FIDO stack, but the
fact that attaching to the process with ptrace(2) unblocks it is weird.

I have tried different USB ports as well as a second FIDO authenticator. Same
behavior.
