Date: Sat, 19 Apr 2025 03:22:21 +0000 From: Alastair Hogge <agh@riseup.net> To: current@freebsd.org Subject: 15-CURRENT /usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign" Message-ID: <640b7a090b6a9cf3c2ffbaebc36ed2a8@riseup.net>
index | next in thread | raw e-mail
Hello, After attempting to update from 168d873ae41fd8bd40555322a79c9f215cb4cb9c[1] (2025-04-17 19:08:02 +0000), to 7121e9414f294d116caeadd07ebd969136d3a631[2] (2025-04-18 00:30:11 +0000), I noticed that $(su -), $(doas su -), x11/slim, and physical login were not working, when pam_ssh is configured for login. I was still able to use $(doas some_cmd), so was able to git bisect. The following commit[3] is claimed to the the first offending commit from the git-bisect process: The branch main has been updated by jlduran: URL: https://cgit.FreeBSD.org/src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87 commit 65d8491719bbc88ed45637d2381931c2d29cfe87 Author: Jose Luis Duran <jlduran@FreeBSD.org> AuthorDate: 2025-04-17 19:08:02 +0000 Commit: Jose Luis Duran <jlduran@FreeBSD.org> CommitDate: 2025-04-17 19:12:39 +0000 secure: Adapt Makefile to ssh-sk-client everywhere Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere") adapted the Makefiles to ssh-sk-client. Do the same here. Reviewed by: emaste Approved by: emaste (mentor) Differential Revision: https://reviews.freebsd.org/D49795 --- I am not sure if security/opendoas needed to be rebuilt, I did not bother, because $(su -) threw the same error: su: pam_start: System error With the commit[3] of interest, dmesg produces the following, regarding slim: [12.609735] Apr 18 03:45:50 direwolf slim[42177]: in try_dlopen(): /usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign" [12.609775] Apr 18 03:45:50 direwolf slim[42177]: in openpam_load_module(): no pam_ssh.so found I noticed three interesting changes in the commit[3]: diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index f4c60c02c9eb..39083d007675 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile @@ -38,7 +38,6 @@ SRCS= ${LIBOPENSSH_SRCS} \ kexsntrup761x25519.c kexmlkem768x25519.c sntrup761.c kexgen.c \ sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \ sshbuf-io.c -SRCS+= ssh-sk-client.c I restored "SRCS+= ssh-sk-client.c" above. And I have restored all opendoas operations, slim, and physical access. diff --git a/secure/ssh.mk b/secure/ssh.mk index 641343ac993a..84d9a7f57032 100644 --- a/secure/ssh.mk +++ b/secure/ssh.mk @@ -5,6 +5,7 @@ SSHDIR= ${SRCTOP}/crypto/openssh SFTP_CLIENT_SRCS=sftp-common.c sftp-client.c sftp-glob.c +SKSRCS= ssh-sk-client.c CFLAGS+= -I${SSHDIR} -include ssh_namespace.h Above, ssh-sk-client.c is present in ssh.mk, should that enable Fssh_sshsk_sign symbol visibility? diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile index 89e61e68ee55..c9205e71d219 100644 --- a/secure/usr.bin/ssh-keygen/Makefile +++ b/secure/usr.bin/ssh-keygen/Makefile @@ -2,8 +2,7 @@ .include "${SRCTOP}/secure/ssh.mk" PROG= ssh-keygen -# XXX ssh-sk-client.c in libssh maybe? -SRCS= ssh-keygen.c sshsig.c ssh-sk-client.c +SRCS= ssh-keygen.c sshsig.c $(SKSRCS) PACKAGE= ssh LIBADD= crypto ssh The XXX comment above seem to indicate there might be a problem with removing ssh-sk-client.c from libssh. 1: https://cgit.freebsd.org./src/commit/?id=168d873ae41fd8bd40555322a79c9f215cb4cb9c 2: https://cgit.freebsd.org./src/commit/?id=7121e9414f294d116caeadd07ebd969136d3a631 3: https://cgit.freebsd.org./src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87 -- To good health, Alastairhelp
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?640b7a090b6a9cf3c2ffbaebc36ed2a8>