List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Date: Sat, 19 Apr 2025 03:22:21 +0000
From: Alastair Hogge
To: current@freebsd.org
Subject: 15-CURRENT /usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign"
Message-ID: <640b7a090b6a9cf3c2ffbaebc36ed2a8@riseup.net>

Hello,

After attempting to update from 168d873ae41fd8bd40555322a79c9f215cb4cb9c[1] (2025-04-17 19:08:02 +0000) to 7121e9414f294d116caeadd07ebd969136d3a631[2] (2025-04-18 00:30:11 +0000), I noticed that $(su -), $(doas su -), x11/slim, and physical login were not working when pam_ssh is configured for login. I was still able to use $(doas some_cmd), so was able to git bisect.

The following commit[3] is claimed to be the first offending commit from the git-bisect process:

The branch main has been updated by jlduran:

URL: https://cgit.FreeBSD.org/src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87

commit 65d8491719bbc88ed45637d2381931c2d29cfe87
Author: Jose Luis Duran
AuthorDate: 2025-04-17 19:08:02 +0000
Commit: Jose Luis Duran
CommitDate: 2025-04-17 19:12:39 +0000

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere") adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795
---

I am not sure if security/opendoas needed to be rebuilt; I did not bother, because $(su -) threw the same error:

su: pam_start: System error

With the commit[3] of interest, dmesg produces the following regarding slim:

[12.609735] Apr 18 03:45:50 direwolf slim[42177]: in try_dlopen(): /usr/lib/pam_ssh.so.6: /usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign"
[12.609775] Apr 18 03:45:50 direwolf slim[42177]: in openpam_load_module(): no pam_ssh.so found

I noticed three interesting changes in the commit[3]:

diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index f4c60c02c9eb..39083d007675 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile @@ -38,7 +38,6 @@ SRCS= ${LIBOPENSSH_SRCS} \ kexsntrup761x25519.c kexmlkem768x25519.c sntrup761.c kexgen.c \ sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \ sshbuf-io.c -SRCS+= ssh-sk-client.c

I restored "SRCS+= ssh-sk-client.c" above. And I have restored all opendoas operations, slim, and physical access.

diff --git a/secure/ssh.mk b/secure/ssh.mk index 641343ac993a..84d9a7f57032 100644 --- a/secure/ssh.mk +++ b/secure/ssh.mk
@@ -5,6 +5,7 @@ SSHDIR= ${SRCTOP}/crypto/openssh SFTP_CLIENT_SRCS=sftp-common.c sftp-client.c sftp-glob.c +SKSRCS= ssh-sk-client.c CFLAGS+= -I${SSHDIR} -include ssh_namespace.h

Above, ssh-sk-client.c is present in ssh.mk; should that enable Fssh_sshsk_sign symbol visibility?

diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile index 89e61e68ee55..c9205e71d219 100644 --- a/secure/usr.bin/ssh-keygen/Makefile +++ b/secure/usr.bin/ssh-keygen/Makefile @@ -2,8 +2,7 @@ .include "${SRCTOP}/secure/ssh.mk" PROG= ssh-keygen -# XXX ssh-sk-client.c in libssh maybe? -SRCS= ssh-keygen.c sshsig.c ssh-sk-client.c +SRCS= ssh-keygen.c sshsig.c $(SKSRCS) PACKAGE= ssh LIBADD= crypto ssh

The XXX comment above seems to indicate there might be a problem with removing ssh-sk-client.c from libssh.

1: https://cgit.freebsd.org./src/commit/?id=168d873ae41fd8bd40555322a79c9f215cb4cb9c
2: https://cgit.freebsd.org./src/commit/?id=7121e9414f294d116caeadd07ebd969136d3a631
3: https://cgit.freebsd.org./src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87

-- 
To good health,
Alastair
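
Review bot: In secure/lib/libssh/Makefile, the removal of `SRCS+= ssh-sk-client.c` is missing a check that nothing loaded through libprivatessh still needs that object. The reported loader error (/usr/lib/libprivatessh.so.5: Undefined symbol "Fssh_sshsk_sign" while loading pam_ssh.so.6) shows a remaining reference, and the report states that restoring this one line makes PAM logins work again. Either keep the file in libssh's SRCS, or make sure every consumer of libprivatessh, pam_ssh included, builds ${SKSRCS} itself, and test a PAM login path (su, console login) before landing.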
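
Review bot: In secure/ssh.mk, the new `SKSRCS= ssh-sk-client.c` line has no comment saying which Makefiles are expected to consume it. Defining the variable compiles nothing by itself: ssh-sk-client.c is only built where a Makefile that includes ssh.mk adds the variable to its own SRCS, as the ssh-keygen hunk does. A one-line comment next to the definition naming the intended consumers would make a missed one easier to spot in review.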
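
Review bot: In secure/usr.bin/ssh-keygen/Makefile, the new SRCS line writes `$(SKSRCS)` while the surrounding lines use brace expansion (`${SRCTOP}` here, `${SSHDIR}` and `${LIBOPENSSH_SRCS}` in the other hunks); use `${SKSRCS}` for consistency. The removed `# XXX ssh-sk-client.c in libssh maybe?` comment recorded an open question about where this file belongs, so the commit message should state how that question was resolved now that the comment is gone.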