[Bug 263995] ssh: ssh-sk-helper hangs

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 263995] ssh: ssh-sk-helper hangs"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 15 May 2022 14:14:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263995

            Bug ID: 263995
           Summary: ssh: ssh-sk-helper hangs
           Product: Base System
           Version: 13.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: naddy@FreeBSD.org

FreeBSD 13.1-STABLE (03f6d8361af1869ee0ab3ad115a729e298527860) GENERIC amd64
uhid1: <Yubico YubiKey FIDO, class 0/0, rev 2.00/5.43, addr 14> on usbus0


I have started using FIDO-based ssh keys in earnest, with id_ed25519_sk loaded
into ssh-agent. Every few authentications, ssh-agent stops responding and every
command that queries the agent (e.g. "ssh host", "ssh-add -l") will hang.

ssh-agent is unresponsive because ssh-sk-helper hangs. From "ps lwx":

1000 42272 42268 1  20  0    18352    6288 sbwait S+    9    0:00.01 ssh-agent
-d
1000 42443 42272 3  20  0    18484    6296 select S+    9    0:00.00
/usr/libexec/ssh-sk-helper

Running "ssh-agent -d" shows this:

debug1: new_socket: type = CONNECTION
debug1: xcount 1 -> 2
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK
SHA256:w+YEBmsQsODSx1FDLTKrIWSKZ8b9Kk1neKIwzc6EHSw
debug3: start_helper: started pid=42443
debug3: Fssh_ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper 
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg
len 218, compat 0x0
debug1: Fssh_sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by cred

Strangely, when I try to "truss -p <pid>" the ssh-sk-helper process, it
unblocks (although authentication fails):

debug1: sk_open: fido_dev_open /dev/uhid1 failed: FIDO_ERR_RX
debug1: sk_openv: sk_open failed
debug1: sk_select_by_cred: sk_openv failed
debug1: ssh_sk_sign: failed to find sk
debug1: Fssh_sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: Fssh_ssh_msg_send: type 5
debug1: Fssh_client_converse: helper returned error -4
debug3: reap_helper: pid=42443
process_sign_request2: sshkey_sign: invalid format
User presence confirmed
debug1: xcount 2 -> 1

I guess it's possible that the problem is in the underlying FIDO stack, but the
fact that attaching to the process with ptrace(2) unblocks it is weird.

I have tried different USB ports as well as a second FIDO authenticator. Same
behavior.

-- 
You are receiving this mail because:
You are the assignee for the bug.