From nobody Sun May 15 14:14:15 2022
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5750E1ADD235
	for <bugs@mlmmj.nyi.freebsd.org>; Sun, 15 May 2022 14:14:16 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4L1PWr170dz4lch
	for <bugs@FreeBSD.org>; Sun, 15 May 2022 14:14:16 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 037C15585
	for <bugs@FreeBSD.org>; Sun, 15 May 2022 14:14:16 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 24FEEFbV058893
	for <bugs@FreeBSD.org>; Sun, 15 May 2022 14:14:15 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 24FEEF1u058892
	for bugs@FreeBSD.org; Sun, 15 May 2022 14:14:15 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263995] ssh: ssh-sk-helper hangs
Date: Sun, 15 May 2022 14:14:15 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 13.1-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: naddy@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-263995-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1652624056;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=130kck4bQIC/24XtjP4bJZgsiVISHwxKSbjgh8uVeZ8=;
	b=nrMBSpRZiGeM9i+e0IJ9hP+LetxmShQFOniVEVRvLWywajGrUfwOWBBAXHdoC1JXtzfPnR
	3KrPmjcjEw1qnMGwoXHcbkIYrsDNB6KlD9D056lsuP/qlP+2X5SdV/H61jSg+fbsL3qSoo
	cTX6vu0IV/AIVAhcTKRATBu9I0OL2P8UEdLWUdFZePKCnLdzs09K2UeXdxD41nUjT3SDvk
	3x4fq7johuiGO09HXO9gWHyIlzloxTrfbiy/ZplFhVMRxWrdCxF5NbVcs3hdaJEeMQzSFc
	75k0kKUlbCtDlILe6y9g+K/AQffc6WgyKbc6LxS+JJd5mltuVb1kgLPTlgtD4w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1652624056; a=rsa-sha256; cv=none;
	b=H6clNTEPGOTRBOs2MPS+zlFTdHmY6OIWTfr0uOYq/aaKdSz1toD5obb+7bsR6m83qYFvPU
	QMcqUlvV4pRV9pzLv6aIP46HED1OW1C13+lgeqIPVG/e9HbafRTJZf/cEibZmUNB6MwB5h
	/7+AQn69fymbC4R7j8F0iKIpSVTshyj9a7udb6Usq1mK8qjHLj3cjn68bIHZAcNmfHQLOK
	K5cCB08sHJgDHaQVkHCtsvcfzdS6tgVB7dwJZLuxSAkrR1GD8MVVN13RhXUUe09kTrF1Rz
	JrVyX0gymkoLFzDaTCTT9MZ6XwOtYWs/gAW+4SeUzPaQ9ro1jtK7UWDoGPLg6A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263995

            Bug ID: 263995
           Summary: ssh: ssh-sk-helper hangs
           Product: Base System
           Version: 13.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: naddy@FreeBSD.org

FreeBSD 13.1-STABLE (03f6d8361af1869ee0ab3ad115a729e298527860) GENERIC amd64
uhid1: <Yubico YubiKey FIDO, class 0/0, rev 2.00/5.43, addr 14> on usbus0


I have started using FIDO-based ssh keys in earnest, with id_ed25519_sk loa=
ded
into ssh-agent. Every few authentications, ssh-agent stops responding and e=
very
command that queries the agent (e.g. "ssh host", "ssh-add -l") will hang.

ssh-agent is unresponsive because ssh-sk-helper hangs. From "ps lwx":

1000 42272 42268 1  20  0    18352    6288 sbwait S+    9    0:00.01 ssh-ag=
ent
-d
1000 42443 42272 3  20  0    18484    6296 select S+    9    0:00.00
/usr/libexec/ssh-sk-helper

Running "ssh-agent -d" shows this:

debug1: new_socket: type =3D CONNECTION
debug1: xcount 1 -> 2
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=3D4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=3D4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK
SHA256:w+YEBmsQsODSx1FDLTKrIWSKZ8b9Kk1neKIwzc6EHSw
debug3: start_helper: started pid=3D42443
debug3: Fssh_ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper=20
debug1: process_sign: ready to sign with key ED25519-SK, provider internal:=
 msg
len 218, compat 0x0
debug1: Fssh_sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by cred

Strangely, when I try to "truss -p <pid>" the ssh-sk-helper process, it
unblocks (although authentication fails):

debug1: sk_open: fido_dev_open /dev/uhid1 failed: FIDO_ERR_RX
debug1: sk_openv: sk_open failed
debug1: sk_select_by_cred: sk_openv failed
debug1: ssh_sk_sign: failed to find sk
debug1: Fssh_sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: Fssh_ssh_msg_send: type 5
debug1: Fssh_client_converse: helper returned error -4
debug3: reap_helper: pid=3D42443
process_sign_request2: sshkey_sign: invalid format
User presence confirmed
debug1: xcount 2 -> 1

I guess it's possible that the problem is in the underlying FIDO stack, but=
 the
fact that attaching to the process with ptrace(2) unblocks it is weird.

I have tried different USB ports as well as a second FIDO authenticator. Sa=
me
behavior.

--=20
You are receiving this mail because:
You are the assignee for the bug.=