| Field | Value |
|---|---|
| Summary | security/pam_ssh_agent_auth: fails at runtime after import of OpenSSL 3 (head only) |
| Product | Ports & Packages |
| Reporter | Guido Falsi <madpilot> |
| Component | Individual Port(s) |
| Assignee | Matthew Seaman <matthew> |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| CC | Trond.Endrestol, agh, brnrd, dim, emaste, khorben, michael, pierre |
| Priority | --- |
| Flags | bugzilla: maintainer-feedback? (matthew) |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Bug Depends on | |
| Bug Blocks | 271656 |
| Attachments | |
Description
Guido Falsi
2023-06-26 10:12:59 UTC
It looks like pam_ssh_agent_auth should be adjusted, since RSA_generate_key() has been deprecated since openssl 0.9.8, and has likely been removed after 1.1:

```c
# ifndef OPENSSL_NO_DEPRECATED_0_9_8
OSSL_DEPRECATEDIN_0_9_8 RSA *RSA_generate_key(int bits, unsigned long e,
                                              void (*callback) (int, int, void *),
                                              void *cb_arg);
# endif
```

The successor seems to be RSA_generate_key_ex(), but that is also deprecated for 3.0, so it is likely to go away similarly in the future:

```c
OSSL_DEPRECATEDIN_3_0 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
```

Instead, consumers are supposed to use the newer EVP APIs, as described in <https://wiki.openssl.org/index.php/EVP> and <https://www.openssl.org/docs/manmaster/man7/migration_guide.html>.

---

(In reply to Dimitry Andric from comment #1)

Thanks for the analysis! As a quick band-aid, moving to RSA_generate_key_ex() looks easier and faster. I was unable to find any code in the upstream repo using newer APIs, unluckily.

---

(In reply to Guido Falsi from comment #2)

Upstream looks a bit like abandonware... lots of stuff has not been touched for ~10 years, except for fixes that you seem to have submitted. :)

I wonder if it is really advisable to trust PAM authentication to this software. Maybe it should come with a Big Fat Warning?

---

(In reply to Dimitry Andric from comment #3)

You are correct, this is something I configured a long time ago, which was and still is suggested by various guides.

Anyway it's good to let users know there is a problem with this software at present.

---

Thanks for the report. I'll see what I can do about OpenSSL 3.x support, but as other commenters have said, it may be time to retire this port. I'm not aware of any alternatives that provide similar functionality which we could recommend instead of pam_ssh_agent_auth though.

---

(In reply to Matthew Seaman from comment #5)

Since I needed to have my machines working I've now simply removed this.

I installed it a long time ago to support ansible "become" privilege escalation; I'm back to providing a password each time I run it.

If upstream is not helpful, unless you want to take full responsibility for future maintenance there is no option except to retire the port.

I thought I'd report the issue because making these kinds of things known is always better, also for users.

---

I'm closing this as not accepted, since fixing it would require actually forking the project, which is out of the scope for the ports collection.

Thanks for the feedback and help!

---

Do any of the patches in the Debian port work? At work we use pam-ssh-agent-auth on Ubuntu 23.04 without issues; the package says it depends on OpenSSL >= 3.0. It contains 2 patches containing lots of OPENSSL_VERSION_NUMBER ifdefs.

And now I see that you (madpilot) sent those patches to Debian :D

---

Apologies -- I got distracted by real life and didn't get round to looking at this PR. I'll try out the Debian patches at the weekend.

---

(In reply to Bernard Spil from comment #9)

I completely forgot about that... it was 5 years ago... A life has passed by since then! :)

Anyway, those patches are already included in this port:

https://cgit.freebsd.org/ports/commit/security/pam_ssh_agent_auth?id=7e4dd958073e372854ea99aa8522fa8cd11f2b47
https://cgit.freebsd.org/ports/commit/security/pam_ssh_agent_auth?id=eff6c06d3666cbaf4b56659ab71c27f9f701d514

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a97d608312ec78a1da88c6a43b060069845d8c5e

```
commit a97d608312ec78a1da88c6a43b060069845d8c5e
Author:     Matthew Seaman <matthew@FreeBSD.org>
AuthorDate: 2023-08-16 06:13:41 +0000
Commit:     Matthew Seaman <matthew@FreeBSD.org>
CommitDate: 2023-08-16 06:13:41 +0000

    security/pam_ssh_agent_auth: mark as broken with OpenSSL 3.x

    While this compiles successfully, it doesn't produce a working
    pam_ssh_agent_auth.so PAM module.

    PR:             272220
    Reported by:    madpilot

 security/pam_ssh_agent_auth/Makefile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
```

---

Created attachment 244138: security/pam_ssh_agent_auth/Makefile needs a slight tweak to be valid

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=42e570a18ef163863f79c2fbbdbfb375d58e82f8

```
commit 42e570a18ef163863f79c2fbbdbfb375d58e82f8
Author:     Matthew Seaman <matthew@FreeBSD.org>
AuthorDate: 2023-08-16 07:31:26 +0000
Commit:     Matthew Seaman <matthew@FreeBSD.org>
CommitDate: 2023-08-16 07:36:52 +0000

    security/pam_ssh_agent_auth: Fix typo

    PR:             272220
    Reported by:    Freshports, Trond Endrestol

 security/pam_ssh_agent_auth/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```

---

This module will work fine (compile and work at runtime) under 14, if the following are added to src/secure/lib/libcrypto/Makefile in base:

```make
SRCS+=	rsa_depr.c
SRCS+=	dsa_depr.c
```

I see that rsa_depr.c has already been added, so one way to fix this port is to add the dsa_depr.c to the appropriate section of the Makefile.

I have also been able to get this module to load and run (but I have only tested RSA validation via the forwarded agent) by ripping all of the DSA code out of key.c in the module source code. However, that really necessitates a more thorough refactoring of the code in order to gracefully remove all DSA support and have the module log a message that DSA is no longer supported.

It looks like all of the Linux distros (confirmed on a Debian host that I have) that have moved to openssl 3.x have done the former (add both rsa_depr.c and dsa_depr.c) to their base openssl packages in support of this (and possibly other) packages.

And yes, I do agree that various <things> should probably stop supporting 1024-bit DSA, but there's probably some legacy stuff out there, and possibly some POLA issues involved.

---

(In reply to Michael Sinatra from comment #15)

From crypto/openssl/crypto/rsa/build.info:

```
IF[{- !$disabled{'deprecated-0.9.8'} -}]
  SOURCE[../../libcrypto]=rsa_depr.c
ENDIF
```

The decision when importing OpenSSL 3 in base was to avoid OpenSSL's APIs that were already deprecated in 1.1.1, updating software to contemporary APIs in the process. Adding rsa_depr.c to the Makefile meant allowing some 0.9.8 functions to be reachable, but not all. We should definitely not remain in this in-between state.

I am preparing a patch that will also add bn_depr.c, e_old.c, and dh_depr.c, which I believe should complete the support for OpenSSL's 0.9.8 API.

---

(In reply to Pierre Pronchery from comment #16)

I submitted a pull-up request on GitHub at https://github.com/freebsd/freebsd-src/pull/851. (Still a draft)

---

(In reply to Pierre Pronchery from comment #17)

From what I can tell, with this patch the port works again:

```
Sep 21 16:13:30 kwarx sudo[49935]: pam_ssh_agent_auth: matching key found: file/command /etc/ssh/sudo_authorized_keys, line 1
Sep 21 16:13:30 kwarx sudo[49935]: pam_ssh_agent_auth: Found matching RSA key: a2:a1:b5:1b:4f:9a:38:6a:c8:6a:d6:67:b2:71:1c:92
Sep 21 16:13:30 kwarx sudo[49935]: pam_ssh_agent_auth: Authenticated (agent): `khorben' as `khorben' using /etc/ssh/sudo_authorized_keys
```

sudo was still asking me for a password, but this is probably an issue with my local setup. (It's the first time I try to use this port)

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b15b39521644ebffdcc091bd283ed410b0ae9274

```
commit b15b39521644ebffdcc091bd283ed410b0ae9274
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-09-21 11:42:06 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-09-21 15:07:24 +0000

    libcrypto: complete the support for the 0.9.8 API

    When importing OpenSSL 3 in base, some but not all source files
    implementing the deprecated 0.9.8 API were imported.

    With this change, it becomes possible again to compile software
    targeting this API.

    PR:             272220
    Fixes:          b077aed33b7b ("Merge OpenSSL 3.0.9")
    Reviewed by:    emaste
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/851

 secure/lib/libcrypto/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
```

---

Nice. I'll update the port so it can build again on HEAD tonight.

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f2fcda4b68540dc824a0a5d9338ae23e5148d5fc

```
commit f2fcda4b68540dc824a0a5d9338ae23e5148d5fc
Author:     Matthew Seaman <matthew@FreeBSD.org>
AuthorDate: 2023-09-21 21:16:43 +0000
Commit:     Matthew Seaman <matthew@FreeBSD.org>
CommitDate: 2023-09-22 18:14:49 +0000

    security/pam_ssh_agent_auth: unbreak on HEAD, STABLE/14

    After b15b39521644 systems with OpenSSL 3.x have the complete
    OpenSSL 0.9.8 API available once more. This is slightly
    anticipating the MFC to STABLE/14.

    PR:             272220
    Reported by:    Pierre Pronchery

 security/pam_ssh_agent_auth/Makefile | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
```

---

Sorry about the delay. It took an inordinately long time to compile a 15-CURRENT system, but I can confirm that after b15b39521644e pam_ssh_agent_auth is working correctly on HEAD.

I'm assuming this change is going to be MFC'd to 14-STABLE fairly soon, so I've de-restricted the port there too, although right now it will presumably produce a non-working result.

---

> I'm assuming this change is going to be MFC'd to 14-STABLE fairly soon

Yes I will merge to stable/14 and request to merge to releng/14.0 over the weekend or at the beginning of next week.

---

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ab64f100ca5ddd37029695646003abaf49c3065e

```
commit ab64f100ca5ddd37029695646003abaf49c3065e
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-09-21 11:42:06 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-09-24 13:17:43 +0000

    libcrypto: complete the support for the 0.9.8 API

    When importing OpenSSL 3 in base, some but not all source files
    implementing the deprecated 0.9.8 API were imported.

    With this change, it becomes possible again to compile software
    targeting this API.

    PR:             272220
    Fixes:          b077aed33b7b ("Merge OpenSSL 3.0.9")
    Reviewed by:    emaste
    Sponsored by:   The FreeBSD Foundation
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/851

    (cherry picked from commit b15b39521644ebffdcc091bd283ed410b0ae9274)

 secure/lib/libcrypto/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
```

---

A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=444eda0dda6407c56c80638f2218ce80e7c90a1f

```
commit 444eda0dda6407c56c80638f2218ce80e7c90a1f
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-09-21 11:42:06 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-09-24 16:18:28 +0000

    libcrypto: complete the support for the 0.9.8 API

    When importing OpenSSL 3 in base, some but not all source files
    implementing the deprecated 0.9.8 API were imported.

    With this change, it becomes possible again to compile software
    targeting this API.

    PR:             272220
    Fixes:          b077aed33b7b ("Merge OpenSSL 3.0.9")
    Reviewed by:    emaste
    Sponsored by:   The FreeBSD Foundation
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/851

    (cherry picked from commit b15b39521644ebffdcc091bd283ed410b0ae9274)
    (cherry picked from commit ab64f100ca5ddd37029695646003abaf49c3065e)

    Approved by:    re (gjb)

 secure/lib/libcrypto/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
```

---

Fixed in all affected branches, thanks!
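The thread above leaves two practical questions for anyone running this module: the comment from Michael Sinatra asks whether 1024-bit DSA keys should still be accepted at all, and the log excerpt shows the module identifying the matched key only by its colon-separated MD5 fingerprint. The following script is an added example, not part of this bug report and not code from pam_ssh_agent_auth or FreeBSD. It audits an authorized_keys file of the kind the module reads (the log names /etc/ssh/sudo_authorized_keys), parses each key's SSH wire-format blob with the standard library only, flags DSA keys and RSA keys below a policy threshold, and prints the legacy MD5 fingerprint so each finding can be matched against the module's syslog lines. The sample keys are constructed in the file from meaningless moduli and are not real keys; the 2048-bit threshold and all function names are assumptions of this example.

```python
"""Audit an OpenSSH authorized_keys file for key types that should no longer be
trusted for sudo-style privilege escalation. Added example; stdlib only.
The sample keys at the bottom are constructed here and are not real keys."""
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # policy threshold; an assumption of this example


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _mpint_bits(raw):
    """Bit length of an SSH mpint (big-endian, may carry a leading 0x00 pad)."""
    return int.from_bytes(raw, "big").bit_length()


def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 of the key blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[j:j + 2] for j in range(0, len(digest), 2))


def parse_pubkey_line(line):
    """Parse one authorized_keys line (an options prefix is allowed) into a dict
    with the key type, its size in bits (None for unknown types), fingerprint
    and comment. Raises ValueError on malformed input."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            type_field, b64, comment = tok, fields[i + 1], " ".join(fields[i + 2:])
            break
    else:
        raise ValueError("no key type token followed by key data")
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype != type_field:
        raise ValueError("key type field does not match blob")
    if ktype == "ssh-rsa":            # wire order: e, n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = _mpint_bits(n)
    elif ktype == "ssh-dss":          # wire order: p, q, g, y
        p, _ = _read_string(blob, off)
        bits = _mpint_bits(p)
    elif ktype == "ssh-ed25519":
        bits = 256
    else:
        bits = None
    return {"type": ktype, "bits": bits,
            "fingerprint": md5_fingerprint(blob), "comment": comment}


def audit_authorized_keys(text):
    """Return (line_no, fingerprint, problem) for every key that violates policy."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            k = parse_pubkey_line(line)
        except ValueError as exc:
            findings.append((no, None, f"unparseable line: {exc}"))
            continue
        if k["type"] == "ssh-dss":
            findings.append((no, k["fingerprint"], "DSA key (legacy 1024-bit algorithm)"))
        elif k["type"] == "ssh-rsa" and k["bits"] < MIN_RSA_BITS:
            findings.append((no, k["fingerprint"], f"RSA key too short ({k['bits']} bits)"))
    return findings


# --- constructed sample data (not real keys; moduli are arbitrary integers) ---
def _wire_string(b):
    return struct.pack(">I", len(b)) + b


def _wire_mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                 # pad so the mpint stays non-negative
        raw = b"\x00" + raw
    return _wire_string(raw)


def _constructed_line(ktype, mpints, comment):
    blob = _wire_string(ktype.encode()) + b"".join(_wire_mpint(m) for m in mpints)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed stand-in for /etc/ssh/sudo_authorized_keys",
    _constructed_line("ssh-rsa", [65537, (1 << 2047) | 0x10001], "ops@workstation"),
    _constructed_line("ssh-rsa", [65537, (1 << 1023) | 1], "old-laptop"),
    _constructed_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "legacy-dsa"),
])
```

Calling `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` reports the 1024-bit RSA key on line 3 and the DSA key on line 4 and leaves the 2048-bit key alone; run it against a real file with `audit_authorized_keys(open(path).read())`. The fingerprint it prints uses the same colon-separated MD5 form as the `Found matching RSA key:` line in the log above, so a finding can be tied to the authentication events that key produced. Unparseable lines are reported rather than skipped, because a line the auditor cannot read is exactly the line a reviewer should look at.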