openssh: 8.1p1 -> 8.2p1 #80196
openssh: 8.1p1 -> 8.2p1 #80196
Conversation
|
I just realized that gssapi patchset does not apply and we need to wait until the package is updated the debian (where we fetch the gssapi patch from). |
|
Or just disable the gssapi patchset. I don't think that should be a blocker for updating ssh. |
|
I added another change in 464890f which keeps version 8.1p1 for openssh_gssapi. I kept openssh_hpn for now, because it was fixed by version update in 025217a. If there is a reason to drop the |
|
@GrahamcOfBorg eval |
|
tested with fido2 and a titan security key, works like a charm 👍 |
|
Can anyone help with the eval failure? I don't see what's wrong here ... |
|
@prusnak can you please try to rebase on master? |
|
It looks like libfido2 needs IOKit if you haven't fixed it yet |
|
Eval problems solved by disabling libfido2 feature for Darwin. This was caused because the libfido2 package does not build for Darwin at the moment (simply adding IOKit to libfido2 darwin package did not do the trick). That's why I limited libfido2 feature only to Linux. Debian team meanwhile updated the gssapi patch for 8.2p1 so I also bumped openssh_gssapi to this version. All is set for review. Also, we definitively want this in 20.03 as well. |
|
I'm unable to work out a suitable fix, but just so folks are aware:
IIRC openssh+libfido2 causes eval infinite loop on musl-based
configurations, by means of NetBSD tool trying to fetch its source
via our fetchcvs which has openssh injected.
I'm not sure how to best resolve this, I tried a few things but
ultimately ran out of time and rebuild-power so it's on my "revisit"
pile.
Maybe gitMinimal doesn't need fido-enabled openssh?
* a144c0e
(this helps via different route, maybe?)
Since netbsd CVS source doesn't need openssh AFAIK,
openssh-less fetchcvs and use it for these:
* 86c261d
Or look at the problem and come up with a more coherent solution :).
Hope this helps, sorry can't tackle this myself for the next weeks :/.
…On Mon, 24 Feb 2020 10:01:40 -0800, Pavol Rusnak ***@***.***> wrote:
Since #80909 was just merged, I updated my PR to enable FIDO2 support for Darwin too (replaced `optional stdenv.isLinux` with `optional stdenv.isUnix`).
--
You are receiving this because your review was requested.
Reply to this email directly or view it on GitHub:
#80196 (comment) part: text/html
|
|
This PR does need to add back a withFido2 option, which I think was in an earlier commit. I can't find it, but it should be in @prusnak's reflog. The option should probably default to |
https://www.openssh.com/txt/release-8.2 add libfido2 to enable hardware tokens support added in this release
fix build failure
|
I reintroduced the |
|
@GrahamcOfBorg test openssh |
There was a problem hiding this comment.
Successfully tested using my Trezor device following this guide.
|
Given we need openssh 8.2 on the server side as well for these new features to work. I would like to propose to backport this into |
|
@mmahut should we just create a PR to 20.03 branch or what exactly is the process for proposing a backport? |
|
We discussed the possibility of backporting openssh 8.2p1 in #nixos-dev my feelings were well expressed in this comment https://logs.nix.samueldr.com/nixos-dev/2020-02-27#3113665; A question that was raised that would make the determination easier if answered was "how long will 8.1 get security updates?". |
|
@worldofpeace I'll ask among the OpenSSH folks what's their security update strategy is. |
|
@worldofpeace answer from Damien Miller of OpenSSH: "We don't do backported security fixes - we're a tiny team and so only maintain the current release." |
I guess this makes the decision easy 😄 |
|
@prusnak Let's do it. |
|
@worldofpeace Shall I prepare a PR? To which branch? |
release-20.03 |
|
Backport to 20.03 in #81368 |
Motivation for this change
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)