Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Fri, 22 Nov 2019 18:08:01 +0100
Message-id: <[🔎] 157444248126.81352.16025500171162025317.reportbug@gyllingar>
Reply-to: Didier 'OdyX' Raboud <odyx@debian.org>, 945295@bugs.debian.org

Package: openssh-client
Version: 1:8.1p1-1
Severity: normal

For some time now, ssh (openssh-client) unnecessarily warns for:

> invalid attribute length
> failed to fetch key

when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.

Relevant lines from a verbose connection:

$ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
…
debug1: Connecting to (…)
debug1: Connection established.
debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
debug1: have 1 keys
invalid attribute length
failed to fetch key
…
debug1: Will attempt key: libsimple-tpm-pk11.so RSA SHA256:(xxx-hash-of-my-tpm-key-xxx) token
…

This was initially reported at https://github.com/ThomasHabets/simple-tpm-pk11/issues/48,
and brought to Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832,
which fixed it.

Perhaps it also needs fixing in simple-tpm-pk11, but let's start with a
bugreport where the warning is emitted.

Cheers,
	OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libc6             2.29-3
ii  libedit2          3.1-20191025-1
ii  libgssapi-krb5-2  1.17-6
ii  libselinux1       2.9-3+b1
ii  libssl1.1         1.1.1d-2
ii  passwd            1:4.7-2
ii  zlib1g            1:1.2.11.dfsg-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:5.14.5-1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>
ii  ssh-askpass                1:1.2.4.1-10+b1

-- no debconf information

Reply to:

Follow-Ups:
- Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#944314: marked as done (ssh wishlist: Allow to disable SendEnv by NoSendEnv via ~/.ssh/config)
Next by Date: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
Previous by thread: Bug#944314: marked as done (ssh wishlist: Allow to disable SendEnv by NoSendEnv via ~/.ssh/config)
Next by thread: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
Index(es):
- Date
- Thread