Your message dated Fri, 06 Dec 2019 17:27:58 +0100
with message-id <2558205.N1cWzzXmaZ@odyx.org>
and subject line Re: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
has caused the Debian Bug report #945295,
regarding Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
945295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945295
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
- From: Didier 'OdyX' Raboud <odyx@debian.org>
- Date: Fri, 22 Nov 2019 18:08:01 +0100
- Message-id: <157444248126.81352.16025500171162025317.reportbug@gyllingar>
Package: openssh-client
Version: 1:8.1p1-1
Severity: normal

For some time now, ssh (openssh-client) unnecessarily warns for:
> invalid attribute length
> failed to fetch key

when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.

Relevant lines from a verbose connection:

    $ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
    …
    debug1: Connecting to (…)
    debug1: Connection established.
    debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
    debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
    debug1: have 1 keys
    invalid attribute length
    failed to fetch key
    …
    debug1: Will attempt key: libsimple-tpm-pk11.so RSA SHA256:(xxx-hash-of-my-tpm-key-xxx) token
    …

This was initially reported at
https://github.com/ThomasHabets/simple-tpm-pk11/issues/48, and brought to
Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832, which fixed it.

Perhaps it also needs fixing in simple-tpm-pk11, but let's start with a
bugreport where the warning is emitted.

Cheers,
OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libc6             2.29-3
ii  libedit2          3.1-20191025-1
ii  libgssapi-krb5-2  1.17-6
ii  libselinux1       2.9-3+b1
ii  libssl1.1         1.1.1d-2
ii  passwd            1:4.7-2
ii  zlib1g            1:1.2.11.dfsg-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:5.14.5-1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>
ii  ssh-askpass                1:1.2.4.1-10+b1

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: Colin Watson <cjwatson@debian.org>
- Cc: 945295-done@bugs.debian.org
- Subject: Re: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
- From: Didier 'OdyX' Raboud <odyx@debian.org>
- Date: Fri, 06 Dec 2019 17:27:58 +0100
- Message-id: <2558205.N1cWzzXmaZ@odyx.org>
- In-reply-to: <20191122173106.GD3701@riva.ucam.org>
- References: <157444248126.81352.16025500171162025317.reportbug@gyllingar> <20191122173106.GD3701@riva.ucam.org>
On Friday, 22 November 2019, 18:31:07 CET, Colin Watson wrote:
> On Fri, Nov 22, 2019 at 06:08:01PM +0100, Didier 'OdyX' Raboud wrote:
> > For some time now, ssh (openssh-client) unnecessarily warns for:
> > > invalid attribute length
> > > failed to fetch key
> >
> > when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.
> >
> > Relevant lines from a verbose connection:
> >
> > $ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
> > …
> > debug1: Connecting to (…)
> > debug1: Connection established.
> > debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11
> > manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11
> > library> libraryVersion 0.1 debug1: provider libsimple-tpm-pk11.so slot
> > 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model>
> > serial <serial> flags 0x400 debug1: have 1 keys
> > invalid attribute length
> > failed to fetch key
> > …
> > debug1: Will attempt key: libsimple-tpm-pk11.so RSA
> > SHA256:(xxx-hash-of-my-tpm-key-xxx) token …
> >
> > This was initially reported at
> > https://github.com/ThomasHabets/simple-tpm-pk11/issues/48, and brought to
> > Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832, which fixed
> > it.
>
> I haven't looked very far into this yet, but as far as I can tell that
> Fedora bug is *not* the same thing. Fedora carries a patch set that
> asks for the CKA_LABEL attribute, and that bug was because it was
> (apparently incorrectly) requiring that attribute to have non-zero
> length.
>
> However, Debian does not carry that patch. If you're seeing these
> errors in the RSA case, it's because at least one of CKA_MODULES or
> CKA_PUBLIC_EXPONENT is coming back as empty.

I have now adopted simple-tpm-pk11 and backported some upstream patches; the
combination of OpenSSH and simple-tpm-pk11 doesn't spit the superfluous
warnings anymore now.

Hereby closing, and thanks for the attention you have put into this bug. :-)

Cheers,
OdyX

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---
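
The length check discussed in the thread, as an added sketch in C (not code from OpenSSH, Fedora's patch set or simple-tpm-pk11): an RSA public key is accepted only if the provider reports non-empty lengths for the modulus and public exponent attributes, while an empty label is tolerated unless a stricter policy is switched on. The typedefs stand in for pkcs11.h, and enum verdict, check_one, check_rsa_pubkey_attrs, sample and require_label are names assumed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the pkcs11.h types (constructed for this sketch). */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_LABEL           0x00000003UL
#define CKA_ID              0x00000102UL
#define CKA_MODULUS         0x00000120UL
#define CKA_PUBLIC_EXPONENT 0x00000122UL
#define CK_UNAVAILABLE_INFORMATION (~0UL) /* provider could not report a length */

enum verdict { ATTRS_OK = 0, ATTR_MISSING, ATTR_EMPTY, ATTR_UNAVAILABLE };

/* Classify the length the provider reported for one attribute type. */
static enum verdict check_one(const CK_ATTRIBUTE *a, size_t n, CK_ULONG type) {
    for (size_t i = 0; i < n; i++) {
        if (a[i].type != type) continue;
        if (a[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) return ATTR_UNAVAILABLE;
        return a[i].ulValueLen == 0 ? ATTR_EMPTY : ATTRS_OK;
    }
    return ATTR_MISSING;
}

/* RSA public key: modulus and exponent must be non-empty. The label is only
 * checked when require_label is set, which models the stricter behaviour the
 * thread describes for a client that insists on a non-zero-length CKA_LABEL. */
enum verdict check_rsa_pubkey_attrs(const CK_ATTRIBUTE *a, size_t n, int require_label) {
    enum verdict v = check_one(a, n, CKA_MODULUS);
    if (v == ATTRS_OK) v = check_one(a, n, CKA_PUBLIC_EXPONENT);
    if (v == ATTRS_OK && require_label) v = check_one(a, n, CKA_LABEL);
    return v;
}

/* Constructed sample: lengths a token might report after a length-only query. */
enum verdict sample(CK_ULONG label_len, CK_ULONG mod_len, CK_ULONG exp_len, int require_label) {
    CK_ATTRIBUTE attrs[] = {
        { CKA_ID, NULL, 4 }, { CKA_LABEL, NULL, label_len },
        { CKA_MODULUS, NULL, mod_len }, { CKA_PUBLIC_EXPONENT, NULL, exp_len },
    };
    return check_rsa_pubkey_attrs(attrs, sizeof attrs / sizeof attrs[0], require_label);
}

int main(void) {
    printf("empty label, label optional: %d\n", sample(0, 256, 3, 0));
    printf("empty label, label required: %d\n", sample(0, 256, 3, 1));
    printf("empty modulus:               %d\n", sample(8, 0, 3, 0));
    return 0;
}
```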