
Bug#945295: marked as done (Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so)



Your message dated Fri, 06 Dec 2019 17:27:58 +0100
with message-id <2558205.N1cWzzXmaZ@odyx.org>
and subject line Re: Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
has caused the Debian Bug report #945295,
regarding Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
945295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945295
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:8.1p1-1
Severity: normal

For some time now, ssh (openssh-client) unnecessarily warns for:

> invalid attribute length
> failed to fetch key

when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.

Relevant lines from a verbose connection:

$ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
…
debug1: Connecting to (…)
debug1: Connection established.
debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
debug1: have 1 keys
invalid attribute length
failed to fetch key
…
debug1: Will attempt key: libsimple-tpm-pk11.so RSA SHA256:(xxx-hash-of-my-tpm-key-xxx) token
…

This was initially reported at https://github.com/ThomasHabets/simple-tpm-pk11/issues/48,
and brought to Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832,
which fixed it.

Perhaps it also needs fixing in simple-tpm-pk11, but let's start with a
bug report where the warning is emitted.

Cheers,
	OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libc6             2.29-3
ii  libedit2          3.1-20191025-1
ii  libgssapi-krb5-2  1.17-6
ii  libselinux1       2.9-3+b1
ii  libssl1.1         1.1.1d-2
ii  passwd            1:4.7-2
ii  zlib1g            1:1.2.11.dfsg-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:5.14.5-1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>
ii  ssh-askpass                1:1.2.4.1-10+b1

-- no debconf information

--- End Message ---
--- Begin Message ---
On Friday, 22 November 2019, 18:31:07 CET, Colin Watson wrote:
> On Fri, Nov 22, 2019 at 06:08:01PM +0100, Didier 'OdyX' Raboud wrote:
> > For some time now, ssh (openssh-client) unnecessarily warns for:
> > > invalid attribute length
> > > failed to fetch key
> > 
> > when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.
> > 
> > Relevant lines from a verbose connection:
> > 
> > $ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
> > …
> > debug1: Connecting to (…)
> > debug1: Connection established.
> > debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> > debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
> > debug1: have 1 keys
> > invalid attribute length
> > failed to fetch key
> > …
> > debug1: Will attempt key: libsimple-tpm-pk11.so RSA SHA256:(xxx-hash-of-my-tpm-key-xxx) token
> > …
> > 
> > This was initially reported at
> > https://github.com/ThomasHabets/simple-tpm-pk11/issues/48, and brought to
> > Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832, which fixed
> > it.
> 
> I haven't looked very far into this yet, but as far as I can tell that
> Fedora bug is *not* the same thing.  Fedora carries a patch set that
> asks for the CKA_LABEL attribute, and that bug was because it was
> (apparently incorrectly) requiring that attribute to have non-zero
> length.
> 
> However, Debian does not carry that patch.  If you're seeing these
> errors in the RSA case, it's because at least one of CKA_MODULUS or
> CKA_PUBLIC_EXPONENT is coming back as empty.

I have now adopted simple-tpm-pk11 and backported some upstream patches; the
combination of OpenSSH and simple-tpm-pk11 doesn't spit out the superfluous
warnings anymore.

Hereby closing, and thanks for the attention you have put to this bug. :-)

Cheers,
    OdyX


--- End Message ---
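
The check Colin Watson describes, sketched as an added example (this is not OpenSSH or simple-tpm-pk11 code): a client asks the provider for the lengths of CKA_MODULUS and CKA_PUBLIC_EXPONENT first and rejects the key if either is empty. The `attr_t` struct, `mock_get_attrs` and `fetch_rsa_modulus_bits` are hypothetical stand-ins for `CK_ATTRIBUTE`, `C_GetAttributeValue` and the client's fetch routine, and the key data is constructed.

```c
#include <stdio.h>
#include <string.h>
#define CKA_MODULUS         0x120UL   /* PKCS#11 attribute type values */
#define CKA_PUBLIC_EXPONENT 0x122UL

/* Simplified stand-in for CK_ATTRIBUTE (hypothetical, not pkcs11.h). */
typedef struct { unsigned long type; void *value; unsigned long len; } attr_t;
/* Constructed mock token object: the attributes a provider holds. */
typedef struct { const attr_t *attrs; size_t count; } mock_object;

/* Mock of the C_GetAttributeValue convention: a NULL value pointer asks for
 * the length only, a non-NULL one receives the bytes. Attributes the object
 * lacks come back with length 0 (a simplification of the real API). */
static void mock_get_attrs(const mock_object *obj, attr_t *tmpl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned long found = 0;
        for (size_t j = 0; j < obj->count; j++) {
            if (obj->attrs[j].type != tmpl[i].type)
                continue;
            found = obj->attrs[j].len;
            if (tmpl[i].value != NULL && found <= tmpl[i].len)
                memcpy(tmpl[i].value, obj->attrs[j].value, found);
        }
        tmpl[i].len = found;
    }
}

/* Returns the modulus size in bits, or -1 for "invalid attribute length". */
static long fetch_rsa_modulus_bits(const mock_object *obj)
{
    unsigned char n_buf[512], e_buf[16];
    attr_t tmpl[2] = { { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 } };
    mock_get_attrs(obj, tmpl, 2);              /* pass 1: lengths only */
    if (tmpl[0].len == 0 || tmpl[1].len == 0)  /* empty modulus or exponent */
        return -1;
    if (tmpl[0].len > sizeof(n_buf) || tmpl[1].len > sizeof(e_buf))
        return -1;                             /* would not fit our buffers */
    tmpl[0].value = n_buf; tmpl[1].value = e_buf;
    mock_get_attrs(obj, tmpl, 2);              /* pass 2: fetch the bytes */
    return (long)tmpl[0].len * 8;
}

int main(void)
{
    static unsigned char n[256] = { 0xC3 }, e[3] = { 0x01, 0x00, 0x01 };
    attr_t attrs[2] = { { CKA_MODULUS, n, sizeof n }, { CKA_PUBLIC_EXPONENT, e, 0 } };
    mock_object key = { attrs, 2 };            /* constructed: empty exponent */
    printf("%ld\n", fetch_rsa_modulus_bits(&key));
}
```

A provider that returns a zero-length value for either attribute triggers the rejection path even when the key itself is usable, which matches the symptom in this report.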