Created attachment 475938: emerge --info. If openssh is compiled with USE="libressl ldns pie", it segfaults in record_hostkey() when `ssh ip` is called. See backtrace and log. If compiled with USE="libressl ldns" or USE="libressl pie", no segfault occurs. Other USE flags, which I think are not relevant, are: debug hpn libedit ssl. After some searching, I think https://bugzilla.mindrot.org/show_bug.cgi?id=2702 is kind of relevant.
Created attachment 475940: backtrace of ssh hidden.tld
Created attachment 475942: output of ssh -vvv hidden.tld
I can confirm this bug. Could you please increase the priority or at least block this combination? It also affects sshd, possibly blocking remote access to a server, IMHO making this a critical bug.
I just hit this with net-misc/openssh-7.6_p1-r3 and switching off USE=pie didn't work out; I had to turn off USE=ldns, and ldns was a nice feature. I will miss it.
Why don't you add a block to bug #561854?
See how this was fixed in FreeBSD: https://svnweb.freebsd.org/ports?view=revision&revision=452358
I cannot reproduce this with libressl-2.6.0 or 2.6.4 which are the latest stable. Please try the latest OpenSSH and LibreSSL. If you still have issues please let us know.
Yes, it still segfaults. openssh 7.7_p1-r1 libressl 2.6.4 USE="X ldns libressl pam pie ssl -X509 -audit -bindist -debug -hpn -kerberos (-ldap) -libedit -livecd -sctp (-selinux) -skey -static {-test}"
I am also still getting segfaults w/ both openssh-7.6_p1-r5 & openssh-7.7_p1-r1 in the Gentoo Portage tree w/ USE="libressl ldns". However, based on the FreeBSD fix referenced in comment #6 I have patched ebuilds in my local overlay that do not segfault. All I changed was $(use_with ldns) to $(use_with ldns ldns ${EROOT}). For some reason this makes configure omit the extra/repeated -l flags (e.g. -lcrypto gets repeated) that per the FreeBSD fix cause the segfaults.
Created attachment 528064: Patch for openssh-7.6_p1-r5.ebuild
Created attachment 528066: Patch for openssh-7.7_p1-r1.ebuild
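A quick way to check a link line for the repeated `-l` flags described in the comment above, added here as an example (it is not code from this bug, the ebuild, or the FreeBSD fix). The function name `repeated_libs` and both sample `LIBS` values are constructed for illustration.

```shell
#!/bin/sh
# Report every -l<name> flag that occurs more than once in a link line.
# Input:  the link line as a single string, e.g. the LIBS value that
#         configure wrote into the generated Makefile.
# Output: one "<count> <flag>" line per repeated flag, in first-seen order;
#         no output means no flag is repeated.
repeated_libs() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-l./) {            # -L search paths are ignored
                    if (++seen[$i] == 1)
                        order[++n] = $i       # remember first-seen order
                }
        }
        END {
            for (i = 1; i <= n; i++)
                if (seen[order[i]] > 1)
                    printf "%d %s\n", seen[order[i]], order[i]
        }'
}

# Constructed sample values, not copied from the attachments in this bug.
LIBS_OVERLINKED="-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lldns -lcrypto"
LIBS_CLEAN="-lldns -lcrypto -ldl -lutil -lz -lcrypt -lresolv"

echo "overlinked build:"
repeated_libs "$LIBS_OVERLINKED"    # prints: 2 -lcrypto
echo "clean build:"
repeated_libs "$LIBS_CLEAN"         # prints nothing
```

Run it against the `LIBS` value of a build made with `$(use_with ldns)` and one made with `$(use_with ldns ldns ${EROOT})` to compare the two.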
Got segfault on "ssh <ip>" with USE="libressl ldns". net-misc/openssh-7.9_p1-r3, dev-libs/libressl-2.8.3.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=249dd650a66c66d870bf264aa146dad33c23527b

commit 249dd650a66c66d870bf264aa146dad33c23527b
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-06 23:11:53 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-06 23:55:55 +0000

    net-misc/openssh: fix ldns overlinking when LibreSSL is used

    Link: https://svnweb.freebsd.org/ports?view=revision&revision=452358
    Bug: https://bugs.gentoo.org/621428
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/openssh-7.9_p1-r4.ebuild | 468 ++++++++++++++++++++++++++++++
 1 file changed, 468 insertions(+)
Please test =net-misc/openssh/openssh-7.9_p1-r4.
Thank you Thomas! Unfortunately I could not yet get DNSSEC (and SSHFP) to work, but at least it does not segfault now, just
debug3: verify_host_key_dns
DNS lookup error: general failure
and then authentication goes as usual.
I see
> DNS lookup error: general failure
in debug log when trying to connect to a non-DNSSEC enabled host when using OpenSSL, too. So this could be normal.
Confirmed,
> DNS lookup error: general failure
is not an error in code. Just the error returned when the requested DNS entries are missing.
It seems to me that OpenSSH is now able to validate DNSSEC records in Linux even without ldns. I use systemd-resolved as system resolver.
Actually, it's more like ssh client now trusts secure flag received from resolver which it didn't trust before and asked for confirmation to add server key to .known_hosts.