Hi,

OpenSSH 6.7 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release
containing a number of features, a lot of internal refactoring and some
potentially-incompatible changes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

 * sshd(8): The default set of ciphers and MACs has been altered to
   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
   are disabled by default.

   The full set of algorithms remains available if configured
   explicitly via the Ciphers and MACs sshd_config options.

 * sshd(8): Support for tcpwrappers/libwrap has been removed.

 * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
   using the curve25519-sha256@libssh.org KEX exchange method to fail
   when connecting with something that implements the specification
   correctly. OpenSSH 6.7 disables this KEX method when speaking to
   one of the affected versions.

New Features

 * Major internal refactoring to begin to make part of OpenSSH usable
   as a library. So far the wire parsing, key handling and KRL code
   has been refactored. Please note that we do not consider the API
   stable yet, nor do we offer the library in separable form.

 * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
   A remote TCP port may be forwarded to a local Unix domain socket
   and vice versa or both ends may be a Unix domain socket.

 * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
   ED25519 key types.

 * sftp(1): Allow resumption of interrupted uploads.

 * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
   is the same as the one sent during initial key exchange; bz#2154

 * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
   addresses when GatewayPorts=no; allows client to choose address
   family; bz#2222

 * sshd(8): Add a sshd_config PermitUserRC option to control whether
   ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
   option; bz#2160

 * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
   that expands to a unique identifier based on a hash of the tuple of
   (local host, remote user, hostname, port). Helps avoid exceeding
   miserly pathname limits for Unix domain sockets in multiplexing
   control paths; bz#2220

 * sshd(8): Make the "Too many authentication failures" message
   include the user, source address, port and protocol in a format
   similar to the authentication success / failure messages; bz#2199

 * Added unit and fuzz tests for refactored code. These are run
   automatically in portable OpenSSH via the "make tests" target.

Bugfixes

 * sshd(8): Fix remote fwding with same listen port but different
   listen address.

 * ssh(1): Fix inverted test that caused PKCS#11 keys that were
   explicitly listed in ssh_config or on the commandline not to be
   preferred.

 * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
   revoked certificate serial number ranges could be serialised to an
   invalid format. Readers of a broken KRL caused by this bug will
   fail closed, so no should-have-been-revoked key will be accepted.

 * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
   exit status. Previously we were always returning 0; bz#2255

 * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
   randomart border; bz#2247

 * ssh-agent(1): Only cleanup agent socket in the main agent process
   and not in any subprocesses it may have started (e.g. forked
   askpass). Fixes agent sockets being zapped when askpass processes
   fatal(); bz#2236

 * ssh-add(1): Make stdout line-buffered; saves partial output getting
   lost when ssh-add fatal()s part-way through (e.g. when listing keys
   from an agent that supports key types that ssh-add doesn't);
   bz#2234

 * ssh-keygen(1): When hashing or removing hosts, don't choke on
   @revoked markers and don't remove @cert-authority markers; bz#2241

 * ssh(1): Don't fatal when hostname canonicalisation fails and a
   ProxyCommand is in use; continue and allow the ProxyCommand to
   connect anyway (e.g. to a host with a name outside the DNS behind
   a bastion)

 * scp(1): When copying local->remote fails during read, don't send
   uninitialised heap to the remote end.

 * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
   filenames with a single quote char somewhere in the string;
   bz#2238

 * ssh-keyscan(1): Scan for Ed25519 keys by default.

 * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver,
   down-convert any certificate keys to plain keys and attempt SSHFP
   resolution. Prevents a server from skipping SSHFP lookup and
   forcing a new-hostkey dialog by offering only certificate keys.

 * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225

 * Fix some strict-alignment errors.

Portable OpenSSH

 * Portable OpenSSH now supports building against libressl-portable.

 * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
   versions are no longer supported.

 * In the OpenSSL version check, allow fix version upgrades (but not
   downgrades). Debian bug #748150.

 * sshd(8): On Cygwin, determine privilege separation user at runtime,
   since it may need to be a domain account.

 * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
   non-root users, and for them it just messes up the tty settings.

 * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
   available. It takes into account time spent suspended, thereby
   ensuring timeouts (e.g. for expiring agent keys) fire correctly.
   bz#2228

 * Add support for ed25519 to opensshd.init init script.

 * sftp-server(8): On platforms that support it, use prctl() to
   prevent sftp-server from accessing /proc/self/{mem,maps}

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
On 18 Aug 2014, at 03:23, Damien Miller <djm at mindrot.org> wrote the following:

With this fix:

> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>   explicitly listed in ssh_config or on the commandline not to be
>   preferred.

a fairly broad range of PIN-keypad readers, as often used in healthcare, have sprung to life. Would be nice if you could also apply the patch below. The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory.

Thanks,

Dw.

* Allow for PIN/password entry on the keypad of the chipcard reader.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { - free(pin); + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin = NULL; + } else { + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", + si->token.label); + pin = read_passphrase(prompt, RP_ALLOW_EOF); + if (pin == NULL) + return (-1); /* bail out */ + }; + if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)) + != CKR_OK) { + if (pin) free(pin); error("C_Login failed: %lu", rv); return (-1); } - free(pin); + if (pin) free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid;
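Review bot: the `};` that closes the new else branch in pkcs11_rsa_private_encrypt() is a stray empty statement, and the two `if (pin) free(pin);` guards add nothing because free(NULL) is a no-op; dropping the semicolon and keeping the unconditional `free(pin)` the removed lines had would keep the hunk in the file's style. Passing a NULL PIN with length 0 to C_Login is how PKCS#11 requests protected-path authentication, so `pin ? strlen(pin): 0` is the right length, but the old call cast pin with `(u_char *)` and the new one drops that cast, so check it still builds without pointer-sign warnings. It is also worth stating whether non-interactive use with a keypad reader is meant to stay unsupported: the `!pkcs11_interactive` branch still returns -1 with "need pin entry on reader keypad" even though that path needs no terminal prompt.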
Hi,

[2014-08-18 11:23:41 +1000] Damien Miller:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

(Not that this is important, but) running `make tests` I get:

run test connect.sh ...
nologin: invalid option -- 'c'

Usage:
 nologin [options]

Options:
 -h, --help     display this help and exit
 -V, --version  output version information and exit

For more details see nologin(8).
ssh connect with protocol 1 failed

My nologin binary identifies itself as:

$ nologin --version
nologin from util-linux 2.25

I got it straight from my distro (Arch Linux).

Other than that, I have experienced no regressions so far with
openssh-SNAP-20140818; but if I do I will report them here...

Cheers.

-- 
Gaetan
On Aug 18 11:23, Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

I tested from CVS HEAD and there's a bug in serverloop.c. On systems not
defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax error.
Here's a patch:

Index: serverloop.c
===================================================================
RCS file: /cvs/openssh/serverloop.c,v
retrieving revision 1.181
diff -u -p -r1.181 serverloop.c
--- serverloop.c	18 Jul 2014 04:11:26 -0000	1.181
+++ serverloop.c	18 Aug 2014 12:33:02 -0000
@@ -1173,9 +1173,9 @@ server_input_global_request(int type, u_ /* check permissions */ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || no_port_forwarding_flag || - (!want_reply && fwd.listen_port == 0) || + (!want_reply && fwd.listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT - (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED && + || (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED && pw->pw_uid != 0) #endif ) {

Also, I can't run the testsuite on Cygwin anymore:

$ make tests
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || \
	mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || \
	mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || \
	mkdir -p `pwd`/regress/unittests/sshkey
[ -f `pwd`/regress/Makefile ] || \
	ln -s `cd ../src && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && make)
make[1]: Entering directory '/home/corinna/src/openssh/build/openbsd-compat'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/corinna/src/openssh/build/openbsd-compat'
gcc -g -O2 [...options...] -o regress/modpipe.exe ../src/regress/modpipe.c \
	-L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
gcc -g -O2 [...options...] -o regress/setuid-allowed.exe ../src/regress/setuid-allowed.c \
	-L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'.  Stop.

This is using GNU make. I'm not sure what's missing. Is that because I'm
not building in the source dir, by any chance?
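Review bot: the description above has the condition inverted: the dangling `||` left before `#ifndef NO_IPPORT_RESERVED_CONCEPT` only produces `|| )` when the #ifndef body is compiled out, that is on systems that do define NO_IPPORT_RESERVED_CONCEPT, while builds without the define were already well-formed. Moving the operator inside the #ifndef block, as the `+ || (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&` line does, compiles both ways and leaves the permission check itself unchanged. A short comment on why the `||` leads that line rather than trailing the previous one would stop a later style cleanup from reintroducing the breakage.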
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
Ugh - so, forgot to RT the list ... and another failed buildhost ... I
know these are legacy OS versions - but they're still in use here so ...

OS          Build_Target       CC            OpenSSL        BUILD TEST
=========== ================= ============ ============= ====================
Centos 2.1  i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
RHEL 3.4    i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1

make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c arc4random.c
In file included from ../buffer.h:24,
                 from ../entropy.h:30,
                 from ../includes.h:177,
                 from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
[root at localhost openssh]# find ec.h
find: ec.h: No such file or directory

On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
-- 
# include <stddisclaimer.h> /* Kevin Brott <Kevin.Brott at gmail.com> */
NetBSD-current amd64

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-dss.c -o ssh-dss.o
ssh-dss.c: In function 'ssh_dss_sign':
ssh-dss.c:50:2: error: unknown type name 'DSA_SIG'
  DSA_SIG *sig = NULL;

-- 
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>

The 20140819 snapshot successfully builds and passes the tests on RHEL
6.5/x86_64 w/OpenSSL 1.0.1i.

Regarding the removal of TCP wrapper support, it would be good to remove
references to it in the contrib/*/openssh.spec files:

% egrep -i 'netkit|wrapper|tcpd' */openssh.spec
caldera/openssh.spec:	--with-tcp-wrappers \
redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
redhat/openssh.spec:	--with-tcp-wrappers \
suse/openssh.spec:# TCP Wrappers (tcpd-devel),
suse/openssh.spec:BuildPrereq: tcpd-devel
suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers support
suse/openssh.spec:	--with-tcp-wrappers \

There are also references to tcpd or libwrap in INSTALL and
contrib/cygwin/README that should probably be removed or revised.

-- 
Iain Morgan
On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Potentially-incompatible changes
> 
> * sshd(8): The default set of ciphers and MACs has been altered to
>   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>   are disabled by default.
>

Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build
directory, and it lists the full set of ciphers -- not the trimmed-down
default list indicated in sshd_config(5).

-- 
Iain Morgan
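As an added example for this thread (not OpenSSH code, not from any poster), a small POSIX sh/awk check that reads the `sshd -T` dump Iain used above and lists the CBC and arcfour algorithms the announcement drops from the defaults, which is how an administrator can confirm what a given sshd binary and config actually enable. The two configuration dumps embedded below are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example for this thread, not part of OpenSSH. Scans the effective
# server configuration that `sshd -T` prints for algorithms the OpenSSH 6.7
# announcement removes from the defaults: CBC-mode ciphers and arcfour*.
#
# Real use:  /usr/sbin/sshd -T -f /etc/ssh/sshd_config | flag_legacy_algos
# Note that `sshd -f /dev/null -T`, as in the message above, reports the
# compiled-in defaults rather than what /etc/ssh/sshd_config selects.

# Extended regular expression for algorithm names treated as legacy here.
# Only what the announcement names is flagged; extend the pattern as needed.
LEGACY_PATTERN='cbc|arcfour'

# flag_legacy_algos: read "keyword value" lines in `sshd -T` format on
# stdin and print "<keyword> <algorithm>" for every legacy algorithm in
# the comma-separated Ciphers and MACs lists.
flag_legacy_algos() {
    awk -v pat="$LEGACY_PATTERN" '
        $1 == "ciphers" || $1 == "macs" {
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (algos[i] ~ pat)
                    print $1, algos[i]
        }'
}

# count_legacy_algos: number of legacy algorithms enabled in the dump on
# stdin (0 means the server offers none of them).
count_legacy_algos() {
    flag_legacy_algos | wc -l | tr -d ' '
}

# Constructed sample resembling a pre-6.7 `sshd -T` dump where Ciphers and
# MACs were left unset, so every supported algorithm is enabled.
# Not captured from a real host.
PERMISSIVE_DUMP='port 22
protocol 2
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
macs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256'

# Constructed sample with Ciphers and MACs set explicitly to CTR/GCM/
# ChaCha20 ciphers and SHA-2 MACs: one selection free of CBC and arcfour,
# not a claim about the exact 6.7 default list.
HARDENED_DUMP='port 22
protocol 2
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256'

# Demonstration on the constructed samples.
echo "Legacy algorithms in the permissive dump:"
printf '%s\n' "$PERMISSIVE_DUMP" | flag_legacy_algos
echo "Legacy algorithms in the hardened dump: $(printf '%s\n' "$HARDENED_DUMP" | count_legacy_algos)"
```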
It fails under SPARC Solaris 10, running a recent patch set, with our
locally built OpenSSL 1.0.0n, and SUN Studio 12. The test_sshbuf binary
dumps core with an error code of 139:

cd ./regress || exit $?; \
make \
	.OBJDIR="${BUILDDIR}/regress" \
	.CURDIR="`pwd`" \
	BUILDDIR="${BUILDDIR}" \
	OBJ="${BUILDDIR}/regress/" \
	PATH="${BUILDDIR}:${PATH}" \
	TEST_ENV=MALLOC_OPTIONS="" \
	TEST_SHELL="${TEST_SHELL}" \
	TEST_SSH_SCP="${TEST_SSH_SCP}" \
	TEST_SSH_SSH="${TEST_SSH_SSH}" \
	TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
	TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
	TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
	TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
	TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
	TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
	TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
	TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
	TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
	TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
	TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
	TEST_SSH_IPV6="${TEST_SSH_IPV6}" \
	TEST_SSH_ECC="${TEST_SSH_ECC}" \
	EXEEXT="" \
	tests && echo all tests passed
set -e ; if test -z "" ; then \
	/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshbuf/test_sshbuf ; \
	/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshkey/test_sshkey \
		-d /opt/src/sys/openssh/openssh-SNAP-20140820/regress//unittests/sshkey/testdata ; \
fi
*** Error code 139
make: Fatal error: Command failed for target `unit'
Current working directory /opt/src/sys/openssh/openssh-SNAP-20140820/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
-- 
Jeff Wieland                    | Purdue University
Network Systems Administrator   | ITIS UNIX Platforms
Voice: (765)496-8234            | 155 S. Grant Street
FAX: (765)494-6620              | West Lafayette, IN 47907
On 18/08/14 03:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>

It fails to build on IRIX 6.2:

cc-1020 cc: ERROR File = sftp-server.c, Line = 1536
  The identifier "PR_SET_DUMPABLE" is undefined.

          if (prctl(PR_SET_DUMPABLE, 0) != 0)
                    ^

1 error detected in the compilation of "sftp-server.c".

AFAIK no version of IRIX has PR_SET_DUMPABLE. Fixing that, the build
completes.

The sshkey unit test fails:

test_sshkey: ...........................
regress/unittests/sshkey/test_sshkey.c:338 test #28 "nested certificate"
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0) failed:
sshkey_load_cert(test_data_file("rsa_1"), &k1) = -4
0 = 0
make[1]: *** [unit] Error 134

The rest of the testsuite is running now but so far it looks like the
problems there are the same as previous releases.

-tgc
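The shape of fix the IRIX failure above calls for, as an added example in my own C (not OpenSSH's sftp-server.c): the PR_SET_DUMPABLE call is compiled in only where the platform actually defines the constant, so a system without it still builds and merely reports the hardening as unavailable, and two small helpers let you see what the flag changes. It assumes Linux for the prctl() path; the function names and return conventions are mine. Whether /proc/self/mem becomes unreadable afterwards depends on the uid you run as (root still passes the ownership check the kernel applies once the process is non-dumpable), so only the flag value itself is a reliable indicator.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#if defined(__linux__)
#include <sys/prctl.h>
#endif

/*
 * Hypothetical portability wrapper around the sftp-server hardening.
 * Test the constant, not just the presence of prctl(): a platform may
 * have prctl() without PR_SET_DUMPABLE, which is exactly what broke IRIX.
 *
 * Returns 0 if the process is now non-dumpable, 1 if PR_SET_DUMPABLE is
 * not defined here (call compiled out), -1 if prctl() itself failed.
 */
int harden_no_dump(void)
{
#if defined(__linux__) && defined(PR_SET_DUMPABLE)
	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
		return -1;
	return 0;
#else
	return 1;
#endif
}

/* Dumpable flag as the kernel reports it, or -1 where it cannot be queried. */
int core_dumpable(void)
{
#if defined(__linux__) && defined(PR_GET_DUMPABLE)
	return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
	return -1;
#endif
}

/*
 * Can this process open its own memory image? 1 = yes, 0 = refused.
 * Once dumpable is cleared, /proc/self/{mem,maps} become root-owned, so
 * an unprivileged process is refused by the ordinary permission check;
 * a process running as root still gets through.
 */
int can_open_self_mem(void)
{
	int fd = open("/proc/self/mem", O_RDONLY);

	if (fd < 0)
		return 0;
	close(fd);
	return 1;
}

int main(void)
{
	int before = can_open_self_mem();
	int rc = harden_no_dump();

	printf("harden_no_dump() = %d (0 ok, 1 unsupported here, -1 error)\n", rc);
	printf("dumpable flag now: %d\n", core_dumpable());
	printf("/proc/self/mem openable: before=%d after=%d (uid %d)\n",
	    before, can_open_self_mem(), (int)getuid());
	return rc < 0;
}
```

Run it once as an ordinary user and once as root to see the difference in the last line: the flag reads 0 in both cases, but only the unprivileged process loses access to its own /proc/self/mem.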
Hi there

Tested openssh-SNAP-20140823.tar.gz on FreeBSD versions:

FreeBSD 10.0-RELEASE-p6 #0 r267862
FreeBSD 9.3-RELEASE #0 r268564

with generic kernel. All tests passed.

Fred

On 2014-08-18 02:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.6
> ========================
>
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
>   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>   are disabled by default.
>
>   The full set of algorithms remains available if configured
>   explicitly via the Ciphers and MACs sshd_config options.
>
> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>
> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>   using the curve25519-sha256 at libssh.org KEX exchange method to fail
>   when connecting with something that implements the specification
>   correctly. OpenSSH 6.7 disables this KEX method when speaking to
>   one of the affected versions.
>
> New Features
>
> * Major internal refactoring to begin to make part of OpenSSH usable
>   as a library. So far the wire parsing, key handling and KRL code
>   has been refactored. Please note that we do not consider the API
>   stable yet, nor do we offer the library in separable form.
>
> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>   A remote TCP port may be forwarded to a local Unix domain socket
>   and vice versa or both ends may be a Unix domain socket.
>
> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>   ED25519 key types.
>
> * sftp(1): Allow resumption of interrupted uploads.
>
> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>   is the same as the one sent during initial key exchange; bz#2154
>
> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>   addresses when GatewayPorts=no; allows client to choose address
>   family; bz#2222
>
> * sshd(8): Add a sshd_config PermitUserRC option to control whether
>   ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>   option; bz#2160
>
> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>   that expands to a unique identifier based on a hash of the tuple of
>   (local host, remote user, hostname, port). Helps avoid exceeding
>   miserly pathname limits for Unix domain sockets in multiplexing
>   control paths; bz#2220
>
> * sshd(8): Make the "Too many authentication failures" message
>   include the user, source address, port and protocol in a format
>   similar to the authentication success / failure messages; bz#2199
>
> * Added unit and fuzz tests for refactored code. These are run
>   automatically in portable OpenSSH via the "make tests" target.
>
> Bugfixes
>
> * sshd(8): Fix remote fwding with same listen port but different
>   listen address.
>
> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>   explicitly listed in ssh_config or on the commandline not to be
>   preferred.
>
> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>   revoked certificate serial number ranges could be serialised to an
>   invalid format. Readers of a broken KRL caused by this bug will
>   fail closed, so no should-have-been-revoked key will be accepted.
>
> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>   exit status. Previously we were always returning 0; bz#2255
>
> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>   randomart border; bz#2247
>
> * ssh-agent(1): Only cleanup agent socket in the main agent process
>   and not in any subprocesses it may have started (e.g. forked
>   askpass). Fixes agent sockets being zapped when askpass processes
>   fatal(); bz#2236
>
> * ssh-add(1): Make stdout line-buffered; saves partial output getting
>   lost when ssh-add fatal()s part-way through (e.g. when listing keys
>   from an agent that supports key types that ssh-add doesn't);
>   bz#2234
>
> * ssh-keygen(1): When hashing or removing hosts, don't choke on
>   @revoked markers and don't remove @cert-authority markers; bz#2241
>
> * ssh(1): Don't fatal when hostname canonicalisation fails and a
>   ProxyCommand is in use; continue and allow the ProxyCommand to
>   connect anyway (e.g. to a host with a name outside the DNS behind
>   a bastion)
>
> * scp(1): When copying local->remote fails during read, don't send
>   uninitialised heap to the remote end.
>
> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>   filenames with a single quote char somewhere in the string;
>   bz#2238
>
> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>
> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver,
>   down-convert any certificate keys to plain keys and attempt SSHFP
>   resolution. Prevents a server from skipping SSHFP lookup and
>   forcing a new-hostkey dialog by offering only certificate keys.
>
> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>
> * Fix some strict-alignment errors.
>
> Portable OpenSSH
>
> * Portable OpenSSH now supports building against libressl-portable.
>
> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>   versions are no longer supported.
>
> * In the OpenSSL version check, allow fix version upgrades (but not
>   downgrades). Debian bug #748150.
>
> * sshd(8): On Cygwin, determine privilege separation user at runtime,
>   since it may need to be a domain account.
>
> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>   non-root users, and for them it just messes up the tty settings.
>
> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>   available. It takes into account time spent suspended, thereby
>   ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>   bz#2228
>
> * Add support for ed25519 to opensshd.init init script.
>
> * sftp-server(8): On platforms that support it, use prctl() to
>   prevent sftp-server from accessing /proc/self/{mem,maps}
>
> Reporting Bugs:
> ==============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Mon, Aug 18, 2014 at 11:23:41AM +1000, Damien Miller wrote:
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.

No problems with regression tests with snapshot-20140830 on Slackware 14.1.

--mancha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140829/f63aa08d/attachment.bin>
On Aug 17, 2014, at 9:23 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

All tests pass with openssh-SNAP-20140901 on Mac OS X Mavericks.

jd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2446 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140901/0904cbf7/attachment.bin>
On Aug 18 11:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.

Btw., I'm getting two new warnings during build:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -Wno-attributes -I. -I../src -I/usr/include/editline -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/sbin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/sbin/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/sbin/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/sbin/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ../src/sshbuf.c -o sshbuf.o
../src/sshbuf.c:34:0: warning: "__predict_true" redefined [enabled by default]
 #define __predict_true(exp) __builtin_expect(((exp) != 0), 1)
 ^
In file included from /usr/include/features.h:14:0,
                 from /usr/include/sys/socket.h:15,
                 from ../src/includes.h:26,
                 from ../src/sshbuf.c:19:
/usr/lib/gcc/x86_64-pc-cygwin/4.8.3/include-fixed/sys/cdefs.h:445:0: note: this is the location of the previous definition
 #define __predict_true(exp) __builtin_expect((exp), 1)
 ^
../src/sshbuf.c:35:0: warning: "__predict_false" redefined [enabled by default]
 #define __predict_false(exp) __builtin_expect(((exp) != 0), 0)
 ^
In file included from /usr/include/features.h:14:0,
                 from /usr/include/sys/socket.h:15,
                 from ../src/includes.h:26,
                 from ../src/sshbuf.c:19:
/usr/lib/gcc/x86_64-pc-cygwin/4.8.3/include-fixed/sys/cdefs.h:446:0: note: this is the location of the previous definition
 #define __predict_false(exp) __builtin_expect((exp), 0)
 ^

Shouldn't these be avoided by only defining them if they are not already
defined?


Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140902/ac71b691/attachment.bin>
On Mon, Aug 18, 2014 at 11:23:41AM +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate
> testing on as many platforms and systems as possible.

Hi.

If there's still time it would be good to ensure nuking the source seed
in OpenSSH-Portable's arc4random rs_stir:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/arc4random.c.diff?r1=1.28&r2=1.29

--mancha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140903/0a33fbd6/attachment.bin>
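What "nuking the source seed" amounts to, as an added example that is my own code and not OpenBSD's or OpenSSH-Portable's arc4random.c: a simplified rs_stir that folds the seed into a toy key/IV state and then erases the seed through a volatile function pointer, the same idea as explicit_bzero(). The rekey is a plain XOR rather than ChaCha, the state layout and function names are assumed for illustration, and the seed lives in the caller's buffer rather than on rs_stir's own stack so that the wipe can actually be checked afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYSZ  32
#define IVSZ   8
#define SEEDSZ (KEYSZ + IVSZ)

/* Toy generator state: ChaCha key and IV only; the cipher itself is omitted. */
struct rs_state {
	uint8_t key[KEYSZ];
	uint8_t iv[IVSZ];
};

/*
 * Stand-in for explicit_bzero(): memset() reached through a volatile
 * function pointer. A plain memset() on a buffer that is never read again
 * is a dead store the optimiser may delete; the volatile pointer forces
 * the call to be made.
 */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len)
{
	wipe_fn(buf, 0, len);
}

/* 1 if every byte of buf is zero, else 0 (no early exit). */
int buf_is_zero(const uint8_t *buf, size_t len)
{
	uint8_t acc = 0;

	for (size_t i = 0; i < len; i++)
		acc |= buf[i];
	return acc == 0;
}

/* Simplified rekey: XOR fresh seed material into key and IV. */
static void rs_rekey(struct rs_state *st, const uint8_t *seed)
{
	for (size_t i = 0; i < KEYSZ; i++)
		st->key[i] ^= seed[i];
	for (size_t i = 0; i < IVSZ; i++)
		st->iv[i] ^= seed[KEYSZ + i];
}

/*
 * The stir step: fold the seed into the generator, then destroy the seed
 * so the entropy that keyed the generator survives only inside the state.
 * Returns 1 if the seed buffer is all zero afterwards.
 */
int rs_stir(struct rs_state *st, uint8_t seed[SEEDSZ])
{
	rs_rekey(st, seed);
	secure_wipe(seed, SEEDSZ);
	return buf_is_zero(seed, SEEDSZ);
}

/* Stir a zeroed state with a constructed seed (bytes 1..40, not real entropy). */
int stir_demo(struct rs_state *st)
{
	uint8_t seed[SEEDSZ];

	memset(st, 0, sizeof(*st));
	for (size_t i = 0; i < SEEDSZ; i++)
		seed[i] = (uint8_t)(i + 1);
	return rs_stir(st, seed);
}

int main(void)
{
	struct rs_state st;

	printf("seed wiped after stir: %s\n", stir_demo(&st) ? "yes" : "no");
	printf("key[0]=%u key[31]=%u iv[0]=%u iv[7]=%u\n",
	    st.key[0], st.key[31], st.iv[0], st.iv[7]);
	return 0;
}
```

The check in rs_stir is there to make the point visible; in a real stir the seed is a stack local and the only evidence of the wipe is the absence of the bytes in a later core dump or memory disclosure, which is why the erase has to be one the compiler cannot remove.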
Phil Pennock
2014-Sep-11 06:31 UTC
MacOS; Unix sockets & man (Re: Call for testing: OpenSSH 6.7)
On 2014-08-18 at 11:23 +1000, Damien Miller wrote:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

Downloaded openssh-SNAP-20140911.tar.gz onto MacOS 10.8.5, using Clang
(Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)).

Configured with:

  ./configure --with-libedit --with-pam --with-kerberos5 \
    --prefix=/opt/openssh --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/local/Cellar/openssl/1.0.1i \
    --with-ldns

stolen/derived from the Homebrew configuration: so I think this will match
a common configuration profile on this platform (everything except the
--prefix value chosen).

"all tests passed".

The Unix port forwarding appears to be undocumented. From reading the
code, presence of a '/' anywhere in the PORT field causes
parse_fwd_field() to mark the item as a path. When I supply an absolute
path, this works and works great! :)

If I supply a relative path, then it's passed to the server as a path but
fails, triggering a warning message:

  Warning: remote port forwarding failed for listen path tmp/FRED

The server-side debug logs:

----------------------------8< cut here >8------------------------------
debug1: server_input_global_request: rtype streamlocal-forward at openssh.com want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path usr/fred
debug3: channel_setup_fwd_listener_streamlocal: type 19 path usr/fred
bind: Permission denied
unix_listener: cannot bind to path: usr/fred
----------------------------8< cut here >8------------------------------

This is with client and server both on the same MacOS box.

Since I'm not sure if it's only supposed to work if the path _starts_
with a slash, or if it _should_ work for _contains_ a slash, I'm not
offering a documentation patch; I'll note that I'd expect to see this
documented under -L, -R or the ssh_config options, or perhaps in a new
section in ssh(1) "Port Forwarding" and cut down on a bunch of the
duplication by referring to a full spec in that. (If you want an nroff
patch and say what the behaviour should be, I'd be happy to contribute).

To finish off, compilation warnings until the end of the email, so if not
interested in these, then there's nothing else to read here.

Thanks,
-Phil

I'll list them all for completeness, despite the lack of visible
replacements for some deprecation-warning items:

* `getrrsetbyname-ldns.c` had complaints on multiple lines of the form:
----------------------------8< cut here >8------------------------------
getrrsetbyname-ldns.c:92:6: warning: variable 'ldns_res' is used uninitialized whenever 'if' condition is true
----------------------------8< cut here >8------------------------------
  Always for `ldns_res`. These were classed as `-Wsometimes-uninitialized`
  warnings.

* Lots of ranlib complaints of files having no symbols; which I suspect
  come down to not defining things like USE_BUILTIN_RIJNDAEL so these are
  just noise

* Two complaints of daemon() deprecation in ssh.c, lines 1288 & 1300; also
  in sshd.c:1892:
----------------------------8< cut here >8------------------------------
ssh.c:1288:2: warning: 'daemon' is deprecated: first deprecated in OS X 10.5 [-Wdeprecated-declarations]
----------------------------8< cut here >8------------------------------
  Man-page daemon(3) says nothing about a deprecation; stdlib.h just has:
----------------------------8< cut here >8------------------------------
int daemon(int, int) __DARWIN_1050(daemon) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_5, __IPHONE_2_0, __IPHONE_2_0);
----------------------------8< cut here >8------------------------------
  and I'm not seeing what replaces it, unless the answer is just "use
  launchd".

* Many of these:
----------------------------8< cut here >8------------------------------
clang: warning: argument unused during compilation: '-pie'
----------------------------8< cut here >8------------------------------

* loginrec.c : `struct utmp` and the `login()`, `logout()` and `logwtmp()`
  functions are triggering deprecation warnings:
----------------------------8< cut here >8------------------------------
loginrec.c:188:49: warning: 'utmp' is deprecated [-Wdeprecated-declarations]
void set_utmp_time(struct logininfo *li, struct utmp *ut);
----------------------------8< cut here >8------------------------------
  The function at least has a deprecated-since label of 10.5:
  __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0,__MAC_10_5,__IPHONE_NA,__IPHONE_NA);

* sandbox-darwin.c warnings and deprecations:
----------------------------8< cut here >8------------------------------
sandbox-darwin.c:43:25: warning: declaration of 'struct monitor' will not be visible outside of this function [-Wvisibility]
ssh_sandbox_init(struct monitor *monitor)
                        ^
sandbox-darwin.c:65:6: warning: 'sandbox_init' is deprecated: first deprecated in OS X 10.8 [-Wdeprecated-declarations]
        if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
            ^
/usr/include/sandbox.h:65:5: note: 'sandbox_init' declared here
int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
    ^
sandbox-darwin.c:65:19: warning: 'kSBXProfilePureComputation' is deprecated: first deprecated in OS X 10.8 [-Wdeprecated-declarations]
        if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
                         ^
/usr/include/sandbox.h:97:19: note: 'kSBXProfilePureComputation' declared here
extern const char kSBXProfilePureComputation[];
                  ^
3 warnings generated.
----------------------------8< cut here >8------------------------------
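A pre-flight check for the relative-path case Phil hit, as an added example in my own C (it is not OpenSSH's parse_fwd_field() or parse_forward()): it splits a -L/-R argument on ':' and applies the rule he read in the code, a '/' anywhere in a field makes it a socket path, then flags any path that does not start with '/', since the listening side will bind() it relative to its own working directory, which is what the "cannot bind to path: usr/fred" failure above shows. The function names, return codes and the hostname-vs-port heuristic are assumptions for illustration, and bracketed IPv6 bind addresses are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum fwd_field { FWD_EMPTY, FWD_PORT, FWD_HOST, FWD_PATH_ABS, FWD_PATH_REL };

#define FWD_MAXFIELDS 4
#define FWD_FIELDLEN  256

/*
 * Classify one colon-separated field: '/' anywhere means a Unix socket
 * path (absolute or relative), all digits means a TCP port, anything else
 * is taken as a host or bind address.
 */
enum fwd_field classify_field(const char *f)
{
	if (*f == '\0')
		return FWD_EMPTY;
	if (strchr(f, '/') != NULL)
		return f[0] == '/' ? FWD_PATH_ABS : FWD_PATH_REL;
	for (const char *p = f; *p != '\0'; p++)
		if (!isdigit((unsigned char)*p))
			return FWD_HOST;
	return FWD_PORT;
}

/* Split spec on ':' into at most FWD_MAXFIELDS fields; count, or -1 on overflow. */
int split_fields(const char *spec, char fields[FWD_MAXFIELDS][FWD_FIELDLEN])
{
	int n = 0;
	const char *start = spec;

	for (;;) {
		const char *end = strchr(start, ':');
		size_t len = end ? (size_t)(end - start) : strlen(start);

		if (n == FWD_MAXFIELDS || len >= FWD_FIELDLEN)
			return -1;
		memcpy(fields[n], start, len);
		fields[n][len] = '\0';
		n++;
		if (end == NULL)
			break;
		start = end + 1;
	}
	return n;
}

/*
 * Returns 0 if every path field is absolute, 1 if a relative socket path
 * is present, -1 if the spec has too few fields to be a forwarding.
 * 'why' receives a one-line explanation for the user.
 */
int check_forward(const char *spec, char *why, size_t whylen)
{
	char fields[FWD_MAXFIELDS][FWD_FIELDLEN];
	int n = split_fields(spec, fields);

	if (n < 2) {
		snprintf(why, whylen, "malformed spec '%s'", spec);
		return -1;
	}
	for (int i = 0; i < n; i++) {
		if (classify_field(fields[i]) == FWD_PATH_REL) {
			snprintf(why, whylen,
			    "field %d '%s' is a relative socket path; the listener "
			    "binds it under its own cwd, use an absolute path",
			    i + 1, fields[i]);
			return 1;
		}
	}
	snprintf(why, whylen, "ok (%d fields)", n);
	return 0;
}

int main(void)
{
	/* Constructed specs: the first two mirror the report above. */
	const char *specs[] = {
		"/tmp/FRED:localhost:22",              /* -R: remote socket -> TCP  */
		"tmp/FRED:localhost:22",               /* relative path: flagged    */
		"localhost:2222:/var/run/agent.sock",  /* -L: bind:port -> socket   */
		"8022",                                /* too few fields            */
	};
	char why[512];

	for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		int rc = check_forward(specs[i], why, sizeof(why));
		printf("%-38s rc=%2d %s\n", specs[i], rc, why);
	}
	return 0;
}
```

Wiring this in front of a wrapper script that assembles -R arguments turns the server-side bind failure into an immediate client-side message that names the offending field.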