Hi,

OpenSSH 6.8 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains
some substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.7
=========================

This is a major release, containing a number of new features as
well as a large internal re-factoring.

Potentially-incompatible changes
--------------------------------

 * sshd(8): UseDNS now defaults to 'no'. Configurations that match
   against the client host name (via sshd_config or authorized_keys)
   may need to re-enable it or convert to matching against addresses.

New Features
------------

 * Much of OpenSSH's internal code has been re-factored to be more
   library-like. These changes are mostly not user-visible, but
   have greatly improved OpenSSH's testability and internal layout.

 * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
   command-line flags to the other tools to control the algorithm used
   for key fingerprints. The default changes from MD5 to SHA256 and
   the format from hex to base64.

   Fingerprints now have the hash algorithm prepended. An example of
   the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
   Please note that visual host keys will also be different.

 * ssh(1), sshd(8): Host key rotation support. Add a protocol
   extension for a server to inform a client of all its available
   host keys after authentication has completed. The client may
   record the keys in known_hosts, allowing it to upgrade to better
   host key algorithms and a server to gracefully rotate its keys.

   The client side of this is controlled by a UpdateHostkeys config
   option (default on).

 * ssh(1): Add an ssh_config HostbasedKeyType option to control which
   host public key types are tried during host-based authentication.

 * ssh(1), sshd(8): fix connection-killing host key mismatch errors
   when sshd offers multiple ECDSA keys of different lengths.

 * ssh(1): when host name canonicalisation is enabled, try to
   parse host names as addresses before looking them up for
   canonicalisation. Fixes bz#2074 and avoids needless DNS
   lookups in some cases.

 * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
   require OpenSSH to be compiled with OpenSSL support.

 * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
   authentication.

 * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
   Bleichenbacher Side Channel Attack. Fake up a bignum key before
   RSA decryption.

 * sshd(8): Remember which public keys have been used for
   authentication and refuse to accept previously-used keys.
   This allows AuthenticationMethods=publickey,publickey to require
   that users authenticate using two _different_ public keys.

 * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
   PubkeyAcceptedKeyTypes options to allow sshd to control what
   public key types will be accepted. Currently defaults to all.

 * sshd(8): Don't count partial authentication success as a failure
   against MaxAuthTries.

 * ssh(1): Add RevokedHostKeys option for the client to allow
   text-file or KRL-based revocation of host keys.

 * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
   serial number or key ID without scoping to a particular CA.

 * ssh(1): Add a "Match canonical" criterion that allows ssh_config
   Match blocks to trigger only in the second config pass.

 * ssh(1): Add a -G option to ssh that causes it to parse its
   configuration and dump the result to stdout, similar to "sshd -T".

 * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".

 * The regression test suite has been extended to cover more OpenSSH
   features. The unit tests have been expanded and now cover key
   exchange.

Bugfixes
--------

 * ssh-keyscan(1): ssh-keyscan has been made much more robust against
   servers that hang or violate the SSH protocol.

 * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
   being lost as comment fields.

 * ssh(1): Allow ssh_config Port options set in the second config
   parse phase to be applied (they were being ignored). bz#2286

 * ssh(1): Tweak config re-parsing with host canonicalisation - make
   the second pass through the config files always run when host name
   canonicalisation is enabled (and not whenever the host name
   changes). bz#2267

 * ssh(1): Fix passing of wildcard forward bind addresses when
   connection multiplexing is in use; bz#2324.

 * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
   formats; bz#2345.

 * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
   use.

 * Various fixes to manual pages: bz#2288, bz#2316, bz#2273

Portable OpenSSH
----------------

 * Support --without-openssl at configure time

   Disables and removes dependency on OpenSSL. Many features,
   including SSH protocol 1, are not supported and the set of crypto
   options is greatly restricted. This will only work on systems with
   native arc4random or /dev/urandom.

   Considered highly experimental for now.

 * Support --without-ssh1 option at configure time

   Allows disabling support for SSH protocol 1.

   Still experimental - not all regression and unit tests have
   been adapted for the absence of SSH protocol 1.

 * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296

 * Allow custom service name for sshd on Cygwin. Permits the use of
   multiple sshd running with different service names.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
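As an added illustration of two items in the announcement above (the new FingerprintHash default and the text-file form of RevokedHostKeys), here is a small Python script that reproduces the SHA256 and legacy MD5 fingerprint formats from an OpenSSH public key line and checks a key against a simple revocation list. It is not part of the announcement or of OpenSSH's own code. The sample key it builds is a syntactically valid ssh-ed25519 blob wrapped around a constructed 32-byte value, not a real key, and the revocation check is a simplified model of the text-file behaviour (blob equality, comments ignored), not OpenSSH's implementation.

```python
import base64
import binascii
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_key_line(comment: str = "constructed@example") -> str:
    """Constructed sample: an ssh-ed25519 public key line whose 32-byte
    point is just 0x00..0x1f. It is NOT a real key; it only lets the
    parsing and hashing below run offline."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_public_key_line(line: str):
    """Split an OpenSSH public key line into (type, blob, comment).

    Also checks that the key type named in the text matches the type
    string embedded at the start of the blob, which is how a consumer
    can detect a line whose type field was edited without the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError("bad base64 in key blob") from e
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if tlen > len(blob) - 4:
        raise ValueError("truncated type string in blob")
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"type mismatch: text says {key_type!r}, blob says {embedded!r}")
    return key_type, blob, comment


def is_well_formed(line: str) -> bool:
    """True when parse_public_key_line accepts the line."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False


def fingerprint_sha256(line: str) -> str:
    """OpenSSH 6.8 default: SHA256 over the raw key blob, base64 encoded
    with the trailing '=' padding removed and the algorithm name prepended."""
    _, blob, _ = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Legacy format (FingerprintHash md5): colon-separated hex MD5,
    shown with the algorithm name prepended as 6.8 does."""
    _, blob, _ = parse_public_key_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def is_revoked(line: str, revoked_lines) -> bool:
    """Simplified model of a RevokedHostKeys text file: one public key per
    line, '#' comments and blank lines ignored. A key is revoked when its
    decoded blob equals the blob of any listed key, whatever the comment
    says. Unparseable list entries are skipped rather than trusted."""
    _, blob, _ = parse_public_key_line(line)
    for entry in revoked_lines:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            _, revoked_blob, _ = parse_public_key_line(entry)
        except ValueError:
            continue
        if revoked_blob == blob:
            return True
    return False


if __name__ == "__main__":
    key = make_sample_key_line()
    print(fingerprint_sha256(key))
    print(fingerprint_md5(key))
    print("revoked:", is_revoked(key, ["# constructed list", make_sample_key_line("other")]))
```

Run against a real `~/.ssh/id_ed25519.pub` line, `fingerprint_sha256` produces the same string that `ssh-keygen -lf` prints in 6.8, which is what you compare against when verifying a host or user key out of band; the MD5 variant is there only to match older documentation.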
On Fri, 20 Feb 2015, Damien Miller wrote:

> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
....
> * ssh(1), sshd(8): Host key rotation support. Add a protocol
>   extension for a server to inform a client of all its available
>   host keys after authentication has completed. The client may
>   record the keys in known_hosts, allowing it to upgrade to better
>   host key algorithms and a server to gracefully rotate its keys.
>
>   The client side of this is controlled by a UpdateHostkeys config
>   option (default on).

Actually, the default is off. You can enable it using UpdateHostKeys=yes
or UpdateHostKeys=ask

-d
Hi,

On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

All tests pass on my Linux box. But
https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable
regression.

Regards,
ismail
On Fri, 20 Feb 2015, İsmail Dönmez wrote:

> Hi,
>
> On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller <djm at mindrot.org> wrote:
> > Hi,
> >
> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains
> > some substantial new features and a number of bugfixes.
>
> All tests pass on my Linux box. But
> https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable
> regression.

hm, I can't replicate this problem:

[djm at fuyu openssh]$ mkdir x
[djm at fuyu openssh]$ cd x
[djm at fuyu x]$ ../ssh-keygen -t ed25519 -f key -N '' -q
[djm at fuyu x]$ ../ssh-keygen -lf ^C
[djm at fuyu x]$ rm key ; mv key.pub key
[djm at fuyu x]$ ../ssh-keygen -lf key
256 SHA256:0UH+G0Bw+ZP3rqTwxsio5CUTrKkS/kcJ26RwV3Twbyw djm at fuyu (ED25519)

-d
Hi Damien,

On Feb 20 09:21, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests

Building on 64 bit Cygwin works out of the box. However, I have trouble
with the testsuite. As usual, I'm building outside the source tree:

- Building the testsuite fails:

  Assembler messages:
  Fatal error: can't create regress/unittests/bitmap/tests.o: No such file or directory
  Makefile:152: recipe for target 'regress/unittests/bitmap/tests.o' failed

  The testsuite apparently misses creating the regress/unittests/bitmap
  subdir prior to running the test. Same for the "hostkeys" and "kex"
  subdirs. If I create these dirs by hand, the build succeeds. Some
  mkdir -p calls for these three dirs would probably help.

- The failing last loop in the "forwarding" script as reported back
  during 6.7 testing is still failing for me more often than not. It's
  always the same reason, the script tries to use in-use port numbers.
  Reducing the forwarding script to only this last test loop succeeds
  every time, but is quite a hack for testing.

- Last but not least, all tests in hostkey-agent.sh fail and I don't
  understand what's the problem here. I attached the log files for this
  problem to this mail. Maybe you see what's going wrong?

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostkey-agent-logs.tgz
Type: application/gzip
Size: 5476 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150221/fc657bfa/attachment.bin>
On Fri, 20 Feb 2015, Damien Miller wrote:

> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> $ ./configure && make tests

NetBSD-current on amd64, NetBSD-7 on amd64 and i386 seem to work fine.
MacOS X Yosemite required "--without-openssl-header-check".

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
Corinna Vinschen wrote:
> [SNIP]
> - Last but not least, all tests in hostkey-agent.sh fail and I don't
>   understand what's the problem here. I attached the log files for this
>   problem to this mail. Maybe you see what's going wrong?

Test cannot load host keys .... please see attached file

Roumen

--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-test-regress-hostkey-agent.sh-outside-source-tree.patch
Type: text/x-diff
Size: 923 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150221/14d4aebc/attachment.bin>
On Sat, 21 Feb 2015, Corinna Vinschen wrote:

> Building on 64 bit Cygwin works out of the box. However, I have trouble
> with the testsuite. As usual, I'm building outside the source tree:
>
> - Building the testsuite fails:
>
>   Assembler messages:
>   Fatal error: can't create regress/unittests/bitmap/tests.o: No such file or directory
>   Makefile:152: recipe for target 'regress/unittests/bitmap/tests.o' failed
>
>   The testsuite apparently misses creating the regress/unittests/bitmap
>   subdir prior to running the test. Same for the "hostkeys" and "kex"
>   subdirs. If I create these dirs by hand, the build succeeds. Some
>   mkdir -p calls for these three dirs would probably help.

Done - thanks.

> - The failing last loop in the "forwarding" script as reported back
>   during 6.7 testing is still failing for me more often than not. It's
>   always the same reason, the script tries to use in-use port numbers.
>   Reducing the forwarding script to only this last test loop succeeds
>   every time, but is quite a hack for testing.

Is it colliding with itself or with other services running on your test
host? (especially with ones windows starts itself)

> - Last but not least, all tests in hostkey-agent.sh fail and I don't
>   understand what's the problem here. I attached the log files for this
>   problem to this mail. Maybe you see what's going wrong?

Did Roumen's config fix (applied to HEAD already) unbreak this?

-d
openssh-SNAP-20150224, Solaris 10, GCC

Configure command line:

./configure CC=gcc --prefix=/opt/local --sysconfdir=/etc/ssh --with-prngd-socket=/var/run/egd-pool --with-zlib=/opt/local --with-rpath

Have to manually edit 'config.h':

diff config.h.orig config.h
783c783
< #define HAVE_MKDTEMP 1
---
> /* #undef HAVE_MKDTEMP */

as Solaris does not have 'mkdtemp'.

Compile fails at:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c canohost.c -o canohost.o
In file included from packet.h:45,
                 from canohost.c:33:
dispatch.h:46: warning: type defaults to `int' in declaration of `sig_atomic_t'
dispatch.h:46: error: syntax error before '*' token
dispatch.h:47: warning: type defaults to `int' in declaration of `sig_atomic_t'
dispatch.h:47: error: syntax error before '*' token
make: *** [canohost.o] Error 1

Mike

--
Mike Peterson
Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca
WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620
On Mon, 23 Feb 2015, mikep at noc.utoronto.ca wrote:

> openssh-SNAP-20150224, Solaris 10, GCC

Thanks for testing.

> Configure command line:
>
> ./configure CC=gcc --prefix=/opt/local --sysconfdir=/etc/ssh
> --with-prngd-socket=/var/run/egd-pool --with-zlib=/opt/local --with-rpath
>
> Have to manually edit 'config.h':
>
> diff config.h.orig config.h
> 783c783
> < #define HAVE_MKDTEMP 1
> ---
> > /* #undef HAVE_MKDTEMP */
>
> as Solaris does not have 'mkdtemp'.

That's strange - it's finding it somewhere. Could I ask you to rummage
through config.log to see what it is detecting?

> Compile fails at:
>
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
> -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\"
> -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> -DHAVE_CONFIG_H -c canohost.c -o canohost.o
> In file included from packet.h:45,
>                  from canohost.c:33:
> dispatch.h:46: warning: type defaults to `int' in declaration of
> `sig_atomic_t'
> dispatch.h:46: error: syntax error before '*' token
> dispatch.h:47: warning: type defaults to `int' in declaration of
> `sig_atomic_t'
> dispatch.h:47: error: syntax error before '*' token
> make: *** [canohost.o] Error 1

Does this help?

diff --git a/dispatch.h b/dispatch.h
index cd51dbc..2bcdc91 100644
--- a/dispatch.h
+++ b/dispatch.h
@@ -27,6 +27,8 @@
 #ifndef DISPATCH_H
 #define DISPATCH_H
 
+#include <signal.h> /* for sig_atomic_t */
+
 #define DISPATCH_MAX 255
 
 enum {
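Review bot: including <signal.h> directly in dispatch.h is the right scope for this fix, because the header's own declarations (lines 46 and 47 in the reporter's error output) use sig_atomic_t and should not depend on whichever file includes packet.h having pulled in signal.h first; the trailing `/* for sig_atomic_t */` comment documents why the include is there, which is worth keeping. Two things to confirm before calling it done: that the reporter's Solaris 10 build gets past canohost.c with only this hunk applied (the error log shows no other header in that chain), and that no other header in the tree that uses sig_atomic_t relies on the same accidental include order, since each would fail the same way on that platform.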
On 19/02/15 23:21, Damien Miller wrote:
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>

I tried building openssh-SNAP-20150224.tar.gz on Solaris 2.6, 7, 8 and 9.
All failed because they do not have <sys/queue.h>.
Here's how it looks on Solaris 9/SPARC with gcc 4.9.2:
...
In file included from ssh_api.c:21:0:
ssh_api.h:21:23: fatal error: sys/queue.h: No such file or directory
 #include <sys/queue.h>
                       ^
compilation terminated.
gmake: *** [ssh_api.o] Error 1

-tgc
On Mon, 23 Feb 2015, Tom G. Christensen wrote:

> On 19/02/15 23:21, Damien Miller wrote:
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
> >
>
> I tried building openssh-SNAP-20150224.tar.gz on Solaris 2.6, 7, 8 and 9.
> All failed because they do not have <sys/queue.h>.
> Here's how it looks on Solaris 9/SPARC with gcc 4.9.2:
> ...
> In file included from ssh_api.c:21:0:
> ssh_api.h:21:23: fatal error: sys/queue.h: No such file or directory
>  #include <sys/queue.h>

Thanks - I just committed a fix:

diff --git a/ssh_api.h b/ssh_api.h
index a7e14e0..642acd5 100644
--- a/ssh_api.h
+++ b/ssh_api.h
@@ -18,10 +18,11 @@
 #ifndef API_H
 #define API_H
 
-#include <sys/queue.h>
 #include <sys/types.h>
 #include <signal.h>
 
+#include "openbsd-compat/sys-queue.h"
+
 #include "cipher.h"
 #include "sshkey.h"
 #include "kex.h"
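Review bot: switching ssh_api.h from `<sys/queue.h>` to `"openbsd-compat/sys-queue.h"` fixes the build on the Solaris releases that lack the system header, but it also makes a header named as the public API depend on a project-relative include path: the reporters' compile lines all carry `-I.` so the in-tree build finds it, while anything outside the tree that includes ssh_api.h would now need the openbsd-compat directory on its include path. If that is the intent, a one-line comment next to the new include saying the compat header is required on platforms without sys/queue.h would save the next reader the same question; if not, a configure-detected guard that falls back to the system header where it exists would keep the installed header self-contained. Moving the include below `<sys/types.h>` and `<signal.h>` is fine as long as the compat header does not itself depend on either.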
I've found the following problem with really old gccs (definitely
2.7.2.1 and 2.95.3 but possibly others). I believe it's due to variadic
macros when given only 1 arg.

channels.c: In function `channel_input_port_forward_request':
channels.c:3442: parse error before `;'

The line is pretty simple:

if (fwd.connect_port == 0)
	packet_disconnect("Dynamic forwarding denied.");

As part of the new API, packet_disconnect() became a macro:

#define packet_disconnect(fmt, args...) \
	ssh_packet_disconnect(active_state, (fmt), ##args)

If I do -save-temps, the preprocessed source is (note unbalanced parens):

if (fwd.connect_port == 0)
	ssh_packet_disconnect(active_state, ( "Dynamic forwarding denied." ) ;

If I change the source to:

if (fwd.connect_port == 0)
	packet_disconnect("%s", "Dynamic forwarding denied.");

then it'll work. Question is: what to do?

a) nothing. I'll either retire the affected test platforms or upgrade
   the compiler depending on how enthusiastic I get.
b) add the "%s"
c) make packet_disconnect a real function.
d) ???

Comments?

On Thu, Feb 19, 2015 at 5:21 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker wrote:
> Question is: what to do?
> c) make packet_disconnect a real function.

I say c.

//Peter
Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed

build failure on:

* AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
* AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)

./configure && make tests
...
xlc_r -g -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
"ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
"ssh_api.c", line 149.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
"ssh_api.c", line 440.45: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 440.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 455.46: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 455.52: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 470.45: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 470.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 505.53: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 505.59: 1506-277 (S) Syntax error: possible missing ';' or ','?
make: 1254-004 The error code from the last command is 1.

On Thu, Feb 19, 2015 at 2:21 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
> > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Git at https://anongit.mindrot.org/openssh.git/ > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Changes since OpenSSH 6.7 > ========================> > This is a major release, containing a number of new features as > well as a large internal re-factoring. > > Potentially-incompatible changes > -------------------------------- > > * sshd(8): UseDNS now defaults to 'no'. Configurations that match > against the client host name (via sshd_config or authorized_keys) > may need to re-enable it or convert to matching against addresses. > > New Features > ------------ > > * Much of OpenSSH's internal code has been re-factored to be more > library-like. These changes are mostly not user-visible, but > have greatly improved OpenSSH's testability and internal layout. > > * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent > command-line flags to the other tools to control algorithm used > for key fingerprints. The default changes from MD5 to SHA256 and > format from hex to base64. > > Fingerprints now have the hash algorithm prepended. An example of > the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE > Please note that visual host keys will also be different. 
> > * ssh(1), sshd(8): Host key rotation support. Add a protocol > extension for a server to inform a client of all its available > host keys after authentication has completed. The client may > record the keys in known_hosts, allowing it to upgrade to better > host key algorithms and a server to gracefully rotate its keys. > > The client side of this is controlled by a UpdateHostkeys config > option (default on). > > * ssh(1): Add a ssh_config HostbasedKeyType option to control which > host public key types are tried during host-based authentication. > > * ssh(1), sshd(8): fix connection-killing host key mismatch errors > when sshd offers multiple ECDSA keys of different lengths. > > * ssh(1): when host name canonicalisation is enabled, try to > parse host names as addresses before looking them up for > canonicalisation. fixes bz#2074 and avoiding needless DNS > lookups in some cases. > > * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer > require OpenSSH to be compiled with OpenSSL support. > > * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based > authentication. > > * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, > Bleichenbacher Side Channel Attack. Fake up a bignum key before > RSA decryption. > > * sshd(8): Remember which public keys have been used for > authentication and refuse to accept previously-used keys. > This allows AuthenticationMethods=publickey,publickey to require > that users authenticate using two _different_ public keys. > > * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and > PubkeyAcceptedKeyTypes options to allow sshd to control what > public key types will be accepted. Currently defaults to all. > > * sshd(8): Don't count partial authentication success as a failure > against MaxAuthTries. > > * ssh(1): Add RevokedHostKeys option for the client to allow > text-file or KRL-based revocation of host keys. 
> * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>   serial number or key ID without scoping to a particular CA.
>
> * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>   Match blocks to trigger only in the second config pass.
>
> * ssh(1): Add a -G option to ssh that causes it to parse its
>   configuration and dump the result to stdout, similar to "sshd -T".
>
> * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
> * The regression test suite has been extended to cover more OpenSSH
>   features. The unit tests have been expanded and now cover key
>   exchange.
>
> Bugfixes
> --------
>
> * ssh-keyscan(1): ssh-keyscan has been made much more robust against
>   servers that hang or violate the SSH protocol.
>
> * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>   being lost as comment fields.
>
> * ssh(1): Allow ssh_config Port options set in the second config
>   parse phase to be applied (they were being ignored). bz#2286
>
> * ssh(1): Tweak config re-parsing with host canonicalisation - make
>   the second pass through the config files always run when host name
>   canonicalisation is enabled (and not whenever the host name
>   changes) bz#2267
>
> * ssh(1): Fix passing of wildcard forward bind addresses when
>   connection multiplexing is in use; bz#2324
>
> * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>   formats; bz#2345.
>
> * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>   use.
>
> * Various fixes to manual pages: bz#2288, bz#2316, bz#2273
>
> Portable OpenSSH
> ----------------
>
> * Support --without-openssl at configure time
>
>   Disables and removes dependency on OpenSSL. Many features,
>   including SSH protocol 1, are not supported and the set of crypto
>   options is greatly restricted. This will only work on systems with
>   native arc4random or /dev/urandom.
>
>   Considered highly experimental for now.
>
> * Support --without-ssh1 option at configure time
>
>   Allows disabling support for SSH protocol 1.
>
>   Still experimental - not all regression and unit tests have
>   been adapted for the absence of SSH protocol 1.
>
> * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>
> * Allow custom service name for sshd on Cygwin. Permits the use of
>   multiple sshd running with different service names.
>
> Reporting Bugs:
> ==============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
Neglected to mention - this is using openssh-SNAP-20150224.tar.gz

On Mon, Feb 23, 2015 at 1:28 PM, Kevin Brott <kevin.brott at gmail.com> wrote:
> Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed
>
> build failure on:
> * AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
> * AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)
>
> ./configure && make tests
>
> ...
>
> xlc_r -g -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
> "ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
> "ssh_api.c", line 149.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
> "ssh_api.c", line 440.45: 1506-045 (S) Undeclared identifier next.
> "ssh_api.c", line 440.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
> "ssh_api.c", line 455.46: 1506-045 (S) Undeclared identifier next.
> "ssh_api.c", line 455.52: 1506-277 (S) Syntax error: possible missing ';' or ','?
> "ssh_api.c", line 470.45: 1506-045 (S) Undeclared identifier next.
> "ssh_api.c", line 470.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
> "ssh_api.c", line 505.53: 1506-045 (S) Undeclared identifier next.
> "ssh_api.c", line 505.59: 1506-277 (S) Syntax error: possible missing ';' or ','?
> make: 1254-004 The error code from the last command is 1.
>
> On Thu, Feb 19, 2015 at 2:21 PM, Damien Miller <djm at mindrot.org> wrote:
>> Hi,
>>
>> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
>> on as many platforms and systems as possible.
-- 
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
On Mon, 23 Feb 2015, Kevin Brott wrote:
> Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed
>
> build failure on:
> * AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
> * AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)
>
> ./configure && make tests
>
> -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
> "ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct

The last lot of include fixes (sys/queue.h -> local sys-queue.h) should fix this.

Thanks
-d
Next thing I ran into: fake-rfc2553 doesn't have AI_NUMERICSERV.

By my read it never attempts to return a non-numeric service so I think all that's needed is this. OK?

diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index 3e9090f..6426f7b 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -109,6 +109,9 @@ struct sockaddr_in6 {
 #ifndef AI_NUMERICHOST
 # define AI_NUMERICHOST (1<<2)
 #endif
+#ifndef AI_NUMERICSERV
+# define AI_NUMERICSERV (1<<3)
+#endif
 
 #ifndef NI_MAXSERV
 # define NI_MAXSERV 32

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
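Review bot: the `#ifndef AI_NUMERICSERV` guard alone does not keep the new (1<<3) value from colliding with a platform's own AI_* bits on a system that defines some getaddrinfo flags natively but happens to lack this one; it follows the existing AI_NUMERICHOST pattern in the hunk, so at minimum a comment should state that these compat values are only meaningful together with the fake getaddrinfo. Worth a one-line comment on the define as well: as the follow-up in this thread points out, the compat getaddrinfo parses the port numerically before trying getservbyname, so the flag is accepted but never enforced, and callers must not rely on it to reject a non-numeric service.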
On Tue, 24 Feb 2015, Darren Tucker wrote:
> Next thing I ran into: fake-rfc2553 doesn't have AI_NUMERICSERV.
>
> By my read it never attempts to return a non-numeric service so I think
> all that's needed is this. OK?

well, getnameinfo always returns a numeric service name but AI_NUMERICSERV is for getaddrinfo. fortunately, we deal with this case too; getaddrinfo tries to parse the port numerically before getservbyname.

ok djm

> diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
> index 3e9090f..6426f7b 100644
> --- a/openbsd-compat/fake-rfc2553.h
> +++ b/openbsd-compat/fake-rfc2553.h
> @@ -109,6 +109,9 @@ struct sockaddr_in6 {
>  #ifndef AI_NUMERICHOST
>  # define AI_NUMERICHOST (1<<2)
>  #endif
> +#ifndef AI_NUMERICSERV
> +# define AI_NUMERICSERV (1<<3)
> +#endif
>  
>  #ifndef NI_MAXSERV
>  # define NI_MAXSERV 32
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
On 02/19/2015 11:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Tested openssh-SNAP-20150224 on current Fedora with GCC5 on x86_64. Builds fine, tests pass. Also tested on Fedora on aarch64 with the same results.

Jakub
I noticed this error log spam on the tinderbox when looking at one of the failures. It happens when Unix domain socket forwarding is requested:

debug1: channel 1: new [forwarded-streamlocal at openssh.com]
get_socket_address: getnameinfo 1 failed: ai_family not supported
get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported

I don't think it's contributing to the problem I'm looking at, but I imagine it'd be pretty annoying for anyone who uses socket forwarding in anger. I haven't had time to look at what could reasonably be done to mitigate it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Thu, 26 Feb 2015, Darren Tucker wrote:
> I noticed this error log spam on the tinderbox when looking at one of the
> failures. It happens when Unix domain socket forwarding is requested:
>
> debug1: channel 1: new [forwarded-streamlocal at openssh.com]
> get_socket_address: getnameinfo 1 failed: ai_family not supported
> get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported

That's strange, because we do:

    if (addr.ss_family == AF_UNIX) {
        /* Get the Unix domain socket path. */
        return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
    }

so AF_UNIX should never get to getnameinfo...
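As an added example (not OpenSSH's code), here is a helper in the shape of the get_socket_address() snippet above: AF_UNIX is answered from sun_path before getnameinfo() is ever reached, and only AF_INET/AF_INET6 go through getnameinfo() with numeric-only flags, so the "ai_family not supported" failure in the log cannot occur for a forwarded-streamlocal channel. The function names, the /tmp socket path and the loopback addresses are constructed for this illustration.

```c
#ifndef _DEFAULT_SOURCE
# define _DEFAULT_SOURCE 1   /* expose getnameinfo/inet_pton on glibc */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Hypothetical helper in the shape of get_socket_address(): AF_UNIX is
 * answered from sun_path and only AF_INET/AF_INET6 reach getnameinfo().
 * Returns 0 with the path, numeric host or port in out[], or the
 * getnameinfo() error code (EAI_FAMILY is the "ai_family not supported"
 * text in the log above; decode it with gai_strerror()).
 */
static int
sockaddr_to_text(const struct sockaddr_storage *addr, socklen_t addrlen,
    int want_port, char *out, size_t outlen)
{
    char host[1025], serv[32];   /* NI_MAXHOST / NI_MAXSERV sizes */
    int r;
    if (addr->ss_family == AF_UNIX) {
        /* Get the Unix domain socket path; getnameinfo() is never called.
         * sun_path need not be NUL-terminated, hence the bounded copy. */
        const struct sockaddr_un *un = (const struct sockaddr_un *)addr;
        snprintf(out, outlen, "%.*s", (int)sizeof(un->sun_path), un->sun_path);
        return 0;
    }
    /* Numeric-only flags: no reverse DNS and no services(5) lookup. */
    r = getnameinfo((const struct sockaddr *)addr, addrlen, host,
        sizeof(host), serv, sizeof(serv), NI_NUMERICHOST | NI_NUMERICSERV);
    if (r != 0)
        return r;
    snprintf(out, outlen, "%s", want_port ? serv : host);
    return 0;
}

/* Constructed sample addresses (not captured from a real session). */
static socklen_t
make_unix_addr(struct sockaddr_storage *ss, const char *path)
{
    struct sockaddr_un *un = (struct sockaddr_un *)ss;
    memset(ss, 0, sizeof(*ss));
    un->sun_family = AF_UNIX;
    snprintf(un->sun_path, sizeof(un->sun_path), "%s", path);
    return (socklen_t)sizeof(*un);
}

static socklen_t
make_inet_addr(struct sockaddr_storage *ss, const char *ip, unsigned short port)
{
    struct sockaddr_in *in4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof(*ss));
    if (strchr(ip, ':') != NULL) {      /* IPv6 literal */
        in6->sin6_family = AF_INET6;
        in6->sin6_port = htons(port);
        inet_pton(AF_INET6, ip, &in6->sin6_addr);
        return (socklen_t)sizeof(*in6);
    }
    in4->sin_family = AF_INET;
    in4->sin_port = htons(port);
    inet_pton(AF_INET, ip, &in4->sin_addr);
    return (socklen_t)sizeof(*in4);
}

/* Convert one address and compare with the expected text; 1 on match. */
static int
matches(const struct sockaddr_storage *ss, socklen_t len, int want_port,
    const char *expected)
{
    char text[1025];
    int r = sockaddr_to_text(ss, len, want_port, text, sizeof(text));
    if (r != 0)
        fprintf(stderr, "getnameinfo: %s\n", gai_strerror(r));
    return r == 0 && strcmp(text, expected) == 0;
}

/* Push all three families through the helper; 1 when every conversion
 * matches, i.e. the AF_UNIX branch was taken before getnameinfo(). */
static int
example_ok(void)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int ok = 1;
    len = make_unix_addr(&ss, "/tmp/constructed-forward.sock");
    ok &= matches(&ss, len, 0, "/tmp/constructed-forward.sock");
    len = make_inet_addr(&ss, "127.0.0.1", 2222);
    ok &= matches(&ss, len, 0, "127.0.0.1");
    ok &= matches(&ss, len, 1, "2222");
    len = make_inet_addr(&ss, "::1", 22);
    ok &= matches(&ss, len, 0, "::1");
    ok &= matches(&ss, len, 1, "22");
    return ok;
}

int main(void) { return example_ok() ? 0 : 1; }
```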
I see some issues on Solaris 11.2 (fresh git pull from master, commit bd58853102cee739f0e115e6d4b5334332ab1442):

First, linking fails as the system version of OpenSSL does not have EC_KEY_free (it's oddly only in the FIPS version...):

cc -m64 -xO5 -xtarget=ivybridge -xarch=sse4_2 -xarch=avx_i -xarch=aes -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c kex.c -o kex.o
"kex.c", line 98: warning: initializer will be sign-extended: -1
"kex.c", line 436: warning: implicit function declaration: EC_KEY_free
...
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -m64 -xO5 -xtarget=ivybridge -xarch=sse4_2 -xarch=avx_i -xarch=aes -lssh -lopenbsd-compat -lresolv -lcrypto -lz -lsocket -lnsl
ld: warning: symbol 'umac_ctx' has differing sizes:
        (file ./libssh.a(umac.o) value=0x5f8; file ./libssh.a(umac128.o) value=0x690);
        ./libssh.a(umac128.o) definition taken
Undefined                       first referenced
 symbol                             in file
EC_KEY_free                         ./libssh.a(kex.o)

If I force the usage of a clean openssl-1.0.1k, it builds, but I still see:

ld: warning: symbol 'umac_ctx' has differing sizes:
        (file ./libssh.a(umac.o) value=0x5f8; file ./libssh.a(umac128.o) value=0x690);
        ./libssh.a(umac128.o) definition taken

which worries me...

Forcing netcat.c to compile by adding -D_XPG4_2 -D__EXTENSIONS__ (as it seems the msghdr fixes haven't been committed yet) allows the tests to run.

All tests pass except for hostkey-rotate, which triggers grep errors:

run test hostkey-rotate.sh ...
learn hostkey with StrictHostKeyChecking=no
learn additional hostkeys
learn additional hostkeys, type=ssh-ed25519
learn additional hostkeys, type=ssh-rsa
learn additional hostkeys, type=ssh-dss
learn additional hostkeys, type=ecdsa-sha2-nistp256
learn additional hostkeys, type=ecdsa-sha2-nistp384
learn additional hostkeys, type=ecdsa-sha2-nistp521
learn changed non-primary hostkey
learn new primary hostkey
grep: RE error 41: No remembered search string.
current key missing
grep: RE error 41: No remembered search string.
new key missing
rotate primary hostkey
check rotate primary hostkey
failed hostkey rotate
gmake[1]: *** [t-exec] Error 1

Forcing GNU grep first in PATH allows it to succeed. Switching to the Solaris fgrep also allows it to succeed.

diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index d964b35..10ea1e9 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -42,7 +42,7 @@ check_key_present() {
 	test "x$_kfile" = "x" && _kfile="$OBJ/hkr.${_type}.pub"
 	_ktext=`awk "/ $_type / { $_prog }" < $OBJ/known_hosts` || \
 		fatal "awk failed"
-	grep -q "$_ktext" $_kfile
+	fgrep "$_ktext" $_kfile >/dev/null
 }
 
 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
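Review bot: the underlying problem in this hunk is that `grep -q "$_ktext"` hands the base64 key text to grep as a regular expression, which is what the Solaris grep rejects with "RE error 41: No remembered search string" in the output above, so a fixed-string match is the right fix. `grep -F` is the POSIX spelling, but since the failing tool here is the Solaris /usr/bin/grep, `fgrep` with the `>/dev/null` redirect in place of `-q` is the more portable choice; consider also quoting `$_kfile` for consistency with the `"$_ktext"` argument on the same line, so a path containing whitespace cannot split the command.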
OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/sbin
               Configuration files: /opt/etc
                   Askpass program: /opt/libexec/ssh-askpass
                      Manual pages: /opt/share/man/manX
                          PID file: /opt/etc
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
                    Manpage format: man
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: cc -qlanglvl=extc89
    Compiler flags: -g
Preprocessor flags:
      Linker flags: -blibpath:/usr/lib:/lib
         Libraries: -lcrypto -lz

Just one example - they are all like this:

cc -qlanglvl=extc89 -g -I. -I. -DSSHDIR=\"/opt/etc\" -D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/opt/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c dns.c -o dns.o
"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name va_copy has been redefined.
"/usr/include/stdarg.h", line 89.9: 1506-358 (I) "va_copy" is defined on line 838 of defines.h.
...
ranlib libssh.a
cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
The error above is a bit unusual.

1) It has been seen before that with -qlanglvl=extc89 va_copy is not found. This is clear, I think, from the stdarg.h file:

+88 #ifdef _ISOC99_SOURCE
+89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
+90 #endif
+91
+92 #endif /* _ANSI_C_SOURCE */

I would think that _ISOC99_SOURCE would not be defined with -qlanglvl=extc89.

2) Simple test:

cat c89.c
#include <stdarg.h>
/*
 * test what gets defined with flag -qlanglvl=extc89 and -qlanglvl=extc99
 */
c89(void *a, void *b)
{
#ifdef _ANSI_C_SOURCE
#ifdef _ISOC99_SOURCE
    va_copy(a,b);
#else
    fake_ansi_copy(a,b);
#endif
#endif
#ifndef _ANSI_C_SOURCE
    fake_noansi_copy(a,b);
#endif
}

main()
{
    char a[4], b[4];
    c89(a,b);
}

root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
    va_copy(a,b);
#line 20
}

main()
{
    char a[4], b[4];
    c89(a,b);
#line 29
}
root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 c89.c
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc99 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
    __builtin_va_copy(a,b);
#line 20
}

main()
{
    char a[4], b[4];
    c89(a,b);
#line 29
}

3) Repeating the above steps, prefixed with CC=xlc; export CC:

configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
config.status: config.h is unchanged

OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/sbin
               Configuration files: /opt/etc
                   Askpass program: /opt/libexec/ssh-askpass
                      Manual pages: /opt/share/man/manX
                          PID file: /opt/etc
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
                    Manpage format: man
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: xlc
    Compiler flags: -g
Preprocessor flags:
      Linker flags: -blibpath:/usr/lib:/lib
         Libraries: -lcrypto -lz

gets rid of all the complaints about va_copy being redefined - but still ends up missing .EC_KEY_free:

xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make: *** [ssh] Error 8

No idea where this should be coming from (the check in configure is for 0.9.8k as minimum, and that is the level installed):

root at x064:[/data/prj/openbsd/openssh/openssh]lslpp -L | grep openssl
  openssl.base               0.9.8.1101  C     F    Open Secure Socket Layer
  openssl.license            0.9.8.1101  C     F    Open Secure Socket License

So this would be building against openssl-0.9.8k (because k is the 11th letter).

Conclusion:

regarding CC value: when using IBM C - force to xlc when CC seems to be cc

No idea re: EC_KEY_free (newer openssl needed?)

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
p.s. test was from openssh-SNAP-20150227.tar.gz

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> ...
>
> * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>   serial number or key ID without scoping to a particular CA.
>
> * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>   Match blocks to trigger only in the second config pass.
>
> * ssh(1): Add a -G option to ssh that causes it to parse its
>   configuration and dump the result to stdout, similar to "sshd -T".
>
> * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
> * The regression test suite has been extended to cover more OpenSSH
>   features. The unit tests have been expanded and now cover key
>   exchange.
>
> Bugfixes
> --------
>
> * ssh-keyscan(1): ssh-keyscan has been made much more robust against
>   servers that hang or violate the SSH protocol.
>
> * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>   being lost as comment fields.
>
> ...
Update - for AIX 6.1 TL9 -

configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
User binaries: /opt/bin
System binaries: /opt/sbin
Configuration files: /opt/etc
Askpass program: /opt/libexec/ssh-askpass
Manual pages: /opt/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
Manpage format: man
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit

Host: powerpc-ibm-aix6.1.0.0
Compiler: xlc
Compiler flags: -g
Preprocessor flags:
Linker flags: -blibpath:/usr/lib:/lib
Libraries: -lcrypto -lz

michael at x071:[/home/michael]lslpp -L | grep ssl
openssl.base        1.0.1.510  C  F  Open Secure Socket Layer
openssl.man.en_US   1.0.1.510  C  F  Open Secure Socket Layer
...
tests && echo all tests passed

make[1]: Entering directory `/data/prj/openbsd/openssh/openssh/regress'
set -e ; if test -z "" ; then \
    /data/prj/openbsd/openssh/openssh/regress/unittests/sshbuf/test_sshbuf ; \
    /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/test_sshkey \
        -d /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/testdata ; \
    /data/prj/openbsd/openssh/openssh/regress/unittests/bitmap/test_bitmap ; \
    /data/prj/openbsd/openssh/openssh/regress/unittests/kex/test_kex ; \
    /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/test_hostkeys \
        -d /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/testdata ; \
fi
test_sshbuf: ................................................................................................... 100 tests ok
test_sshkey: .............................................................................................
... many minutes later ...
...
learn new primary hostkey
rotate primary hostkey
check rotate primary hostkey
ok hostkey rotate
make[1]: Leaving directory `/data/prj/openbsd/openssh/openssh/regress'
all tests passed

On Thu, Feb 19, 2015 at 11:45 PM, Damien Miller <djm at mindrot.org> wrote:
> On Fri, 20 Feb 2015, Damien Miller wrote:
>
> > Hi,
> >
> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains
> > some substantial new features and a number of bugfixes.
> > ...
> > * ssh(1), sshd(8): Host key rotation support. Add a protocol
> >   extension for a server to inform a client of all its available
> >   host keys after authentication has completed. The client may
> >   record the keys in known_hosts, allowing it to upgrade to better
> >   host key algorithms and a server to gracefully rotate its keys.
> >
> >   The client side of this is controlled by a UpdateHostkeys config
> >   option (default on).
>
> Actually, the default is off. You can enable it using UpdateHostKeys=yes
> or UpdateHostKeys=ask
>
> -d
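The "Match canonical", negated Match and -G items in the quoted release notes, together with the UpdateHostKeys default as corrected just above, fit into one client configuration. The following is an added example, not configuration from the thread or from the OpenSSH distribution; the corp.example domain, the bastion host, the key paths and the revocation file are assumptions.

```sshconfig
# ~/.ssh/config -- added example, not part of the release notes.
# Domain, bastion host and file paths are assumed.

# First pass: canonicalise short names, so "ssh db01" becomes
# db01.corp.example before the second pass over this file runs.
CanonicalizeHostname yes
CanonicalDomains corp.example
CanonicalizeMaxDots 0
CanonicalizeFallbackLocal yes

# Display and compare fingerprints in the new SHA256:base64 form.
FingerprintHash sha256

# Host key rotation, client side. The default is off (as corrected in the
# thread); "ask" shows the keys the server announces after authentication
# and lets you refuse them instead of silently extending known_hosts.
UpdateHostKeys ask

# Host keys to reject: a text file of public keys or a KRL (ssh-keygen -k).
RevokedHostKeys ~/.ssh/revoked_host_keys

# Second pass only: "canonical" is true after canonicalisation, so the
# pattern is tested against the fully-qualified name, not what was typed.
Match canonical host *.corp.example
    IdentityFile ~/.ssh/id_ed25519_corp
    IdentitiesOnly yes

# Negated criterion: anything that did not canonicalise into the corporate
# domain is reached through the bastion. The bastion itself matches
# *.corp.example, so it is not proxied and there is no loop.
Match canonical !host *.corp.example
    ProxyCommand ssh -W %h:%p bastion.corp.example
```

`ssh -G db01` (the new flag) prints the settings ssh would actually use after both passes, so you can see which Match block fired before connecting; the bz#2267 fix quoted above is what guarantees the second pass runs whenever canonicalisation is enabled. For comparing against fingerprints recorded before the upgrade, `ssh-keygen -lf` on a public key prints the SHA256 form and `ssh-keygen -E md5 -lf` the old hex form (-E being the per-tool equivalent of FingerprintHash). On the server side, rotating a key means keeping the old and the new key on separate HostKey lines in sshd_config until clients have learned the new one.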
On Fri, Feb 27, 2015 at 7:12 AM, Michael Felt <aixtools at gmail.com> wrote:> > ld: 0711-317 ERROR: Undefined symbol: .va_copy > ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free >Which object files contain references to those symbols? (running each through "nm" should show you).> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more > information. > > The error above is a bit unusual. > 1) It has been seen before that with -qlanglvl=extc89 that va_copy is not > found. This is clear, I think, from the stdarg.h file: > > +88 #ifdef _ISOC99_SOURCE > +89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2)) > +90 #endif > +91 > +92 #endif /* _ANSI_C_SOURCE */ >There's a definition of va_copy in defines.h which should be activated when the platform doesn't have it: #ifndef HAVE_VA_COPY # ifdef HAVE___VA_COPY # define va_copy(dest, src) __va_copy(dest, src) # else # define va_copy(dest, src) (dest) = (src) # endif #endif I suspect there's a file which should have includes.h at the top but doesn't. I think the EC_KEY_free should be fixed by this: diff --git a/kex.c b/kex.c index 2618e22..cf04574 100644 --- a/kex.c +++ b/kex.c @@ -432,8 +432,10 @@ kex_free(struct kex *kex) #ifdef WITH_OPENSSL if (kex->dh) DH_free(kex->dh); +# ifdef OPENSSL_HAS_ECC if (kex->ec_client_key) EC_KEY_free(kex->ec_client_key); I should be able to reproduce the problem by building against the exact openssl version you have. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
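Review bot: the kex.c hunk shows the new `# ifdef OPENSSL_HAS_ECC` line before `if (kex->ec_client_key)` but not its `# endif`; the header `@@ -432,8 +432,10 @@` says two lines were added and only one is visible, so the `# endif` must sit after `EC_KEY_free(kex->ec_client_key);` and before the existing `#endif` that closes `WITH_OPENSSL`, or the file will not preprocess. Since the reported link error is an undefined `.EC_KEY_free`, it is worth grepping kex.c and the other kex*.c files for any remaining unguarded `EC_KEY_free()` call before declaring this fixed, as a single one would leave the same undefined symbol on a libcrypto built without ECC.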
On 19/02/15 23:21, Damien Miller wrote:
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.
>

I've now tested using revision 1ad3a77 and it passes the testsuite on
Solaris 2.6, 7, 8 and 9 (using gcc and openssl 1.0.1k).

Only one little nit prevents 'all tests passed':

gmake[1]: Entering directory `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
test "x" != "x" && mkdir -p /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
gmake[1]: *** [prep] Error 1

Reversing the test to = and || instead will fix it.

-tgc
On Sat, 28 Feb 2015, Tom G. Christensen wrote:
> I've now tested using revision 1ad3a77 and it passes the testsuite on
> Solaris 2.6, 7, 8 and 9 (using gcc and openssl 1.0.1k).
>
> Only one little nit prevents 'all tests passed':
> gmake[1]: Entering directory
> `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
> test "x" != "x" && mkdir -p
> /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
> gmake[1]: *** [prep] Error 1
>
> Reversing the test to = and || instead will fix it.

committed - thanks for persisting with the tests.

-d
Re-testing 'openssh-SNAP-20150305' on Solaris 10, with 'gcc':

Configure, 'make' complete; 'make tests' fails at:

run test sftp-perm.sh ...
sftp permissions: read-only upload
sftp permissions: read-only setstat
postcondition check failed: setstat readonly
sftp permissions: read-only rm
sftp permissions: read-only mkdir
sftp permissions: read-only rmdir
sftp permissions: read-only posix-rename
sftp permissions: read-only oldrename
sftp permissions: read-only symlink
sftp permissions: read-only hardlink
sftp permissions: explicit open
sftp permissions: explicit read
sftp permissions: explicit write
sftp permissions: explicit lstat
sftp permissions: explicit opendir
sftp permissions: explicit readdir
sftp permissions: explicit setstat
postcondition check failed: setstat blacklisted
postcondition check failed: setstat not in whitelist
sftp permissions: explicit remove
sftp permissions: explicit mkdir
sftp permissions: explicit rmdir
sftp permissions: explicit posix-rename
sftp permissions: explicit rename
sftp permissions: explicit symlink
sftp permissions: explicit hardlink
sftp permissions: explicit statvfs
failed sftp permissions
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2

'regress.log' shows:

trace: sftp permissions: explicit statvfs

'failed-regress.log' shows:

trace: sftp permissions: read-only setstat
FAIL: postcondition check failed: setstat readonly
trace: sftp permissions: explicit setstat
FAIL: postcondition check failed: setstat blacklisted
trace: sftp permissions: explicit setstat
FAIL: postcondition check failed: setstat blacklisted
FAIL: postcondition check failed: setstat not in whitelist

Mike

-- 
Mike Peterson
Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca
WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230
Fax: 416-978-6620
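The three groups in that output ("read-only", "explicit ... blacklisted", "not in whitelist") correspond to the three ways the in-process sftp server can be locked down, which is what a deployment built from this snapshot would rely on. The fragment below is an added sshd_config example, not configuration from the thread; the group names, chroot layout and the request names chosen for the lists are assumptions, and the -R, -p and -P flags are sftp-server(8) options that the test names refer to rather than anything spelled out in the report.

```sshconfig
# sshd_config fragment -- added example, not from the thread.
Subsystem sftp internal-sftp

# Read-only service: every modifying request (setstat, remove, mkdir,
# rename, symlink, hardlink, ...) is refused server-side. This is the
# "read-only" block of sftp-perm.sh.
Match Group sftp-ro
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -R

# Drop box: uploads allowed, but clients may not change modes or
# timestamps or create links. -P is a blacklist of request names (the
# "explicit ... blacklisted" case); -p would be a whitelist, and a
# request missing from it fails with "not in whitelist".
Match Group sftp-upload
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -P setstat,fsetstat,symlink,hardlink
```

The chroot directory and every path component above it must be owned by root and not writable by group or others, or sshd refuses the session. `sshd -T -C user=alice,host=203.0.113.5,addr=203.0.113.5` prints the effective ForceCommand for a given user so the Match blocks can be checked without logging in; the regression test's "postcondition check" is the same idea, verifying on disk that a refused request really had no effect.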
On Wed, 4 Mar 2015, mikep at noc.utoronto.ca wrote:
> Re-testing 'openssh-SNAP-20150305' on Solaris 10, with 'gcc':
>
> Configure, 'make' complete; 'make tests' fails at:
>
> postcondition check failed: setstat readonly

I couldn't reproduce this on an illumos zone that I had access to, will
try installing solaris10 next.

-d
on Ubuntu 14.04 with openssh-SNAP-20150306.tar.gz with gcc, libz-dev,
and libssl-dev

configure; make; make tests

fails at:

test_hostkeys:
regress/unittests/hostkeys/test_iterate.c:124 test #1 "hostkeys_iterate
all with key parse" - entry 5/61, file line 5
ASSERT_PTR_EQ(l->key, NULL) failed:
l->key = 0x2b14c2d7af80
NULL = (nil)
Aborted
make[1]: *** [unit] Error 134
make[1]: Leaving directory `/home/hpcmhech/tmp/openssh/regress'
make: *** [tests] Error 2

I have also tried to run make install in-between, and created new
host-keys, but tests didn't pass at the same point.

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv

On 02/19/2015 11:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.
> ...

-- 
Dr. Martin Hecht
High Performance Computing Center Stuttgart (HLRS)
Office 0.051, HPCN Production, IT-Security
University of Stuttgart
Nobelstraße 19, 70569 Stuttgart, Germany
Tel: +49(0)711/685-65799  Fax: -55799
Mail: hecht at hlrs.de
Web: http://www.hlrs.de/people/hecht/
PGP Key Fingerprint: 41BB 33E9 7170 3864 D5B3 44AD 5490 010B 96C2 6E4A
On 03/06/2015 11:17 AM, Martin Hecht wrote:
> on Ubuntu 14.04 with openssh-SNAP-20150306.tar.gz with gcc, libz-dev,
> and libssl-dev

another thing: if I uninstall libssl-dev and run configure
--without-openssl it is happy, but make fails afterwards with

(cd openbsd-compat && make)
make[1]: Entering directory `/home/hpcmhech/tmp/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c arc4random.c
In file included from ../entropy.h:30:0,
                 from ../includes.h:180,
                 from arc4random.c:27:
../buffer.h:50:29: fatal error: openssl/objects.h: No such file or directory
 #include <openssl/objects.h>
                             ^
compilation terminated.
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/home/hpcmhech/tmp/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
On 03/06/2015 11:17 AM, Martin Hecht wrote:
> on Ubuntu 14.04 with openssh-SNAP-20150306.tar.gz with gcc, libz-dev,
> and libssl-dev
>
> configure; make; make tests
>
> fails at:
>
> test_hostkeys:
> regress/unittests/hostkeys/test_iterate.c:124 test #1 "hostkeys_iterate
> all with key parse" - entry 5/61, file line 5
> ASSERT_PTR_EQ(l->key, NULL) failed:
> l->key = 0x2b14c2d7af80
> NULL = (nil)
> Aborted
> make[1]: *** [unit] Error 134
> make[1]: Leaving directory `/home/hpcmhech/tmp/openssh/regress'
> make: *** [tests] Error 2

I could reproduce this on a redhat-clone, as well, and:
openssh-SNAP-20150305.tar.gz ran through smoothly - so this regression
has been introduced very recently (Mar 5):

hpcmhech at localhost(512):~/tmp/openssh-20150306/openssh> ls -la regress/unittests/hostkeys/test_iterate.c
-rw-r--r-- 1 hpcmhech users 25308 Mar  5 00:39 regress/unittests/hostkeys/test_iterate.c

I'm running my system at CET (+0100)
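To make concrete what the failing assertion is checking (an entry whose key blob does not decode must come back with key NULL rather than a bogus key object) and what the new SHA256:base64 fingerprint form looks like next to the old MD5 hex, here is a small known_hosts iterator. It is an added example written for this page, not OpenSSH's hostkeys_iterate() or any code from the thread; the sample file is constructed inside the block, the ed25519 and RSA blobs are structurally valid but not real keys, and only wire structure is validated, not key mathematics.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class HostKey:
    ktype: str
    blob: bytes  # raw wire encoding: this is what fingerprints hash

    def fingerprint(self, alg="sha256"):
        """6.8 default 'SHA256:' + unpadded base64; alg='md5' gives the old colon hex."""
        if alg == "md5":
            return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(self.blob).digest())
        d = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(d).decode().rstrip("=")


@dataclass
class Entry:
    lineno: int
    marker: str     # '@cert-authority', '@revoked' or None
    hosts: str      # comma-separated host patterns
    ktype: str
    key: HostKey    # None when the blob did not parse; error says why
    error: str = None


def _read_string(buf, off):
    # One SSH wire string: uint32 big-endian length, then the bytes.
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    n = struct.unpack(">I", buf[off:off + 4])[0]
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_key_blob(declared, blob):
    """Structural checks only: wire type equals the declared type, the blob
    is fully consumed, per-type field counts fit. No key mathematics."""
    wire_type, off = _read_string(blob, 0)
    if wire_type != declared.encode():
        raise ValueError("type mismatch: %s vs %r" % (declared, wire_type))
    fields = []
    while off < len(blob):
        f, off = _read_string(blob, off)
        fields.append(f)
    if declared == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("ed25519 public key must be 32 bytes")
    if declared == "ssh-rsa" and len(fields) != 2:
        raise ValueError("ssh-rsa blob must carry e and n")
    if declared not in ("ssh-ed25519", "ssh-rsa") and not declared.startswith("ecdsa-sha2-"):
        raise ValueError("unsupported key type " + declared)
    return HostKey(declared, blob)


def iterate_known_hosts(text):
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, _, line = line.partition(" ")
        parts = line.split(None, 3)  # hosts, type, base64, [comment]
        if len(parts) < 3:
            out.append(Entry(lineno, marker, parts[0], "", None, "too few fields"))
            continue
        hosts, ktype, b64 = parts[:3]
        try:
            key = parse_key_blob(ktype, base64.b64decode(b64, validate=True))
            out.append(Entry(lineno, marker, hosts, ktype, key))
        except ValueError as e:  # binascii.Error is a ValueError subclass
            out.append(Entry(lineno, marker, hosts, ktype, None, str(e)))
    return out


def _blob(ktype, *fields):
    # Encode a public key blob as OpenSSH does: a sequence of wire strings.
    wire = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(),) + fields)
    return base64.b64encode(wire).decode()


# Constructed sample, not real keys: the blobs are structurally valid but
# the key bytes are filler. The last line is a truncated blob and must
# come back with key=None, which is the property test_iterate asserts.
ED25519 = _blob("ssh-ed25519", bytes(range(32)))
RSA = _blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + bytes(30))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "example.org,192.0.2.10 ssh-ed25519 " + ED25519 + " laptop",
    "@cert-authority *.example ssh-rsa " + RSA,
    "@revoked * ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)),
    "broken.example ssh-ed25519 " + ED25519[:40],
])


def demo():
    return iterate_known_hosts(SAMPLE_KNOWN_HOSTS)
```

The point of returning an Entry with key=None instead of dropping the line or raising is the same one the unit test encodes: a caller walking known_hosts (to rotate keys, to apply RevokedHostKeys, or to rewrite the file) must still see the line so it is neither silently lost nor treated as a valid key. The fingerprint is computed over the raw blob exactly as read from the file, so the SHA256 value printed here can be compared directly with what `ssh-keygen -lf` reports.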
On Fri, 6 Mar 2015, Martin Hecht wrote:> on Ubuntu 14.04 with openssh-SNAP-20150306.tar.gz with gcc, libz-dev, > and libssl-dev > > configure; make; make tests > > fails at: > > test_hostkeys: > regress/unittests/hostkeys/test_iterate.c:124 test #1 "hostkeys_iterate > all with key parse" - entry 5/61, file line 5 > ASSERT_PTR_EQ(l->key, NULL) failed: > l->key = 0x2b14c2d7af80 > NULL = (nil)Already fixed in HEAD: diff --git sshkey.c sshkey.c index 2c67809..680c707 100644 --- sshkey.c +++ sshkey.c @@ -2464,6 +2464,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) break; default: ret = SSH_ERR_INVALID_ARGUMENT; + goto out; } /* -v01 certs have a serial number next */
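Review bot: the `goto out` after `ret = SSH_ERR_INVALID_ARGUMENT;` is what the `default:` arm was missing; without it an unsupported key type set the error code and then continued into the "-v01 certs have a serial number next" encoding as if the type were valid, which is consistent with the test_iterate entry above that came back with a non-NULL key. The `out:` label and whatever it frees are outside the hunk, so confirm that path returns `ret` unchanged and releases the buffer built before the switch. A one-line comment on the `default:` case noting that unsupported types must not reach the certificate body would help the next reader, since the arm above it ends in a plain `break;`.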