Hi, OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at http://www.openssh.com/portable.html#cvs At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: https://github.com/openssh/openssh-portable Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply: $ ./configure && make tests Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org. Security bugs should be reported directly to openssh at openssh.com. Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs. Thanks to the many people who contributed to this release. Security ======= * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently public key authentication and sshsig signatures). This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too. Note that the converse case of web browsers signing SSH challenges is already precluded because no web RP can have the "ssh:" prefix in the application string that we require. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. The recent FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" feature to better protect resident keys. We use this option to require a PIN prior to all operations that may retrieve a resident key from a FIDO token. Potentially-incompatible changes =============================== This release includes a number of changes that may affect existing configurations: * For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0 or greater. Older libraries have limited support at the expense of disabling particular features. These include resident keys, PIN- required keys and multiple attached tokens. * ssh-keygen(1): the format of the attestation information optionally recorded when a FIDO key is generated has changed. It now includes the authenticator data needed to validate attestation signatures. * The API between OpenSSH and the FIDO token middleware has changed and the SSH_SK_VERSION_MAJOR version has been incremented as a result. Third-party middleware libraries must support the current API version (7) to work with OpenSSH 8.4. * The portable OpenSSH distribution now requires automake to rebuild the configure script and supporting files. This is not required when simply building portable OpenSSH from a release tar file. Changes since OpenSSH 8.3 ======================== New features ------------ * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time limit for keys in addition to its current flag options. Time- limited keys will automatically be removed from ssh-agent after their expiry time has passed. * scp(1), sftp(1): allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it. * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g., keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 * ssh(1): add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be completed by the configuration (e.g. bz#1654) * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from stdin. bz#3180 * sshd(8): improve logging for MaxStartups connection throttling. sshd will now log when it starts and stops throttling and periodically while in this state. bz#3055 Bugfixes -------- * ssh(1), ssh-keygen(1): better support for multiple attached FIDO tokens. In cases where OpenSSH cannot unambiguously determine which token to direct a request to, the user is now required to select a token by touching it. In cases of operations that require a PIN to be verified, this avoids sending the wrong PIN to the wrong token and incrementing the token's PIN failure counter (tokens effectively erase their keys after too many PIN failures). * sshd(8): fix Include before Match in sshd_config; bz#3122 * ssh(1), sshd(8): limit the amount of channel input data buffered, avoiding peers that advertise large windows but are slow to read from causing high memory consumption. * ssh-agent(1): handle multiple requests sent in a single write() to the agent. * sshd(8): allow sshd_config longer than 256k * sshd(8): avoid spurious "Unable to load host key" message when sshd load a private key but no public counterpart * ssh(1): prefer the default hostkey algorithm list whenever we have a hostkey that matches its best-preference algorithm. * sshd(1): when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 * ssh(1): perform host key fingerprint comparisons for the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt with case sensitivity. * sshd(8): ensure that address/masklen mismatches in sshd_config yield fatal errors at daemon start time rather than later when they are evaluated. * ssh-keygen(1): ensure that certificate extensions are lexically sorted. Previously if the user specified a custom extension then the everything would be in order except the custom ones. bz#3198 * ssh(1): also compare username when checking for JumpHost loops. bz#3057 * ssh-keygen(1): preserve group/world read permission on known_hosts files across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other. bz#3146 * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual page and usage(). * sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on it being relative to the current directory, so that it can still be found if the shell startup changes its directory. bz#3185 * sshd(8): when redirecting sshd's log output to a file, undo this redirection after the session child process is forked(). Fixes missing log messages when using this feature under some circumstances. * sshd(8): start ClientAliveInterval bookkeeping before first pass through select() loop; fixed theoretical case where busy sshd may ignore timeouts from client. * ssh(1): only reset the ServerAliveInterval check when we receive traffic from the server and ignore traffic from a port forwarding client, preventing a client from keeping a connection alive when it should be terminated. bz#2265 * ssh-keygen(1): avoid spurious error message when ssh-keygen creates files outside ~/.ssh * sftp-client(1): fix off-by-one error that caused sftp downloads to make one more concurrent request that desired. This prevented using sftp(1) in unpipelined request/response mode, which is useful when debugging. bz#3054 * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() helpers. bz#3071 * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to write to it so we don't leave an empty .ssh directory when it's not needed. bz#3156 * ssh(1), sshd(8): fix multiplier when parsing time specifications when handling seconds after other units. bz#3171 Portability ----------- * sshd(8): always send any PAM account messages. If the PAM account stack returns any messages, always send them to the user and not just if the check succeeds. bz#2049 * Implement some backwards compatibility for libfido2 libraries older than 1.5.0. Note that use of an older library will result in the loss of certain features including resident key support, PIN support and support for multiple attached tokens. * configure fixes for XCode 12 * gnome-ssh-askpass3: ensure the "close" button is not focused by default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter accidentally dismissing FIDO touch notifications. * gnome-ssh-askpass3: allow some control over textarea colour via $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR environment variables. * sshd(8): document another PAM spec problem in a frustrated comment * sshd(8): support NetBSD's utmpx.ut_ss address field. bz#960 * Add the ssh-sk-helper binary and its manpage to the RPM spec file * Detect the Frankenstein monster of Linux/X32 and allow the sandbox to function there. bz#3085 OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
On 9/19/20 11:02 PM, Damien Miller wrote:> Hi, > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. >Debian GNU/Linux 10 (buster) gcc version 8.3.0 (Debian 8.3.0-6) OpenSSL 1.1.1d? 10 Sep 2019 Hang on conch ciphers test - had to ^C the process: ./configure && make tests ..... run test putty-kex.sh ... putty KEX: kex dh-gex-sha1 putty KEX: kex dh-group1-sha1 putty KEX: kex dh-group14-sha1 putty KEX: kex ecdh ok putty KEX run test conch-ciphers.sh ... conch ciphers: cipher aes256-ctr user ?? 6828? 6164? 0 08:59 pts/10?? 00:00:00 sh /home/user/sandbox/openssh/regress/test-exec.sh /home/user/sandbox/openssh/regress /home/user/sandbox/openssh/regress/conch-ciphers.sh user ?? 6896? 6828? 0 08:59 pts/10?? 00:00:00 /usr/bin/python2 /usr/bin/conch --identity /home/user/sandbox/openssh/regress/ssh-rsa --port 4242 --user user -e none --known-hosts /home/user/sandbox/openssh/regress/known_hosts --notty --noagent --nox11 -n 127.0.0.1 cat /home/user/sandbox/openssh/regress/data user?? 11095 11073? 0 09:24 pts/11?? 00:00:00 grep conch -- # include <stddisclaimer.h> /* Kevin Brott <Kevin.Brott at GMail.com> */
On Sun, Sep 20, 2020 at 09:34:50AM -0700, Kevin Brott wrote:> On 9/19/20 11:02 PM, Damien Miller wrote: > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a bugfix release. > > Debian GNU/Linux 10 (buster) > gcc version 8.3.0 (Debian 8.3.0-6) > OpenSSL 1.1.1d? 10 Sep 2019 > > Hang on conch ciphers test - had to ^C the process:This might be https://twistedmatrix.com/trac/ticket/9515, which was fixed in Twisted 19.2.0; Debian 10 has an older version. I forget what the original symptoms of that bug were, but it seems plausible. Try applying this workaround patch? https://salsa.debian.org/ssh-team/openssh/-/blob/debian/1%258.3p1-1/debian/patches/conch-old-privkey-format.patch (I haven't advocated for this to be applied to OpenSSH upstream, since the proper fix was in Twisted.) -- Colin Watson (he/him) [cjwatson at debian.org]
I wonder if I'm doing something wrong on NetBSD. From configure I see: checking if cc supports -Werror... yes ./configure: 5480: Syntax error: Word "-pipe" unexpected (expecting ")") -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
On September 20, 2020 2:02 AM, Damien Miller wrote:> OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.I will be testing this shortly on HPE NonStop platforms. Side question: We now have access to the hardware random generator and can decouple for PRNGD. Any guidance on how to do that would be appreciated. We would be happy to contribute the platform changes as well associated with this and the port changes. Thanks, Randall -- Brief whoami: NonStop developer since approximately 211288444200000000 UNIX developer since approximately 421664400 -- In my real life, I talk too much.
On Mon, 21 Sep 2020 at 03:04, Hisashi T Fujinaka <htodd at twofifty.com> wrote:> I wonder if I'm doing something wrong on NetBSD. From configure I see: > > checking if cc supports -Werror... yes > ./configure: 5480: Syntax error: Word "-pipe" unexpected (expecting ")")I've seen that when aclocal (from automake, which is a new dependency if you're not using a snapshot or release tarball) failed to create aclocal.m4. Did you check out the source yourself, and if so did you get any errors when you ran "autoreconf"? -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Sun, Sep 20, 2020 at 03:13:28PM -0400, Randall S. Becker wrote:> On September 20, 2020 2:02 AM, Damien Miller wrote: > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a bugfix release. > > I will be testing this shortly on HPE NonStop platforms. > > Side question: We now have access to the hardware random generator and can > decouple for PRNGD. Any guidance on how to do that would be appreciated. We > would be happy to contribute the platform changes as well associated with > this and the port changes. >Is this suppose to be openssl 3.0 ready?> Thanks, > Randall > > -- Brief whoami: > NonStop developer since approximately 211288444200000000 > UNIX developer since approximately 421664400 > -- In my real life, I talk too much. > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b USA call a Nov 3 2020 referndum to dissolve the Union and dissolve!!
On Sun, 20 Sep 2020, Randall S. Becker wrote:> On September 20, 2020 2:02 AM, Damien Miller wrote: > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a bugfix release. > > I will be testing this shortly on HPE NonStop platforms. > > Side question: We now have access to the hardware random generator and can > decouple for PRNGD. Any guidance on how to do that would be appreciated. We > would be happy to contribute the platform changes as well associated with > this and the port changes.If you add support for the hardware RNG to libcrypto then OpenSSH will use it automatically (assuming you haven't built --without-openssl). This would also have the benefit of everything else that uses libcrypto/libssl pick up support too. -d
OK, NetBSD-current amd64, NetBSD-9-amd64, and NetBSD-9-i386 all pass all tests. MacOS, well, I always try it but it has problems. On Sun, 20 Sep 2020, Damien Miller wrote:> Hi, > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Security > =======> > * ssh-agent(1): restrict ssh-agent from signing web challenges for > FIDO/U2F keys. > > When signing messages in ssh-agent using a FIDO key that has an > application string that does not start with "ssh:", ensure that the > message being signed is one of the forms expected for the SSH protocol > (currently public key authentication and sshsig signatures). > > This prevents ssh-agent forwarding on a host that has FIDO keys > attached granting the ability for the remote side to sign challenges > for web authentication using those keys too. > > Note that the converse case of web browsers signing SSH challenges is > already precluded because no web RP can have the "ssh:" prefix in the > application string that we require. > > * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating > a FIDO resident key. > > The recent FIDO 2.1 Client to Authenticator Protocol introduced a > "credProtect" feature to better protect resident keys. We use this > option to require a PIN prior to all operations that may retrieve > a resident key from a FIDO token. > > Potentially-incompatible changes > ===============================> > This release includes a number of changes that may affect existing > configurations: > > * For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0 > or greater. Older libraries have limited support at the expense of > disabling particular features. These include resident keys, PIN- > required keys and multiple attached tokens. > > * ssh-keygen(1): the format of the attestation information optionally > recorded when a FIDO key is generated has changed. It now includes > the authenticator data needed to validate attestation signatures. > > * The API between OpenSSH and the FIDO token middleware has changed > and the SSH_SK_VERSION_MAJOR version has been incremented as a > result. Third-party middleware libraries must support the current > API version (7) to work with OpenSSH 8.4. > > * The portable OpenSSH distribution now requires automake to rebuild > the configure script and supporting files. This is not required when > simply building portable OpenSSH from a release tar file. > > Changes since OpenSSH 8.3 > ========================> > New features > ------------ > > * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for > each use. These keys may be generated using ssh-keygen using a new > "verify-required" option. When a PIN-required key is used, the user > will be prompted for a PIN to complete the signature operation. > > * sshd(8): authorized_keys now supports a new "verify-required" > option to require FIDO signatures assert that the token verified > that the user was present before making the signature. The FIDO > protocol supports multiple methods for user-verification, but > currently OpenSSH only supports PIN verification. > > * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn > signatures. Webauthn is a standard for using FIDO keys in web > browsers. These signatures are a slightly different format to plain > FIDO signatures and thus require explicit support. > > * ssh(1): allow some keywords to expand shell-style ${ENV} > environment variables. The supported keywords are CertificateFile, > ControlPath, IdentityAgent and IdentityFile, plus LocalForward and > RemoteForward when used for Unix domain socket paths. bz#3140 > > * ssh(1), ssh-agent(1): allow some additional control over the use of > ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, > including forcibly enabling and disabling its use. bz#69 > > * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time > limit for keys in addition to its current flag options. Time- > limited keys will automatically be removed from ssh-agent after > their expiry time has passed. > > * scp(1), sftp(1): allow the -A flag to explicitly enable agent > forwarding in scp and sftp. The default remains to not forward an > agent, even when ssh_config enables it. > > * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of > the destination. This allows, e.g., keeping host keys in individual > files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 > > * ssh(1): add %-TOKEN, environment variable and tilde expansion to > the UserKnownHostsFile directive, allowing the path to be > completed by the configuration (e.g. bz#1654) > > * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted > from stdin. bz#3180 > > * sshd(8): improve logging for MaxStartups connection throttling. > sshd will now log when it starts and stops throttling and periodically > while in this state. bz#3055 > > Bugfixes > -------- > > * ssh(1), ssh-keygen(1): better support for multiple attached FIDO > tokens. In cases where OpenSSH cannot unambiguously determine which > token to direct a request to, the user is now required to select a > token by touching it. In cases of operations that require a PIN to > be verified, this avoids sending the wrong PIN to the wrong token > and incrementing the token's PIN failure counter (tokens > effectively erase their keys after too many PIN failures). > > * sshd(8): fix Include before Match in sshd_config; bz#3122 > > * ssh(1), sshd(8): limit the amount of channel input data buffered, > avoiding peers that advertise large windows but are slow to read > from causing high memory consumption. > > * ssh-agent(1): handle multiple requests sent in a single write() to > the agent. > > * sshd(8): allow sshd_config longer than 256k > > * sshd(8): avoid spurious "Unable to load host key" message when sshd > load a private key but no public counterpart > > * ssh(1): prefer the default hostkey algorithm list whenever we have > a hostkey that matches its best-preference algorithm. > > * sshd(1): when ordering the hostkey algorithms to request from a > server, prefer certificate types if the known_hosts files contain a key > marked as a @cert-authority; bz#3157 > > * ssh(1): perform host key fingerprint comparisons for the "Are you > sure you want to continue connecting (yes/no/[fingerprint])?" > prompt with case sensitivity. > > * sshd(8): ensure that address/masklen mismatches in sshd_config > yield fatal errors at daemon start time rather than later when > they are evaluated. > > * ssh-keygen(1): ensure that certificate extensions are lexically > sorted. Previously if the user specified a custom extension then > the everything would be in order except the custom ones. bz#3198 > > * ssh(1): also compare username when checking for JumpHost loops. > bz#3057 > > * ssh-keygen(1): preserve group/world read permission on known_hosts > files across runs of "ssh-keygen -Rf /path". The old behaviour was > to remove all rights for group/other. bz#3146 > > * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen > manual page and usage(). > > * sshd(8): explicitly construct path to ~/.ssh/rc rather than > relying on it being relative to the current directory, so that it > can still be found if the shell startup changes its directory. > bz#3185 > > * sshd(8): when redirecting sshd's log output to a file, undo this > redirection after the session child process is forked(). Fixes > missing log messages when using this feature under some > circumstances. > > * sshd(8): start ClientAliveInterval bookkeeping before first pass > through select() loop; fixed theoretical case where busy sshd may > ignore timeouts from client. > > * ssh(1): only reset the ServerAliveInterval check when we receive > traffic from the server and ignore traffic from a port forwarding > client, preventing a client from keeping a connection alive when > it should be terminated. bz#2265 > > * ssh-keygen(1): avoid spurious error message when ssh-keygen > creates files outside ~/.ssh > > * sftp-client(1): fix off-by-one error that caused sftp downloads to > make one more concurrent request that desired. This prevented using > sftp(1) in unpipelined request/response mode, which is useful when > debugging. bz#3054 > > * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() > helpers. bz#3071 > > * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to > write to it so we don't leave an empty .ssh directory when it's not > needed. bz#3156 > > * ssh(1), sshd(8): fix multiplier when parsing time specifications > when handling seconds after other units. bz#3171 > > Portability > ----------- > > * sshd(8): always send any PAM account messages. If the PAM account > stack returns any messages, always send them to the user and not > just if the check succeeds. bz#2049 > > * Implement some backwards compatibility for libfido2 libraries > older than 1.5.0. Note that use of an older library will result > in the loss of certain features including resident key support, > PIN support and support for multiple attached tokens. > > * configure fixes for XCode 12 > > * gnome-ssh-askpass3: ensure the "close" button is not focused by > default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter > accidentally dismissing FIDO touch notifications. > > * gnome-ssh-askpass3: allow some control over textarea colour via > $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR > environment variables. > > * sshd(8): document another PAM spec problem in a frustrated comment > > * sshd(8): support NetBSD's utmpx.ut_ss address field. bz#960 > > * Add the ssh-sk-helper binary and its manpage to the RPM spec file > > * Detect the Frankenstein monster of Linux/X32 and allow the sandbox > to function there. bz#3085 > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >-- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
On Mon, 21 Sep 2020 at 09:53, Hisashi T Fujinaka <htodd at twofifty.com> wrote:> OK, NetBSD-current amd64, NetBSD-9-amd64, and NetBSD-9-i386 all pass all > tests. MacOS, well, I always try it but it has problems.What's the problem on OS X? We test on it regularly (El Capitan and High Sierra) and the only problem I'm aware of is that the native libcrypto on High Sierra is extremely slow[0] (I'm told this is going to be fixed, but as of today the libcrypto I have is still slow). [0] https://marc.info/?l=openssh-unix-dev&m=153138346004439&w=2 -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 9/20/20 8:02 AM, Damien Miller wrote:> Hi, > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Basic tests in Fedora 32 passed. Running some more now. For the release, can we consider also pulling the various fixes for ssh-copy-id, which recently received some care: https://gitlab.com/phil_hands/ssh-copy-id Thanks, -- Jakub Jelen Senior Software Engineer Crypto Team, Security Engineering Red Hat, Inc.
On Mon, 21 Sep 2020, Jakub Jelen wrote:> On 9/20/20 8:02 AM, Damien Miller wrote: > > Hi, > > > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a bugfix release. > > Basic tests in Fedora 32 passed. Running some more now. > > For the release, can we consider also pulling the various fixes for > ssh-copy-id, which recently received some care: > > https://gitlab.com/phil_hands/ssh-copy-idI've synced with rev f0da1a1b7d8 -d
On 9/19/20 11:02 PM, Damien Miller wrote:> Hi, > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. >====openssh-SNAP-20200923.tar.gz AIX: 7200-04-02-2028 xlc_r 12.1.0.18 OpenSSL 1.0.2t? 10 Sep 2019 ./configure && make tests ... ??????? xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include?? -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\"? -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"? -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"? -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"? -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"? -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"? -D_PATH_SSH_SK_HELPER=\"/usr/local/libexec/ssh-sk-helper\"? -D_PATH_SSH_PIDDIR=\"/var/run\"? -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -fPIC -shared -o regress/misc/sk-dummy/sk-dummy.so regress/misc/sk-dummy/sk-dummy.lo? regress/misc/sk-dummy/fatal.lo? ed25519.lo hash.lo ge25519.lo fe25519.lo sc25519.lo verify.lo? -L. -Lopenbsd-compat -lopenbsd-compat -L. -Lopenbsd-compat/ -L/usr/lib -L/usr/ccs/lib -blibpath:/usr/lib:/lib? -lcrypto -lz -lpthread xlc_r: 1501-218 (W) file regress/misc/sk-dummy/sk-dummy.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file regress/misc/sk-dummy/fatal.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file ed25519.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file hash.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file ge25519.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file fe25519.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file sc25519.lo contains an incorrect file suffix xlc_r: 1501-218 (W) file verify.lo contains an incorrect file suffix ld: 0706-005 Cannot find or open file: PIC ??????? ld:fopen(): A file or directory in the path name does not exist. ld: 0706-012 The -h flag is not recognized. ld: 0706-012 The -a flag is not recognized. make: The error code from the last command is 255. ==== openssh-SNAP-20200923.tar.gz AIX: 7200-04-02-2028 gcc (GCC) 8.3.0 OpenSSL 1.0.2t? 10 Sep 2019 ./configure && make tests .... all tests passed -- # include <stddisclaimer.h> /* Kevin Brott <Kevin.Brott at GMail.com> */
On Tue, 22 Sep 2020, Kevin Brott wrote:> On 9/19/20 11:02 PM, Damien Miller wrote: > > Hi, > > > > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a bugfix release. > > > > ====> openssh-SNAP-20200923.tar.gz > AIX: 7200-04-02-2028 > xlc_r 12.1.0.18 > OpenSSL 1.0.2t? 10 Sep 2019 > > ./configure && make tests[snip] I think Darren was looking at getting sk-dummy.so to compile on AIX using the native toolchain. Until it is working, you might have to manually remove it from the "regress-binaries:" target in Makefile - delete or comment out the $(SK_DUMMY_LIBRARY) line there. If you do that and rerun "make tests" they should work as expected (though without testing FIDO functionality). -d