Hi,

OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
--------------------------------

* The portable OpenSSH project now signs commits and release tags
  using git's recent SSH signature support. The list of developer
  signing keys is included in the repository as .git_allowed_signers
  and is cross-signed using the PGP key that is still used to sign
  release artifacts:
  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
  are now first-match-wins to match other directives. Previously
  if an environment variable was multiply specified the last set
  value would have been used. bz3438

* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
  will no longer generate DSA keys, as these are insecure and have
  not been used by default for some years.

New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
  RSA key length. Keys below this length will be ignored for user
  authentication and for host authentication in sshd(8).

  ssh(1) will terminate a connection if the server offers an RSA key
  that falls below this limit, as the SSH protocol does not include
  the ability to retry a failed key exchange.

* sftp-server(8): add a "users-groups-by-id at openssh.com" extension
  request that allows the client to obtain user/group names that
  correspond to a set of uids/gids.

* sftp(1): use "users-groups-by-id at openssh.com" sftp-server
  extension (when available) to fill in user/group names for
  directory listings.

* sftp-server(8): support the "home-directory" extension request
  defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
  a bit with the existing "expand-path at openssh.com", but some other
  clients support it.

* ssh-keygen(1), sshd(8): allow certificate validity intervals,
  sshsig verification times and authorized_keys expiry-time options
  to accept dates in the UTC time zone in addition to the default
  of interpreting them in the system time zone. YYYYMMDD and
  YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
  with a 'Z' character.

  Also allow certificate validity intervals to be specified in raw
  seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
  is intended for use by regress tests and other tools that call
  ssh-keygen as part of a CA workflow. bz3468

* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
  "/usr/libexec/sftp-server -el debug3"

* ssh-keygen(1): allow the existing -U (use agent) flag to work
  with "-Y sign" operations, where it will be interpreted to require
  that the private key is hosted in an agent; bz3429

Bugfixes
--------

* ssh-keygen(1): implement the "verify-required" certificate option.
  This was already documented when support for user-verified FIDO
  keys was added, but the ssh-keygen(1) code was missing.

* ssh-agent(1): hook up the restrict_websafe command-line flag;
  previously the flag was accepted but never actually used.

* sftp(1): improve filename tab completions: never try to complete
  names to non-existent commands, and better match the completion
  type (local or remote filename) against the argument position
  being completed.

* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
  handling, especially relating to keys that request
  user-verification. These should reduce the number of unnecessary
  PIN prompts for keys that support intrinsic user verification.
  GHPR302, GHPR329

* ssh-keygen(1): when enrolling a FIDO resident key, check if a
  credential with matching application and user ID strings already
  exists and, if so, prompt the user for confirmation before
  overwriting the credential. GHPR329

* sshd(8): improve logging of errors when opening authorized_keys
  files. bz2042

* ssh(1): avoid multiplexing operations that could cause SIGPIPE from
  causing the client to exit early. bz3454

* ssh_config(5), sshd_config(5): clarify that the RekeyLimit
  directive applies to both transmitted and received data. GHPR328

* ssh-keygen(1): avoid double fclose() in error path.

* sshd(8): log an error if pipe() fails while accepting a
  connection. bz3447

* ssh(1), ssh-keygen(1): fix possible NULL deref when built without
  FIDO support. bz3443

* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
  GHPR294.

* sshd(8): ensure that authentication passwords are cleared from
  memory in error paths. GHPR286

* ssh(1), ssh-agent(1): avoid possibility of notifier code executing
  kill(-1). GHPR286

* ssh_config(5): note that the ProxyJump directive also accepts the
  same tokens as ProxyCommand. GHPR305.

* scp(1): do not ftruncate(3) files early when in sftp mode. The
  previous behaviour of unconditionally truncating the destination
  file would cause "scp ~/foo localhost:foo" and the reverse
  "scp localhost:foo ~/foo" to delete all the contents of their
  destination. bz3431

* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
  unable to load a private key; bz3429

* sftp(1), scp(1): when performing operations that glob(3) a remote
  path, ensure that the implicit working directory used to construct
  that path escapes glob(3) characters. This prevents glob characters
  from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
  "get *.txt" should have the get operation treat the path "/tmp/a*"
  literally and not attempt to expand it.

* ssh(1), sshd(8): be stricter in which characters will be accepted
  in specifying a mask length; allow only 0-9. GHPR278

* ssh-keygen(1): avoid printing hash algorithm twice when dumping a
  KRL

* ssh(1), sshd(8): continue running local I/O for open channels
  during SSH transport rekeying. This should make ~-escapes work in
  the client (e.g. to exit) if the connection happened to have
  stalled during a rekey event.

* ssh(1), sshd(8): avoid potential poll() spin during rekeying

* Further hardening for sshbuf internals: disallow "reparenting" a
  hierarchical sshbuf and zero the entire buffer if reallocation
  fails. GHPR287

Portability
-----------

* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in
  FIDO security key support if libfido2 is found and usable, unless
  --without-security-key-builtin was requested.

* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
  FIDO device usable on Cygwin. The windows://hello FIDO device will
  be automatically used by default on this platform unless requested
  otherwise, or when probing resident FIDO credentials (an operation
  not currently supported by WinHello).

* Portable OpenSSH: remove workarounds for obsolete and unsupported
  versions of OpenSSL libcrypto. In particular, this release removes
  fallback support for OpenSSL that lacks AES-CTR or AES-GCM.

  Those AES cipher modes were added to OpenSSL prior to the minimum
  version currently supported by OpenSSH, so this is not expected to
  impact any currently supported configurations.

* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc

* All: resync and clean up internal CSPRNG code.

* scp(1), sftp(1), sftp-server(8): avoid linking these programs with
  unnecessary libraries. They are no longer linked against libz and
  libcrypto. This may be of benefit to space constrained systems
  using any of those components in isolation.

* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
  architectures.

* configure: remove special casing of crypt(). configure will no
  longer search for crypt() in libcrypto, as it was removed from
  there years ago. configure will now only search libc and libcrypt.

* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its
  RSA implementation (CVE-2022-2274) on x86_64.

* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322

* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes
  required by the XMSS code on some platforms.

* sshd(8): cache timezone data in capsicum sandbox.

Reporting Bugs:
==============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
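As an added example (not OpenSSH's own code), the following Python script decodes the ssh-rsa wire format found in authorized_keys and known_hosts lines and reports every RSA modulus below a RequiredRSASize-style minimum, so an administrator can find the keys the new directive would reject before enabling it. The sample keys are constructed placeholders with the chosen modulus size, not real keys, and the 3072-bit threshold is an assumed example value.

```python
"""Find RSA public keys below a RequiredRSASize-style minimum.

Added example, not OpenSSH code. An ssh-rsa public key blob is three
SSH "string" fields (uint32 length + bytes): the type name "ssh-rsa",
the exponent e as an mpint, and the modulus n as an mpint. The key
size that RequiredRSASize compares against is the bit length of n.
"""
import base64
import struct


def _read_string(blob: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the modulus size in bits for one 'ssh-rsa AAAA...' line.

    Leading authorized_keys options (e.g. 'no-pty') are skipped by
    locating the key-type field. Raises ValueError for non-RSA or
    malformed input.
    """
    fields = pubkey_line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("blob type does not match ssh-rsa")
    _e, off = _read_string(blob, off)   # public exponent (mpint), unused here
    n, _ = _read_string(blob, off)      # modulus (mpint)
    # mpint is big-endian two's complement: a leading 0x00 pad byte is
    # present when the top bit is set and must not count toward the size.
    return int.from_bytes(n, "big").bit_length()


def weak_rsa_keys(lines, required_bits: int = 3072):
    """Yield (line_no, bits) for every RSA key shorter than required_bits."""
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#") or "ssh-rsa" not in line:
            continue
        bits = rsa_modulus_bits(line)
        if bits < required_bits:
            yield no, bits


# --- constructed sample input: placeholder moduli, not real RSA keys ---
def _sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                 # keep the value positive
    return _sshstr(b)


def _fake_rsa_line(bits: int, comment: str) -> str:
    """Build an ssh-rsa line whose modulus has exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1           # placeholder number, not a modulus
    blob = _sshstr(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file, not real keys",
    _fake_rsa_line(1024, "legacy@example"),
    "no-pty " + _fake_rsa_line(2048, "ops@example"),
    _fake_rsa_line(4096, "ca@example"),
    "ssh-ed25519 PLACEHOLDER-NOT-A-REAL-KEY other@example",  # skipped
]


def check_sample(required_bits: int = 3072):
    """Run the check over the constructed sample; returns [(line, bits)]."""
    return list(weak_rsa_keys(SAMPLE_AUTHORIZED_KEYS, required_bits))


if __name__ == "__main__":
    for no, bits in check_sample():
        print(f"line {no}: {bits}-bit RSA key is below RequiredRSASize 3072")
```

On a real host, pass the lines of an authorized_keys or known_hosts file to weak_rsa_keys() with the value you intend to set for RequiredRSASize.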
Hi Damien,

I want to report success on OpenIndiana OS:

:; ssh -V
OpenSSH_9.1p1-snap20220928, OpenSSL 1.1.1q  5 Jul 2022

Compiled with GCC 10 (with custom OpenSSL and MIT Kerberos-5 compilation)

Tested server and client (briefly, for functionality I use on everyday
tasks) -- all works fine...

Thanks and regards

On 28.09.2022 02:03, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> [...]

-- 
Predrag Zečević
predrag.zecevic.1961 at googlemail.com
Damien Miller on Tuesday, September 27, 2022 8:04 PM wrote:
> Hi,
> OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release.
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> <skip>
> <skip>
> Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:
> ./configure && make tests
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to openssh-unix-dev at mindrot.org. Security bugs should be reported directly to openssh at openssh.com.
> <skip>

AIX 7.1 TL5 SP9

For a number of releases since the introduction of OpenSSH ver. 8, AIX has
been experiencing a problem configuring OpenSSH with static OpenSSL libs
ver. 1.1.1.(x). The "configure" command finishes with an error:

./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --without-openssl-header-check --with-cflags=-q64 --with-ldflags=-q64
<skip>
...
checking whether snprintf can declare const char *fmt... yes
checking if getaddrinfo seems to work... yes
checking whether AI_NUMERICSERV is declared... yes
checking if SA_RESTARTed signals interrupt select()... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
configure: error: *** working libcrypto not found, check config.log

The remedy is to add the --with-libs=-lpthread argument to the "configure"
command. It is not clear how "libpthread" affects the "configure" command's
ability to locate "libcrypto". It is all related to the initial env config.

It looks like the "configure" output is somewhat misleading: it displays
the error for "libcrypto", while in fact "config.log" contains lines with
".pthread" errors just before the "libcrypto" error (could it be a 'side'
effect of the ".pthread" symbols not being found?).

Additional info:
cc -qlanglvl=extc99 supports C99-style variadic macros... yes
cc option to enable C99 features... -qlanglvl=extc99
system type... powerpc-ibm-aix7.1.5.0
run the C preprocessor... cc -qlanglvl=extc99 -E

"config.log" contains the following errors:

===============================================================
| /* Override any GCC internal prototype to avoid an error.
|    Use char because int might match the return type of a GCC
|    builtin and then its argument prototype would still apply.  */
| char daemon ();
| int
| main (void)
| {
| return daemon ();
|   ;
|   return 0;
| }
configure:14478: result: no
configure:14490: checking for getpagesize
configure:14490: result: yes
configure:14544: checking whether snprintf correctly terminates long strings
configure:14570: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14570: $? = 0
configure:14570: ./conftest
configure:14570: $? = 0
configure:14572: result: yes
configure:14592: checking whether snprintf understands %zu
configure:14621: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14621: $? = 0
configure:14621: ./conftest
configure:14621: $? = 0
configure:14623: result: yes
configure:14643: checking whether vsnprintf returns correct values on overflow
configure:14684: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14684: $? = 0
configure:14684: ./conftest
configure:14684: $? = 0
configure:14686: result: yes
configure:14708: checking whether snprintf can declare const char *fmt
configure:14726: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:14726: $? = 0
configure:14728: result: yes
configure:14944: checking if getaddrinfo seems to work
configure:15004: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15004: $? = 0
configure:15004: ./conftest
configure:15004: $? = 0
configure:15007: result: yes
configure:15028: checking whether AI_NUMERICSERV is declared
configure:15028: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:15028: $? = 0
configure:15028: result: yes
configure:15132: checking if SA_RESTARTed signals interrupt select()
configure:15181: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15181: $? = 0
configure:15181: ./conftest
configure:15181: $? = 0
configure:15183: result: yes
configure:15200: checking for getpgrp
configure:15200: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15200: $? = 0
configure:15200: result: yes
configure:15205: checking if getpgrp accepts zero args
configure:15218: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:15218: $? = 0
configure:15220: result: yes
configure:15328: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/openssl/include -I/usr/local/zlib/include -L/usr/local/openssl/lib -L/usr/local/zlib/lib -q64 conftest.c -lcrypto >&5
ld: 0711-317 ERROR: Undefined symbol: .deflate
ld: 0711-317 ERROR: Undefined symbol: .zError
ld: 0711-317 ERROR: Undefined symbol: .deflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflate
ld: 0711-317 ERROR: Undefined symbol: .inflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflateEnd
ld: 0711-317 ERROR: Undefined symbol: .deflateEnd
ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork
ld: 0711-317 ERROR: Undefined symbol: .pthread_once
ld: 0711-317 ERROR: Undefined symbol: .pthread_self
ld: 0711-317 ERROR: Undefined symbol: .pthread_key_delete
ld: 0711-317 ERROR: Undefined symbol: .pthread_setspecific
ld: 0711-317 ERROR: Undefined symbol: .pthread_getspecific
ld: 0711-317 ERROR: Undefined symbol: .pthread_key_create
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_unlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_wrlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_rdlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_init
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_destroy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
configure:15328: $? = 8
configure: failed program was:
| /* confdefs.h */
<skip>
<skip>
| /* Override any GCC internal prototype to avoid an error.
|    Use char because int might match the return type of a GCC
|    builtin and then its argument prototype would still apply.  */
| char RAND_add ();
| int
| main (void)
| {
| return RAND_add ();
|   ;
|   return 0;
| }
configure:15332: error: *** working libcrypto not found, check config.log
===============================================================

Thanks,
Val Baranov
Val.baranov at duke.edu
On Wed, Sep 28, 2022 at 10:03:37AM +1000, Damien Miller wrote:
> $ ./configure && make tests

"all tests passed" on Raspberry Pi OS with snapshot 20220930. The binary
made an ssh connection to a server running 9.0.

Nicolai
20:10, Damien Miller <djm at mindrot.org> wrote:
>
> Hi,
>
> OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

On my FreeBSD 13/14ish laptop something's wrong with ./configure -
HAVE_FIDO_DEV_IS_WINHELLO is not getting set in config.h and then
building fails with:

sk-usbhid.c:386:1: error: static declaration of 'fido_dev_is_winhello' follows non-static declaration
fido_dev_is_winhello(const fido_dev_t *fdev)
^
/usr/local/include/fido.h:220:6: note: previous declaration is here
bool fido_dev_is_winhello(const fido_dev_t *);

config.log shows it being detected correctly though:

configure:16481: checking for fido_dev_is_winhello
configure:16481: cc -o conftest -g -O2 -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -fno-strict-aliasing -mretpoline -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -I/usr/local/include -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong conftest.c -lcrypto -lutil -L/usr/local/lib -lfido2 >&5
configure:16481: $? = 0
configure:16481: result: yes

I will look into that, but in any case with a straightforward workaround
for that the tests do run. They end up stalling, waiting on input:

...
run test conch-ciphers.sh ...
conch ciphers: cipher aes256-ctr
emaste at 127.0.0.1's password:

I removed conch-ciphers for now, and the tests finish with:

all tests passed

There are also a few FreeBSD changes / issues that are still waiting:
https://marc.info/?l=openssh-unix-dev&m=163034560831808&w=2
https://marc.info/?l=openssh-unix-dev&m=165236928625750&w=2
https://marc.info/?l=openssh-unix-dev&m=165289778115816&w=2
On Tue, Sep 27, 2022 at 05:03:37PM PDT, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> [...]

All tests pass with git commit b51f3f172d87 on Void Linux (kernel 5.18.19,
gcc 10.2.1, glibc 2.32, openssl 1.1.1q).

Zev