Hi,

We are preparing to release another stable OpenSSH soon, so once again we are asking for your help in testing CVS snapshots.

Changes include:

* ssh(1) now allows the optional specification of an address to bind to in port forwarding connections (local, remote and dynamic). See the -L, -R options in the ssh(1) man page as well as the LocalForward and RemoteForward options in ssh_config(5). (Bugzilla #413)

* To control remote bindings while retaining backwards compatibility, sshd(8)'s GatewayPorts option has been extended. To allow client specified bind addresses for remote (-R) port forwardings, the server must be configured with "GatewayPorts clientspecified".

* To support better selection of binding addresses for remote port forwardings, sshd(8) now supports the new address specification methods in draft-ietf-secsh-connect-24.txt section 7.1. In particular, the empty "" address_to_bind is recognised as meaning a wildcard bind for all supported protocols (IPv4 and IPv6) whereas "localhost" means an all-protocols loopback bind.

* ssh(1) and ssh-keyscan(1) now support hashing of host names and addresses added to known_hosts files, controlled by the ssh(1) HashKnownHosts configuration directive. This option improves user privacy by hiding which hosts have been visited. For this release the option will be off by default, but may be turned on once it receives sufficient testing.

* Add options for managing keys in known_hosts files to ssh-keygen(1), including the ability to search for hosts by name, delete hosts by name and convert an unhashed known_hosts file into one with hashed names. These are particularly useful for managing known_hosts files with hashed hostnames.

* Improve account and password expiry support in sshd(8). The server will now warn in advance for both account and password expiry.
* sshd(8) will now log the source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. (Bugzilla #909)

* Added AddressFamily option to sshd(8), to allow global control over IPv4/IPv6 usage. (Bugzilla #989)

* Improved sftp(1) client, including bugfixes and optimisations for the ``ls'' command and command history and editing support using libedit. This may be enabled using the --with-libedit configure argument.

* Improved the handling of bad data in authorized_keys files, eliminating fatal errors on corrupt or very large keys. (Bugzilla #884)

* Improved connection multiplexing support in ssh(1). Several bugs have been fixed and a new "command mode" has been added to allow the control of a running multiplexing master connection, including checking that it is up, determining its PID and asking it to exit.

* Have scp(1) and sftp(1) wait for the spawned ssh to exit before they exit themselves. This prevents ssh from being unable to restore terminal modes (not normally a problem on OpenBSD but common with -Portable on POSIX platforms). (Bugzilla #950)

* Portable OpenSSH:
  - Add *EXPERIMENTAL* BSM audit support for Solaris systems. (Bugzilla #125)
  - Enable IPv6 on AIX where possible (see README.platform for details), working around a misfeature of AIX's getnameinfo. (Bugzilla #835)
  - Teach sshd(8) to write failed login records to btmp for failed auth attempts (currently only for password, kbdint and C/R, only on Linux and HP-UX).
  - sshd(8) now sends output from failing PAM session modules to the user before exiting, similar to the way /etc/nologin is handled.
  - Store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes.
* Many bug fixes and improvements, for details see the ChangeLog and http://bugzilla.mindrot.org/show_bug.cgi?id=914

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable snapshots are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
or one of its mirrors listed at http://www.openssh.com/portable.html#ftp

Please test! Running the regression tests supplied with Portable does not require installation and is simply:

$ ./configure && make tests

Testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.
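The HashKnownHosts and ssh-keygen known_hosts items above describe a file format rather than show it. The following is an added example, not OpenSSH code and not part of the announcement, that reproduces the hashed host-name entry format OpenSSH writes ("|1|" + base64 salt + "|" + base64 HMAC-SHA1 keyed with the salt over the host name, with a 20-byte salt) and implements the three ssh-keygen operations from the list: convert a file to hashed form, search it for a host, and delete a host. The sample known_hosts content is constructed and the keys in it are placeholders, not real keys; wildcard matching uses fnmatch as an approximation of OpenSSH's own pattern matcher.

```python
"""Hashed known_hosts entries as introduced with HashKnownHosts (added example)."""
import base64
import binascii
import fnmatch
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = hashlib.sha1().digest_size  # 20 bytes: salt length equals the digest length

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, keys are not real
example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY1== comment
*.example.net ssh-dss AAAAB3NzaC1kc3MFAKEKEY2==
gateway ssh-rsa AAAAB3NzaC1yc2EFAKEKEY3==
"""


def hash_host(host, salt=None):
    """Return the hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per entry, as ssh does
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(pattern, host):
    """True if the host field `pattern` (plain comma list or hashed entry) covers `host`."""
    if pattern.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, mac_b64 = pattern.split("|")  # "", "1", salt, mac
            salt = base64.b64decode(salt_b64, validate=True)
            mac = base64.b64decode(mac_b64, validate=True)
        except (ValueError, binascii.Error):
            return False  # malformed entry never matches
        if len(salt) != SALT_LEN or len(mac) != SALT_LEN:
            return False
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return any(fnmatch.fnmatchcase(host, name) for name in pattern.split(","))


def _entries(text):
    """Yield (line, host_field, rest); host_field is None for blank and comment lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield line, None, None
            continue
        parts = stripped.split(None, 1)
        yield line, parts[0], parts[1] if len(parts) > 1 else ""


def hash_known_hosts(text, rng=os.urandom):
    """ssh-keygen -H style conversion: one hashed line per name; patterns stay in clear."""
    out = []
    for line, hosts, rest in _entries(text):
        if hosts is None or hosts.startswith(HASH_MAGIC):
            out.append(line)
            continue
        for name in hosts.split(","):
            if "*" in name or "?" in name:
                out.append((name + " " + rest).rstrip())  # a pattern cannot be hashed
            else:
                out.append(hash_host(name, rng(SALT_LEN)) + " " + rest)
    return "\n".join(out) + "\n"


def find_host(text, host):
    """ssh-keygen -F style search: every line whose host field matches `host`."""
    return [line for line, hosts, _ in _entries(text)
            if hosts is not None and host_matches(hosts, host)]


def delete_host(text, host):
    """ssh-keygen -R style removal of all lines matching `host`."""
    kept = [line for line, hosts, _ in _entries(text)
            if hosts is None or not host_matches(hosts, host)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("lookup 192.0.2.10:", find_host(hashed, "192.0.2.10"))
```

Because the salt is random per entry, the same host hashes differently in every file, so an attacker who reads the file cannot precompute a dictionary of likely host names once and match it against many users' files; they must run one HMAC per candidate name per entry. Note also the privacy limit the announcement implies: the key material itself is still stored in clear, so a host can still be recognised by its public key.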
Damien Miller wrote:
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.

One thing not in Damien's list: OpenSSH Portable now has a (completely voluntary) configuration survey. It will collect information about the platform and the options OpenSSH was configured with and mail it to an archive. We tried to be careful not to collect anything that might be considered sensitive, however if anyone has any issues with the data collected then please let us know. The raw data will be available only to the development team, however we may publish summary data at some point in the future.

This will help us support your platform! It will allow us to (among other things) know which combinations of options are valid on which platforms and better target testing. This would allow us to answer questions like (and these are real examples of things we've needed to know in the past):

* If we make changes to realpath(), which platforms will that affect?
* Are there any platforms currently in use that don't have fchdir()?
* Do any platforms have both PAM and BSDauth?
* and so on...

You can view the data that is collected by running "make survey" and looking at the file "survey" in the build dir. The data is not sent until you explicitly request it ("make send-survey"). If you have any doubts at all then ask us (or else don't send it).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Mar 3 09:54, Damien Miller wrote:
> Hi,
>
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.

I can't test the latest from CVS, because the CVS server suddenly requires a password:

$ cvs up
openssh at anoncvs.be.openbsd.org's password:

The home page of portable OpenSSH still tells me that no password is required. Is something broken?

Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
On Mar 3 09:54, Damien Miller wrote:
> Hi,
>
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.

Built and regress-tested on Cygwin. Looks pretty good with just one exception:

- The reexec.sh test is broken on Cygwin, because the test tries to copy and cmp /bin/ls, while there's only a /bin/ls.exe. This is arguably a problem in the Cygwin environment. Changing the test so that /bin/ls.exe is used lets the test work just fine, so no worries here.

Also one problem with the survey: There's no such command as `oslevel' on Cygwin. FWIW, I didn't find this command on Linux either.

Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
Hi all,

Please find attached file "readconf-SendEnv.patch". This small patch allows ssh to collect variables from the local environment that should be sent to the server only from the ssh_config section for this host/server.

Sample ssh_config:

Host test1
    SendEnv TEST1
Host test2
    SendEnv TEST2

Without the patch ssh will send TEST1 and TEST2 to all servers. Note that variables from SendEnv in global defaults for all hosts ('Host *' section) and command line are always sent.

Damien Miller wrote:
> Hi,
>
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.
>
> Changes include:
>
> [SNIP]

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: readconf-SendEnv.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050303/1704acc5/attachment.ksh
Damien Miller <djm at mindrot.org> wrote:
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.

Test results for openssh-SNAP-20050303.tar.gz:

Debian GNU/Linux 3.1 i686: PASS
  ./configure --with-pam --with-kerberos5=/usr --with-privsep-path=/var/run/sshd
  make tests passes.
  PAM authentication looks good.
  Kerberos GSSAPI authentication and credential delegation looks good.

Red Hat Enterprise Linux AS release 3 (Taroon Update 3) ia64: PASS
  ./configure --with-pam --with-kerberos5=/usr/kerberos
  make tests passes.
  PAM authentication looks good.
  Kerberos GSSAPI authentication and credential delegation looks good.
  (Tested PAM and Kerberos for SNAP ssh but not SNAP sshd on this machine.)

Mac OS X 10.3.8 PowerPC G4 Darwin Kernel Version 7.8.0: FAIL
  ./configure && make tests fails:

run test multiplex.sh ...
test connection multiplexing: envpass
test connection multiplexing: transfer
test connection multiplexing: status 0
test connection multiplexing: status 1
test connection multiplexing: status 4
test connection multiplexing: status 5
test connection multiplexing: status 44
Master running (pid=18137)
Exit request sent.
exit command failed
cat: /Users/jbasney/testing/openssh/regress/pidfile: No such file or directory
no sshd running
failed connection multiplexing
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2

Running ./configure && make tests for openssh-3.9p1.tar.gz on this machine passes.
> Please test! Running the regression tests supplied with Portable
> does not require installation and is a simply:
>
> $ ./configure && make tests
>

Built on Solaris 9 with Krb5-1.4.0 in AFS.

Had to make one change to regress/multiplex.sh since AFS does not support a socket.

--- ,multiplex.sh	Mon Dec  6 06:12:15 2004
+++ multiplex.sh	Thu Mar  3 14:12:37 2005
@@ -1,7 +1,7 @@
 # $OpenBSD: multiplex.sh,v 1.9 2004/11/07 00:32:41 djm Exp $
 # Placed in the Public Domain.
-CTL=$OBJ/ctl-sock
+CTL=/tmp/openssh.regress.ctl-sock
 tid="connection multiplexing"

Tested the ssh using gssapi to a 3.8 system, and it looks good so far.

> Testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

-- 
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
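Review bot: the +CTL= line in the multiplex.sh hunk replaces a per-build-directory path with the fixed name /tmp/openssh.regress.ctl-sock, which is predictable and lives in a world-writable directory: two regression runs on the same machine (or two users running the suite) will collide on the same control socket, and any local user who creates that path first can make the test bind to, or connect to, a socket they control. If the AFS-backed $OBJ cannot hold a socket, use a per-run private directory instead, e.g. `CTL=$(mktemp -d /tmp/openssh.regress.XXXXXX)/ctl-sock` where mktemp -d exists, or at least a name that includes the user and $$ and is created with mode 0700, and remove it at the end of the test.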
Roumen Petrov wrote:
> Hi all,
>
> Please find attached file "readconf-SendEnv.patch".
> This small patch allow ssh to collect variables from the local
> environment that should be sent to the server only from the ssh_config
> section to this host/server.

Patch applied, thanks!

-d
Once upon a time, Damien Miller <djm at mindrot.org> said:
> We are preparing to release another stable OpenSSH soon, so once
> again we are asking for your help in testing CVS snapshots.

I tested SNAP-20050304 on Tru64 with Enhanced Security and it passes the regression tests once I set BIN_SH=xpg4 (otherwise the reconfigure.sh gets stuck in a loop; it and the Tru64 version of the Bourne shell don't agree). Setting BIN_SH=xpg4 makes calls to /bin/sh get a POSIX compliant shell (actually Korn shell).

I remember we talked about a good way to fix this before, but I guess nothing ever changed. Suggestions?

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Hi,

I've tested the 20050304 snapshot on the following platforms:

Solaris 9
IRIX 6.5.24
RHEL 3 (x86)
RHEL 3 (SGI Altix)

All platforms except IRIX tested successfully. On IRIX, make tests fails in the following manner:

run test connect.sh ...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
b8:88:7d:90:c3:2e:cb:b6:24:4c:ce:17:29:9a:3f:88.
Please contact your system administrator.
Add correct host key in /u/wk/imorgan/src/openssh/openssh/regress/known_hosts to get rid of this message.
Offending key in /u/wk/imorgan/src/openssh/openssh/regress/known_hosts:2
RSA1 host key for localhost-with-alias has changed and you have requested strict checking.
Host key verification failed.
ssh connect with protocol 1 failed
failed simple connect
*** Error code 1 (bu21)
*** Error code 1 (bu21)

This happens with both gcc and the MIPSpro compiler.

-- 
Iain Morgan
Hi guys,

Seems like there is an issue with the login grace timeout on Sourcemage Linux. I downloaded and tried openssh-SNAP-20050305.tar.gz and the results are as follows:

System information [Sourcemage/test]

# uname -a
Linux ordo 2.6.8.1 #1 Sun Aug 22 01:32:14 SGT 2004 i686 unknown unknown GNU/Linux
openssl 0.9.7e
bash 3.0

-------------
ok try ciphers
run test yes-head.sh ...
ok yes pipe head
run test login-timeout.sh ...
ssh: connect to host 127.0.0.1 port 4242: Connection refused
ssh connect after login grace timeout failed without privsep
failed connect after login grace timeout
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/home/tusker/openssh/regress'
make: *** [tests] Error 2

Looking at netstat, there seems to be a lingering connection for a short while... but it goes quite quickly...

root at ordo:~# netstat -an | grep 4242
tcp        0      0 127.0.0.1:32938         127.0.0.1:4242          TIME_WAIT
tcp        0      0 127.0.0.1:4242          127.0.0.1:32937         TIME_WAIT
root at ordo:~# netstat -an | grep 4242

Damien
I have tested the openssh snapshot on HP-UX 11.0, HP-UX 11.11 and HP-UX 11.23.

The results on the platforms 11.11, 11.23 PI:

Total tests                    : 35
Total number of tests passed   : 32
Total number of tests skipped  : 03
Total number of tests failed   : 0

The results on the platform 11.0:

Total tests                    : 35
Total number of tests passed   : 31
Total number of tests skipped  : 03
Total number of tests failed   : 1

The test failed on 11.0 in "login-timeout.sh" in the following line in the package:

"(echo SSH-2.0-fake; sleep 60) | telnet localhost ${PORT}"

The failure occurs due to the re-execution feature of sshd. It takes a long time to connect to the server when re-exec is enabled. When the re-execution feature is disabled, the test passes.

Thanks
-logu
Logu wrote:
> I have tested the openssh snapshot on HP-UX 11.0, HP-UX 11.11 and HP-UX
> 11.23

Thanks.

[...]

> The failure occurs due to the re-execution feature of sshd. It takes
> long time to connect to the server when re-exec is enabled. When
> re-execution feature is diabled, the test passes.

This is likely to be the reseeding of the RNG causing this. You can try running ssh-random-helper with -vvv and see if any of the entropy gathering commands take disproportionately longer than the others. If this proves to be the case then you can modify or remove that command in ssh_prng_cmds.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.