Hi,

OpenSSH 5.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release,
with a number of major new features and many bug fixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Changes since OpenSSH 5.3
=========================

Features:

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Deprecate the libsectok/OpenSC-based smartcard code and add
   support for PKCS#11 tokens. PKCS#11 support is automatically enabled
   on all platforms that support dlopen(3) and was inspired by patches
   written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
   manpages

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   (for user authentication) or known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol changes in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618

 * Rewrite the ssh(1) multiplexing support to support non-blocking
   operation of the mux master, improve the resilience of the master to
   malformed messages sent to it by the slave and add support for
   requesting port-forwardings via the multiplex protocol. The new
   stdio-to-local forward mode ("ssh -W host:port ...") is also
   supported. The revised multiplexing protocol is documented in the
   file PROTOCOL.mux in the source distribution.

 * Add a 'read-only' mode to sftp-server(8) that disables open in write
   mode and all other fs-modifying protocol methods. bz#430

 * Allow setting an explicit umask on the sftp-server(8) commandline to
   override whatever default the user has. bz#1229

 * Many improvements to the sftp(1) client, many of which were
   implemented by Carlos Silva through the Google Summer of Code
   program:
   - Support the "-h" (human-readable units) flag for ls
   - Implement tab-completion of commands, local and remote filenames
   - Support most of scp(1)'s commandline arguments in sftp(1), as a
     first step towards making sftp(1) a drop-in replacement for scp(1).
     Note that the rarely-used "-P sftp_server_path" option has been
     moved to "-D sftp_server_path" to make way for "-P port" to match
     scp(1).
   - Add recursive transfer support for get/put and on the commandline

 * New RSA keys will be generated with a public exponent of RSA_F4 =
   (2**16)+1 == 65537 instead of the previous value 35.

 * Passphrase-protected SSH protocol 2 private keys are now protected
   with AES-128 instead of 3DES. This applied to freshly-generated keys
   as well as keys that are reencrypted (e.g. by changing their
   passphrase).

Bugfixes:

 * When using ChrootDirectory, make sure we test for the existence of
   the user's shell inside the chroot and not outside (bz#1679)
 * Cache user and group name lookups in sftp-server using
   user_from_[ug]id(3) to improve performance on hosts where these
   operations are slow (e.g. NIS or LDAP). bz#1495
 * Fix problem that prevented passphrase reading from being interrupted
   in some circumstances; bz#1590
 * Ignore and log any Protocol 1 keys where the claimed size is not
   equal to the actual size.
 * Make HostBased authentication work with a ProxyCommand. bz#1569
 * Avoid run-time failures when specifying hostkeys via a relative
   path by prepending the current working directory in these cases.
   bz#1290
 * Do not prompt for a passphrase if we fail to open a keyfile, and log
   the reason why the open failed to debug. bz#1693
 * Document that the PubkeyAuthentication directive is allowed in a
   sshd_config(5) Match block. bz#1577
 * When converting keys, truncate key comments at 72 chars as per
   RFC4716. bz#1630
 * Do not allow logins if /etc/nologin exists but is not readable by the
   user logging in.
 * Output a debug log if sshd(8) can't open an existing authorized_keys.
   bz#1694
 * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
   usually don't actually have a tty to read/set; bz#1686
 * Prevent sftp from crashing when given a "-" without a command.
   Also, allow whitespace to follow a "-". bz#1691
 * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
   re-execs itself. Prevents two HUPs in quick succession from resulting
   in sshd dying. bz#1692
 * Clarify in sshd_config(5) that StrictModes does not apply to
   ChrootDirectory. Permissions and ownership are always checked when
   chrooting. bz#1532
 * Set close-on-exec on various descriptors so they don't get leaked to
   child processes. bz#1643
 * Fix very rare race condition in x11/agent channel allocation: don't
   read after the end of the select read/write fdset and make sure a
   reused FD is not touched before the pre-handlers are called.
 * Fix incorrect exit status when multiplexing and channel ID 0 is
   recycled. bz#1570
 * Fail with an error when an attempt is made to connect to a server
   with ForceCommand=internal-sftp with a shell session (i.e. not a
   subsystem session). Avoids stuck client when attempting to ssh to
   such a service. bz#1606
 * Warn but do not fail if stat()ing the subsystem binary fails. This
   helps with chrootdirectory+forcecommand=sftp-server and restricted
   shells. bz#1599
 * Change "Connecting to host..." message to "Connected to host."
   and delay it until after the sftp protocol connection has been
   established. Avoids confusing sequence of messages when the
   underlying ssh connection experiences problems. bz#1588
 * Use the HostKeyAlias rather than the hostname specified on the
   commandline when prompting for passwords. bz#1039
 * Correct off-by-one in percent_expand(): we would fatal() when trying
   to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
   actually work. Note that nothing in OpenSSH actually uses close to
   this limit at present. bz#1607
 * Fix passing of empty options from scp(1) and sftp(1) to the
   underlying ssh(1). Also add support for the stop option "--".
 * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
 * Don't escape backslashes when displaying the SSH2 banner. bz#1533
 * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
 * Force use of the correct hash function for random-art signature
   display as it was inheriting the wrong one when bubblebabble
   signatures were activated. bz#1611
 * Do not fall back to adding keys without constraints (ssh-add -c /
   -t ...) when the agent refuses the constrained add request. bz#1612
 * Fix a race condition in ssh-agent that could result in a wedged or
   spinning agent. bz#1633
 * Flush stdio before exec() to ensure that everything (motd
   in particular) has made it out before the streams go away. bz#1596
 * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

 * Use system's kerberos principal name on AIX if it's available.
   bz#1583
 * Disable OOM-killing of the listening sshd on Linux. bz#1740
 * Use pkg-config for opensc config if it's available. bz#1160
 * Unbreak Redhat spec to allow building without askpass. bz#1677
 * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
 * Print error and usage() when ssh-rand-helper is passed command-line
   arguments as none are supported. bz#1568
 * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
   with GatewayPorts=yes. bz#1648
 * Make GNOME 2 askpass dialog desktop-modal. bz#1645
 * If SELinux is enabled set the security context to "sftpd_t" before
   running the internal sftp server. bz#1637
 * Correctly check libselinux for necessary SELinux functions; bz#1713
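The certificate workflow described in the announcement above, as an added example that is not part of the original message or of the OpenSSH distribution: a CA key (an ordinary SSH key) signs a user key and a host key with ssh-keygen(1), the resulting certificates are inspected, and the trust entries for authorized_keys and known_hosts are produced. All file names, key IDs, principals and the host pattern are constructed sample values; the `cert-authority` and `@cert-authority` markers are the ones documented in sshd(8).

```shell
#!/bin/sh
# Added example: issue and inspect OpenSSH certificates with ssh-keygen(1).
# Paths, key IDs, principals and the host pattern are constructed samples.

# make_key FILE COMMENT: create an unencrypted RSA key pair (demo only;
# a real CA key should be passphrase-protected and kept offline).
make_key() {
    ssh-keygen -q -t rsa -b 2048 -N '' -C "$2" -f "$1"
}

# sign_user CA_KEY PUBKEY KEY_ID PRINCIPALS VALIDITY
# Signs PUBKEY as a user certificate and prints the certificate path.
sign_user() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2" || return 1
    printf '%s\n' "${2%.pub}-cert.pub"
}

# sign_host CA_KEY PUBKEY KEY_ID PRINCIPALS VALIDITY
# Same as sign_user, but -h marks the result as a host certificate.
sign_host() {
    ssh-keygen -q -s "$1" -h -I "$3" -n "$4" -V "$5" "$2" || return 1
    printf '%s\n' "${2%.pub}-cert.pub"
}

# cert_type CERT: print the "Type:" field reported by "ssh-keygen -L".
cert_type() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Type:[[:space:]]*//p'
}

# cert_has_principal CERT NAME: succeed if NAME is listed under Principals.
cert_has_principal() {
    ssh-keygen -L -f "$1" | awk -v want="$2" '
        /Principals:/  { inside = 1; next }
        inside && /:/  { inside = 0 }      # next labelled field ends the list
        inside         { if ($1 == want) found = 1 }
        END            { exit found ? 0 : 1 }'
}

# user_ca_line CA_KEY: authorized_keys entry that trusts the CA for users.
user_ca_line() {
    printf 'cert-authority %s\n' "$(cat "$1.pub")"
}

# host_ca_line CA_KEY PATTERN: known_hosts entry that trusts the CA for
# hosts whose names match PATTERN.
host_ca_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cat "$1.pub")"
}

# Run as "sh example.sh demo" to see the whole flow in a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) || exit 1
    make_key "$d/ca_key" example-ca
    make_key "$d/id_rsa" alice
    make_key "$d/ssh_host_rsa_key" server1
    ucert=$(sign_user "$d/ca_key" "$d/id_rsa.pub" alice-laptop alice +1d)
    hcert=$(sign_host "$d/ca_key" "$d/ssh_host_rsa_key.pub" server1 \
        server1.example.com +52w)
    ssh-keygen -L -f "$ucert"
    ssh-keygen -L -f "$hcert"
    user_ca_line "$d/ca_key"
    host_ca_line "$d/ca_key" '*.example.com'
    rm -rf "$d"
fi
```

The certificate type (user or host), the principal list and the validity interval shown by `ssh-keygen -L` are the fields the cert-hostkey.sh and cert-userkey.sh regression tests reported later in this thread exercise.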
Hi Damien,

On Feb 27 18:25, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Can you please check in the patch from http://marc.info/?l=openssh-unix-dev&m=126660110606035&w=2 for 5.4?

And what about http://marc.info/?l=openssh-unix-dev&m=126505289206175&w=2

After the first mail, none of the core developers replied to this issue. There were several suggestions to fix the problem, but without feedback it's hard to come to a sufficient solution.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

It's been a number of years since I've done this, so please excuse me if I'm lacking information in my report

On CentOS 5.4 32bit

Linux mercury 2.6.18-164.11.1.el5PAE #1 SMP Wed Jan 20 08:16:13 EST 2010 i686 i686 i386 GNU/Linux

% gcc -v
Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99
Preprocessor flags:
Linker flags: -fstack-protector-all
Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt

Commands to reproduce:

cvs get openssh
cd openssh
autoreconf
./configure
make tests

[....]
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-pkcs11-helper.c
gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt
openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o): In function `arc4random':
/home/sweh/ssh_testing/openssh/openbsd-compat/bsd-arc4random.c:50: undefined reference to `seed_rng'
collect2: ld returned 1 exit status
make: *** [ssh-pkcs11-helper] Error 1

--
rgds
Stephen
On Sat, 28 Feb 2010 Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Is there any chance this could be fixed for 5.4?

http://marc.info/?l=openssh-unix-dev&m=126533947629149&w=2

I just retested with the 20100228 SNAP and see the same results as in the above link.

I've added a bug report: https://bugzilla.mindrot.org/show_bug.cgi?id=1719
Daniel Kahn Gillmor
2010-Feb-27 20:03 UTC
OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4]
Hi Damien--

On 02/27/2010 02:25 AM, Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

This is exciting news, thanks!

As a contributor to the Monkeysphere (OpenPGP certificates for SSH and TLS [0]), i'm particularly interested in this bit:

> * Add support for certificate authentication of users and hosts using a
>   new, minimal OpenSSH certificate format (not X.509). Certificates
>   contain a public key, identity information and some validity
>   constraints and are signed with a standard SSH public key using
>   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>   (for user authentication) or known_hosts (for host authentication).
>
>   Documentation for certificate support may be found in ssh-keygen(1),
>   sshd(8) and ssh(1) and a description of the protocol changes in
>   PROTOCOL.certkeys.

My initial reaction is surprise -- i had no idea that this was in the works. Where would i have found out that this was being proposed if i wanted to contribute to the work here? I don't see any mention of it in the bug tracker, and if there was discussion about it on this list then i missed it somehow. Should i be subscribed to some other discussion list to get a heads-up about this sort of thing? Is there something else i should follow?

I have some concerns about the model and the implementation, based on what i've read from PROTOCOL.certkeys and the various referenced man pages in cvs HEAD:

0) Yet another certificate format, introducing a novel PKI -- seems like this opens the door to a lot of potential trouble. Simplicity is a good reason to avoid PKI entirely, and OpenSSH has done right by this model so far. But the PKI-less model has its limitations, and when the need for a PKI seems apparent, there are at least two well-known PKIs (OpenPGP and X.509) with decent communities who can contribute insights on what might work and what might cause trouble down the line. The model proposed here is simpler than either existing PKI, but it also seems to have had far less scrutiny, and is OpenSSH-specific, as far as i can tell. OpenSSH doesn't rely on novel/unique asymmetric crypto algorithms, symmetric ciphers, or message digests. Why should certificate formats and PKI be different?

1) Revocations -- there is no room in the infrastructure i can see for revocations. What should a certificate authority do if it discovers that the private key belonging to a certificate has been compromised, and the certificate is not yet expired? What should a server operator do who knows this situation, but currently relies on other certifications from that CA?

2) Tight coupling of authentication and authorization -- there are sometimes good reasons to do this, but it makes certification more difficult, and makes policy much more inflexible for system administrators.

One example of the added complexity the conflation creates is a combinatoric one: say i should be allowed to ssh to dkg at example.com to do whatever i want with my account. But i should *also* be allowed access to our organization's SVN repository over ssh at svn at example.com constrained by a ForceCommand that only allows certain subversion operations. i don't think that's representable in this certificate format.

More generally, a local machine administrator might be fine relying on an external authority to identify remote parties, but might want to authorize different commands for local accounts based on that authentication. Having this tightly coupled model means those local administrators must either accept authorization information from the CAs, or not use certificates at all.

3) Multiple certs over the same key from different issuers -- Say i use the same key to identify myself to machines from multiple domains. if each of those domains runs their own internal certificate authority, i'll have two different versions of id_rsa_cert.pub, right? i see no documentation to indicate how to choose between them in ssh(1) or ssh_config(5).

4) definition of "valid principals" seems underdeveloped in PROTOCOL.certkeys -- For example, there was discussion on-list recently about case insensitivity on some systems (cygwin at least) -- are these expected to match the name of the remote account entirely? If i certify a key for "foo" does that work on all "foo" accounts on every machine that trusts my CA? Can user accounts be specified targeted to a specific machine (e.g. "foo at server3.example.net")? if so, how would sshd make authorization decisions based on the hostname part of the user name?

5) interaction with ssh-agent -- does the agent know about certificates? Can it offer them to a compatible ssh client process? If not, how should a user take advantage of both features? If so, is this a change in the ssh-agent protocol that compatible ssh-agent implementations should be made aware of?

Anyway, these are my immediate reactions to this proposal of new certificate formats for OpenSSH. My current thinking is that this particular change should be pushed back to a later version for more discussion, but of course that's not my call to make.

I'd appreciate any feedback on the thoughts and concerns raised above. As always, thanks for all the work on this excellent tool.

Regards,

--dkg

[0] http://web.monkeysphere.info/
On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>

I do have 2 suggestions only 1 I can recall.

1st is to check if poll is an available option on a system and if not anyone here has an idea for compensating around it?

--
Member - Liberal International
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
USenet NEwsgroups is the ULTIMATE form of blogging and social networking!
On Feb 27 18:25, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.

Including the latest Cygwin-specific changes, OpenSSH from CVS builds fine on Cygwin 1.7. The testsuite runs successfully with a single exception. The exception is sftp-glob.sh, which is an expected failure on Cygwin due to the slash/backslash weirdness on Windows.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

Passes all tests on Mandriva One 2010.0 32-bit.
failing on opensolaris snv_133 SunOS scrub 5.11 snv_133 i86pc i386 i86pc gcc version 3.4.3 (csl-sol210-3_4-20050802) gunzip openssh-SNAP-20100302.tar.gz tar tvf openssh-SNAP-20100302.tar tar xvf openssh-SNAP-20100302.tar cd openssh ./configure make tests [...] run test cert-hostkey.sh ... certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure certified host keys: test host cert connect cert expired expect failure certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key ok certified host keys run test cert-userkey.sh ... certified user keys: sign user rsa cert certified user keys: sign user dsa cert certified user keys: user rsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user rsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). 
ssh cert connect failed certified user keys: ensure CA key does not authenticate user ssh cert connect with CA key succeeded unexpectedly certified user keys: test user cert connect host-certificate expect failure certified user keys: test user cert connect empty principals expect success ssh cert connect empty principals failed unexpectedly certified user keys: test user cert connect wrong principals expect failure certified user keys: test user cert connect cert not yet valid expect failure certified user keys: test user cert connect cert expired expect failure certified user keys: test user cert connect cert valid interval expect success ssh cert connect cert valid interval failed unexpectedly certified user keys: test user cert connect wrong source-address expect failure certified user keys: test user cert connect force-command expect failure failed certified user keys *** Error code 1 The following command caused the error: if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \ for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh 
sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh; do \ echo "run test ${TEST}" ... 1>&2; \ (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh /export/home/iqbala/Download/openssh/regress/test-exec.sh /export/home/iqbala/Download/openssh/regress /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \ done make: Fatal error: Command failed for target `t-exec' Current working directory /export/home/iqbala/Download/openssh/regress *** Error code 1 make: Fatal error: Command failed for target `tests' On Sat, Feb 27, 2010 at 2:25 AM, Damien Miller <djm at mindrot.org> wrote:> Hi, > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a big release, > with a number of major new features and many bug fixes. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > ------------------------------- > > Changes since OpenSSH 5.3 > ========================> > Features: > > ?* After a transition period of about 10 years, this release disables > ? SSH protocol 1 by default. 
Clients and servers that need to use the > ? legacy protocol must explicitly enable it in ssh_config / sshd_config > ? or on the command-line. > > ?* Deprecate the libsectok/OpenSC-based smartcard code and add > ? support for PKCS#11 tokens. PKCS#11 support is automatically enabled > ? on all platforms that support dlopen(3) and was inspired by patches > ? written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) > ? manpages > > ?* Add support for certificate authentication of users and hosts using a > ? new, minimal OpenSSH certificate format (not X.509). Certificates > ? contain a public key, identity information and some validity > ? constraints and are signed with a standard SSH public key using > ? ssh-keygen(1). CA keys may be marked as trusted in authorized_keys > ? (for user authentication) or known_hosts (for host authentication). > > ? Documentation for certificate support may be found in ssh-keygen(1), > ? sshd(8) and ssh(1) and a description of the protocol changes in > ? PROTOCOL.certkeys. > > ?* Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects > ? stdio on the client to a single port forward on the server. This > ? allows, for example, using ssh as a ProxyCommand to route connections > ? via intermediate servers. bz#1618 > > ?* Rewrite the ssh(1) multiplexing support to support non-blocking > ? operation of the mux master, improve the resilience of the master to > ? malformed messages sent to it by the slave and add support for > ? requesting port- forwardings via the multiplex protocol. The new > ? stdio-to-local forward mode ("ssh -W host:port ...") is also > ? supported. The revised multiplexing protocol is documented in the > ? file PROTOCOL.mux in the source distribution. > > ?* Add a 'read-only' mode to sftp-server(8) that disables open in write > ? mode and all other fs-modifying protocol methods. bz#430 > > ?* Allow setting an explicit umask on the sftp-server(8) commandline to > ? 
override whatever default the user has. bz#1229
>
>  * Many improvements to the sftp(1) client, many of which were
>    implemented by Carlos Silva through the Google Summer of Code
>    program:
>    - Support the "-h" (human-readable units) flag for ls
>    - Implement tab-completion of commands, local and remote filenames
>    - Support most of scp(1)'s commandline arguments in sftp(1), as a
>      first step towards making sftp(1) a drop-in replacement for scp(1).
>      Note that the rarely-used "-P sftp_server_path" option has been
>      moved to "-D sftp_server_path" to make way for "-P port" to match
>      scp(1).
>    - Add recursive transfer support for get/put and on the commandline
>
>  * New RSA keys will be generated with a public exponent of RSA_F4 =
>    (2**16)+1 == 65537 instead of the previous value 35.
>
>  * Passphrase-protected SSH protocol 2 private keys are now protected
>    with AES-128 instead of 3DES. This applied to freshly-generated keys
>    as well as keys that are reencrypted (e.g. by changing their
>    passphrase).
>
> Bugfixes:
>
>  * When using ChrootDirectory, make sure we test for the existence of
>    the user's shell inside the chroot and not outside (bz#1679)
>  * Cache user and group name lookups in sftp-server using
>    user_from_[ug]id(3) to improve performance on hosts where these
>    operations are slow (e.g. NIS or LDAP). bz#1495
>  * Fix problem that prevented passphrase reading from being interrupted
>    in some circumstances; bz#1590
>  * Ignore and log any Protocol 1 keys where the claimed size is not
>    equal to the actual size.
>  * Make HostBased authentication work with a ProxyCommand. bz#1569
>  * Avoid run-time failures when specifying hostkeys via a relative
>    path by prepending the current working directory in these cases.
>    bz#1290
>  * Do not prompt for a passphrase if we fail to open a keyfile, and log
>    the reason why the open failed to debug. bz#1693
>  * Document that the PubkeyAuthentication directive is allowed in a
>    sshd_config(5) Match block. bz#1577
>  * When converting keys, truncate key comments at 72 chars as per
>    RFC4716. bz#1630
>  * Do not allow logins if /etc/nologin exists but is not readable by the
>    user logging in.
>  * Output a debug log if sshd(8) can't open an existing authorized_keys.
>    bz#1694
>  * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
>    usually don't actually have a tty to read/set; bz#1686
>  * Prevent sftp from crashing when given a "-" without a command.
>    Also, allow whitespace to follow a "-". bz#1691
>  * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
>    re-execs itself. Prevents two HUPs in quick succession from resulting
>    in sshd dying. bz#1692
>  * Clarify in sshd_config(5) that StrictModes does not apply to
>    ChrootDirectory. Permissions and ownership are always checked when
>    chrooting. bz#1532
>  * Set close-on-exec on various descriptors so they don't get leaked to
>    child processes. bz#1643
>  * Fix very rare race condition in x11/agent channel allocation: don't
>    read after the end of the select read/write fdset and make sure a
>    reused FD is not touched before the pre-handlers are called.
>  * Fix incorrect exit status when multiplexing and channel ID 0 is
>    recycled. bz#1570
>  * Fail with an error when an attempt is made to connect to a server
>    with ForceCommand=internal-sftp with a shell session (i.e. not a
>    subsystem session). Avoids stuck client when attempting to ssh to
>    such a service. bz#1606:
>  * Warn but do not fail if stat()ing the subsystem binary fails. This
>    helps with chrootdirectory+forcecommand=sftp-server and restricted
>    shells. bz #1599
>  * Change "Connecting to host..." message to "Connected to host."
>    and delay it until after the sftp protocol connection has been
>    established. Avoids confusing sequence of messages when the
>    underlying ssh connection experiences problems. bz#1588
>  * Use the HostKeyAlias rather than the hostname specified on the
>    commandline when prompting for passwords. bz#1039
>  * Correct off-by-one in percent_expand(): we would fatal() when trying
>    to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
>    actually work. Note that nothing in OpenSSH actually uses close to
>    this limit at present. bz#1607
>  * Fix passing of empty options from scp(1) and sftp(1) to the
>    underlying ssh(1). Also add support for the stop option "--".
>  * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
>  * Don't escape backslashes when displaying the SSH2 banner. bz#1533
>  * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
>  * Force use of the correct hash function for random-art signature
>    display as it was inheriting the wrong one when bubblebabble
>    signatures were activated. bz#1611
>  * Do not fall back to adding keys without constraints (ssh-add -c /
>    -t ...) when the agent refuses the constrained add request. bz#1612
>  * Fix a race condition in ssh-agent that could result in a wedged or
>    spinning agent. bz#1633
>  * Flush stdio before exec() to ensure that everything (motd
>    in particular) has made it out before the streams go away. bz#1596
>  * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
>
> Portable OpenSSH Bugfixes:
>
>  * Use system's kerberos principal name on AIX if it's available.
>    bz#1583
>  * Disable OOM-killing of the listening sshd on Linux. bz#1740
>  * Use pkg-config for opensc config if it's available. bz#1160
>  * Unbreak Redhat spec to allow building without askpass. bz#1677
>  * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
>  * Print error and usage() when ssh-rand-helper is passed command-
>    line arguments as none are supported. bz#1568
>  * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
>    with GatewayPorts=yes. bz#1648
>  * Make GNOME 2 askpass dialog desktop-modal. bz#1645
>  * If SELinux is enabled set the security context to "sftpd_t" before
>    running the internal sftp server. bz#1637
>  * Correctly check libselinux for necessary SELinux functions; bz#1713
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
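The percent_expand() off-by-one listed in the quoted bugfixes (bz#1607) is a boundary error on a fixed-size key table filled from a NULL-terminated argument list. The sketch below is an added illustration, not OpenSSH's code: `expand_demo()`, the return-code convention in place of fatal(), and the limit of 4 are assumptions made for the demo.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for the demo; the page does not give OpenSSH's value. */
#define EXPAND_MAX_KEYS 4

struct kv {
	const char *key;	/* single-character escape, e.g. "h" for %h */
	const char *repl;	/* text substituted for it */
};

/*
 * Hypothetical model of a percent-expansion helper. The arguments after fmt
 * are (key, replacement) string pairs ended by a (char *)NULL key.
 * fixed == 0 applies the off-by-one limit check, fixed != 0 the corrected one.
 * Returns 0 on success and -1 where the real code would call fatal().
 */
int
expand_demo(int fixed, char *out, size_t outlen, const char *fmt, ...)
{
	struct kv keys[EXPAND_MAX_KEYS];
	va_list ap;
	size_t o = 0, len;
	int n, i, too_many;

	va_start(ap, fmt);
	for (n = 0; n < EXPAND_MAX_KEYS; n++) {
		keys[n].key = va_arg(ap, char *);
		if (keys[n].key == NULL)
			break;
		keys[n].repl = va_arg(ap, char *);
	}
	if (fixed) {
		/* A full table is fine as long as the terminator comes next. */
		too_many = (n == EXPAND_MAX_KEYS &&
		    va_arg(ap, char *) != NULL);
	} else {
		/* Off-by-one: a table that is exactly full is rejected. */
		too_many = (n >= EXPAND_MAX_KEYS);
	}
	va_end(ap);
	if (too_many || outlen == 0)
		return -1;

	for (; *fmt != '\0'; fmt++) {
		const char *s = NULL;

		if (*fmt != '%') {
			if (o + 1 >= outlen)
				return -1;	/* output would not fit */
			out[o++] = *fmt;
			continue;
		}
		if (*++fmt == '\0')
			return -1;		/* dangling '%' */
		if (*fmt == '%')
			s = "%";
		for (i = 0; s == NULL && i < n; i++)
			if (keys[i].key[0] == *fmt)
				s = keys[i].repl;
		if (s == NULL)
			return -1;		/* unknown escape */
		len = strlen(s);
		if (o + len >= outlen)
			return -1;
		memcpy(out + o, s, len);
		o += len;
	}
	out[o] = '\0';
	return 0;
}

int
main(void)
{
	char buf[64];
	int r;

	/* Exactly EXPAND_MAX_KEYS pairs: the boundary case from the bugfix. */
	r = expand_demo(0, buf, sizeof(buf), "%u@%h:%p/%d", "u", "alice",
	    "h", "example.org", "p", "22", "d", "home", (char *)NULL);
	printf("old check, %d keys: %d\n", EXPAND_MAX_KEYS, r);
	r = expand_demo(1, buf, sizeof(buf), "%u@%h:%p/%d", "u", "alice",
	    "h", "example.org", "p", "22", "d", "home", (char *)NULL);
	printf("new check, %d keys: %d (%s)\n", EXPAND_MAX_KEYS, r,
	    r == 0 ? buf : "-");
	return 0;
}
```

The corrected check has to look one argument past the full table to tell "exactly at the limit" from "over the limit", which is why the terminator must be passed as a typed `(char *)NULL`.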
In article <alpine.BSO.2.00.1002271127510.1818 at fuyu.mindrot.org>, Damien Miller wrote:
>Running the regression tests supplied with Portable OpenSSH does not
>require installation and is a simply:
>
>$ ./configure && make tests

I built this from CVS on Ubuntu 10.04 (in development). I used configure options which closely approximate those we use for the Debian package, omitting a couple that go along with Debian patches:

  ./configure --build=i486-linux-gnu --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --disable-strip --with-mantype=doc --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-tcp-wrappers --with-pam --with-libedit --with-ssl-engine --with-selinux --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-cflags='-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT' --with-ldflags='-Wl,--as-needed -fPIE -pie -Wl,-z,relro -Wl,-z,now'

There were a few compiler warnings most of which I don't think are particularly new, although I don't recognise the one in openssl-compat.c. I don't know if you care about all of these but I'll list them for completeness. All regression tests passed. I haven't done serious testing beyond that, although I confirmed that sftp's tab-completion seemed to be working.

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
openssl-compat.c: In function ‘ssh_SSLeay_add_all_algorithms’:
openssl-compat.c:70: warning: implicit declaration of function ‘OPENSSL_config’

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c bindresvport.c
bindresvport.c: In function ‘bindresvport_sa’:
bindresvport.c:71: warning: dereferencing pointer ‘sa’ does break strict-aliasing rules
bindresvport.c:66: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c readpassphrase.c
readpassphrase.c: In function ‘readpassphrase’:
readpassphrase.c:127: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
readpassphrase.c:146: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c channels.c
channels.c: In function ‘channel_decode_socks5’:
channels.c:1235: warning: dereferencing type-punned pointer will break strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c log.c
log.c: In function ‘do_log’:
log.c:388: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c packet.c
packet.c: In function ‘packet_connection_is_ipv4’:
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
monitor_fdpass.c: In function ‘mm_send_fd’:
monitor_fdpass.c:74: warning: dereferencing type-punned pointer will break strict-aliasing rules
monitor_fdpass.c: In function ‘mm_receive_fd’:
monitor_fdpass.c:175: warning: dereferencing type-punned pointer will break strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c umac.c
umac.c: In function ‘pdf_gen_xor’:
umac.c:254: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:257: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:258: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:260: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:261: warning: dereferencing type-punned pointer will break strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c schnorr.c
schnorr.c: In function ‘debug3_bn’:
schnorr.c:468: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result
schnorr.c: In function ‘debug3_buf’:
schnorr.c:493: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshd.c
sshd.c: In function ‘main’:
sshd.c:1742: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c serverloop.c
serverloop.c: In function ‘notify_parent’:
serverloop.c:151: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c
ssh-agent.c: In function ‘main’:
ssh-agent.c:1258: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c scp.c
scp.c: In function ‘lostconn’:
scp.c:1289: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-rand-helper.c
ssh-rand-helper.c: In function ‘get_random_bytes_prngd’:
ssh-rand-helper.c:167: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:166: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:168: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:150: note: initialized from here
ssh-rand-helper.c:171: warning: dereferencing pointer ‘addr_un’ does break strict-aliasing rules
ssh-rand-helper.c:151: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c sftp.c
sftp.c: In function ‘cmd_interrupt’:
sftp.c:219: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

Thanks,

--
Colin Watson [cjwatson at debian.org]
> -----Original Message-----
> From: Scott Neugroschl
> Sent: Monday, March 01, 2010 1:18 PM
> To: openssh-unix-dev at mindrot.org
> Subject: RE: Call for testing: OpenSSH-5.4
>
> >
> > OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release,
> > with a number of major new features and many bug fixes.
> >
>
> Passes all tests on Mandriva One 2010.0 32-bit.

Addendum: This was the 20100302 snapshot.
On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

The 20100302 snapshot builds and tests successfully on the following platforms:

RHEL 5 (x86_64)
SLES 10 (x86_64)
SLES 10 (ia64)

On OS X (Intel), the snapshot builds but fails the regression tests:

run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2

And on Solaris 9 (SPARC/gcc) the tests likewise fail:

run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
*** Error code 1
make: Fatal error: Command failed for target `t-exec'
Current working directory /u/wk/imorgan/src/openssh/openssh/regress
*** Error code 1
make: Fatal error: Command failed for target 'tests'

--
Iain Morgan
On Mon, 1 Mar 2010, The Doctor wrote:

> I do have 2 suggestions only 1 I can recall.
>
> 1st is to check if poll is an available option on a system and if not
> anyone here has an idea for compensating around it?

We do already, see openbsd-compat/bsd-poll.c

-d
On Mac OS X 10.5.8 (Intel)

$ ./configure && make tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2
$

Application of Tim Rice's patch to regress/cert-hostkey.sh lets things get a bit further...

$ make tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
ok certified host keys
run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_user_key_rsa
certified user keys: test user cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_user_key_rsa
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2
$

--
Mark
Please forgive if I'm "doin it wrong" ... but here's what I've got so far in our lab environment ... Using openssh-SNAP-20100303.tar.gz ==== Red Hat Linux 6.2 (Zoot) Kernel: 2.2.14-6.0 i686 egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) - Target: i686-pc-linux-gnu OpenSSL 0.9.8j 07 Jan 2009 ./configure && make tests ... run test agent-ptrace.sh ... [had to kill -9 the gdb process after 10 minutes without any activity] gdb failed: exit code 0 ** Inserting 'exit 0' at the beginning of agent-ptrace.sh and re-running 'make tests' lets the rest of the tests complete ... all tests passed ** Note: the ssh/sshd binaries appear to be fully functional ***PARTIAL SUCCESS*** ==== Red Hat Enterprise Linux ES release 4 (Nahant Update 5) Kernel: 2.6.9-55.0.2.ELsmp i686 gcc version 3.4.6 20060404 (Red Hat 3.4.6-8) - Target: i686-pc-linux-gnu OpenSSL 0.9.7a Feb 19 2003 ./configure --without-zlib-version-check && make tests ssh-keygen.c: In function `parse_cert_times': ssh-keygen.c:1287: error: `BSDoptarg' undeclared (first use in this function) ssh-keygen.c:1287: error: (Each undeclared identifier is reported only once ssh-keygen.c:1287: error: for each function it appears in.) 
make: *** [ssh-keygen.o] Error 1 # rpmbuild -bb ./contrib/redhat/openssh.spec error: parse error in expression error: /usr/src/openssh/contrib/redhat/openssh.spec:77: parseExpressionBoolean returns -1 error: Group field must be present in package: (main package) error: License field must be present in package: (main package) ** spec file broken ***FAILED*** ==== Red Hat Enterprise Linux Server release 5.4 (Tikanga) Kernel: 2.6.18-128.2.1.el5 x86_64 gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) - Target: x86_64-redhat-linux OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 ./configure && make tests all tests passed # rpmbuild -bb contrib/redhat/openssh.spec error: parse error in expression error: /usr/src/openssh/contrib/redhat/openssh.spec:77: parseExpressionBoolean returns -1 error: Group field must be present in package: (main package) error: License field must be present in package: (main package) ** spec file broken ***SUCCESS*** ==== Ubuntu 9.10 (karmic) x86_64 Kernel: 2.6.31-19-generic gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) - Target: x86_64-linux-gnu OpenSSL 0.9.8g 19 Oct 2007 ./configure && make tests all tests passed ***SUCCESS*** ==== HP-UX B.11.23 gcc version 4.1.1 - Target: ia64-hp-hpux11.23 OpenSSL 0.9.7m 23 Feb 2007 ./configure && gmake tests loginrec.c:725: warning: 'struct utmpx' declared inside parameter list loginrec.c:725: warning: its scope is only this definition or declaration, which is probably not what you want loginrec.c:736: warning: 'struct utmpx' declared inside parameter list loginrec.c: In function 'construct_utmpx': loginrec.c:741: error: dereferencing pointer to incomplete type loginrec.c:750: error: dereferencing pointer to incomplete type loginrec.c:753: error: dereferencing pointer to incomplete type loginrec.c:756: error: dereferencing pointer to incomplete type loginrec.c:756: error: dereferencing pointer to incomplete type loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from incompatible pointer type loginrec.c:758: 
error: dereferencing pointer to incomplete type loginrec.c:761: error: dereferencing pointer to incomplete type loginrec.c:762: error: dereferencing pointer to incomplete type loginrec.c:762: error: dereferencing pointer to incomplete type loginrec.c: At top level: loginrec.c:987: warning: 'struct utmpx' declared inside parameter list loginrec.c: In function 'utmpx_write_library': loginrec.c:989: warning: implicit declaration of function 'setutxent' loginrec.c:990: warning: implicit declaration of function 'pututxline' loginrec.c:993: warning: implicit declaration of function 'endutxent' loginrec.c: In function 'utmpx_perform_login': loginrec.c:1012: error: storage size of 'utx' isn't known loginrec.c:1012: warning: unused variable 'utx' loginrec.c: In function 'utmpx_perform_logout': loginrec.c:1033: error: storage size of 'utx' isn't known loginrec.c:1033: warning: unused variable 'utx' loginrec.c: In function 'record_failed_login': loginrec.c:1628: warning: unused variable 'a6' gmake: *** [loginrec.o] Error 1 gmake clean && ./configure --disable-utmpx --disable-wtmpx && make tests ... run test cert-hostkey.sh ... 
certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure Invalid certificate time 20200101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert expired expect failure Invalid certificate time 19800101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key failed certified host keys gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/var/compile/build/openssh/regress' make: *** [tests] Error 2 ***FAILED*** ==== HP-UX B.11.31 ia64 gcc version 4.3.3 (GCC) - Target: ia64-hp-hpux11.31 OpenSSL 0.9.8l 5 Nov 2009 ./configure && gmake tests ... run test cert-hostkey.sh ... 
certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure Invalid certificate time 20200101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert expired expect failure Invalid certificate time 19800101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key failed certified host keys gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/usr/src/openssh/regress' gmake: *** [tests] Error 2 ***FAILED*** ==== HP-UX B.11.31 ia64 cc: HP C/aC++ B3910B A.06.20 [May 13 2008] OpenSSL 0.9.8l 5 Nov 2009 ./configure && gmake tests ... run test cert-hostkey.sh ... 
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake: *** [t-exec] Error 1
*** Error exit code 2
Stop.

***FAILED***

====

AIX 5.3sp7 (5300-07-02-0806) gcc version 4.2.0 - Target: powerpc-ibm-aix5.3.0.0
OpenSSL 0.9.8k 25 Mar 2009

./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2

***FAILED***

====

AIX 6.1sp4 (6100-04-00-0000) - gcc version 4.2.0 - Target: powerpc-ibm-aix6.1.0.0
OpenSSL 0.9.8k 25 Mar 2009

./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2

***FAILED***

====

Not yet sure why the AIX/HP-UX boxes are failing on cert-hostkey.sh. Trying to get sensibly verbose output out of the test script. Suspecting a bsd/linux/gnu difference in command syntax/output vs AIX/HP-UX in the test script.

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

The 20100304 snapshot now builds and tests successfully on the following platforms:

Solaris 9 (SPARC)
OS X 10.5 (Intel)
AIX 5.3

--
Iain Morgan
On 02/27/2010 02:25 AM, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Changes since OpenSSH 5.3
> ========================
>
> Features:
>
> * After a transition period of about 10 years, this release disables
>   SSH protocol 1 by default. Clients and servers that need to use the
>   legacy protocol must explicitly enable it in ssh_config / sshd_config
>   or on the command-line.
>
> * Deprecate the libsectok/OpenSC-based smartcard code and add
>   support for PKCS#11 tokens. PKCS#11 support is automatically enabled
>   on all platforms that support dlopen(3) and was inspired by patches
>   written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
>   manpages
>
> * Add support for certificate authentication of users and hosts using a
>   new, minimal OpenSSH certificate format (not X.509). Certificates
>   contain a public key, identity information and some validity
>   constraints and are signed with a standard SSH public key using
>   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>   (for user authentication) or known_hosts (for host authentication).
>
>   Documentation for certificate support may be found in ssh-keygen(1),
>   sshd(8) and ssh(1) and a description of the protocol changes in
>   PROTOCOL.certkeys.
>
> * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
>   stdio on the client to a single port forward on the server. This
>   allows, for example, using ssh as a ProxyCommand to route connections
>   via intermediate servers. bz#1618
>
> * Rewrite the ssh(1) multiplexing support to support non-blocking
>   operation of the mux master, improve the resilience of the master to
>   malformed messages sent to it by the slave and add support for
>   requesting port-forwardings via the multiplex protocol. The new
>   stdio-to-local forward mode ("ssh -W host:port ...") is also
>   supported. The revised multiplexing protocol is documented in the
>   file PROTOCOL.mux in the source distribution.
>
> * Add a 'read-only' mode to sftp-server(8) that disables open in write
>   mode and all other fs-modifying protocol methods. bz#430
>
> * Allow setting an explicit umask on the sftp-server(8) commandline to
>   override whatever default the user has. bz#1229
>
> * Many improvements to the sftp(1) client, many of which were
>   implemented by Carlos Silva through the Google Summer of Code
>   program:
>   - Support the "-h" (human-readable units) flag for ls
>   - Implement tab-completion of commands, local and remote filenames
>   - Support most of scp(1)'s commandline arguments in sftp(1), as a
>     first step towards making sftp(1) a drop-in replacement for scp(1).
>     Note that the rarely-used "-P sftp_server_path" option has been
>     moved to "-D sftp_server_path" to make way for "-P port" to match
>     scp(1).
>   - Add recursive transfer support for get/put and on the commandline
>
> * New RSA keys will be generated with a public exponent of RSA_F4 =
>   (2**16)+1 == 65537 instead of the previous value 35.
>
> * Passphrase-protected SSH protocol 2 private keys are now protected
>   with AES-128 instead of 3DES. This applied to freshly-generated keys
>   as well as keys that are reencrypted (e.g. by changing their
>   passphrase).
>
> Bugfixes:
>
> * When using ChrootDirectory, make sure we test for the existence of
>   the user's shell inside the chroot and not outside (bz#1679)
> * Cache user and group name lookups in sftp-server using
>   user_from_[ug]id(3) to improve performance on hosts where these
>   operations are slow (e.g. NIS or LDAP). bz#1495
> * Fix problem that prevented passphrase reading from being interrupted
>   in some circumstances; bz#1590
> * Ignore and log any Protocol 1 keys where the claimed size is not
>   equal to the actual size.
> * Make HostBased authentication work with a ProxyCommand. bz#1569
> * Avoid run-time failures when specifying hostkeys via a relative
>   path by prepending the current working directory in these cases.
>   bz#1290
> * Do not prompt for a passphrase if we fail to open a keyfile, and log
>   the reason why the open failed to debug. bz#1693
> * Document that the PubkeyAuthentication directive is allowed in a
>   sshd_config(5) Match block. bz#1577
> * When converting keys, truncate key comments at 72 chars as per
>   RFC4716. bz#1630
> * Do not allow logins if /etc/nologin exists but is not readable by the
>   user logging in.
> * Output a debug log if sshd(8) can't open an existing authorized_keys.
>   bz#1694
> * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
>   usually don't actually have a tty to read/set; bz#1686
> * Prevent sftp from crashing when given a "-" without a command.
>   Also, allow whitespace to follow a "-". bz#1691
> * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
>   re-execs itself. Prevents two HUPs in quick succession from resulting
>   in sshd dying. bz#1692
> * Clarify in sshd_config(5) that StrictModes does not apply to
>   ChrootDirectory. Permissions and ownership are always checked when
>   chrooting. bz#1532
> * Set close-on-exec on various descriptors so they don't get leaked to
>   child processes. bz#1643
> * Fix very rare race condition in x11/agent channel allocation: don't
>   read after the end of the select read/write fdset and make sure a
>   reused FD is not touched before the pre-handlers are called.
> * Fix incorrect exit status when multiplexing and channel ID 0 is
>   recycled. bz#1570
> * Fail with an error when an attempt is made to connect to a server
>   with ForceCommand=internal-sftp with a shell session (i.e. not a
>   subsystem session). Avoids stuck client when attempting to ssh to
>   such a service. bz#1606:
> * Warn but do not fail if stat()ing the subsystem binary fails. This
>   helps with chrootdirectory+forcecommand=sftp-server and restricted
>   shells. bz #1599
> * Change "Connecting to host..." message to "Connected to host."
>   and delay it until after the sftp protocol connection has been
>   established. Avoids confusing sequence of messages when the
>   underlying ssh connection experiences problems. bz#1588
> * Use the HostKeyAlias rather than the hostname specified on the
>   commandline when prompting for passwords. bz#1039
> * Correct off-by-one in percent_expand(): we would fatal() when trying
>   to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
>   actually work. Note that nothing in OpenSSH actually uses close to
>   this limit at present. bz#1607
> * Fix passing of empty options from scp(1) and sftp(1) to the
>   underlying ssh(1). Also add support for the stop option "--".
> * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
> * Don't escape backslashes when displaying the SSH2 banner. bz#1533
> * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
> * Force use of the correct hash function for random-art signature
>   display as it was inheriting the wrong one when bubblebabble
>   signatures were activated. bz#1611
> * Do not fall back to adding keys without constraints (ssh-add -c /
>   -t ...) when the agent refuses the constrained add request. bz#1612
> * Fix a race condition in ssh-agent that could result in a wedged or
>   spinning agent. bz#1633
> * Flush stdio before exec() to ensure that everything (motd
>   in particular) has made it out before the streams go away. bz#1596
> * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
>
> Portable OpenSSH Bugfixes:
>
> * Use system's kerberos principal name on AIX if it's available.
>   bz#1583
> * Disable OOM-killing of the listening sshd on Linux. bz#1740
> * Use pkg-config for opensc config if it's available. bz#1160
> * Unbreak Redhat spec to allow building without askpass. bz#1677
> * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
> * Print error and usage() when ssh-rand-helper is passed command-
>   line arguments as none are supported. bz#1568
> * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
>   with GatewayPorts=yes. bz#1648
> * Make GNOME 2 askpass dialog desktop-modal. bz#1645
> * If SELinux is enabled set the security context to "sftpd_t" before
>   running the internal sftp server. bz#1637
> * Correctly check libselinux for necessary SELinux functions; bz#1713
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

openSUSE 11.2 (x86_64)
VERSION = 11.2
Linux allison 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 x86_64 x86_64 x86_64 GNU/Linux

Passed all tests with snapshot, openssh-SNAP-20100303.tar.gz

LDB
Going for brevity here - full test results/output are available on request ...

Using openssh-SNAP-20100304.tar.gz

Summary:

+ Ubuntu 6.10 i686 - gcc 4.1.3 - OpenSSL 0.9.8m - build OK - all tests passed
+ Ubuntu 9.10 x86_64 - gcc 4.4.1 - OpenSSL 0.9.8g - build OK - all tests passed
+ AIX 5.2 sp10 power - gcc 3.3.2 - OpenSSL 0.9.8f - build OK - all tests passed
+ AIX 5.3 sp7 power - gcc 4.2.0 - OpenSSL 0.9.8k - build OK - all tests passed
+ AIX 6.1 sp4 power - gcc 4.2.0 - OpenSSL 0.9.8k - build OK - all tests passed
+ HP-UX 11.11 hppa2 - gcc 4.1.1 - OpenSSL 0.9.7m - build OK - all tests passed
+ HP-UX 11.23 ia64 - gcc 4.1.1 - OpenSSL 0.9.7m - build OK *1 - all tests passed
+ HP-UX 11.31 ia64 - gcc 4.3.3 - OpenSSL 0.9.8l - build OK *1 - all tests passed
+ HP-UX 11.31 ia64 - HP C/aC++ A.06.20 - OpenSSL 0.9.8l - build OK - all tests passed
+ RH 6.2 i686 - egcs-2.91.66 - OpenSSL 0.9.8j - build OK - all tests passed *2
+ RH 8.0 i686 - gcc 3.2.2 - OpenSSL 0.9.7a - build OK - all tests passed
+ RHEL 2.1 i686 - gcc 2.9.6 - OpenSSL 0.9.8m - build OK - all tests passed
+ RHEL 3.0 TU6 i686 - gcc 2.9.6 - OpenSSL 0.9.8m - build OK - all tests passed
- RHEL 4.0 NU5 i686 - gcc 3.4.6 - OpenSSL 0.9.7a - build FAIL - *3
+ RHEL 5.4 x86_64 - gcc 4.1.2 - OpenSSL 0.9.8e-fips-rhel5 - build OK - all tests passed

*1 :: HP-UX 11.23/11.31 systems using gcc apparently must './configure --disable-utmpx' or compile aborts here, (interesting to note that the HP Ansi C/C++ compiler doesn't have this problem):

loginrec.c:725: warning: 'struct utmpx' declared inside parameter list
loginrec.c:725: warning: its scope is only this definition or declaration, which is probably not what you want
loginrec.c:736: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'construct_utmpx':
loginrec.c:741: error: dereferencing pointer to incomplete type
loginrec.c:750: error: dereferencing pointer to incomplete type
loginrec.c:753: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from incompatible pointer type
loginrec.c:758: error: dereferencing pointer to incomplete type
loginrec.c:761: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c: At top level:
loginrec.c:987: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'utmpx_write_library':
loginrec.c:989: warning: implicit declaration of function 'setutxent'
loginrec.c:990: warning: implicit declaration of function 'pututxline'
loginrec.c:993: warning: implicit declaration of function 'endutxent'
loginrec.c: In function 'utmpx_perform_login':
loginrec.c:1012: error: storage size of 'utx' isn't known
loginrec.c:1012: warning: unused variable 'utx'
loginrec.c: In function 'utmpx_perform_logout':
loginrec.c:1033: error: storage size of 'utx' isn't known
loginrec.c:1033: warning: unused variable 'utx'
loginrec.c: In function 'record_failed_login':
loginrec.c:1628: warning: unused variable 'a6'
gmake: *** [loginrec.o] Error 1

*2 :: On Red Hat 6.2 openssh builds cleanly and appears to work fine, but test 'regress/agent-ptrace.sh' hangs hard and requires a 'kill -9' of the gdb process to continue - hacking the script to exit 0 at the beginning works around this. Still investigating what's wrong here.

*3 :: replicated this on three different servers running these releases - maybe there's something wrong with how configure is identifying these boxes?

OPSYS: Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
KERNEL: 2.6.9-67.ELsmp i686
CC: gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)
TARGET: i686-pc-linux-gnu
SSL: OpenSSL 0.9.7a Feb 19 2003

OPSYS: Red Hat Enterprise Linux ES release 4 (Nahant Update 5)
KERNEL: 2.6.9-55.0.2.ELsmp i686
CC: gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)
TARGET: i686-pc-linux-gnu
SSL: OpenSSL 0.9.7a Feb 19 2003

./configure --with-zlib=/var/tmp/zlib && make tests
...
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags: -I/var/tmp/zlib/include
Linker flags: -L/var/tmp/zlib/lib
Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt
...
ssh-keygen.c: In function `parse_cert_times':
ssh-keygen.c:1303: error: `BSDoptarg' undeclared (first use in this function)
ssh-keygen.c:1303: error: (Each undeclared identifier is reported only once
ssh-keygen.c:1303: error: for each function it appears in.)
make: *** [ssh-keygen.o] Error 1

Looks to be this bit here:

        if (to == NULL || from == to || *(to + 1) == '\0')
>>>             fatal("Invalid certificate life specification %s", optarg);
        *to++ = '\0';

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
Once upon a time, Damien Miller <djm at mindrot.org> said:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Hmm, build of 20100304 fails on Tru64 (ignore the "long long" info messages):

cc -I/usr/local/include -O -ieee -std1 -arch generic -tune ev67 -I. -I. -DSSHDIR=\"/usr/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty/sshd\" -DSSH_RAND_HELPER=\"/usr/local/libexec/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keygen.c
cc: Info: ssh-keygen.c, line 116: The integer constant is of type "unsigned long long", which is a new feature of C99 might not be portable. (longlongsufx)
u_int64_t cert_valid_to = ~0ULL;
---------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 106: In this declaration, type "long long" is a new feature in C99. (longlongtype)
int fmt_scaled(long long number, char *result);
-------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 184: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtoll(const char *, char **, int);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
---------------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
--------------------------------------------^
cc: Error: ssh-keygen.c, line 1303: In this statement, "BSDoptarg" is not declared. (undeclared)
fatal("Invalid certificate life specification %s", optarg);
-------------------------------------------------------------------^
make: *** [ssh-keygen.o] Error 1

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
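The RHEL 4 and Tru64 build failures reported above both point at the line in parse_cert_times that reports a bad value through getopt's optarg, which those compilers see as an undeclared BSDoptarg. As an added illustration (not OpenSSH's code), the parser below reports errors through its own argument and then classifies an interval as valid, not yet valid or expired, the three states the cert-hostkey.sh output exercises. Assumptions: every function and constant name is hypothetical, only the YYYYMMDD:YYYYMMDD form is handled, and dates are taken as midnight UTC.

```c
/* Added example, not OpenSSH source. All names here are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { LIFE_OK = 0, LIFE_BAD_SPEC = -1, LIFE_BAD_TIME = -2 };
enum { CERT_VALID = 0, CERT_NOT_YET_VALID = 1, CERT_EXPIRED = 2 };

/* Constructed sample clock: 2010-03-04 00:00:00 UTC. */
#define SAMPLE_NOW 1267660800ULL

/* Days from 1970-01-01 to y-m-d in the Gregorian calendar (y >= 1970). */
static int64_t days_from_civil(int y, int m, int d)
{
    int64_t era;
    int yoe, doy, doe;

    y -= (m <= 2);                      /* count the year from 1 March */
    era = y / 400;
    yoe = (int)(y - era * 400);
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse exactly eight digits, YYYYMMDD, as midnight UTC. 0 on success. */
static int parse_yyyymmdd(const char *s, size_t len, uint64_t *out)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int n = 0, y, m, d, leap;
    size_t i;

    if (len != 8)
        return -1;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        n = n * 10 + (s[i] - '0');
    }
    y = n / 10000;
    m = n / 100 % 100;
    d = n % 100;
    leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    if (y < 1970 || m < 1 || m > 12 || d < 1 ||
        d > mdays[m - 1] + (m == 2 && leap))
        return -1;
    *out = (uint64_t)days_from_civil(y, m, d) * 86400ULL;
    return 0;
}

/* Split "from:to" without modifying spec or reading any getopt global. */
int parse_cert_life(const char *spec, uint64_t *from, uint64_t *to,
    char *err, size_t errlen)
{
    const char *colon = strchr(spec, ':');

    /* Same three rejections as the snippet quoted in the thread, but the
     * message names this function's own argument. */
    if (colon == NULL || colon == spec || colon[1] == '\0') {
        snprintf(err, errlen, "Invalid certificate life specification %s", spec);
        return LIFE_BAD_SPEC;
    }
    if (parse_yyyymmdd(spec, (size_t)(colon - spec), from) != 0 ||
        parse_yyyymmdd(colon + 1, strlen(colon + 1), to) != 0) {
        snprintf(err, errlen, "Invalid certificate time in %s", spec);
        return LIFE_BAD_TIME;
    }
    if (*to <= *from) {
        snprintf(err, errlen, "Empty certificate validity interval %s", spec);
        return LIFE_BAD_SPEC;
    }
    if (errlen > 0)
        err[0] = '\0';
    return LIFE_OK;
}

/* Valid from 'from' (inclusive) until 'to' (exclusive). */
int cert_time_status(uint64_t from, uint64_t to, uint64_t now)
{
    if (now < from)
        return CERT_NOT_YET_VALID;
    if (now >= to)
        return CERT_EXPIRED;
    return CERT_VALID;
}

/* Negative LIFE_* code on a bad spec, otherwise a CERT_* status. */
int check_spec(const char *spec, uint64_t now)
{
    uint64_t from, to;
    char err[128];
    int r = parse_cert_life(spec, &from, &to, err, sizeof(err));

    return r != LIFE_OK ? r : cert_time_status(from, to, now);
}

int main(void)
{
    /* Constructed inputs covering the cases named in the regress output. */
    const char *specs[] = { "20100101:20110101", "20200101:20300101",
        "19800101:19900101", "20100101:", "20100231:20110101" };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
        printf("%-20s -> %d\n", specs[i], check_spec(specs[i], SAMPLE_NOW));
    return 0;
}
```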
The openssh 5.4 snap 20100302 compiles on fedora rawhide.

--
JFCh
On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

The 20100305 snapshot built and tested successfully on the following:

RHEL 5 (x86_64)
SLES 10 (x86_64)
SLES 10 (ia64)
AIX 5.3
Solaris 9 (SPARC)
OS X 10.5 (Intel)

--
Iain Morgan
On Fri, Feb 26, 2010 at 23:25, Damien Miller <djm at mindrot.org> wrote:> Hi, > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a big release, > with a number of major new features and many bug fixes. > >Using openssh-SNAP-20100306.tar.gz new issue on RHEL 5.4 x86_64: with SUDO set .. ... run test agent.sh ... sudo: sorry, you must have a tty to run sudo ssh_exchange_identification: Connection closed by remote host agent fwd proto 1 failed (exit code 0) sudo: sorry, you must have a tty to run sudo ssh_exchange_identification: Connection closed by remote host agent fwd proto 2 failed (exit code 0) failed simple agent test gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress' gmake: *** [tests] Error 2 Caused by: http://kbase.redhat.com/faq/docs/15839 ... The /etc/sudoers file in Red Hat Enterprise Linux 5 has a default flag 'requiretty'. With this flag set, only logged in users can execute commands through sudo. This will disallow execution of sudo commands remotely through rsh or ssh. The rsh and ssh utilities do not allocate a tty. It is recommended to keep this flag to prevent a user from entering a visible password. With ssh, use -t to force pseudo-tty allocation My proposed fix ... *** regress/agent.sh 2010-03-05 14:01:13.000000000 -0800 --- regress/agent.sh.orig 2008-03-12 05:58:56.000000000 -0700 *************** *** 45,51 **** trace "simple connect via agent" for p in 1 2; do ! ${SSH} -t -$p -F $OBJ/ssh_proxy somehost exit 5$p if [ $? -ne 5$p ]; then fail "ssh connect with protocol $p failed (exit code $?)" fi --- 45,51 ---- trace "simple connect via agent" for p in 1 2; do ! ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p if [ $? -ne 5$p ]; then fail "ssh connect with protocol $p failed (exit code $?)" fi *************** *** 53,63 **** trace "agent forwarding" for p in 1 2; do ! 
${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" fi ! ${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" if [ $? -ne 5$p ]; then fail "agent fwd proto $p failed (exit code $?)" --- 53,63 ---- trace "agent forwarding" for p in 1 2; do ! ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" fi ! ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" if [ $? -ne 5$p ]; then fail "agent fwd proto $p failed (exit code $?)" Once this is applied - all tests passed -- # include <stddisclaimer.h> /* Kevin Brott <Kevin.Brott at gmail.com> */
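Review bot: the diff is reversed: the "***" (from) side is the modified regress/agent.sh, whose "!" lines carry -t, and the "---" (to) side is regress/agent.sh.orig without it, so applied as posted this would remove -t rather than add it; regenerate it with the .orig file first (diff -c regress/agent.sh.orig regress/agent.sh). On the change itself, adding -t to every outer ${SSH} call in the "simple connect via agent" and "agent forwarding" loops makes the test depend on pty allocation on all platforms in order to satisfy one distribution's requiretty sudoers default; consider adding the flag only when $SUDO is set, or documenting the sudoers requirement, so the non-pty path stays covered. The inner "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" in the second hunk is left without -t, which deserves a comment in the script saying whether that is intentional.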
On Fri, Feb 26, 2010 at 23:25, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
>

Using openssh-SNAP-20100306.tar.gz

Summary:

lx1072 + Ubuntu 6.10 i686 - builds - all tests passed
hobbes + Ubuntu 9.10 x86_64 - builds - all tests passed
ux0643 + AIX 5.2 sp10 power - builds - all tests passed
ux9039 + AIX 5.3 sp7 power - builds - all tests passed
ux9001 + AIX 6.1 sp4 power - builds - all tests passed
ux1090 + HP-UX 11.11 hppa2 - builds - all tests passed
ux1025 + HP-UX 11.23 ia64 - builds - tests PARTIAL FAIL *1
ux9115 + HP-UX 11.31 ia64 gcc - builds - tests FAIL *2
ux9115 + HP-UX 11.31 ia64 aCC - builds - all tests passed
phswaora01 + RH 6.2 i686 - builds - tests PARTIAL FAIL *3
lx1030 + RH 8.0 i686 - builds - all tests passed
lx0527 + RHEL 2.1 i686 - builds - tests PARTIAL FAIL *4
lx1098 + RHEL 3.0 tu8 i686 - builds - all tests passed
lx9002 + RHEL 4.0 nu5 i686 - builds - all tests passed
lx9003 + RHEL 5.4 i686 - builds - all tests passed *5

*1 :: Tests run as non-root user ...

export SUDO=`which sudo`
...
run test connect.sh ...
Password:
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied (root:sys 0600)
no sshd running
ok simple connect
run test proxy-connect.sh ...
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
no sshd running
ok proxy connect
...etc...
run test reconfigure.sh ...
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
usage: kill [ -signo ] pid ...
FATAL: sshd did not restart
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

stale sshd process running from build dir - killed it

unset SUDO
...
run test connect.sh ...
Permission denied.
ssh connect with protocol 1 failed
Permission denied (publickey,password,keyboard-interactive).
ssh connect with protocol 2 failed
failed simple connect
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

:: Run as root user, or 'sudo gmake tests' - all tests passed

*2 :: Tests fail (root/non-root):

...
run test agent-ptrace.sh ...
ptrace succeeded?: exit code 1
failed disallow agent ptrace attach
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

*3 :: Tests fail as non-root user (w/out SUDO) at:

...
run test connect.sh ...
Connection closed by 127.0.0.1
ssh connect with protocol 1 failed
Read from socket failed: Broken pipe
ssh connect with protocol 2 failed
failed simple connect
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

:: export SUDO=`which sudo` ... all(-1) tests passed (agent-ptrace.sh which still hangs in gdb)

*4 :: Tests fail as non-root user (w/wout SUDO) at

...
run test agent-getpeereid.sh ...
ssh-add did not fail for nobody: 1 < 2
failed disallow agent attach from other uid
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

:: Run as root user, or 'sudo gmake tests' - all tests passed

*5 :: patch of regress/agents.sh required. See previous email.

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>

all tests passed on mac-osx

logu at logu-osx: openssh$ uname -a
Darwin logu-osx.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
logu at logu-osx: openssh$ gcc
i686-apple-darwin9-gcc-4.0.1: no input files