openssh unix dev - Feb 2010 - Call for testing: OpenSSH-5.4

Hi,

OpenSSH 5.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release,
with a number of major new features and many bug fixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Changes since OpenSSH 5.3
========================
Features:

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Deprecate the libsectok/OpenSC-based smartcard code and add
   support for PKCS#11 tokens. PKCS#11 support is automatically enabled
   on all platforms that support dlopen(3) and was inspired by patches
   written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
   manpages

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   (for user authentication) or known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol changes in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..."
This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618

 * Rewrite the ssh(1) multiplexing support to support non-blocking
   operation of the mux master, improve the resilience of the master to
   malformed messages sent to it by the slave and add support for
   requesting port- forwardings via the multiplex protocol. The new
   stdio-to-local forward mode ("ssh -W host:port ...") is also
   supported. The revised multiplexing protocol is documented in the
   file PROTOCOL.mux in the source distribution.

 * Add a 'read-only' mode to sftp-server(8) that disables open in write
   mode and all other fs-modifying protocol methods. bz#430

 * Allow setting an explicit umask on the sftp-server(8) commandline to
   override whatever default the user has. bz#1229

 * Many improvements to the sftp(1) client, many of which were
   implemented by Carlos Silva through the Google Summer of Code
   program:
   - Support the "-h" (human-readable units) flag for ls
   - Implement tab-completion of commands, local and remote filenames
   - Support most of scp(1)'s commandline arguments in sftp(1), as a
     first step towards making sftp(1) a drop-in replacement for scp(1).
     Note that the rarely-used "-P sftp_server_path" option has been
     moved to "-D sftp_server_path" to make way for "-P
port" to match
     scp(1).
   - Add recursive transfer support for get/put and on the commandline

 * New RSA keys will be generated with a public exponent of RSA_F4 =   (2**16)+1
== 65537 instead of the previous value 35.

 * Passphrase-protected SSH protocol 2 private keys are now protected
   with AES-128 instead of 3DES. This applied to freshly-generated keys
   as well as keys that are reencrypted (e.g. by changing their
   passphrase).

Bugfixes:

 * When using ChrootDirectory, make sure we test for the existence of
   the user's shell inside the chroot and not outside (bz#1679)
 * Cache user and group name lookups in sftp-server using
   user_from_[ug]id(3) to improve performance on hosts where these
   operations are slow (e.g. NIS or LDAP). bz#1495
 * Fix problem that prevented passphrase reading from being interrupted
   in some circumstances; bz#1590
 * Ignore and log any Protocol 1 keys where the claimed size is not
   equal to the actual size.
 * Make HostBased authentication work with a ProxyCommand. bz#1569
 * Avoid run-time failures when specifying hostkeys via a relative
   path by prepending the current working directory in these cases.
   bz#1290
 * Do not prompt for a passphrase if we fail to open a keyfile, and log
   the reason why the open failed to debug. bz#1693
 * Document that the PubkeyAuthentication directive is allowed in a
   sshd_config(5) Match block. bz#1577
 * When converting keys, truncate key comments at 72 chars as per
   RFC4716. bz#1630
 * Do not allow logins if /etc/nologin exists but is not readable by the
   user logging in.
 * Output a debug log if sshd(8) can't open an existing authorized_keys.
   bz#1694
 * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
   usually don't actually have a tty to read/set; bz#1686
 * Prevent sftp from crashing when given a "-" without a command.
   Also, allow whitespace to follow a "-". bz#1691
 * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
   re-execs itself. Prevents two HUPs in quick succession from resulting
   in sshd dying. bz#1692
 * Clarify in sshd_config(5) that StrictModes does not apply to
   ChrootDirectory. Permissions and ownership are always checked when
   chrooting. bz#1532
 * Set close-on-exec on various descriptors so they don't get leaked to
   child processes. bz#1643
 * Fix very rare race condition in x11/agent channel allocation: don't
   read after the end of the select read/write fdset and make sure a
   reused FD is not touched before the pre-handlers are called.
 * Fix incorrect exit status when multiplexing and channel ID 0 is
   recycled. bz#1570
 * Fail with an error when an attempt is made to connect to a server
   with ForceCommand=internal-sftp with a shell session (i.e. not a
   subsystem session). Avoids stuck client when attempting to ssh to
   such a service. bz#1606:
 * Warn but do not fail if stat()ing the subsystem binary fails. This
   helps with chrootdirectory+forcecommand=sftp-server and restricted
   shells. bz #1599
 * Change "Connecting to host..." message to "Connected to
host."
   and delay it until after the sftp protocol connection has been
   established. Avoids confusing sequence of messages when the
   underlying ssh connection experiences problems. bz#1588
 * Use the HostKeyAlias rather than the hostname specified on the
   commandline when prompting for passwords. bz#1039
 * Correct off-by-one in percent_expand(): we would fatal() when trying
   to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
   actually work. Note that nothing in OpenSSH actually uses close to
   this limit at present. bz#1607
 * Fix passing of empty options from scp(1) and sftp(1) to the
   underlying ssh(1). Also add support for the stop option "--".
 * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
 * Don't escape backslashes when displaying the SSH2 banner. bz#1533
 * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
 * Force use of the correct hash function for random-art signature
   display as it was inheriting the wrong one when bubblebabble
   signatures were activated. bz#1611
 * Do not fall back to adding keys without contraints (ssh-add -c /
   -t ...) when the agent refuses the constrained add request. bz#1612
 * Fix a race condition in ssh-agent that could result in a wedged or
   spinning agent. bz#1633
 * Flush stdio before exec() to ensure that everying (motd
   in particular) has made it out before the streams go away. bz#1596
 * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

 * Use system's kerberos principal name on AIX if it's available.
   bz#1583
 * Disable OOM-killing of the listening sshd on Linux. bz#1740
 * Use pkg-config for opensc config if it's available. bz#1160
 * Unbreak Redhat spec to allow building without askpass. bz#1677
 * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
 * Print error and usage() when ssh-rand-helper is passed command-
   line arguments as none are supported. bz#1568
 * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
   with GatwayPorts=yes. bz#1648
 * Make GNOME 2 askpass dialog desktop-modal. bz#1645
 * If SELinux is enabled set the security context to "sftpd_t" before
   running the internal sftp server. bz#1637
 * Correctly check libselinux for necessary SELinux functions; bz#1713

Hi Damien,

On Feb 27 18:25, Damien Miller wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
Can you please check in the patch from
http://marc.info/?l=openssh-unix-dev&m=126660110606035&w=2 for 5.4?

And what about
http://marc.info/?l=openssh-unix-dev&m=126505289206175&w=2
After the first mail, none of the core developers replied to this issue.
There were several suggestions to fix the problem, but without feedback
it's hard to come to a sufficient solution.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller
wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
It's been a number of years since I've done this, so please excuse me if
I'm lacking information in my report

On CentOS 5.4 32bit
Linux mercury 2.6.18-164.11.1.el5PAE #1 SMP Wed Jan 20 08:16:13 EST 2010 i686
i686 i386 GNU/Linux
% gcc -v
Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-libgcj-multifile
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --enable-plugin
--with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic
--host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-std=gnu99
Preprocessor flags:
      Linker flags:  -fstack-protector-all
         Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl  -lcrypt



Commands to reproduce:
  cvs get openssh
  cd openssh
  autoreconf
  ./configure
  make tests

[....]

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-std=gnu99  -I. -I.  -DSSHDIR=\"/usr/local/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\"
-DHAVE_CONFIG_H -c ssh-pkcs11-helper.c
gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ 
-fstack-protector-all -lssh -lopenbsd-compat -lresolv -lcrypto -ldl -lutil -lz
-lnsl  -lcrypt
openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o): In function
`arc4random':
/home/sweh/ssh_testing/openssh/openbsd-compat/bsd-arc4random.c:50: undefined
reference to `seed_rng'
collect2: ld returned 1 exit status
make: *** [ssh-pkcs11-helper] Error 1

-- 

rgds
Stephen

On Sat, 28 Feb 2010 Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing 
> on as many platforms and systems as possible. This is a big release, 
> with a number of major new features and many bug fixes.
Is there any chance this could be fixed for 5.4?

   http://marc.info/?l=openssh-unix-dev&m=126533947629149&w=2

I just retested with the 20100228 SNAP and see the same results as in the 
above link.

I've added a bug report:

   https://bugzilla.mindrot.org/show_bug.cgi?id=1719

Hi Damien--

On 02/27/2010 02:25 AM, Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
This is exciting news, thanks!

As a contributor to the Monkeysphere (OpenPGP certificates for SSH and
TLS [0]), i'm particularly interested in this bit:
>  * Add support for certificate authentication of users and hosts using a
>    new, minimal OpenSSH certificate format (not X.509). Certificates
>    contain a public key, identity information and some validity
>    constraints and are signed with a standard SSH public key using
>    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>    (for user authentication) or known_hosts (for host authentication).
> 
>    Documentation for certificate support may be found in ssh-keygen(1),
>    sshd(8) and ssh(1) and a description of the protocol changes in
>    PROTOCOL.certkeys.
My initial reaction is surprise -- i had no idea that this was in the
works.  Where would i have found out that this was being proposed if i
wanted to contribute to the work here?  I don't see any mention of it in
the bug tracker, and if there was discussion about it on this list then
i missed it somehow.  Should i be subscribed to some other discussion
list to get a heads-up about this sort of thing?  Is there something
else i should follow?

I have some concerns about the model and the implementation, based on
what i've read from PROTOCOL.certkeys and the various referenced man
pages in cvs HEAD:

 0) Yet another certificate format, introducing a novel PKI -- seems
like this opens the door to a lot of potential trouble.  Simplicity is a
good reason to avoid PKI entirely, and OpenSSH has done right by this
model so far.  But the PKI-less model has its limitations, and when the
need for a PKI seems apparent, there are at least two well-known PKIs
(OpenPGP and X.509) with decent communities who can contribute insights
on what might work and what might cause trouble down the line.  The
model proposed here is simpler than either existing PKI, but it also
seems to have had far less scrutiny, and is OpenSSH-specific, as far as
i can tell.  OpenSSH doesn't rely on novel/unique asymmetric crypto
algorithms, symmetric ciphers, or message digests.  Why should
certificate formats and PKI be different?

 1) Revocations -- there is no room in the infrastructure i can see for
revocations.  What should a certificate authority do if it discovers
that the private key belonging to a certificate has been compromised,
and the certificate is not yet expired?  What should a server operator
do who knows this situation, but currently relies on other
certifications from that CA?

 2) Tight coupling of authentication and authorization -- there are
sometimes good reasons to do this, but it makes certification more
difficult, and makes policy much more inflexible for system
administrators.  One example of the added complexity the conflation
creates is a combinatoric one: say i should be allowed to ssh to
dkg at example.com to do whatever i want with my account.  But i should
*also* be allowed access to our organization's SVN repository over ssh
at svn at example.com constrained by a ForceCommand that only allows
certain subversion operations.  i don't think that's representable in
this certificate format.   More generally, a local machine administrator
might be fine relying on an external authority to identify remote
parties, but might want to authorize different commands for local
accounts based on that authentication.  Having this tightly coupled
model means those local administrators must either accept authorization
information from the CAs, or not use certificates at all.

 3) Multiple certs over the same key from different issuers -- Say i use
the same key to identify myself to machines from multiple domains.  if
each of those domains runs their own internal certificate authority,
i'll have two different versions of id_rsa_cert.pub, right?  i see no
documentation to indicate how to choose between them in ssh(1) or
ssh_config(5).

 4) definition of "valid principals" seems underdeveloped in
PROTOCOL.certkeys -- For example, there was discussion on-list recently
about case insensitivity on some systems (cygwin at least) -- are these
expected to match the name of the remote account entirely?  If i certify
a key for "foo" does that work on all "foo" accounts on
every machine
that trusts my CA?  Can user accounts be specified targetted to a
specific machine (e.g. "foo at server3.example.net")?  if so, how
would
sshd make authorization decisions based on the hostname part of the user
name?

 5) interaction with ssh-agent -- does the agent know about
certificates?  Can it offer them to a compatible ssh client process?  If
not, how should a user take advantage of both features?  If so, is this
a change in the ssh-agent protocol that compatible ssh-agent
implementations should be made aware of?

Anyway, these are my immediate reactions to this proposal of new
certificate formats for OpenSSH.  My current thinking is that this
particular change should be pushed back to a later version for more
discussion, but of course that's not my call to make.

I'd appreciate any feedback on the thoughts and concerns raised above.

As always, thanks for all the work on this excellent tool.

Regards,

	--dkg

[0] http://web.monkeysphere.info/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20100227/0eb768a6/attachment-0001.bin>

On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller
wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 

I do have 2 suggestions only 1 I can recall.

1st is to check if poll is an available option on a system and if not
anyone here has an idea for compensating around it?

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at
nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist
rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
USenet NEwsgroups is the ULTIMATE form of blogging and social networking!

On Feb 27 18:25, Damien Miller wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
Including the latest Cygwin-specific changes, OpenSSH from CVS builds
fine on Cygwin 1.7.  The testsuite runs successfully with a single
exception.  The exception is sftp-glob.sh, which is an expected failure
on Cygwin due to the slash/backslash weirdness on Windows.


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate
testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
Passes all tests on Mandriva One 2010.0 32-bit.

failing on opensolaris snv_133

SunOS scrub 5.11 snv_133 i86pc i386 i86pc

gcc version 3.4.3 (csl-sol210-3_4-20050802)


gunzip openssh-SNAP-20100302.tar.gz
tar tvf openssh-SNAP-20100302.tar
tar xvf openssh-SNAP-20100302.tar
cd openssh
./configure
make tests
[...]
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
certified host keys: test host cert connect cert expired expect failure
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
ok certified host keys
run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
*** Error code 1
The following command caused the error:
if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh
proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh
rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh
try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh
proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh
transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh
broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
cert-hostkey.sh cert-userkey.sh; do \
	echo "run test ${TEST}" ... 1>&2; \
	(env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh
/export/home/iqbala/Download/openssh/regress/test-exec.sh
/export/home/iqbala/Download/openssh/regress
/export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
done
make: Fatal error: Command failed for target `t-exec'
Current working directory /export/home/iqbala/Download/openssh/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'


On Sat, Feb 27, 2010 at 2:25 AM, Damien Miller <djm at mindrot.org>
wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Changes since OpenSSH 5.3
> ========================>
> Features:
>
> ?* After a transition period of about 10 years, this release disables
> ? SSH protocol 1 by default. Clients and servers that need to use the
> ? legacy protocol must explicitly enable it in ssh_config / sshd_config
> ? or on the command-line.
>
> ?* Deprecate the libsectok/OpenSC-based smartcard code and add
> ? support for PKCS#11 tokens. PKCS#11 support is automatically enabled
> ? on all platforms that support dlopen(3) and was inspired by patches
> ? written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
> ? manpages
>
> ?* Add support for certificate authentication of users and hosts using a
> ? new, minimal OpenSSH certificate format (not X.509). Certificates
> ? contain a public key, identity information and some validity
> ? constraints and are signed with a standard SSH public key using
> ? ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
> ? (for user authentication) or known_hosts (for host authentication).
>
> ? Documentation for certificate support may be found in ssh-keygen(1),
> ? sshd(8) and ssh(1) and a description of the protocol changes in
> ? PROTOCOL.certkeys.
>
> ?* Added a 'netcat mode' to ssh(1): "ssh -W host:port
..." This connects
> ? stdio on the client to a single port forward on the server. This
> ? allows, for example, using ssh as a ProxyCommand to route connections
> ? via intermediate servers. bz#1618
>
> ?* Rewrite the ssh(1) multiplexing support to support non-blocking
> ? operation of the mux master, improve the resilience of the master to
> ? malformed messages sent to it by the slave and add support for
> ? requesting port- forwardings via the multiplex protocol. The new
> ? stdio-to-local forward mode ("ssh -W host:port ...") is also
> ? supported. The revised multiplexing protocol is documented in the
> ? file PROTOCOL.mux in the source distribution.
>
> ?* Add a 'read-only' mode to sftp-server(8) that disables open in
write
> ? mode and all other fs-modifying protocol methods. bz#430
>
> ?* Allow setting an explicit umask on the sftp-server(8) commandline to
> ? override whatever default the user has. bz#1229
>
> ?* Many improvements to the sftp(1) client, many of which were
> ? implemented by Carlos Silva through the Google Summer of Code
> ? program:
> ? - Support the "-h" (human-readable units) flag for ls
> ? - Implement tab-completion of commands, local and remote filenames
> ? - Support most of scp(1)'s commandline arguments in sftp(1), as a
> ? ? first step towards making sftp(1) a drop-in replacement for scp(1).
> ? ? Note that the rarely-used "-P sftp_server_path" option has
been
> ? ? moved to "-D sftp_server_path" to make way for "-P
port" to match
> ? ? scp(1).
> ? - Add recursive transfer support for get/put and on the commandline
>
> ?* New RSA keys will be generated with a public exponent of RSA_F4 => ?
(2**16)+1 == 65537 instead of the previous value 35.
>
> ?* Passphrase-protected SSH protocol 2 private keys are now protected
> ? with AES-128 instead of 3DES. This applied to freshly-generated keys
> ? as well as keys that are reencrypted (e.g. by changing their
> ? passphrase).
>
> Bugfixes:
>
> ?* When using ChrootDirectory, make sure we test for the existence of
> ? the user's shell inside the chroot and not outside (bz#1679)
> ?* Cache user and group name lookups in sftp-server using
> ? user_from_[ug]id(3) to improve performance on hosts where these
> ? operations are slow (e.g. NIS or LDAP). bz#1495
> ?* Fix problem that prevented passphrase reading from being interrupted
> ? in some circumstances; bz#1590
> ?* Ignore and log any Protocol 1 keys where the claimed size is not
> ? equal to the actual size.
> ?* Make HostBased authentication work with a ProxyCommand. bz#1569
> ?* Avoid run-time failures when specifying hostkeys via a relative
> ? path by prepending the current working directory in these cases.
> ? bz#1290
> ?* Do not prompt for a passphrase if we fail to open a keyfile, and log
> ? the reason why the open failed to debug. bz#1693
> ?* Document that the PubkeyAuthentication directive is allowed in a
> ? sshd_config(5) Match block. bz#1577
> ?* When converting keys, truncate key comments at 72 chars as per
> ? RFC4716. bz#1630
> ?* Do not allow logins if /etc/nologin exists but is not readable by the
> ? user logging in.
> ?* Output a debug log if sshd(8) can't open an existing
authorized_keys.
> ? bz#1694
> ?* Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
> ? usually don't actually have a tty to read/set; bz#1686
> ?* Prevent sftp from crashing when given a "-" without a command.
> ? Also, allow whitespace to follow a "-". bz#1691
> ?* After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
> ? re-execs itself. Prevents two HUPs in quick succession from resulting
> ? in sshd dying. bz#1692
> ?* Clarify in sshd_config(5) that StrictModes does not apply to
> ? ChrootDirectory. Permissions and ownership are always checked when
> ? chrooting. bz#1532
> ?* Set close-on-exec on various descriptors so they don't get leaked to
> ? child processes. bz#1643
> ?* Fix very rare race condition in x11/agent channel allocation: don't
> ? read after the end of the select read/write fdset and make sure a
> ? reused FD is not touched before the pre-handlers are called.
> ?* Fix incorrect exit status when multiplexing and channel ID 0 is
> ? recycled. bz#1570
> ?* Fail with an error when an attempt is made to connect to a server
> ? with ForceCommand=internal-sftp with a shell session (i.e. not a
> ? subsystem session). Avoids stuck client when attempting to ssh to
> ? such a service. bz#1606:
> ?* Warn but do not fail if stat()ing the subsystem binary fails. This
> ? helps with chrootdirectory+forcecommand=sftp-server and restricted
> ? shells. bz #1599
> ?* Change "Connecting to host..." message to "Connected to
host."
> ? and delay it until after the sftp protocol connection has been
> ? established. Avoids confusing sequence of messages when the
> ? underlying ssh connection experiences problems. bz#1588
> ?* Use the HostKeyAlias rather than the hostname specified on the
> ? commandline when prompting for passwords. bz#1039
> ?* Correct off-by-one in percent_expand(): we would fatal() when trying
> ? to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
> ? actually work. Note that nothing in OpenSSH actually uses close to
> ? this limit at present. bz#1607
> ?* Fix passing of empty options from scp(1) and sftp(1) to the
> ? underlying ssh(1). Also add support for the stop option "--".
> ?* Fix an incorrect magic number and typo in PROTOCOL; bz#1688
> ?* Don't escape backslashes when displaying the SSH2 banner. bz#1533
> ?* Don't unnecessarily dup() the in and out fds for sftp-server.
bz#1566
> ?* Force use of the correct hash function for random-art signature
> ? display as it was inheriting the wrong one when bubblebabble
> ? signatures were activated. bz#1611
> ?* Do not fall back to adding keys without contraints (ssh-add -c /
> ? -t ...) when the agent refuses the constrained add request. bz#1612
> ?* Fix a race condition in ssh-agent that could result in a wedged or
> ? spinning agent. bz#1633
> ?* Flush stdio before exec() to ensure that everying (motd
> ? in particular) has made it out before the streams go away. bz#1596
> ?* Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
>
> Portable OpenSSH Bugfixes:
>
> ?* Use system's kerberos principal name on AIX if it's available.
> ? bz#1583
> ?* Disable OOM-killing of the listening sshd on Linux. bz#1740
> ?* Use pkg-config for opensc config if it's available. bz#1160
> ?* Unbreak Redhat spec to allow building without askpass. bz#1677
> ?* If PidFile is set in sshd_config, use it in SMF init file. bz#1628
> ?* Print error and usage() when ssh-rand-helper is passed command-
> ? line arguments as none are supported. bz#1568
> ?* Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
> ? with GatwayPorts=yes. bz#1648
> ?* Make GNOME 2 askpass dialog desktop-modal. bz#1645
> ?* If SELinux is enabled set the security context to "sftpd_t"
before
> ? running the internal sftp server. bz#1637
> ?* Correctly check libselinux for necessary SELinux functions; bz#1713
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

In article <alpine.BSO.2.00.1002271127510.1818 at fuyu.mindrot.org>,
Damien
Miller wrote:
>Running the regression tests supplied with Portable OpenSSH does not
>require installation and is a simply:
>
>$ ./configure && make tests
I built this from CVS on Ubuntu 10.04 (in development).  I used
configure options which closely approximate those we use for the Debian
package, omitting a couple that go along with Debian patches:

  ./configure --build=i486-linux-gnu --prefix=/usr --sysconfdir=/etc/ssh
--libexecdir=/usr/lib/openssh --mandir=/usr/share/man --disable-strip
--with-mantype=doc --with-4in6 --with-privsep-path=/var/run/sshd
--without-rand-helper --with-tcp-wrappers --with-pam --with-libedit
--with-ssl-engine --with-selinux --with-xauth=/usr/bin/X11/xauth
--with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
--with-cflags='-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat
-Wformat-security -DLOGIN_PROGRAM=\"/bin/login\"
-DLOGIN_NO_ENDOPT' --with-ldflags='-Wl,--as-needed -fPIE -pie
-Wl,-z,relro -Wl,-z,now'

There were a few compiler warnings most of which I don't think are
particularly new, although I don't recognise the one in
openssl-compat.c.  I don't know if you care about all of these but I'll
list them for completeness.

All regression tests passed.  I haven't done serious testing beyond
that, although I confirmed that sftp's tab-completion seemed to be
working.


gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I.. -I. -I./.. 
-DHAVE_CONFIG_H -c openssl-compat.c
openssl-compat.c: In function ???ssh_SSLeay_add_all_algorithms???:
openssl-compat.c:70: warning: implicit declaration of function
???OPENSSL_config???

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I.. -I. -I./.. 
-DHAVE_CONFIG_H -c bindresvport.c
bindresvport.c: In function ???bindresvport_sa???:
bindresvport.c:71: warning: dereferencing pointer ???sa??? does break
strict-aliasing rules
bindresvport.c:66: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I.. -I. -I./.. 
-DHAVE_CONFIG_H -c readpassphrase.c
readpassphrase.c: In function ???readpassphrase???:
readpassphrase.c:127: warning: ignoring return value of ???write???, declared
with attribute warn_unused_result
readpassphrase.c:146: warning: ignoring return value of ???write???, declared
with attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c channels.c
channels.c: In function ???channel_decode_socks5???:
channels.c:1235: warning: dereferencing type-punned pointer will break
strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c log.c
log.c: In function ???do_log???:
log.c:388: warning: ignoring return value of ???write???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c packet.c
packet.c: In function ???packet_connection_is_ipv4???:
packet.c:441: warning: dereferencing pointer ???to.48??? does break
strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ???to.48??? does break
strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ???to.48??? does break
strict-aliasing rules
packet.c:441: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c monitor_fdpass.c
monitor_fdpass.c: In function ???mm_send_fd???:
monitor_fdpass.c:74: warning: dereferencing type-punned pointer will break
strict-aliasing rules
monitor_fdpass.c: In function ???mm_receive_fd???:
monitor_fdpass.c:175: warning: dereferencing type-punned pointer will break
strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c umac.c
umac.c: In function ???pdf_gen_xor???:
umac.c:254: warning: dereferencing type-punned pointer will break
strict-aliasing rules
umac.c:257: warning: dereferencing type-punned pointer will break
strict-aliasing rules
umac.c:258: warning: dereferencing type-punned pointer will break
strict-aliasing rules
umac.c:260: warning: dereferencing type-punned pointer will break
strict-aliasing rules
umac.c:261: warning: dereferencing type-punned pointer will break
strict-aliasing rules

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c schnorr.c
schnorr.c: In function ???debug3_bn???:
schnorr.c:468: warning: ignoring return value of ???vasprintf???, declared with
attribute warn_unused_result
schnorr.c: In function ???debug3_buf???:
schnorr.c:493: warning: ignoring return value of ???vasprintf???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c sshd.c
sshd.c: In function ???main???:
sshd.c:1742: warning: ignoring return value of ???chdir???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c serverloop.c
serverloop.c: In function ???notify_parent???:
serverloop.c:151: warning: ignoring return value of ???write???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c ssh-agent.c
ssh-agent.c: In function ???main???:
ssh-agent.c:1258: warning: ignoring return value of ???chdir???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c scp.c
scp.c: In function ???lostconn???:
scp.c:1289: warning: ignoring return value of ???write???, declared with
attribute warn_unused_result

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c ssh-rand-helper.c
ssh-rand-helper.c: In function ???get_random_bytes_prngd???:
ssh-rand-helper.c:167: warning: dereferencing pointer ???addr_in??? does break
strict-aliasing rules
ssh-rand-helper.c:166: warning: dereferencing pointer ???addr_in??? does break
strict-aliasing rules
ssh-rand-helper.c:168: warning: dereferencing pointer ???addr_in??? does break
strict-aliasing rules
ssh-rand-helper.c:150: note: initialized from here
ssh-rand-helper.c:171: warning: dereferencing pointer ???addr_un??? does break
strict-aliasing rules
ssh-rand-helper.c:151: note: initialized from here

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all
-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT  -I. -I. 
-DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H
-c sftp.c
sftp.c: In function ???cmd_interrupt???:
sftp.c:219: warning: ignoring return value of ???write???, declared with
attribute warn_unused_result


Thanks,

-- 
Colin Watson                                       [cjwatson at debian.org]

> -----Original Message-----
> From: Scott Neugroschl
> Sent: Monday, March 01, 2010 1:18 PM
> To: openssh-unix-dev at mindrot.org
> Subject: RE: Call for testing: OpenSSH-5.4
> 
> >
> > OpenSSH 5.4 is almost ready for release, so we would appreciate
> testing
> > on as many platforms and systems as possible. This is a big release,
> > with a number of major new features and many bug fixes.
> >
> 
> Passes all tests on Mandriva One 2010.0 32-bit.
Addendum: This was the 20100302 snapshot.

On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller
wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
The 20100302 snapshot builds and tests successfully on the following
platforms:

	RHEL 5 (x86_64)
	SLES 10 (x86_64)
	SLES 10 (ia64)

On OS X (Intel), the snapshot builds but fails the regression tests:

run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2

And on Solaris 9 (SPARC/gcc) the tests likewise fail:

run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
*** Error code 1
make: Fatal error: Command failed for target `t-exec'
Current working directory /u/wk/imorgan/src/openssh/openssh/regress
*** Error code 1
make: Fatal error: Command failed for target 'tests'

-- 
Iain Morgan

On Mon, 1 Mar 2010, The Doctor wrote:
> I do have 2 suggestions only 1 I can recall.
> 
> 1st is to check if poll is an available option on a system and if not
> anyone here has an idea for compensating around it?
We do already, see openbsd-compat/bsd-poll.c

-d

On Mac OS X 10.5.8 (Intel)

$ ./configure && make tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2
$ 

Application of Tim Rice's patch to regress/cert-hostkey.sh lets things
get a bit further...

$ make tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
ok certified host keys
run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_user_key_rsa
certified user keys: test user cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_user_key_rsa
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2
$ 

	-- Mark

Please forgive if I'm "doin it wrong" ... but here's what
I've got so far in
our lab environment ...

Using openssh-SNAP-20100303.tar.gz

====
Red Hat Linux 6.2 (Zoot)
Kernel: 2.2.14-6.0 i686
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) - Target: i686-pc-linux-gnu
OpenSSL 0.9.8j 07 Jan 2009

  ./configure && make tests
...
run test agent-ptrace.sh ... [had to kill -9 the gdb process after 10
minutes without any activity]
gdb failed: exit code 0
  ** Inserting 'exit 0' at the beginning of agent-ptrace.sh and
re-running
'make tests' lets the rest of the tests complete
...
  all tests passed
  ** Note: the ssh/sshd binaries appear to be fully functional

***PARTIAL SUCCESS***

====
Red Hat Enterprise Linux ES release 4 (Nahant Update 5)
Kernel: 2.6.9-55.0.2.ELsmp i686
gcc version 3.4.6 20060404 (Red Hat 3.4.6-8) - Target: i686-pc-linux-gnu
OpenSSL 0.9.7a Feb 19 2003

  ./configure --without-zlib-version-check && make tests
ssh-keygen.c: In function `parse_cert_times':
ssh-keygen.c:1287: error: `BSDoptarg' undeclared (first use in this
function)
ssh-keygen.c:1287: error: (Each undeclared identifier is reported only once
ssh-keygen.c:1287: error: for each function it appears in.)
make: *** [ssh-keygen.o] Error 1

# rpmbuild -bb ./contrib/redhat/openssh.spec
error: parse error in expression
error: /usr/src/openssh/contrib/redhat/openssh.spec:77:
parseExpressionBoolean returns -1
error: Group field must be present in package: (main package)
error: License field must be present in package: (main package)
  ** spec file broken

***FAILED***

====
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel: 2.6.18-128.2.1.el5 x86_64
gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) - Target: x86_64-redhat-linux
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

  ./configure && make tests
  all tests passed

# rpmbuild -bb contrib/redhat/openssh.spec
error: parse error in expression
error: /usr/src/openssh/contrib/redhat/openssh.spec:77:
parseExpressionBoolean returns -1
error: Group field must be present in package: (main package)
error: License field must be present in package: (main package)
  ** spec file broken

***SUCCESS***

====
Ubuntu 9.10 (karmic) x86_64
Kernel: 2.6.31-19-generic
gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) - Target: x86_64-linux-gnu
OpenSSL 0.9.8g 19 Oct 2007

  ./configure && make tests
  all tests passed

***SUCCESS***

====
HP-UX B.11.23
gcc version 4.1.1 - Target: ia64-hp-hpux11.23
OpenSSL 0.9.7m 23 Feb 2007

  ./configure && gmake tests
loginrec.c:725: warning: 'struct utmpx' declared inside parameter list
loginrec.c:725: warning: its scope is only this definition or declaration,
which is probably not what you want
loginrec.c:736: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'construct_utmpx':
loginrec.c:741: error: dereferencing pointer to incomplete type
loginrec.c:750: error: dereferencing pointer to incomplete type
loginrec.c:753: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from
incompatible pointer type
loginrec.c:758: error: dereferencing pointer to incomplete type
loginrec.c:761: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c: At top level:
loginrec.c:987: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'utmpx_write_library':
loginrec.c:989: warning: implicit declaration of function 'setutxent'
loginrec.c:990: warning: implicit declaration of function 'pututxline'
loginrec.c:993: warning: implicit declaration of function 'endutxent'
loginrec.c: In function 'utmpx_perform_login':
loginrec.c:1012: error: storage size of 'utx' isn't known
loginrec.c:1012: warning: unused variable 'utx'
loginrec.c: In function 'utmpx_perform_logout':
loginrec.c:1033: error: storage size of 'utx' isn't known
loginrec.c:1033: warning: unused variable 'utx'
loginrec.c: In function 'record_failed_login':
loginrec.c:1628: warning: unused variable 'a6'
gmake: *** [loginrec.o] Error 1

  gmake clean && ./configure --disable-utmpx --disable-wtmpx &&
make tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect
failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect
success
certified host keys: test host cert connect cert has constraints expect
failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/compile/build/openssh/regress'
make: *** [tests] Error 2

***FAILED***
====
HP-UX B.11.31 ia64
gcc version 4.3.3 (GCC) - Target: ia64-hp-hpux11.31
OpenSSL 0.9.8l 5 Nov 2009

  ./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect
failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect
success
certified host keys: test host cert connect cert has constraints expect
failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/usr/src/openssh/regress'
gmake: *** [tests] Error 2

***FAILED***

====
HP-UX B.11.31 ia64
cc: HP C/aC++ B3910B A.06.20 [May 13 2008]
OpenSSL 0.9.8l 5 Nov 2009

  ./configure && gmake tests
...

run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect
failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect
success
certified host keys: test host cert connect cert has constraints expect
failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake: *** [t-exec] Error 1
*** Error exit code 2

Stop.

***FAILED***

====
AIX 5.3sp7 (5300-07-02-0806)
gcc version 4.2.0 - Target: powerpc-ibm-aix5.3.0.0
OpenSSL 0.9.8k 25 Mar 2009

  ./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect
failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect
success
certified host keys: test host cert connect cert has constraints expect
failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2

***FAILED***

====
AIX 6.1sp4 (6100-04-00-0000) -
gcc version 4.2.0 - Target: powerpc-ibm-aix6.1.0.0
OpenSSL 0.9.8k 25 Mar 2009

  ./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect
failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect
success
certified host keys: test host cert connect cert has constraints expect
failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2

***FAILED***

====
Not yet sure why the AIX/HP-UX boxes are failing on cert-hostkey.sh. Trying
to get sensibly verbose output out of the test script. Suspecting a
bsd/linux/gnu difference in command syntax/output vs AIX/HP-UX in the test
script.

-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */

On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller
wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
The 20100304 snapshot now builds and tests successfully on the following
platforms:

	Solaris 9 (SPARC)
	OS X 10.5 (Intel)
	AIX 5.3
-- 
Iain Morgan

On 02/27/2010 02:25 AM, Damien Miller wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> -------------------------------
> 
> Changes since OpenSSH 5.3
> ========================> 
> Features:
> 
>  * After a transition period of about 10 years, this release disables
>    SSH protocol 1 by default. Clients and servers that need to use the
>    legacy protocol must explicitly enable it in ssh_config / sshd_config
>    or on the command-line.
> 
>  * Deprecate the libsectok/OpenSC-based smartcard code and add
>    support for PKCS#11 tokens. PKCS#11 support is automatically enabled
>    on all platforms that support dlopen(3) and was inspired by patches
>    written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
>    manpages
> 
>  * Add support for certificate authentication of users and hosts using a
>    new, minimal OpenSSH certificate format (not X.509). Certificates
>    contain a public key, identity information and some validity
>    constraints and are signed with a standard SSH public key using
>    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>    (for user authentication) or known_hosts (for host authentication).
> 
>    Documentation for certificate support may be found in ssh-keygen(1),
>    sshd(8) and ssh(1) and a description of the protocol changes in
>    PROTOCOL.certkeys.
> 
>  * Added a 'netcat mode' to ssh(1): "ssh -W host:port
..." This connects
>    stdio on the client to a single port forward on the server. This
>    allows, for example, using ssh as a ProxyCommand to route connections
>    via intermediate servers. bz#1618
> 
>  * Rewrite the ssh(1) multiplexing support to support non-blocking
>    operation of the mux master, improve the resilience of the master to
>    malformed messages sent to it by the slave and add support for
>    requesting port- forwardings via the multiplex protocol. The new
>    stdio-to-local forward mode ("ssh -W host:port ...") is also
>    supported. The revised multiplexing protocol is documented in the
>    file PROTOCOL.mux in the source distribution.
> 
>  * Add a 'read-only' mode to sftp-server(8) that disables open in
write
>    mode and all other fs-modifying protocol methods. bz#430
> 
>  * Allow setting an explicit umask on the sftp-server(8) commandline to
>    override whatever default the user has. bz#1229
> 
>  * Many improvements to the sftp(1) client, many of which were
>    implemented by Carlos Silva through the Google Summer of Code
>    program:
>    - Support the "-h" (human-readable units) flag for ls
>    - Implement tab-completion of commands, local and remote filenames
>    - Support most of scp(1)'s commandline arguments in sftp(1), as a
>      first step towards making sftp(1) a drop-in replacement for scp(1).
>      Note that the rarely-used "-P sftp_server_path" option has
been
>      moved to "-D sftp_server_path" to make way for "-P
port" to match
>      scp(1).
>    - Add recursive transfer support for get/put and on the commandline
> 
>  * New RSA keys will be generated with a public exponent of RSA_F4 =>   
(2**16)+1 == 65537 instead of the previous value 35.
> 
>  * Passphrase-protected SSH protocol 2 private keys are now protected
>    with AES-128 instead of 3DES. This applied to freshly-generated keys
>    as well as keys that are reencrypted (e.g. by changing their
>    passphrase).
> 
> Bugfixes:
> 
>  * When using ChrootDirectory, make sure we test for the existence of
>    the user's shell inside the chroot and not outside (bz#1679)
>  * Cache user and group name lookups in sftp-server using
>    user_from_[ug]id(3) to improve performance on hosts where these
>    operations are slow (e.g. NIS or LDAP). bz#1495
>  * Fix problem that prevented passphrase reading from being interrupted
>    in some circumstances; bz#1590
>  * Ignore and log any Protocol 1 keys where the claimed size is not
>    equal to the actual size.
>  * Make HostBased authentication work with a ProxyCommand. bz#1569
>  * Avoid run-time failures when specifying hostkeys via a relative
>    path by prepending the current working directory in these cases.
>    bz#1290
>  * Do not prompt for a passphrase if we fail to open a keyfile, and log
>    the reason why the open failed to debug. bz#1693
>  * Document that the PubkeyAuthentication directive is allowed in a
>    sshd_config(5) Match block. bz#1577
>  * When converting keys, truncate key comments at 72 chars as per
>    RFC4716. bz#1630
>  * Do not allow logins if /etc/nologin exists but is not readable by the
>    user logging in.
>  * Output a debug log if sshd(8) can't open an existing
authorized_keys.
>    bz#1694
>  * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
>    usually don't actually have a tty to read/set; bz#1686
>  * Prevent sftp from crashing when given a "-" without a command.
>    Also, allow whitespace to follow a "-". bz#1691
>  * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
>    re-execs itself. Prevents two HUPs in quick succession from resulting
>    in sshd dying. bz#1692
>  * Clarify in sshd_config(5) that StrictModes does not apply to
>    ChrootDirectory. Permissions and ownership are always checked when
>    chrooting. bz#1532
>  * Set close-on-exec on various descriptors so they don't get leaked to
>    child processes. bz#1643
>  * Fix very rare race condition in x11/agent channel allocation: don't
>    read after the end of the select read/write fdset and make sure a
>    reused FD is not touched before the pre-handlers are called.
>  * Fix incorrect exit status when multiplexing and channel ID 0 is
>    recycled. bz#1570
>  * Fail with an error when an attempt is made to connect to a server
>    with ForceCommand=internal-sftp with a shell session (i.e. not a
>    subsystem session). Avoids stuck client when attempting to ssh to
>    such a service. bz#1606:
>  * Warn but do not fail if stat()ing the subsystem binary fails. This
>    helps with chrootdirectory+forcecommand=sftp-server and restricted
>    shells. bz #1599
>  * Change "Connecting to host..." message to "Connected to
host."
>    and delay it until after the sftp protocol connection has been
>    established. Avoids confusing sequence of messages when the
>    underlying ssh connection experiences problems. bz#1588
>  * Use the HostKeyAlias rather than the hostname specified on the
>    commandline when prompting for passwords. bz#1039
>  * Correct off-by-one in percent_expand(): we would fatal() when trying
>    to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
>    actually work. Note that nothing in OpenSSH actually uses close to
>    this limit at present. bz#1607
>  * Fix passing of empty options from scp(1) and sftp(1) to the
>    underlying ssh(1). Also add support for the stop option "--".
>  * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
>  * Don't escape backslashes when displaying the SSH2 banner. bz#1533
>  * Don't unnecessarily dup() the in and out fds for sftp-server.
bz#1566
>  * Force use of the correct hash function for random-art signature
>    display as it was inheriting the wrong one when bubblebabble
>    signatures were activated. bz#1611
>  * Do not fall back to adding keys without contraints (ssh-add -c /
>    -t ...) when the agent refuses the constrained add request. bz#1612
>  * Fix a race condition in ssh-agent that could result in a wedged or
>    spinning agent. bz#1633
>  * Flush stdio before exec() to ensure that everying (motd
>    in particular) has made it out before the streams go away. bz#1596
>  * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
> 
> Portable OpenSSH Bugfixes:
> 
>  * Use system's kerberos principal name on AIX if it's available.
>    bz#1583
>  * Disable OOM-killing of the listening sshd on Linux. bz#1740
>  * Use pkg-config for opensc config if it's available. bz#1160
>  * Unbreak Redhat spec to allow building without askpass. bz#1677
>  * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
>  * Print error and usage() when ssh-rand-helper is passed command-
>    line arguments as none are supported. bz#1568
>  * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
>    with GatwayPorts=yes. bz#1648
>  * Make GNOME 2 askpass dialog desktop-modal. bz#1645
>  * If SELinux is enabled set the security context to "sftpd_t"
before
>    running the internal sftp server. bz#1637
>  * Correctly check libselinux for necessary SELinux functions; bz#1713
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
openSUSE 11.2 (x86_64)
VERSION = 11.2

Linux allison 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100
x86_64 x86_64 x86_64 GNU/Linux


Passed all tests with snapshot, openssh-SNAP-20100303.tar.gz

LDB

openSUSE 11.2 (x86_64)
VERSION = 11.2

Linux allison 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100
x86_64 x86_64 x86_64 GNU/Linux


Passed all tests with snapshot, openssh-SNAP-20100303.tar.gz

LDB

Going for brevity here - full test results/output are available on request
...


Using openssh-SNAP-20100304.tar.gz

Summary:
+ Ubunto 6.10 i686   - gcc 4.1.3         - OpenSSL 0.9.8m            - build
OK   - all tests passed
+ Ubuntu 9.10 x86_64 - gcc 4.4.1         - OpenSSL 0.9.8g            - build
OK   - all tests passed
+ AIX 5.2 sp10 power - gcc 3.3.2         - OpenSSL 0.9.8f            - build
OK   - all tests passed
+ AIX 5.3 sp7 power  - gcc 4.2.0         - OpenSSL 0.9.8k            - build
OK   - all tests passed
+ AIX 6.1 sp4 power  - gcc 4.2.0         - OpenSSL 0.9.8k            - build
OK   - all tests passed
+ HP-UX 11.11 hppa2  - gcc 4.1.1         - OpenSSL 0.9.7m            - build
OK   - all tests passed
+ HP-UX 11.23 ia64   - gcc 4.1.1         - OpenSSL 0.9.7m            - build
OK**1* - all tests passed
+ HP-UX 11.31 ia64   - gcc 4.3.3         - OpenSSL 0.9.8l            - build
OK**1* - all tests passed
+ HP-UX 11.31 ia64   - HP C/aC++ A.06.20 - OpenSSL 0.9.8l            - build
OK   - all tests passed
+ RH 6.2 i686        - egcs-2.91.66      - OpenSSL 0.9.8j            - build
OK   - all tests passed**2*
+ RH 8.0 i686        - gcc 3.2.2         - OpenSSL 0.9.7a            - build
OK   - all tests passed
+ RHEL 2.1 i686      - gcc 2.9.6         - OpenSSL 0.9.8m            - build
OK   - all tests passed
+ RHEL 3.0 TU6 i686  - gcc 2.9.6         - OpenSSL 0.9.8m            - build
OK   - all tests passed
- RHEL 4.0 NU5 i686  - gcc 3.4.6         - OpenSSL 0.9.7a            - *build
FAIL* - **3*
+ RHEL 5.4 x86_64    - gcc 4.1.2         - OpenSSL 0.9.8e-fips-rhel5 - build
OK   - all tests passed


**1 ::* HP-UX 11.23/11.31 systems using gcc apparently must './configure
--disable-utmpx' or compile aborts here, (interesting to note that the HP
Ansi C/C++ compiler doesn't have this problem):
loginrec.c:725: warning: 'struct utmpx' declared inside parameter list
loginrec.c:725: warning: its scope is only this definition or declaration,
which is probably not what you want
loginrec.c:736: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'construct_utmpx':
loginrec.c:741: error: dereferencing pointer to incomplete type
loginrec.c:750: error: dereferencing pointer to incomplete type
loginrec.c:753: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from
incompatible pointer type
loginrec.c:758: error: dereferencing pointer to incomplete type
loginrec.c:761: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c: At top level:
loginrec.c:987: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'utmpx_write_library':
loginrec.c:989: warning: implicit declaration of function 'setutxent'
loginrec.c:990: warning: implicit declaration of function 'pututxline'
loginrec.c:993: warning: implicit declaration of function 'endutxent'
loginrec.c: In function 'utmpx_perform_login':
loginrec.c:1012: error: storage size of 'utx' isn't known
loginrec.c:1012: warning: unused variable 'utx'
loginrec.c: In function 'utmpx_perform_logout':
loginrec.c:1033: error: storage size of 'utx' isn't known
loginrec.c:1033: warning: unused variable 'utx'
loginrec.c: In function 'record_failed_login':
loginrec.c:1628: warning: unused variable 'a6'
gmake: *** [loginrec.o] Error 1

**2 ::* On Red Hat 6.2 openssh builds cleanly and appears to work fine, but
test 'regress/agent-ptrace.sh' hangs hard and requires a 'kill
-9' of the
gdb process to continue - hacking the script to exit 0 at the beginning
works around this.  Still investigating what's wrong here.

**3 ::* replicated this on three different servers running these releases -
maybe there's something wrong with how configure is identifying these boxes?

OPSYS:  Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
KERNEL: 2.6.9-67.ELsmp i686
CC:     gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)
TARGET: i686-pc-linux-gnu
SSL:    OpenSSL 0.9.7a Feb 19 2003

OPSYS:  Red Hat Enterprise Linux ES release 4 (Nahant Update 5)
KERNEL: 2.6.9-55.0.2.ELsmp i686
CC:     gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)
TARGET: i686-pc-linux-gnu
SSL:    OpenSSL 0.9.7a Feb 19 2003

        ./configure --with-zlib=/var/tmp/zlib && make tests
...
OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH:
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags: -I/var/tmp/zlib/include
      Linker flags: -L/var/tmp/zlib/lib
         Libraries: -lcrypto -ldl -lutil -lz -lnsl  -lcrypt
...
ssh-keygen.c: In function `parse_cert_times':
ssh-keygen.c:1303: error: `BSDoptarg' undeclared (first use in this
function)
ssh-keygen.c:1303: error: (Each undeclared identifier is reported only once
ssh-keygen.c:1303: error: for each function it appears in.)
make: *** [ssh-keygen.o] Error 1

Looks to be this bit here:

        if (to == NULL || from == to || *(to + 1) ==
'\0')
>>>             fatal("Invalid certificate life specification
%s", optarg);
        *to++ = '\0';



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */

Once upon a time, Damien Miller <djm at mindrot.org>
said:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
Hmm, build of 20100304 fails on Tru64 (ignore the "long long" info
messages):

cc -I/usr/local/include -O -ieee -std1 -arch generic -tune ev67  -I. -I. 
-DSSHDIR=\"/usr/local/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/openssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty/sshd\"
-DSSH_RAND_HELPER=\"/usr/local/libexec/openssh/ssh-rand-helper\"
-DHAVE_CONFIG_H -c ssh-keygen.c
cc: Info: ssh-keygen.c, line 116: The integer constant is of type "unsigned
long long", which is a new feature of C99 might not be portable.
(longlongsufx)
u_int64_t cert_valid_to = ~0ULL;
---------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 106: In this declaration, type
"long long" is a new feature in C99. (longlongtype)
int     fmt_scaled(long long number, char *result);
-------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 184: In this declaration, type
"long long" is a new feature in C99. (longlongtype)
long long strtoll(const char *, char **, int);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type
"long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type
"long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
---------------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type
"long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
--------------------------------------------^
cc: Error: ssh-keygen.c, line 1303: In this statement, "BSDoptarg" is
not declared. (undeclared)
                fatal("Invalid certificate life specification %s",
optarg);
-------------------------------------------------------------------^
make: *** [ssh-keygen.o] Error 1

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

The openssh 5.4 snap 20100302 compiles on fedora rawhide.
-- 
JFCh

On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller
wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
The 20100305 snapshot built and tested successfuly on the following:

	RHEL 5 (x86_64)
	SLES 10 (x86_64)
	SLES 10 (ia64)
	AIX 5.3
	Solaris 9 (SPARC)
	OS X 10.5 (Intel)

-- 
Iain Morgan

On Fri, Feb 26, 2010 at 23:25, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
>
Using openssh-SNAP-20100306.tar.gz

new issue on RHEL 5.4 x86_64:

with SUDO set ..
...
run test agent.sh ...
sudo: sorry, you must have a tty to run sudo
ssh_exchange_identification: Connection closed by remote host
agent fwd proto 1 failed (exit code 0)
sudo: sorry, you must have a tty to run sudo
ssh_exchange_identification: Connection closed by remote host
agent fwd proto 2 failed (exit code 0)
failed simple agent test
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

Caused by:  http://kbase.redhat.com/faq/docs/15839 ...

The /etc/sudoers file in Red Hat Enterprise Linux 5 has a default flag
'requiretty'. With this flag set, only logged in users can execute
commands
through sudo. This will disallow execution of sudo commands remotely through
rsh or ssh. The rsh and ssh utilities do not allocate a tty. It is
recommended to keep this flag to prevent a user from entering a visible
password.

With ssh, use -t to force pseudo-tty allocation
My proposed fix ...

*** regress/agent.sh    2010-03-05 14:01:13.000000000 -0800
--- regress/agent.sh.orig       2008-03-12 05:58:56.000000000 -0700
***************
*** 45,51 ****

        trace "simple connect via agent"
        for p in 1 2; do
!               ${SSH} -t -$p -F $OBJ/ssh_proxy somehost exit 5$p
                if [ $? -ne 5$p ]; then
                        fail "ssh connect with protocol $p failed (exit
code
$?)"
                fi
--- 45,51 ----

        trace "simple connect via agent"
        for p in 1 2; do
!               ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
                if [ $? -ne 5$p ]; then
                        fail "ssh connect with protocol $p failed (exit
code
$?)"
                fi
***************
*** 53,63 ****

        trace "agent forwarding"
        for p in 1 2; do
!               ${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l >
/dev/null 2>&1
                if [ $? -ne 0 ]; then
                        fail "ssh-add -l via agent fwd proto $p failed
(exit
code $?)"
                fi
!               ${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost \
                        "${SSH} -$p -F $OBJ/ssh_proxy somehost exit
5$p"
                if [ $? -ne 5$p ]; then
                        fail "agent fwd proto $p failed (exit code
$?)"
--- 53,63 ----

        trace "agent forwarding"
        for p in 1 2; do
!               ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l >
/dev/null 2>&1
                if [ $? -ne 0 ]; then
                        fail "ssh-add -l via agent fwd proto $p failed
(exit
code $?)"
                fi
!               ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
                        "${SSH} -$p -F $OBJ/ssh_proxy somehost exit
5$p"
                if [ $? -ne 5$p ]; then
                        fail "agent fwd proto $p failed (exit code
$?)"

Once this is applied - all tests passed

-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */

On Fri, Feb 26, 2010 at 23:25, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
>
Using openssh-SNAP-20100306.tar.gz

Summary:
lx1072     + Ubunto 6.10 i686     - builds - all tests passed
hobbes     + Ubuntu 9.10 x86_64   - builds - all tests passed
ux0643     + AIX 5.2 sp10 power   - builds - all tests passed
ux9039     + AIX 5.3 sp7 power    - builds - all tests passed
ux9001     + AIX 6.1 sp4 power    - builds - all tests passed
ux1090     + HP-UX 11.11 hppa2    - builds - all tests passed
ux1025     + HP-UX 11.23 ia64     - builds - tests *PARTIAL FAIL *1*
ux9115     + HP-UX 11.31 ia64 gcc - builds - tests *FAIL:        *2*
ux9115     + HP-UX 11.31 ia64 aCC - builds - all tests passed
phswaora01 + RH 6.2 i686          - builds - tests *PATRIAL FAIL *3*
lx1030     + RH 8.0 i686          - builds - all tests passed
lx0527     + RHEL 2.1 i686        - builds - tests *PATRIAL FAIL *4*
lx1098     + RHEL 3.0 tu8 i686    - builds - all tests passed
lx9002     + RHEL 4.0 nu5 i686    - builds - all tests passed
lx9003     + RHEL 5.4 i686        - builds - all tests passed  * *5*

*1 :: Tests run as non-root user ...
      export SUDO=`which sudo`
    ...
    run test connect.sh ...
    Password:
    cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
(root:sys 0600)
    no sshd running
    ok simple connect
    run test proxy-connect.sh ...
    cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
    no sshd running
    ok proxy connect
    ...etc...
    run test reconfigure.sh ...
    cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
    usage: kill [ -signo ] pid ...
    FATAL: sshd did not restart
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
      stale sshd process running from build dir - killed it
      unset SUDO
    ...
    run test connect.sh ...
    Permission denied.
    ssh connect with protocol 1 failed
    Permission denied (publickey,password,keyboard-interactive).
    ssh connect with protocol 2 failed
    failed simple connect
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
   :: Run as root user, or 'sudo gmake tests' - all tests passed

*2 :: Tests fail (root/non-root):
    ...
    run test agent-ptrace.sh ...
    ptrace succeeded?: exit code 1
    failed disallow agent ptrace attach
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2

*3 :: Tests fail as non-root user (w/out SUDO) at:
    ...
    run test connect.sh ...
    Connection closed by 127.0.0.1
    ssh connect with protocol 1 failed
    Read from socket failed: Broken pipe
    ssh connect with protocol 2 failed
    failed simple connect
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
   :: export SUDO=`which sudo` ... all(-1) tests passed (agent-ptrace.sh
which still hangs in gdb)

*4 :: Tests fail as non-root user (w/wout SUDO) at ...
    run test agent-getpeereid.sh ...
    ssh-add did not fail for nobody: 1 < 2
    failed disallow agent attach from other uid
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
   :: Run as root user, or 'sudo gmake tests' - all tests passed

*5 :: patch of regress/agents.sh required.  See previous email.



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */

>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
all tests passed on mac-osx

logu at logu-osx: openssh$ uname -a
Darwin logu-osx.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15  
16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

logu at logu-osx: openssh$ gcc
i686-apple-darwin9-gcc-4.0.1: no input files