Hi,

We will probably do an openssh-5.5p1 release soon, mainly for the sshd_config:AuthorizedKeysFile bug, but containing a few other small patches too. If you have any portability fixes that need to go in then please send them through at once.

-d
Hi Damien,

On Mar 17 06:04, Damien Miller wrote:
> Hi,
>
> We will probably do an openssh-5.5p1 release soon, mainly for the
> sshd_config:AuthorizedKeysFile bug, but containing a few other small
> patches too. If you have any portability fixes that need to go in then
> please send them through at once.

That's good to know, but I don't see a matching patch for the AuthorizedKeysFile bug in the portable openssh repository, nor any reply to my mail concerning this problem: http://marc.info/?l=openssh-unix-dev&m=126838983321733&w=2

If there has been anything going on behind the scenes, it would be nice to learn about it.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
On Tue, Mar 16, 2010 at 14:04:26 -0500, Damien Miller wrote:
> Hi,
>
> We will probably do an openssh-5.5p1 release soon, mainly for the
> sshd_config:AuthorizedKeysFile bug, but containing a few other small
> patches too. If you have any portability fixes that need to go in then
> please send them through at once.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Hi Damien,

I just stumbled across an issue today building 5.4p1 on SLES 10 with libedit support. When --with-libedit is used, configure will use -lcurses when testing for a functional libedit. On SLES 10 (and perhaps other OS's) there is no libcurses.so (even as a symlink) so the test fails.

It may be best to check for -lcurses and -lncurses, and then use the appropriate library when checking for -ledit. I'm not an autoconf wizard and thus don't have an actual patch to submit. I'm just working around the issue by hacking the configure script.

--
Iain Morgan
Damien Miller wrote:
> Hi,
>
> We will probably do an openssh-5.5p1 release soon, mainly for the
> sshd_config:AuthorizedKeysFile bug, but containing a few other small
> patches too. If you have any portability fixes that need to go in then
> please send them through at once.

In past you create p2 version. What is new functionality for 5.5 (except bug fixes)?

Roumen

--
Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/
On Wed, 17 Mar 2010, Roumen Petrov wrote:
> Damien Miller wrote:
> > Hi,
> >
> > We will probably do an openssh-5.5p1 release soon, mainly for the
> > sshd_config:AuthorizedKeysFile bug, but containing a few other small
> > patches too. If you have any portability fixes that need to go in then
> > please send them through at once.
>
> In past you create p2 version. What is new functionality for 5.5 (except bug
> fixes)?

We have created p2 versions when the changes have been to portable OpenSSH only. In this case there are changes to the OpenBSD version too.

-d
----- "Damien Miller" <djm at mindrot.org> wrote:
> Hi,
> >
> > We will probably do an openssh-5.5p1 release soon, mainly for the
> > sshd_config:AuthorizedKeysFile bug, but containing a few other small
> > patches too. If you have any portability fixes that need to go in then
> > please send them through at once.
> >

Damien, please have a look at https://bugzilla.mindrot.org/show_bug.cgi?id=1663

I still think that it's useful and safe. It's useful for creation small centralized domains without ldap... simply using ssh to transport the keys.

--
JFCh
Corinna Vinschen
2010-Mar-23 16:03 UTC
[PATCH] Cygwin: ssh-host-config script broken on casesensitive systems (was Re: openssh-5.5p1)
Hi Damien,

On Mar 17 06:04, Damien Miller wrote:
> Hi,
>
> We will probably do an openssh-5.5p1 release soon, mainly for the
> sshd_config:AuthorizedKeysFile bug, but containing a few other small
> patches too. If you have any portability fixes that need to go in then
> please send them through at once.

I hope I'm not too late. I just stumbled over a problem with the Cygwin-specific ssh-host-config script. The script uses the Windows pathname to the directory holding the (/etc/)services file in a case-insensitive manner. However, the latest Cygwin allows to use case-sensitive paths and on systems supporting it (depends on a registry key) the default mount mode is case-sensitive. Unfortunately this breaks the script!

So, it would be really nice if the below patch could still go into OpenSSH 5.5p1. It mounts the Windows directory containing the services file explicitly case-insensitive. This allows to tweak the Windows services file reliably, which *still* does not contain the "ssh 22/tcp" entry, even in the latest Windows 7 :(

Thanks,
Corinna

Index: contrib/cygwin/ssh-host-config ==================================================================RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.28 diff -u -p -r1.28 ssh-host-config --- contrib/cygwin/ssh-host-config 12 Jul 2009 11:58:42 -0000 1.28 +++ contrib/cygwin/ssh-host-config 23 Mar 2010 16:02:26 -0000 @@ -90,7 +90,7 @@ update_services_file() { fi _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -o text -f "${_win_etcdir}" "${_my_etcdir}" + mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"`

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
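Review bot: the changed mount line in update_services_file() adds noacl alongside posix=0, but the description only motivates mounting the directory case-insensitively, and the nearest comment ("# Depends on the above mount") refers to the cygpath call rather than to the options. Please add a short comment above the mount saying that posix=0 is what forces case-insensitive lookup of the Windows services directory and why ACL handling is switched off for this mount, so that a later cleanup does not drop either option without knowing what it protects.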
On Tue, Mar 16, 2010 at 14:04:26 -0500, Damien Miller wrote:
> Hi,
>
> We will probably do an openssh-5.5p1 release soon, mainly for the
> sshd_config:AuthorizedKeysFile bug, but containing a few other small
> patches too. If you have any portability fixes that need to go in then
> please send them through at once.
>
> -d

Hi Damien,

One minor issue that I just spotted with the -L option with ssh-keygen is that it can yield a misleading error message if the cert is not readable due to filesystem permissions.

$ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub
-rw------- 1 root root 1151 Mar 23 13:36 /etc/ssh/ssh_host_rsa_key-cert.pub
$ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub is not a public key
$

(This was with the 5.4p1 release, but I assume it also holds for recent snapshots.)

--
Iain Morgan
On Tue, 23 Mar 2010, Iain Morgan wrote:
> Hi Damien,
>
> One minor issue that I just spotted with the -L option with ssh-keygen
> is that it can yield a misleading error message if the cert is not
> readable due to filesystem permissions.
>
> $ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub
> -rw------- 1 root root 1151 Mar 23 13:36
> /etc/ssh/ssh_host_rsa_key-cert.pub
> $ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub
> /etc/ssh/ssh_host_rsa_key-cert.pub is not a public key
>
> (This was with the 5.4p1 release, but I assume it also holds for recent
> snapshots.)

I think that is a more general problem for public key loading in ssh-keygen. Please file a bug and I will factor all of the offending cases out and fix them in one go after 5.5p1.

-d
On Thu, Mar 25, 2010 at 16:53:45 -0500, Damien Miller wrote:
> On Tue, 23 Mar 2010, Iain Morgan wrote:
>
> > Hi Damien,
> >
> > One minor issue that I just spotted with the -L option with ssh-keygen
> > is that it can yield a misleading error message if the cert is not
> > readable due to filesystem permissions.
> >
> > $ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub
> > -rw------- 1 root root 1151 Mar 23 13:36
> > /etc/ssh/ssh_host_rsa_key-cert.pub
> > $ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub
> > /etc/ssh/ssh_host_rsa_key-cert.pub is not a public key
> >
> > (This was with the 5.4p1 release, but I assume it also holds for recent
> > snapshots.)
>
> I think that is a more general problem for public key loading in
> ssh-keygen. Please file a bug and I will factor all of the offending cases
> out and fix them in one go after 5.5p1.
>
> -d

Sounds good. It looks like Jan Chadima filed a similar bug, though due to a different cause. I can either add this to that existing bug or file a new one, which would be easier for you?

--
Iain Morgan
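The misleading "is not a public key" report discussed above can be avoided operationally by classifying the file before ssh-keygen ever parses it. This is an added example, not code from OpenSSH or from anyone in the thread; the helper name inspect_cert, its output words and its return codes are assumptions made for illustration.

```shell
# Added example (hypothetical helper, not part of OpenSSH).
# Classify why "ssh-keygen -L -f FILE" would fail, so that a filesystem
# problem is not reported as a malformed key. Prints one word on stdout.
inspect_cert() {
    cert=$1
    if [ ! -e "$cert" ]; then
        echo "missing"; return 2
    elif [ ! -f "$cert" ]; then
        # directory, socket, device, ...
        echo "not-a-regular-file"; return 3
    elif [ ! -r "$cert" ]; then
        # The case from the thread: mode 0600 root:root read by another user.
        # Note that for root this test succeeds whatever the mode bits are.
        echo "unreadable"; return 4
    elif [ ! -s "$cert" ]; then
        echo "empty"; return 5
    fi
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen-not-found"; return 6
    fi
    # Only at this point does a failure say something about the contents.
    if ssh-keygen -L -f "$cert" >/dev/null 2>&1; then
        echo "ok"; return 0
    fi
    echo "not-a-certificate"; return 1
}
```

Run as the account that will actually read the certificate, for example `inspect_cert /etc/ssh/ssh_host_rsa_key-cert.pub`, since the readability result depends on the caller's identity.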