openssh unix dev - Feb 2012 - Call for testing: OpenSSH-6.0

Hi,

OpenSSH 6.0 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains a
couple of new features and changes and bug fixes. Testing of the new
sandboxed privilege separation mode (see below) would be particularly
appreciated.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

 * ssh-keygen(1): Add optional checkpoints for moduli screening
 * ssh-add(1): new -k option to load plain keys (skipping certificates)
 * sshd(8): Add wildcard support to PermitOpen, allowing things like
   "PermitOpen localhost:*".  bz #1857
 * ssh(1): support for cancelling local and remote port forwards via the
   multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user at
host"
   to request the cancellation of the specified forwardings
 * support cancellation of local/dynamic forwardings from ~C commandline

Bugfixes:

 * ssh(1): ensure that $DISPLAY contains only valid characters before
   using it to extract xauth data so that it can't be used to play local
   shell metacharacter games.
 * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
 * scp(1): uppress adding '--' to remote commandlines when the first
   argument does not start with '-'. saves breakage on some
   difficult-to-upgrade embedded/router platforms
 * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14"
class,
   but there is an "AF21" class
 * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
   rekeying
 * ssh(1): skip attempting to create ~/.ssh when -F is passed
 * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
 * sshd(1): send tty break to pty master instead of (probably already
     closed) slave side; bz#1859
 * sftp(1): silence error spam for "ls */foo" in directory with files;
   bz#1683
 * Fixed a number of memory and file descriptor leaks

Portable OpenSSH:

 * ssh-keygen(1): don't fail in -A on platforms that don't support ECC
 * Add optional support for LDNS, a BSD licensed DNS resolver library
   which supports DNSSEC

Reporting Bugs:
==============
- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

On Mon, 13 Feb 2012, Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
oops, the bit about the sandboxed privsep code is a carryover from the
previous release and isn't mentioned in the feature list below after all.
It could still do with some more testing though, as I don't recall seeing
any reports from users who tried it.

-d

Le 13/02/2012 07:51, Damien Miller a ?crit :
> -------------------------------
>
> Features:
>
>   * ssh-keygen(1): Add optional checkpoints for moduli screening
>    
Hello ssh users,

I've used that new feature a lot and posted the smallest patch ever to 
preserve tested primes between sessions:
https://bugzilla.mindrot.org/show_bug.cgi?id=1957


Christophe Garault

On Feb 13 17:51, Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
All tests pass on Cygwin.  However, is it possible to apply the below
patch before releasing 6.0?  It just added back an important system
environment variable for native Windows apps.


Thanks,
Corinna


Index: openbsd-compat/bsd-cygwin_util.c
==================================================================RCS file:
/cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v
retrieving revision 1.23
diff -u -p -r1.23 bsd-cygwin_util.c
--- openbsd-compat/bsd-cygwin_util.c	17 Aug 2011 01:31:09 -0000	1.23
+++ openbsd-compat/bsd-cygwin_util.c	13 Feb 2012 13:45:21 -0000
@@ -76,6 +76,7 @@ static struct wenv {
 	{ NL("OS=") },
 	{ NL("PATH=") },
 	{ NL("PATHEXT=") },
+	{ NL("PROGRAMFILES=") },
 	{ NL("SYSTEMDRIVE=") },
 	{ NL("SYSTEMROOT=") },
 	{ NL("WINDIR=") }

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

./configure is failing for me with
> ...
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating buildpkg.sh
> config.status: creating opensshd.init
> config.status: creating openssh.xml
> config.status: creating openbsd-compat/Makefile
> config.status: creating openbsd-compat/regress/Makefile
> config.status: creating survey.sh
> config.status: error: cannot find input file: `config.h.in'
Is it expected to fail with autoconf 2.68?


Also, not too important, but the following files have execute permissions,
and I don't think they should:
- ssh-sandbox.h
- openbsd-compat/sha2.h
- openbsd-compat/sha2.c
- contrib/solaris/README
- opensshd.init.in

Although I'm not sure about the last one, it may have it on purpose for
having
opensshd.init inherit the +x, even though that's not happening in my system.

On Mon, 13 Feb 2012, Corinna Vinschen wrote:
> On Feb 13 17:51, Damien Miller wrote:
> > Hi,
> > 
> > OpenSSH 6.0 is almost ready for release, so we would appreciate
testing
> > on as many platforms and systems as possible. This release contains a
> > couple of new features and changes and bug fixes. Testing of the new
> > sandboxed privilege separation mode (see below) would be particularly
> > appreciated.
> 
> All tests pass on Cygwin.  However, is it possible to apply the below
> patch before releasing 6.0?  It just added back an important system
> environment variable for native Windows apps.
Done

-d

[resent without troublesome attachments]

Damien Miller <djm at mindrot.org> writes:
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
openssh-SNAP-20120221 fails to build on FreeBSD 9 and 10: the configure
script incorrectly concludes that FreeBSD doesn't have openpty(3), and
bsd-openpty.c doesn't build on FreeBSD.  See http://www.des.no/openssh/

The same snapshot builds fine and passes all tests on 8.2p3.

BTW, what about my ssh-agent reference-counting patch?  :)

DES
-- 
Dag-Erling Sm?rgrav - des at des.no

On Sun, Feb 12, 2012 at 22:51, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
>
> ...
 Using openssh-SNAP-20120221.tar.gz

./configure && make tests

OS              Build_Target                CC                  OpenSSL
      BUILD TEST
==============  =========================== =============== =================
===== =====================RH 6.2          i686-pc-linux-gnu           egcs
2.91.66        0.9.8j
       YES   All tests passed
RH 8.0          i686-pc-linux-gnu           gcc 3.2.2-5         0.9.7a
       YES   All tests passed
RHEL 2.1        i686-pc-linux-gnu           gcc 2.96-129.7.2    0.9.6b
       YES   All tests passed
RHEL 3.0        i686-pc-linux-gnu           gcc 3.2.3-20        0.9.7a
       YES   All tests passed
RHEL 4.0 tu6    i686-pc-linux-gnu           gcc 3.4.6           0.9.7a
       YES   All tests passed
RHEL 4.0 nu8    x86_64-unknown-linux-gnu    gcc 3.4.6-8         0.9.7a
       YES   All tests passed
RHEL 4.0 nu7    powerpc64-unknown-linux-gnu gcc 3.4.6           0.9.7a
       YES   All tests passed
RHEL 5.1        x86_64-redhat-linux         gcc 4.1.2-14        0.9.8b
       YES   All tests passed
RHEL 5.4        i686-pc-linux-gnu           gcc 4.1.2-46
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.5        i686-pc-linux-gnu           gcc 4.1.2-48
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.5        x86_64-redhat-linux         gcc 4.1.2-48
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.6        i686-pc-linux-gnu           gcc 4.1.2-50
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.6        x86_64-redhat-linux         gcc 4.1.2-50
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.7        i686-redhat-linux           gcc 4.1.2-51
 0.9.8e-fips-rhel5 YES   All tests passed
RHEL 5.7        x86_64-redhat-linux         gcc 4.1.2-51
 0.9.8e-fips-rhel5 YES   All tests passed
Fedora Core r2  i686-pc-linux-gnu           gcc 3.3.3-7         0.9.7a
       YES   All tests passed
Ubuntu 8.04.04  i686-pc-linux-gnu           gcc 4.2.4-1ubuntu4  0.9.8g
       YES   All tests passed
Ubuntu 10.10    x86_64-linux-gnu            gcc 4.4.4-14ubuntu5 0.9.8o
       YES   All tests passed
AIX 5200-10-04  powerpc-ibm-aix5.2.0.0      gcc 3.3.2           0.9.8f
       YES   All tests passed
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0      gcc 4.0.0           0.9.8m
       YES   All tests passed
AIX 6100-04-06  powerpc-ibm-aix6.1.0.0      gcc 4.2.0           0.9.8k
       YES   All tests passed
AIX 7100-01-01  powerpc-ibm-aix7.1.0.0      xlc 11.1.0.6        0.9.8m
       YES   All tests passed
HP-UX 11.11     hppa2.0w-hp-hpux11.11       gcc 3.4.3           0.9.7m
       YES   All tests passed
HP-UX 11.23     ia64-hp-hpux11.23           gcc 4.1.1           0.9.8o
       YES   All tests passed
HP-UX 11.31     ia64-hp-hpux11.31           gcc 4.3.3           0.9.8n
       YES   All tests passed
HP-UX 11.31     ia64-hp-hpux11.31           C/aC++ A.06.20      0.9.8n
       YES   All tests passed

 RH      Red Hat
 RHEL    Red Hat Enterprise Linux

Non-prod usage testing in progress.

-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */

Mr Dash Four wrote:
>
>> According to the manpages it does. Could you please try this?
>>   
> Not related to the above issue in particular, but I submitted a bug 
> with Fedora yesterday (see 
> https://bugzilla.redhat.com/show_bug.cgi?id=801633) - it prevents 
> cross-compilation/build of OpenSSH on "incompatible" platforms
(i.e.
> build=anything_86, host=arm or host=ppc for example) due to execution 
> of a binary (fips_standalone_sha1 - fips calculating hmac hashes) or 
> platforms with different versions of Lib C (say, glibc on "build"
and
> uclibc on "host").
>
> The "solution" I proposed there is very ugly and I do not like it
one
> bit, though I have no idea how this can be resolved.
Scratch what I have just posted above - it is related to openssl, not 
openssh - I must fully wake up before posting! Apologies for the noise!