Hi,

OpenSSH 6.0 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains a
couple of new features and changes and bug fixes. Testing of the new
sandboxed privilege separation mode (see below) would be particularly
appreciated.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

 * ssh-keygen(1): Add optional checkpoints for moduli screening

 * ssh-add(1): new -k option to load plain keys (skipping certificates)

 * sshd(8): Add wildcard support to PermitOpen, allowing things like
   "PermitOpen localhost:*". bz #1857

 * ssh(1): support for cancelling local and remote port forwards via the
   multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
   to request the cancellation of the specified forwardings

 * support cancellation of local/dynamic forwardings from ~C commandline

Bugfixes:

 * ssh(1): ensure that $DISPLAY contains only valid characters before
   using it to extract xauth data so that it can't be used to play local
   shell metacharacter games.

 * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports

 * scp(1): suppress adding '--' to remote commandlines when the first
   argument does not start with '-'. saves breakage on some
   difficult-to-upgrade embedded/router platforms

 * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class,
   but there is an "AF21" class

 * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
   rekeying

 * ssh(1): skip attempting to create ~/.ssh when -F is passed

 * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943

 * sshd(1): send tty break to pty master instead of (probably already
   closed) slave side; bz#1859

 * sftp(1): silence error spam for "ls */foo" in directory with files;
   bz#1683

 * Fixed a number of memory and file descriptor leaks

Portable OpenSSH:

 * ssh-keygen(1): don't fail in -A on platforms that don't support ECC

 * Add optional support for LDNS, a BSD licensed DNS resolver library
   which supports DNSSEC

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

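Added example, not part of the original announcement and not OpenSSH's own code: one way to implement the $DISPLAY check described in the first Bugfixes item of the announcement above, so that the value is allowlisted before it is placed on an xauth command line. The allowlist, the length limit and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: alphanumerics plus this punctuation cover host:display.screen
 * values and socket-path style values; everything else is rejected. */
#define DISPLAY_EXTRA_CHARS ":/.-_"
#define DISPLAY_MAX_LEN 255

/* Return 1 if display is non-empty, bounded and fully allowlisted. */
int display_is_safe(const char *display)
{
    size_t i, len;

    if (display == NULL)
        return 0;
    len = strlen(display);
    if (len == 0 || len > DISPLAY_MAX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)display[i];
        if (!isalnum(c) && strchr(DISPLAY_EXTRA_CHARS, c) == NULL)
            return 0;   /* space, ;, $, `, |, quotes, ... */
    }
    return 1;
}

/* Build the xauth query only from a validated value; -1 means refuse. */
int build_xauth_cmd(char *out, size_t outlen, const char *display)
{
    int n;

    if (!display_is_safe(display))
        return -1;
    n = snprintf(out, outlen, "xauth list %s", display);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { ":0", "localhost:10.0", ":0;id", ":0 $(id)" };
    char cmd[300];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
            build_xauth_cmd(cmd, sizeof(cmd), samples[i]) == 0 ? cmd : "rejected");
    return 0;
}
```
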
On Mon, 13 Feb 2012, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.

oops, the bit about the sandboxed privsep code is a carryover from the
previous release and isn't mentioned in the feature list below after all.
It could still do with some more testing though, as I don't recall seeing
any reports from users who tried it.

-d

On 13/02/2012 07:51, Damien Miller wrote:
> -------------------------------
>
> Features:
>
>  * ssh-keygen(1): Add optional checkpoints for moduli screening
>

Hello ssh users,

I've used that new feature a lot and posted the smallest patch ever to
preserve tested primes between sessions:
https://bugzilla.mindrot.org/show_bug.cgi?id=1957

Christophe Garault

On Feb 13 17:51, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.

All tests pass on Cygwin. However, is it possible to apply the below
patch before releasing 6.0? It just added back an important system
environment variable for native Windows apps.

Thanks,
Corinna

Index: openbsd-compat/bsd-cygwin_util.c ==================================================================RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.23 diff -u -p -r1.23 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 17 Aug 2011 01:31:09 -0000 1.23 +++ openbsd-compat/bsd-cygwin_util.c 13 Feb 2012 13:45:21 -0000 @@ -76,6 +76,7 @@ static struct wenv { { NL("OS=") }, { NL("PATH=") }, { NL("PATHEXT=") }, + { NL("PROGRAMFILES=") }, { NL("SYSTEMDRIVE=") }, { NL("SYSTEMROOT=") }, { NL("WINDIR=") }

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

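Review bot: the new { NL("PROGRAMFILES=") } entry in the wenv table carries no comment, and nothing in the hunk records which native Windows programs depend on it; a one-line comment next to the entry, or a ChangeLog line, would keep it from being dropped again. The entry sits in the right place alphabetically, between "PATHEXT=" and "SYSTEMDRIVE=". Because the string includes the trailing "=", only the variable with exactly that name is listed, so any related variable that native apps also need would want its own entry in the same table.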
./configure is failing for me with
> ...
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating buildpkg.sh
> config.status: creating opensshd.init
> config.status: creating openssh.xml
> config.status: creating openbsd-compat/Makefile
> config.status: creating openbsd-compat/regress/Makefile
> config.status: creating survey.sh
> config.status: error: cannot find input file: `config.h.in'

Is it expected to fail with autoconf 2.68?

Also, not too important, but the following files have execute
permissions, and I don't think they should:
- ssh-sandbox.h
- openbsd-compat/sha2.h
- openbsd-compat/sha2.c
- contrib/solaris/README
- opensshd.init.in

Although I'm not sure about the last one, it may have it on purpose for
having opensshd.init inherit the +x, even though that's not happening in
my system.

On Mon, 13 Feb 2012, Corinna Vinschen wrote:
> On Feb 13 17:51, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains a
> > couple of new features and changes and bug fixes. Testing of the new
> > sandboxed privilege separation mode (see below) would be particularly
> > appreciated.
>
> All tests pass on Cygwin. However, is it possible to apply the below
> patch before releasing 6.0? It just added back an important system
> environment variable for native Windows apps.

Done

-d

[resent without troublesome attachments]

Damien Miller <djm at mindrot.org> writes:
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.

openssh-SNAP-20120221 fails to build on FreeBSD 9 and 10: the configure
script incorrectly concludes that FreeBSD doesn't have openpty(3), and
bsd-openpty.c doesn't build on FreeBSD. See http://www.des.no/openssh/

The same snapshot builds fine and passes all tests on 8.2p3.

BTW, what about my ssh-agent reference-counting patch? :)

DES
--
Dag-Erling Smørgrav - des at des.no

On Sun, Feb 12, 2012 at 22:51, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.0 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
>
> ...

Using openssh-SNAP-20120221.tar.gz
./configure && make tests

OS               Build_Target                 CC                   OpenSSL            BUILD  TEST
===============  ===========================  ===================  =================  =====  ================
RH 6.2           i686-pc-linux-gnu            egcs 2.91.66         0.9.8j             YES    All tests passed
RH 8.0           i686-pc-linux-gnu            gcc 3.2.2-5          0.9.7a             YES    All tests passed
RHEL 2.1         i686-pc-linux-gnu            gcc 2.96-129.7.2     0.9.6b             YES    All tests passed
RHEL 3.0         i686-pc-linux-gnu            gcc 3.2.3-20         0.9.7a             YES    All tests passed
RHEL 4.0 tu6     i686-pc-linux-gnu            gcc 3.4.6            0.9.7a             YES    All tests passed
RHEL 4.0 nu8     x86_64-unknown-linux-gnu     gcc 3.4.6-8          0.9.7a             YES    All tests passed
RHEL 4.0 nu7     powerpc64-unknown-linux-gnu  gcc 3.4.6            0.9.7a             YES    All tests passed
RHEL 5.1         x86_64-redhat-linux          gcc 4.1.2-14         0.9.8b             YES    All tests passed
RHEL 5.4         i686-pc-linux-gnu            gcc 4.1.2-46         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.5         i686-pc-linux-gnu            gcc 4.1.2-48         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.5         x86_64-redhat-linux          gcc 4.1.2-48         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.6         i686-pc-linux-gnu            gcc 4.1.2-50         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.6         x86_64-redhat-linux          gcc 4.1.2-50         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.7         i686-redhat-linux            gcc 4.1.2-51         0.9.8e-fips-rhel5  YES    All tests passed
RHEL 5.7         x86_64-redhat-linux          gcc 4.1.2-51         0.9.8e-fips-rhel5  YES    All tests passed
Fedora Core r2   i686-pc-linux-gnu            gcc 3.3.3-7          0.9.7a             YES    All tests passed
Ubuntu 8.04.04   i686-pc-linux-gnu            gcc 4.2.4-1ubuntu4   0.9.8g             YES    All tests passed
Ubuntu 10.10     x86_64-linux-gnu             gcc 4.4.4-14ubuntu5  0.9.8o             YES    All tests passed
AIX 5200-10-04   powerpc-ibm-aix5.2.0.0       gcc 3.3.2            0.9.8f             YES    All tests passed
AIX 5300-12-02   powerpc-ibm-aix5.3.0.0       gcc 4.0.0            0.9.8m             YES    All tests passed
AIX 6100-04-06   powerpc-ibm-aix6.1.0.0       gcc 4.2.0            0.9.8k             YES    All tests passed
AIX 7100-01-01   powerpc-ibm-aix7.1.0.0       xlc 11.1.0.6         0.9.8m             YES    All tests passed
HP-UX 11.11      hppa2.0w-hp-hpux11.11        gcc 3.4.3            0.9.7m             YES    All tests passed
HP-UX 11.23      ia64-hp-hpux11.23            gcc 4.1.1            0.9.8o             YES    All tests passed
HP-UX 11.31      ia64-hp-hpux11.31            gcc 4.3.3            0.9.8n             YES    All tests passed
HP-UX 11.31      ia64-hp-hpux11.31            C/aC++ A.06.20       0.9.8n             YES    All tests passed

RH    Red Hat
RHEL  Red Hat Enterprise Linux

Non-prod usage testing in progress.

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */

Mr Dash Four wrote:
>
>> According to the manpages it does. Could you please try this?
>>
> Not related to the above issue in particular, but I submitted a bug
> with Fedora yesterday (see
> https://bugzilla.redhat.com/show_bug.cgi?id=801633) - it prevents
> cross-compilation/build of OpenSSH on "incompatible" platforms (i.e.
> build=anything_86, host=arm or host=ppc for example) due to execution
> of a binary (fips_standalone_sha1 - fips calculating hmac hashes) or
> platforms with different versions of Lib C (say, glibc on "build" and
> uclibc on "host").
>
> The "solution" I proposed there is very ugly and I do not like it one
> bit, though I have no idea how this can be resolved.

Scratch what I have just posted above - it is related to openssl, not
openssh - I must fully wake up before posting!

Apologies for the noise!