Hi,

OpenSSH 6.1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains a
couple of new features and bug fixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

 * sshd(8): This release turns on pre-auth sandboxing sshd by default for
   new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
 * ssh-keygen(1): Add options to specify starting line number and number of
   lines to process when screening moduli candidates, allowing processing
   of different parts of a candidate moduli file in parallel
 * sshd(8): The Match directive now supports matching on the local (listen)
   address and port upon which the incoming connection was received via
   LocalAddress and LocalPort clauses.
 * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
   and {Allow,Deny}{Users,Groups}
 * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
   an argument to refuse all port-forwarding requests.
 * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
 * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
   to append some arbitrary text to the server SSH protocol banner.

Bugfixes:

 * ssh(1)/sshd(8): Don't spin in accept() in situations of file
   descriptor exhaustion. Instead back off for a while.
 * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
   they were removed from the specification. bz#2023,
 * sshd(8): Handle long comments in config files better. bz#2025
 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly
   picked up. bz#1995
 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
   on platforms that use login_cap.

Portable OpenSSH:

 * sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
   sandbox from the Linux SECCOMP filter sandbox when the latter is
   not available in the kernel.
 * ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
   retrieve a CNAME SSHFP record.
 * Fix cross-compilation problems related to pkg-config. bz#1996

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
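A pre-upgrade check for three of the changes announced above, as an added example that is not part of the original message or of OpenSSH: it flags MACs lines naming the two removed algorithms, Match blocks that rely on the new LocalAddress/LocalPort criteria, and a carried-over config that does not set UsePrivilegeSeparation to sandbox. The function names, the sample config and the simplified parser (no quoted arguments) are assumptions made for illustration.

```python
import re

# MAC names the 6.1 announcement lists as removed from ssh(1)/sshd(8).
REMOVED_MACS = {"hmac-sha2-256-96", "hmac-sha2-512-96"}
# Match criteria the announcement introduces in 6.1.
NEW_MATCH_CRITERIA = {"localaddress", "localport"}

# Constructed sample config (not from the original message).
SAMPLE = """\
# sshd_config carried over from an older install
Port 22
ListenAddress 0.0.0.0
UsePrivilegeSeparation yes
MACs hmac-sha2-256,hmac-sha2-256-96,hmac-sha1
Match LocalPort 2222 User backup
    PermitOpen none
"""


def directives(text):
    """Yield (lineno, lowercased keyword, argument) for each config line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            # Keyword and argument are separated by whitespace or '='.
            key, _, arg = re.sub(r"[\s=]+", " ", line, count=1).partition(" ")
            yield lineno, key.lower(), arg.strip()


def audit(text):
    """Return (lineno, message) findings; lineno 0 means file-wide."""
    findings, privsep, in_match = [], None, False
    for lineno, key, arg in directives(text):
        if key == "match":
            in_match = True
            # Criteria and patterns alternate: Match <crit> <pat> <crit> <pat>
            new = sorted({w.lower() for w in arg.split()[0::2]} & NEW_MATCH_CRITERIA)
            if new:
                findings.append((lineno, "Match on %s needs sshd 6.1 or later" % ", ".join(new)))
        elif key == "macs":
            gone = sorted({m.strip() for m in arg.split(",")} & REMOVED_MACS)
            if gone:
                findings.append((lineno, "MACs lists removed algorithm: %s" % ", ".join(gone)))
        elif key == "useprivilegeseparation" and not in_match and privsep is None:
            privsep = arg.lower()  # first global value is the one sshd uses
    if privsep != "sandbox":
        findings.append((0, "UsePrivilegeSeparation is %r, not 'sandbox'" % privsep))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(lineno or "-", message)
```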
On Tue, Aug 21, 2012 at 4:10 AM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> ...

OS              Build_Target              CC                  OpenSSL      BUILD  TEST
==============  ========================  ==================  ===========  =====  ================
RHEL 2.1        i686-pc-linux-gnu         gcc 2.96-129.7.2    0.9.6b       OK     all tests passed
RHL 8.0         i686-pc-linux-gnu         gcc 3.2.2-5         0.9.7a       OK     all tests passed
RHEL 3.0        i686-pc-linux-gnu         gcc 3.2.3-20        0.9.7a       OK     all tests passed
Fedora Core r2  i686-pc-linux-gnu         gcc 3.3.3-7         0.9.7a       OK*1   all tests passed
RHEL 4.0 nu6    i686-pc-linux-gnu         gcc 3.4.6           0.9.7a       OK*1   all tests passed
RHEL 4.0 nu8    x86_64-unknown-linux-gnu  gcc 3.4.6-8         0.9.7a       OK*1   all tests passed
RHEL 5.4        i686-pc-linux-gnu         gcc 4.1.2-46        0.9.8e-fips  OK     all tests passed
RHEL 5.4        x86_64-redhat-linux       gcc 4.1.2-46        0.9.8e-fips  OK*2   all tests passed
RHEL 5.5        i686-pc-linux-gnu         gcc 4.1.2-48        0.9.8e-fips  OK     all tests passed
RHEL 5.5        x86_64-redhat-linux       gcc 4.1.2-48        0.9.8e-fips  OK     all tests passed
RHEL 5.6        i686-pc-linux-gnu         gcc 4.1.2-50        0.9.8e-fips  OK     all tests passed
RHEL 5.6        x86_64-redhat-linux       gcc 4.1.2-50        0.9.8e-fips  OK*2   all tests passed
RHEL 5.7        i686-redhat-linux         gcc 4.1.2-51        0.9.8e-fips  OK     all tests passed
RHEL 5.7        x86_64-redhat-linux       gcc 4.1.2-51        0.9.8e-fips  OK     all tests passed
RHEL 6.2        i686-redhat-linux         gcc 4.4.6-3         1.0.0-fips   OK*2   all tests passed
RHEL 6.2        x86_64-redhat-linux       gcc 4.4.6-3         1.0.0-fips   OK     all tests passed
Ubuntu 8.04.04  i686-pc-linux-gnu         gcc 4.2.4-1ubuntu4  0.9.8g       OK     all tests passed
Ubuntu 11.04    x86_64-linux-gnu          gcc 4.5.2-8ubuntu4  0.9.8o       OK     all tests passed
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0    gcc 4.0.0           0.9.8m       OK     all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0    xlc 8.0.0.16        0.9.8f       OK*3   all tests passed
AIX 6100-04-06  powerpc-ibm-aix6.1.0.0    gcc 4.2.0           0.9.8k       OK     all tests passed
AIX 6100-04-03  powerpc-ibm-aix6.1.0.0    xlc 10.1.0.8        0.9.8k       OK*3   all tests passed
AIX 7100-01-05  powerpc-ibm-aix7.1.0.0    xlc 11.1.0.6        0.9.8m       OK     all tests passed
HP-UX 11.23     ia64-hp-hpux11.23         gcc 4.1.1           0.9.8o       OK     all tests passed
HP-UX 11.31     ia64-hp-hpux11.31         gcc 4.6.2           0.9.8n       OK     all tests passed
HP-UX 11.31     ia64-hp-hpux11.31         C/aC++ A.06.20      0.9.8n       OK     all tests passed

Zero problems getting this snapshot to compile that weren't because of
missing/old system zlib/openssl headers.

-- 
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
openssh-SNAP-20120824, Solaris 11

- rlimit sandbox fails at configure, as select fails (I think this is expected)
- make tests hangs at:

...
run test reconfigure.sh ...
/export/data/build/openssh-SNAP-20120824/regress/reconfigure.sh: warning: line 18: `...` obsolete, use $(...)
/export/data/build/openssh-SNAP-20120824/regress/reconfigure.sh: warning: line 25: `...` obsolete, use $(...)
ok simple connect after reconfigure
run test dynamic-forward.sh ...
/export/data/build/openssh-SNAP-20120824/regress/dynamic-forward.sh: warning: line 6: `...` obsolete, use $(...)
/export/data/build/openssh-SNAP-20120824/regress/dynamic-forward.sh: warning: line 27: `...` obsolete, use $(...)
/export/data/build/openssh-SNAP-20120824/regress/dynamic-forward.sh: warning: line 53: `...` obsolete, use $(...)
nc: read failed (0/8): Broken pipe
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /export/data/build/openssh-SNAP-20120824/regress/ls.copy
corrupted copy of /bin/ls
nc: read failed (0/8): Broken pipe
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /export/data/build/openssh-SNAP-20120824/regress/ls.copy
corrupted copy of /bin/ls
On 8/21/12, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 6.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and bug fixes.
>

We get the following failure(s) on Haiku with snapshot 20120824:

run test connect.sh ...
ok simple connect
run test proxy-connect.sh ...
ok proxy connect
run test connect-privsep.sh ...
Connection closed by UNKNOWN
WARNING: ssh privsep/sandbox+proxyconnect protocol 1 failed
Connection closed by UNKNOWN
WARNING: ssh privsep/sandbox+proxyconnect protocol 2 failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'A' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'A' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'F' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'F' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'G' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'G' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'H' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'H' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'J' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'J' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'P' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'P' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'R' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'R' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'S' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'S' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'X' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'X' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'Z' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'Z' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '<' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '<' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '>' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '>' failed
failed proxy connect with privsep
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/boot/common/develop/haikuports/net-misc/openssh/work/openssh/regress'
make: *** [tests] Error 2

All of the tests that are run before the failure(s) passed.

-scottmc
Ran fine on SPARC Solaris 10 using Sun Studio 12.

ok expand %h and %n
all tests passed

Damien Miller wrote:
> Hi,
>
> OpenSSH 6.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Features:
>
>  * sshd(8): This release turns on pre-auth sandboxing sshd by default for
>    new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
>  * ssh-keygen(1): Add options to specify starting line number and number of
>    lines to process when screening moduli candidates, allowing processing
>    of different parts of a candidate moduli file in parallel
>  * sshd(8): The Match directive now supports matching on the local (listen)
>    address and port upon which the incoming connection was received via
>    LocalAddress and LocalPort clauses.
>  * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
>    and {Allow,Deny}{Users,Groups}
>  * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
>  * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
>  * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
>    an argument to refuse all port-forwarding requests.
>  * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
>  * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
>  * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
>    to append some arbitrary text to the server SSH protocol banner.
>
> Bugfixes:
>
>  * ssh(1)/sshd(8): Don't spin in accept() in situations of file
>    descriptor exhaustion. Instead back off for a while.
>  * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
>    they were removed from the specification. bz#2023,
>  * sshd(8): Handle long comments in config files better. bz#2025
>  * ssh(1): Delay setting tty_flag so RequestTTY options are correctly
>    picked up. bz#1995
>  * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
>    on platforms that use login_cap.
>
> Portable OpenSSH:
>
>  * sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
>    sandbox from the Linux SECCOMP filter sandbox when the latter is
>    not available in the kernel.
>  * ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
>    retrieve a CNAME SSHFP record.
>  * Fix cross-compilation problems related to pkg-config. bz#1996
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.

-- 
Jeff Wieland                  | Purdue University
Network Systems Administrator | ITSO UNIX Platforms
Voice: (765)496-8234          | 401 S. Grant Street
FAX: (765)496-1380            | West Lafayette, IN 47907
Hi Damien,

On Aug 21 21:10, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and bug fixes.

Builds fine on Cygwin, all tests pass.

However, we're just about to change the w32api headers from the Mingw.org
based ones to the Mingw-w64 based ones. With the new set of Windows
headers, there's a collision with definitions from the wincrypt.h header.
It would be nice if we could get rid of the problem even before the new
headers are available. The patch is simple:

Index: openbsd-compat/bsd-cygwin_util.h ==================================================================RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.14 diff -u -p -r1.14 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 30 Mar 2012 03:07:07 -0000 1.14 +++ openbsd-compat/bsd-cygwin_util.h 28 Aug 2012 08:38:35 -0000 @@ -36,6 +36,8 @@ #undef ERROR +#define WIN32_LEAN_AND_MEAN + #include <windows.h> #include <sys/cygwin.h> #include <io.h>

This is also compatible with the older Mingw.org header files. Is it
still ok to put this into 6.1?

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
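
Review bot: the #define WIN32_LEAN_AND_MEAN added ahead of #include <windows.h> in bsd-cygwin_util.h is unconditional and carries no comment. Wrapping it in #ifndef WIN32_LEAN_AND_MEAN / #endif would avoid a macro redefinition warning when a build already passes the macro on the compiler command line, and a one-line comment naming the wincrypt.h collision would record why the define has to stay in front of the include.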