Hi,

It's that time again...

OpenSSH 6.2 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains
some substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.1
========================

Features:

 * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
   SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
   and aes256-gcm@openssh.com. It uses an identical packet format to the
   AES-GCM mode specified in RFC 5647, but uses simpler and different
   selection rules during key exchange.

 * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
   for SSH protocol 2. These modes alter the packet format and compute
   the MAC over the packet length and encrypted packet rather than over
   the plaintext data. These modes are considered more secure and are
   used by default when available.

 * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
   "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
   being an encrypt-then-mac mode.

 * sshd(8): Added support for multiple required authentication in SSH
   protocol 2 via an AuthenticationMethods option. This option lists
   one or more comma-separated lists of authentication method names.
   Successful completion of all the methods in any list is required for
   authentication to complete. This allows, for example, requiring a
   user having to authenticate via public key or GSSAPI before they
   are offered password authentication.

 * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
   (KRLs), a compact binary format to represent lists of revoked keys
   and certificates that take as little as one bit per certificate when
   revoking by serial number. KRLs may be generated using ssh-keygen(1)
   and are loaded into sshd(8) via the existing RevokedKeys sshd_config
   option.

 * ssh(1): IdentitiesOnly now applies to keys obtained from a
   PKCS11Provider. This allows control of which keys are offered from
   tokens using IdentityFile.

 * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
   and "remote" in addition to its previous "yes"/"no" keywords to allow
   the server to specify whether just local or remote TCP forwarding is
   enabled.

 * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
   support fetching authorized_keys from a command in addition to (or
   instead of) from the filesystem. The command is run under an account
   specified by an AuthorizedKeysCommandUser sshd_config(5) option.

 * sftp-server(8): Now supports a -d option to allow the starting
   directory to be something other than the user's home directory.

 * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
   tokens using "ssh-keygen -lD pkcs11_provider".

 * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
   now immediately sends its SSH protocol banner to the server without
   waiting to receive the server's banner, saving time when connecting.

 * ssh(1): Added ~v and ~V escape sequences to raise and lower the
   logging level respectively.

 * ssh(1): Made the escape command help (~?) context sensitive so that
   only commands that will work in the current session are shown.

 * ssh-keygen(1): When deleting host lines from known_hosts using
   "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
   were removed.

Bugfixes:

 * ssh(1): Force a clean shutdown of ControlMaster client sessions when
   the ~. escape sequence is used. This means that ~. should now work in
   mux clients even if the server is no longer responding.

 * ssh(1): Correctly detect errors during local TCP forward setup in
   multiplexed clients. bz#2055

 * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
   adding keys with respect to certificates. It now tries to delete the
   corresponding certificate and respects the -k option to allow deleting
   of the key only.

 * sftp(1): Fix a number of parsing and command-editing bugs, including
   bz#1956

 * ssh(1): When muxmaster is run with -N, ensured that it shuts down
   gracefully when a client sends it "-O stop" rather than hanging around.
   bz#1985

 * ssh-keygen(1): When screening moduli candidates, append to the file
   rather than overwriting to allow resumption. bz#1957

 * ssh(1): Record "Received disconnect" messages at ERROR rather than
   INFO priority. bz#2057.

 * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
   bz#1981

Portable OpenSSH:

 * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
   platforms where the kernel supports it.

 * sshd(8): The seccomp-filter sandbox will not be enabled if the system
   headers support it at compile time, regardless of whether it can be
   enabled then. If the run-time system does not support seccomp-filter,
   sshd will fall back to the rlimit pseudo-sandbox.

 * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
   on the client, just on sshd(8). bz#2072

 * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
   library. bz#2073

 * Fix compilation on systems with openssl-1.0.0-fips.

 * Fix a number of errors in the RPM spec files.

Reporting Bugs:
==============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
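As an added illustration of the encrypt-then-mac item in the announcement above (not code from OpenSSH or from anyone in this thread), the sketch below contrasts the classic SSH ordering, where the MAC covers the plaintext packet, with EtM, where it covers the packet length and ciphertext. Assumptions: a SHA-256 keystream stands in for the real cipher, HMAC-SHA-256 for the MAC, whole packets arrive at once, and the EtM details (cleartext length field, length excluded from block alignment) are taken from OpenSSH's PROTOCOL document rather than from this page.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16      # block size of the cipher being modelled (AES)
MAC_LEN = 32    # HMAC-SHA-256 tag length


def toy_cipher(key, seq, data):
    """XOR with a SHA-256 keystream. Stand-in for the real cipher, NOT secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">IQ", seq, counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def tag(key, seq, data):
    """SSH MACs cover the implicit 32-bit packet sequence number first."""
    return hmac.new(key, struct.pack(">I", seq) + data, hashlib.sha256).digest()


def frame(payload, aligned_prefix):
    """Return (packet_length, padding_length || payload || padding).

    aligned_prefix is 4 when the length field is encrypted with the body
    (classic mode) and 0 when it travels in the clear (EtM, assumed)."""
    pad = BLOCK - (aligned_prefix + 1 + len(payload)) % BLOCK
    if pad < 4:                       # RFC 4253: at least 4 bytes of padding
        pad += BLOCK
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)), body


def seal_classic(enc_key, mac_key, seq, payload):
    length, body = frame(payload, 4)
    plain = length + body
    return toy_cipher(enc_key, seq, plain) + tag(mac_key, seq, plain)


def open_classic(enc_key, mac_key, seq, wire, stats):
    if len(wire) < BLOCK + MAC_LEN:
        raise ValueError("short packet")
    ciphertext, received = wire[:-MAC_LEN], wire[-MAC_LEN:]
    stats["decrypted"] += len(ciphertext)   # forced to decrypt unauthenticated data
    plain = toy_cipher(enc_key, seq, ciphertext)
    if not hmac.compare_digest(received, tag(mac_key, seq, plain)):
        raise ValueError("MAC failure")
    return plain[5:len(plain) - plain[4]]


def seal_etm(enc_key, mac_key, seq, payload):
    length, body = frame(payload, 0)
    ciphertext = toy_cipher(enc_key, seq, body)
    return length + ciphertext + tag(mac_key, seq, length + ciphertext)


def open_etm(enc_key, mac_key, seq, wire, stats):
    if len(wire) < 4 + MAC_LEN:
        raise ValueError("short packet")
    (n,) = struct.unpack(">I", wire[:4])
    if len(wire) != 4 + n + MAC_LEN:
        raise ValueError("length field does not match packet")
    covered, received = wire[:4 + n], wire[4 + n:]
    if not hmac.compare_digest(received, tag(mac_key, seq, covered)):
        raise ValueError("MAC failure")     # rejected before any decryption
    stats["decrypted"] += n
    body = toy_cipher(enc_key, seq, wire[4:4 + n])
    return body[1:len(body) - body[0]]


def flip(wire, index):
    """Return a copy of wire with one bit changed (simulated tampering)."""
    return wire[:index] + bytes([wire[index] ^ 1]) + wire[index + 1:]


def rejected(opener, *args):
    try:
        opener(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ek, mk = b"E" * 32, b"M" * 32          # constructed keys
    for name, seal, opener in (("classic", seal_classic, open_classic),
                               ("etm", seal_etm, open_etm)):
        stats = {"decrypted": 0}
        bad = flip(seal(ek, mk, 7, b"constructed payload"), 6)
        print(name, "rejected:", rejected(opener, ek, mk, 7, bad, stats),
              "bytes decrypted first:", stats["decrypted"])
```

Both receivers reject the modified packet, but only the EtM receiver does so without running the cipher over attacker-controlled bytes; the price is that the packet length is visible on the wire.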
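The AuthenticationMethods wording in the announcement above ("one or more comma-separated lists") is easy to misread, so here is an added model of it for reviewing a configuration; it is not sshd's code and not part of the original message. Assumptions: methods in a list must be completed in order and only the next method of each list is offered, as sshd_config(5) describes; the method names are the standard SSH userauth names; `audit()` and its findings are hypothetical helpers.

```python
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_methods(value):
    """Split an AuthenticationMethods value into ordered method lists.

    Whitespace separates alternative lists; commas separate the methods
    that must all succeed within one list."""
    lists = []
    for item in value.split():
        methods = tuple(item.split(","))
        unknown = [m for m in methods if m not in KNOWN_METHODS]
        if unknown:
            raise ValueError("unknown or empty method in %r: %r" % (item, unknown))
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods needs at least one list")
    return lists


class AuthState:
    """Tracks what one connection has completed so far."""

    def __init__(self, lists):
        self.remaining = [list(methods) for methods in lists]
        self.done = False

    def offered(self):
        """Methods the server would advertise next: the head of each list."""
        if self.done:
            return []
        return sorted({methods[0] for methods in self.remaining if methods})

    def succeed(self, method):
        """Record a successful method; return True once any list is complete."""
        if method not in self.offered():
            raise ValueError("%s is not offered at this stage" % method)
        for methods in self.remaining:
            if methods and methods[0] == method:
                methods.pop(0)
        self.done = any(not methods for methods in self.remaining)
        return self.done


def audit(value):
    """Flag lists that do not actually require a second factor."""
    findings = []
    for methods in parse_methods(value):
        label = ",".join(methods)
        if len(methods) == 1:
            findings.append("single-factor path: " + label)
        if methods[0] == "password":
            findings.append("password offered before any other method: " + label)
    return findings


if __name__ == "__main__":
    # Constructed value matching the announcement's example: public key or
    # GSSAPI first, password only afterwards.
    state = AuthState(parse_methods("publickey,password gssapi-with-mic,password"))
    print("offered first:", state.offered())
    state.succeed("publickey")
    print("offered next:", state.offered())
    print("complete:", state.succeed("password"))
    print(audit("publickey,password password"))
```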
On Tue, Feb 26, 2013 at 16:09:29 -0600, Damien Miller wrote:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>

Hi Damien,

One minor nit; the version numbers in
contrib/{caldera,redhat,suse}/openssh.spec need to be cranked up to
6.2p1.

--
Iain Morgan
On Tue, Feb 26, 2013 at 16:09:29 -0600, Damien Miller wrote:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>

The 20130227 snapshot builds and tests OK for the following platforms:

RHEL 6.4/x86_64, OpenSSL 1.0.0-fips
RHEL 6.4/x86_64, OpenSSL 1.0.1e
SLES 11SP1/x86_64, OpenSSL 1.0.1c
Mac OS X 10.7.5, OpenSSL 0.9.8r

--
Iain Morgan
On Feb 26, 2013, at 5:09 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>

For OpenSSH_6.2p1-snap20130227 all tests passed on:

Mac OS X 10.8.2, OpenSSL 0.9.8r
Fedora 18, OpenSSL 1.0.1c-fips

jd
On Feb 27 09:09, Damien Miller wrote:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests

Builds fine and all tests pass on Cygwin 1.7.18(*) w/ OpenSSL 1.0.1e.

Corinna

(*) Upcoming release.

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
Damien Miller wrote:
> $ ./configure && make tests

Warnings on Gentoo Linux x86_64 gcc-4.7.2 in 20130228 snapshot build:

krl.c: In function 'choose_next_state':
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 3 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 4 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 5 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 7 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 9 has type 'u_int64_t' [-Wformat]
krl.c:507:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 10 has type 'u_int64_t' [-Wformat]
krl.c: In function 'revoked_certs_generate':
krl.c:542:7: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 3 has type 'u_int64_t' [-Wformat]
krl.c:542:7: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 4 has type 'u_int64_t' [-Wformat]
krl.c: In function 'ssh_krl_from_blob':
krl.c:932:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 2 has type 'u_int64_t' [-Wformat]

This one for every single file:

<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
bsd-arc4random.c:1:0: note: this is the location of the previous definition

Additionally, during plain make:

auth2-chall.c: In function 'auth2_challenge_start':
auth2-chall.c:172:22: warning: array subscript is above array bounds [-Warray-bounds]

line 64: KbdintDevice *devices[] = {
line 172: for (i = 0; devices[i]; i++)

This from make tests:

regress/modpipe.c: In function 'parse_modification':
regress/modpipe.c:81:6: warning: format '%lli' expects argument of type 'long long int *', but argument 4 has type 'u_int64_t *' [-Wformat]

And a failed test, run as regular user:

run test agent.sh ...
Permission denied.
agent fwd proto 1 failed (exit code 0)
Permission denied (publickey,password,keyboard-interactive).
agent fwd proto 2 failed (exit code 0)
failed simple agent test
make[1]: *** [t-exec] Error 1

I ran make clean, make, and make tests separately, the test fails
again, though slightly less verbosely:

run test agent.sh ...
Permission denied.
Permission denied (publickey,password,keyboard-interactive).
make[1]: *** [t-exec] Error 1

Running the test manually with -x as such:

cd regress && \
export TEST_SHELL=sh && \
export TEST_ENV=MALLOC_OPTIONS=AFGJPRX && \
export TEST_SSH_SSH=/tmp/openssh/ssh && \
export TEST_SSH_SSHD=/tmp/openssh/sshd && \
export TEST_SSH_SSHADD=/tmp/openssh/ssh-add && \
export TEST_SSH_SSHAGENT=/tmp/openssh/ssh-agent && \
sh -x $(pwd)/test-exec.sh $(pwd) $(pwd)/agent.sh

Gives:

++ trace 'agent forwarding'
++ echo 'trace: agent forwarding'
++ '[' X = Xyes ']'
++ for p in 1 2
++ /tmp/openssh/ssh -A -1 -F /tmp/openssh/regress/ssh_proxy somehost ssh-add -l
++ '[' 0 -ne 0 ']'
++ /tmp/openssh/ssh -A -1 -F /tmp/openssh/regress/ssh_proxy somehost '/tmp/openssh/ssh -1 -F /tmp/openssh/regress/ssh_proxy somehost exit 51'
Permission denied.
++ '[' 255 -ne 51 ']'
++ fail 'agent fwd proto 1 failed (exit code 0)'
++ echo 'FAIL: agent fwd proto 1 failed (exit code 0)'
++ RESULT=1
++ echo 'agent fwd proto 1 failed (exit code 0)'
agent fwd proto 1 failed (exit code 0)
++ for p in 1 2
++ /tmp/openssh/ssh -A -2 -F /tmp/openssh/regress/ssh_proxy somehost ssh-add -l
++ '[' 0 -ne 0 ']'
++ /tmp/openssh/ssh -A -2 -F /tmp/openssh/regress/ssh_proxy somehost '/tmp/openssh/ssh -2 -F /tmp/openssh/regress/ssh_proxy somehost exit 52'
Permission denied (publickey,password,keyboard-interactive).
++ '[' 255 -ne 52 ']'
++ fail 'agent fwd proto 2 failed (exit code 0)'
++ echo 'FAIL: agent fwd proto 2 failed (exit code 0)'
++ RESULT=1
++ echo 'agent fwd proto 2 failed (exit code 0)'
agent fwd proto 2 failed (exit code 0)

Running:

$ unset SSH_AGENT_PID SSH_AUTH_SOCK

makes no difference.

//Peter
openssh-SNAP-20130228.tar.gz builds cleanly, with all tests passed on:

Slackware-14.0 64-bit (gcc-4.7.1, openssl-1.0.1c)
Slackware-13.0 32-bit (gcc-4.3.3, openssl-0.9.8k)

Regards,

Andy

On Wed, 27 Feb 2013, Damien Miller wrote:

> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin
Damien Miller wrote:
>OpenSSH 6.2 is almost ready for release, so we would appreciate testing
>on as many platforms and systems as possible. This release contains
>some substantial new features and a number of bugfixes.
[...]
>$ ./configure && make tests

On Ubuntu raring with Linux 3.8-rc6 and OpenSSL 1.0.1c, this builds fine
but I get this test failure:

run test connect-privsep.sh ...
Connection closed by UNKNOWN
WARNING: ssh privsep/sandbox+proxyconnect protocol 1 failed
Connection closed by UNKNOWN
WARNING: ssh privsep/sandbox+proxyconnect protocol 2 failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'A' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'A' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'F' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'F' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'G' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'G' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'H' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'H' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'J' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'J' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'P' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'P' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'R' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'R' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'S' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'S' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'X' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'X' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt 'Z' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt 'Z' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '<' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '<' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 mopt '>' failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 mopt '>' failed
failed proxy connect with privsep

Advice welcome on how to debug this.

--
Colin Watson [cjwatson at debian.org]
Damien Miller <djm at mindrot.org> writes:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Hi,

I'd hoped to see the new version of ssh-copy-id included in 6.2,
particularly given that the associated bug is tagged as blocking V_6_2

  https://bugzilla.mindrot.org/show_bug.cgi?id=1980

Is the fact that it's not in yet an oversight, or were you still waiting
on me to do something before you're ready to include it?

As mentioned in my last comment on that bug, I added the -o option 12
days ago, so the version to use would be available here:

  http://git.hands.com/ssh-copy-id

=-=-=-

BTW if anyone's got access to systems with particularly ancient or
deranged shells, where they would realistically like to run this script,
then bug reports telling me that there are still people using shells
that don't understand $(...) and/or ${FOO:+BAR}, for instance, would be
interesting -- although if the machine in question is going to get
powered up for the first time this millennium in order to do the test,
then I'm less interested. ;-)

Please grab a copy of the script from here, and give it a go:

  http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=HEAD

the man page is here -- proof reading would be welcome:

  http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id.1;hb=HEAD

(of course I just found a couple of things to tweak on the man page :-) )

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
SNAP: openssh-SNAP-20130302.tar.gz
AIX: 7100-02-01-1245
Compiler: xlc IBM XL C/C++ for AIX, V11.1 (5724-X13) Version: 11.01.0000.0012

./configure - OK
make - OK
make tests - FAIL

(cd openbsd-compat && make)
Target "all" is up to date.
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress;
cc -qlanglvl=extc89 -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz
"/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64 differs from previous declaration on line 143 of "/usr/include/sys/mman.h".
"/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of parameter 6 differs from the previous type "long".
make: 1254-004 The error code from the last command is 1.

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130302.tar.gz

OS              Build_Target              CC                   OpenSSL      BUILD  TEST
==============  ========================  ===================  ===========  =====  ================
RHEL 2.1        i686-pc-linux-gnu         gcc 2.96-129.7.2     0.9.6b-eng   OK     all tests passed
RHL 8.0         i686-pc-linux-gnu         gcc 3.2.2-5          0.9.7a       OK     all tests passed
RHEL 3.0        i686-pc-linux-gnu         gcc 3.2.3-20         0.9.7a       OK     all tests passed
Fedora Core r2  i686-pc-linux-gnu         gcc 3.3.3-7          0.9.7a       OK*1   all tests passed
RHEL 4.0 nu6    i686-pc-linux-gnu         gcc 3.4.6            0.9.7a       OK*1   all tests passed
RHEL 4.0 nu8    x86_64-unknown-linux-gnu  gcc 3.4.6-8          0.9.7a       OK*1   all tests passed
RHEL 5.4        i686-pc-linux-gnu         gcc 4.1.2-46         0.9.8e-fips  OK     all tests passed
RHEL 5.5        i686-pc-linux-gnu         gcc 4.1.2-48         0.9.8x       OK*2   all tests passed
RHEL 5.5        x86_64-redhat-linux       gcc 4.1.2-48         0.9.8e-fips  OK     all tests passed
RHEL 5.6        i686-pc-linux-gnu         gcc 4.1.2-50         0.9.8e-fips  OK     all tests passed
RHEL 5.6        x86_64-redhat-linux       gcc 4.1.2-50         0.9.8x       OK*2   all tests passed
RHEL 5.7        i686-redhat-linux         gcc 4.1.2-51         0.9.8e-fips  OK     all tests passed
RHEL 5.7        x86_64-redhat-linux       gcc 4.1.2-51         0.9.8x       OK*4   all tests passed
RHEL 5.8        i686-redhat-linux         gcc 4.1.2-52         0.9.8e-fips  OK     all tests passed
RHEL 5.8        x86_64-redhat-linux       gcc 4.1.2-52         0.9.8x       OK*2   all tests passed
RHEL 5.9        x86_64-redhat-linux       gcc 4.1.2-54         0.9.8x       OK*4   all tests passed
RHEL 6.2        i686-redhat-linux         gcc 4.4.6-3          0.9.8x       OK*2   all tests passed
RHEL 6.2        x86_64-redhat-linux       gcc 4.4.6-3          1.0.0-fips   OK     all tests passed
Ubuntu 8.04.04  i686-pc-linux-gnu         gcc 4.2.4-1ubuntu4   0.9.8g       OK     all tests passed
Ubuntu 11.10    x86_64-linux-gnu          gcc 4.6.1-2ubuntu5   1.0.0e       OK     FAIL *7
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0    gcc 4.0.0            0.9.8k       OK     FAIL *6
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0    xlc 08.00.0000.0016  0.9.8k       OK     FAIL *5
AIX 6100-07-06  powerpc-ibm-aix6.1.0.0    gcc 4.2.0            0.9.8x       OK     FAIL *6
AIX 6100-07-06  powerpc-ibm-aix6.1.0.0    xlc 11.01.0000.0012  0.9.8x       OK     FAIL *5
AIX 7100-02-01  powerpc-ibm-aix7.1.0.0    xlc 11.01.0000.0012  0.9.8x       OK     FAIL *5
HP-UX 11.23     ia64-hp-hpux11.23         gcc 4.1.1            0.9.8w       OK     FAIL *8
HP-UX 11.31     ia64-hp-hpux11.31         gcc 4.6.2            0.9.8t       OK     all tests passed
HP-UX 11.31     ia64-hp-hpux11.31         aCC A.06.20          0.9.8t       OK     all tests passed

# RHL  Red Hat Linux
# RHEL Red Hat Enterprise Linux

# *1 --without-zlib-version-check
# *2 missing headers - so zlib 1.2.7 and openssl 0.9.8x in /var/tmp/ssh/
# *3 missing zlib.h - so zlib 1.2.7 /var/tmp/ssh/
# *4 missing openssl.h - so openssl 0.9.8x in /var/tmp/ssh/

# *5 make tests fails immediately - xlc_r
"/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64 differs from previous declaration on line 143 of "/usr/include/sys/mman.h".
"/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of parameter 6 differs from the previous type "long".
make: 1254-004 The error code from the last command is 1.

# *6 make tests fails immediately - gcc
$ gmake tests
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/var/tmp/ssh/openssh/openbsd-compat'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/openbsd-compat'
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
gcc -I. -I. -I/opt/phs/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe regress/modpipe.c \
-L. -Lopenbsd-compat/ -L/opt/phs/lib -Wl,-blibpath:/usr/lib:/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz
In file included from ./includes.h:100,
                 from ./openbsd-compat/getopt.c:32,
                 from regress/modpipe.c:26:
/usr/include/sys/mman.h:148: error: conflicting types for 'mmap64'
/usr/include/sys/mman.h:143: error: previous declaration of 'mmap64' was here
gmake: *** [regress/modpipe] Error 1

# *7 Make tests fails here: hangs forever
run test forwarding.sh ...
Warning: Could not request remote forwarding.
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /usr/src/UTILS/SSH/openssh/regress/ls.copy
corrupted copy of /bin/ls
Warning: remote port forwarding failed for listen port 3350

# *8 make test fails here:
run test integrity.sh ...
test integrity: hmac-sha1 @2900
Invalid modification spec "xor:2900:1"
ssh_exchange_identification: Connection closed by remote host.
unexpected error mac hmac-sha1 at 2900
....
failed integrity
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
GMake: *** [tests] Error 2
On Fri, 1 Mar 2013, Kevin Brott wrote:> SNAP: openssh-SNAP-20130302.tar.gz > AIX: 7100-02-01-1245 > Compiler: xlc IBM XL C/C++ for AIX, V11.1 (5724-X13) Version: > 11.01.0000.0012Thanks again for your extensive testing. For this failure, could you try this patch? Index: regress/modpipe.c ==================================================================RCS file: /var/cvs/openssh/regress/modpipe.c,v retrieving revision 1.5 diff -u -p -r1.5 modpipe.c --- regress/modpipe.c 20 Feb 2013 10:16:09 -0000 1.5 +++ regress/modpipe.c 3 Mar 2013 23:26:08 -0000 @@ -16,6 +16,8 @@ /* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ +#include "includes.h" + #include <sys/types.h> #include <unistd.h> #include <stdio.h>
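Review bot: The added `#include "includes.h"` at the top of regress/modpipe.c has no comment saying that it must stay ahead of `<sys/types.h>` and the other system headers. The gcc trace in the AIX report shows includes.h previously reaching this file only through openbsd-compat/getopt.c at modpipe.c line 26, after the system headers, so the ordering looks like the whole point of the change; a one-line comment above the include would keep a later resync against the `$OpenBSD: modpipe.c,v 1.4` revision from dropping or moving it. It is also worth confirming that includes.h tolerates being pulled in twice, since both the new line and the getopt.c include remain.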
Damien Miller <djm at mindrot.org> writes:
> It's that time again...

SNAP-20130306 builds fine on FreeBSD 9. On FreeBSD 10, it still gets
confused about utmp / wtmp / utmpx, just like 6.0 and 6.1. This is
because of code in loginrec.c that tries to use utmp without checking
whether it's available. Line 625 says

#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)

which may be true even if UTMP is not available.

DES
--
Dag-Erling Smørgrav - des at des.no
On 02/26/2013 11:09 PM, Damien Miller wrote:

> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>

I tried to build the 20130307 snapshot on IRIX 5.3 but ran into problems.

First problem is that configure hangs in the select+rlimit test. Taking away the setrlimit calls changes nothing so I guess it might have something to do with the use of /dev/null, though replacing /dev/null with /dev/zero does not help either. There did not seem to be a way to bypass the test (i.e. setting something like 'select_works_with_rlimit=no') so I had to modify configure to avoid it.

Bypassing the select+rlimit test the build then continues until this happens:

    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl -I/usr/tgcware/include -DHAVE_CONFIG_H -c port-tun.c
    In file included from port-tun.c:24:
    /usr/include/netinet/ip.h:34: error: redefinition of `struct ip'
    /usr/include/netinet/ip.h:112: error: redefinition of `struct ip_timestamp'
    /usr/include/netinet/ip.h:124: error: redefinition of `union ipt_timestamp'
    /usr/include/netinet/ip.h:126: error: redefinition of `struct ipt_ta'
    make[1]: *** [port-tun.o] Error 1

As a workaround I removed

    #include <netinet/in_systm.h>
    #include <netinet/ip.h>

from defines.h.

With that workaround the build then continues until sshd is linked:

    gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -Wl,-rpath,/usr/tgcware/lib -L/usr/tgcware/lib -Wl,-no_rqs -lssh -lopenbsd-compat -lcrypto -lz -lgen
    ld: ERROR 33: Unresolved text symbol "usleep" -- 1st referenced by sshd.o.
    ld: INFO 60: Output file removed because of error.
    collect2: ld returned 1 exit status

IRIX 5.3 does not have usleep anywhere. I worked around this by replacing usleep with sginap.

A generic IRIX issue is the use of killpg in sshd.c.

    sshd.c: In function `grace_alarm_handler':
    sshd.c:368: warning: implicit declaration of function `killpg'

On IRIX using this function requires _BSD_SIGNALS to be defined otherwise results are unpredictable. See the manpage here for more details:
http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?cmd=getdoc&coll=0650&db=man&fname=3%20killpg

Looking at the kill() manpage it seems to me that killpg could be replaced with kill(0, SIGTERM) to achieve the same thing.

With all the workarounds I can get the build to complete. The testsuite hangs in the 'test stderr data transfer: proto 2' tests (both with and without -n) which is unchanged from previous releases.

-tgc
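The kill(0, SIGTERM) replacement suggested in the message above can be checked with a short C program. This is an added example, not code from the thread or from OpenSSH; the names leader and group_term_demo are made up for it, and it assumes a POSIX system where a pid argument of 0 to kill() addresses the caller's process group.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a child that leads its own process group, so the signal cannot
 * reach the program that called group_term_demo(). */
static void leader(void)
{
    int status;
    pid_t member;

    if (setpgid(0, 0) == -1)
        _exit(2);
    member = fork();                /* inherits the leader's process group */
    if (member == -1)
        _exit(2);
    if (member == 0)                /* group member, default SIGTERM action */
        for (;;)
            pause();
    /* Assumption of this example: the sender ignores SIGTERM first so that
     * it survives the signal it sends to its own group. */
    signal(SIGTERM, SIG_IGN);
    if (kill(0, SIGTERM) == -1)     /* pid 0 = caller's process group */
        _exit(2);
    if (waitpid(member, &status, 0) != member)
        _exit(2);
    _exit(WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM ? 0 : 1);
}

/* Returns 1 if the group member died from SIGTERM and the sender survived
 * to report it, 0 if not, -1 if the demo could not be set up. */
int group_term_demo(void)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0)
        leader();
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("kill(0, SIGTERM) terminated the group member: %s\n",
           group_term_demo() == 1 ? "yes" : "no");
    return 0;
}
```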
Here's another issue: FreeBSD's strnvis() is not 100% compatible with OpenBSD's, and OpenSSH can segfault when trying to use it. The attached patch adds a BROKEN_STRNVIS conditional (inspired by BROKEN_GLOB) and defines it on FreeBSD.

DES
--
Dag-Erling Smørgrav - des at des.no

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-strnvis.diff
Type: text/x-patch
Size: 2245 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20130307/0d44b5ae/attachment-0001.bin>
On Fri, 8 Mar 2013, Kevin Brott wrote:

> Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux
> 11.11 is still not passing make tests.
>
> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130309.tar.gz
>

[snip]

> test connection multiplexing: cmd exit
> test connection multiplexing: cmd stop
> failed connection multiplexing
> *** Error exit code 1

If you run the regress tests 10 times, does it fail all 10 times? I ask because my SVR5 platforms fail there about half the time.

--
Tim Rice Multitalents tim at multitalents.net
Damien Miller <djm at mindrot.org> writes:

> On Fri, 15 Mar 2013, Philip Hands wrote:
>
>> Damien Miller <djm at mindrot.org> writes:
>>
>> > So, did all the portability issues get sorted out here? AFAIK there was
>> > something to do with Solaris that was lingering...
>>
>> The current state is that the solaris branch still doesn't work because
>> the solaris version of getopt doesn't take options.
>>
>> There was a suggestion of detecting at the start of the script whether
>> one is on an ancient shell, and if so then exec ksh or some other better
>> shell to allow the script to work unmolested, but then it looks like I
>> need to use getopts rather than getopt too (as solaris getopt doesn't
>> like options).
>>
>> I was planning on getting a solaris VM image so that I can test this
>> stuff today.
>
> Thanks - making shell-script work on every horrid platform is an
> unrewarding and usually thankless task.

I'd forgotten quite how maddening Solaris is. ;-)

Solaris sh trap's failure to deal with '-' has decided me to go with the test and exec ksh approach, but while I'm cherrypicking the stuff like getopts replacement, and avoiding grep -q etc. from the solaris branch, it would be nice if people with solaris could try to spot any remaining breakage in this:

http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris

It's not greatly tested, but it was working for some things. The option handling needs proper testing on lots of platforms (I'll be grabbing that into the master branch later today).

Also, the just reverted "no IdentitiesOnly=yes" commit is needed for me to test here, as I've not got OpenSSH installed on my Solaris VM, so I cannot test the exact version I want to publish at present.

I'll do the cherrypicking later today, but here's something to go on with.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND