Hi,

OpenSSH 6.3 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains
some substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.2
=========================

This release is predominantly a bugfix release:

Features:

 * sshd(8): add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
   or hostkeys on smartcards.

 * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument
   to the existing RekeyLimit option. RekeyLimit is now supported in
   sshd_config as well as on the client.

 * sshd(8): standardise logging of information during user authentication.

   The presented key/cert and the remote username (if available) are now
   logged in the authentication success/failure message on the same log
   line as the local username, remote host/port and protocol in use.
   Certificate contents and the key fingerprint of the signing CA are
   logged too.

   Including all relevant information on a single line simplifies log
   analysis as it is no longer necessary to relate information scattered
   across multiple log entries.

 * ssh(1): add the ability to query supported ciphers, MAC algorithms, key
   types and key exchange methods.

 * ssh(1): support ProxyCommand=- to allow support cases where stdin and
   stdout already point to the proxy.

 * ssh(1): allow IdentityFile=none

 * ssh(1)/sshd(8): add -E option to ssh and sshd to append debugging logs
   to a specified file instead of stderr or syslog.

 * sftp(1): add support for resuming partial downloads using the "reget"
   command and on the sftp commandline or on the "get" commandline using
   the "-a" (append) option.

 * ssh(1): add an "IgnoreUnknown" configuration option to selectively
   suppress errors arising from unknown configuration directives.

 * sshd(8): add support for submethods to be appended to required
   authentication methods listed via AuthenticationMethods.

Bugfixes:

 * sshd(8): fix refusal to accept certificate if a key of a different type
   to the CA key appeared in authorized_keys before the CA key.

 * ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for timers so
   that things like keepalives and rekeying will work properly over clock
   steps.

 * sftp(1): update progressmeter when data is acknowledged, not when it's
   sent. bz#2108

 * ssh(1)/ssh-keygen(1): improve error messages when the current user does
   not exist in /etc/passwd; bz#2125

 * ssh(1): reset the order in which public keys are tried after partial
   authentication success.

 * ssh-agent(1): clean up socket files after SIGINT when in debug mode;
   bz#2120

 * ssh(1) and others: avoid confusing error messages in the case of broken
   system resolver configurations; bz#2122

 * ssh(1): set TCP nodelay for connections started with -N; bz#2124

 * ssh(1): correct manual for permission requirements on ~/.ssh/config;
   bz#2078

 * ssh(1): fix ControlPersist timeout not triggering in cases where TCP
   connections have hung. bz#1917

 * ssh(1): properly detach a ControlPersist master from its controlling
   terminal.

 * sftp(1): avoid crashes in libedit when it has been compiled with
   multi-byte character support. bz#1990

 * sshd(8): when running sshd -D, close stderr unless we have explicitly
   requested logging to stderr. bz#1976

 * ssh(1): fix incomplete bzero; bz#2100

 * sshd(8): log an error and exit if ChrootDirectory is specified and
   running without root privileges.

 * Many improvements to the regression test suite. In particular log files
   are now saved from ssh and sshd after failures.

 * Fix a number of memory leaks. bz#1967 bz#2096 and others

 * sshd(8): fix public key authentication when a :style is appended to
   the requested username.

 * ssh(1): do not fatally exit when attempting to cleanup
   multiplexing-created channels that are incompletely opened. bz#2079

Portable OpenSSH:

 * Major overhaul of contrib/cygwin/README

 * Fix unaligned accesses in umac.c for strict-alignment architectures.
   bz#2101

 * Enable -Wsizeof-pointer-memaccess if the compiler supports it. bz#2100

 * Fix broken incorrect commandline reporting errors. bz#1448

 * Only include SHA256 and ECC-based key exchange methods if libcrypto has
   the required support.

 * A number of portability fixes for Android:
   * Don't try to use lastlog on Android; bz#2111
   * Fall back to using openssl's DES_crypt function on platforms that don't
     have a native crypt() function; bz#2112
   * Test for fd_mask, howmany and NFDBITS rather than trying to enumerate
     the platforms that don't have them. bz#2085
   * Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is.
     bz#2085
   * Add a null implementation of endgrent for platforms that don't have
     it (eg Android) bz#2087
   * Support platforms, such as Android, that lack struct passwd.pw_gecos.
     bz#2086

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
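
The single-line authentication records described in the announcement above can be analysed with one pattern per line, without correlating entries. The following is an added example, not code from OpenSSH or from the original post; the field layout, the sample log lines and the fingerprints are constructed assumptions, and parse_auth_line, parse_log, shared_keys and failed_sources are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Assumed record layout (after the syslog prefix):
#   <result> <method>[/<submethod>] for [invalid user ]<user>
#       from <host> port <port> <proto>[: <key or certificate details>]
# <user> is matched greedily, so a username that itself contains
# " from ... port ..." cannot displace the real host and port fields.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed|Postponed) "
    r"(?P<method>[\w-]+)(?:/(?P<submethod>\S+))? for "
    r"(?P<invalid>invalid user )?(?P<user>.+) from "
    r"(?P<host>\S+) port (?P<port>\d+) (?P<proto>ssh[12])"
    r"(?:: (?P<info>.*))?$"
)
CERT_RE = re.compile(
    r"(?P<key_type>\S+) ID (?P<key_id>.+) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fp>\S+)$"
)

# Constructed fingerprints and log lines; none come from a real system.
KEY_FP = "3b:6a:0c:91:5e:d2:47:88:f0:13:ac:7d:29:be:64:05"
CA_FP = "9d:41:7e:02:b8:55:c3:1a:6f:e0:27:94:8c:d6:30:fb"
SAMPLE_LOG = f"""\
Aug  1 10:00:01 gw sshd[101]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: RSA {KEY_FP}
Aug  1 10:00:09 gw sshd[102]: Accepted publickey for root from 192.0.2.10 port 50023 ssh2: RSA {KEY_FP}
Aug  1 10:01:30 gw sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Aug  1 10:01:32 gw sshd[104]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Aug  1 10:02:00 gw sshd[105]: Accepted publickey for carol from 203.0.113.5 port 41000 ssh2: RSA-CERT ID carol-laptop (serial 7) CA RSA {CA_FP}
Aug  1 10:02:05 gw sshd[104]: Received disconnect from 198.51.100.7: 11: Bye
"""


def parse_auth_line(line):
    """Return one authentication record as a dict, or None for other lines."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["invalid"] = rec["invalid"] is not None
    rec["port"] = int(rec["port"])
    info = rec.pop("info")
    rec.update(key_type=None, fingerprint=None, key_id=None,
               serial=None, ca_type=None, ca_fp=None)
    if info:
        cert = CERT_RE.match(info)
        if cert:  # certificate: key id, serial and signing CA fingerprint
            rec.update(cert.groupdict())
            rec["serial"] = int(rec["serial"])
        elif len(info.split()) == 2:  # plain key: "<type> <fingerprint>"
            rec["key_type"], rec["fingerprint"] = info.split()
    return rec


def parse_log(text):
    """Parse every authentication record in text, skipping other lines."""
    return [r for r in map(parse_auth_line, text.splitlines()) if r]


def shared_keys(records):
    """Map each key fingerprint accepted for more than one account to them."""
    users = defaultdict(set)
    for r in records:
        if r["result"] == "Accepted" and r["fingerprint"]:
            users[r["fingerprint"]].add(r["user"])
    return {fp: sorted(u) for fp, u in users.items() if len(u) > 1}


def failed_sources(records, threshold=2):
    """Count failed attempts per source host, keeping hosts at the threshold."""
    counts = Counter(r["host"] for r in records if r["result"] == "Failed")
    return {host: n for host, n in counts.items() if n >= threshold}
```

Because the key fingerprint and the account name sit on the same line, shared_keys needs no join across log entries.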

On Jul 25 13:35, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

I'm testing from current CVS, and I ran into a problem on Cygwin. The
new forwarding.sh regression test testing LocalForward/RemoteForward
doesn't work. I'm getting "connection refused" errors.

Does this functionality use AF_LOCAL descriptor passing by any chance?
If so, it can't work on Cygwin and the test should be disabled.

Other than that, 6.3p1 builds fine on Cygwin x86 and x86_64 and all
other tests pass.

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

openssh-SNAP-20130726.tar.gz compiles and passes all tests on
slackware64-14.0.

I found it strange that configure script does not try to determine
whether md5 passwords are supported by the system, and it defaults to no
support. It only checks if --with-md5-passwords was supplied. Is this
intended? What are the consequences of running sshd with no md5 password
support on a system that does support them? Is there a way to
programmatically determine this? Or maybe default should be to support
md5 passwords?

Regards,
Andy

On Thu, 25 Jul 2013, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

Damien Miller <djm at mindrot.org> writes:
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Could you please look into the sftp symlink issue before 6.3?

Basically, the sftp hardlink patch included a hunk which converts the
symlink target to an absolute path, mirroring the logic used for
hardlinks. This is correct for hardlinks but not for symlinks.

DES
-- 
Dag-Erling Smørgrav - des at des.no
Mageia 3, 64 bit. All tests passed. 2013-07-27 Snapshot.

On Wed, Jul 24, 2013 at 22:35:25 -0500, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>

All tests passed with the 20130730 snapshot on the following platforms:

RHEL 6.4/x86_64      OpenSSL 1.0.0-fips
RHEL 6.4/x86_64      OpenSSL 1.0.1e
SLES 11 SP1/x86_64   OpenSSL 1.0.1c
OS X 10.8.4          OpenSSL 0.9.8x

For completeness, I should note that I encountered a hang in try-ciphers
on OS X when attempting to build against OpenSSL 1.0.1e. I'm assuming
that this is an issue with my build environment, but haven't looked at
it closely yet.

The support for additional build hardening options which Darren
suggested earlier this year seems to be missing. Is this an oversight or
simply that there wasn't enough testing and feedback in the meantime?

I expect it is too late to include the build modifications into this
release, but it would be nice to see them in the next one.

-- 
Iain Morgan

On Wed, Jul 24, 2013 at 22:35:25 -0500, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
[snip]
>
>  * sftp(1): add support for resuming partial downloads using the "reget"
>    command and on the sftp commandline or on the "get" commandline using
>    the "-a" (append) option.
>

Some initial testing of the reget functionality shows that its
interaction with the progress meter code is a bit buggy. In one test, it
reported an inordinately high initial rate. In another test, it reported
a negative rate.

A simple test is to reget a file which was already transferred
successfully:

sftp> reget testfile.10gb
Resuming /nobackupp1/imorgan/testfile.10gb to testfile.10gb
/nobackupp1/imorgan/testfile.10gb             100%   10GB -2097151.-9KB/s   00:
sftp>

-- 
Iain Morgan

Hi,

Please find the snapshot test results on HP-UX platform.

Used http://www.mindrot.org/openssh_snap/openssh-SNAP-20130730.tar.gz

Results :

OS           Build_Target          CC                                                   OpenSSL  BUILD  TEST
===========  ====================  ===================================================  =======  =====  ================
HP-UX 11.31  ia64-hp-hpux11.31     HP C (bundled) for Integrity Servers B3910B A.06.12  0.9.8t   OK     all tests passed
HP-UX 11.31  PA-RISC-hp-hpux11.31  HP92453-01 B.11.11.24 HP C Compiler                  0.9.8y   OK     all tests passed
HP-UX 11.23  ia64-hp-hpux11.23     HP C/aC++ for Integrity Servers B3910B A.06.25       0.9.8y   OK     all tests passed
HP-UX 11.23  PA-RISC-hp-hpux11.23  HP92453-01 B.11.11.22 HP C Compiler                  0.9.8y   OK     all tests passed
HP-UX 11.11  PA-RISC-hp-hpux11.11  HP92453-01 B.11.11.16 HP C Compiler                  0.9.7i   OK     all tests passed

Thanks and Regards,
Binny.

-----Original Message-----
From: openssh-unix-dev-bounces+kulkarniamit=hp.com at mindrot.org [mailto:openssh-unix-dev-bounces+kulkarniamit=hp.com at mindrot.org] On Behalf Of Damien Miller
Sent: Thursday, July 25, 2013 9:05 AM
To: openssh-unix-dev at mindrot.org
Subject: Call for testing: OpenSSH-6.3

Hi,

OpenSSH 6.3 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains
some substantial new features and a number of bugfixes.

I only saw a few compiler warnings:

regress/modpipe.c:83:6: ‘parse_modification’ function: format ‘%lli’ (‘long long int *’) but argument 4 is ‘u_int64_t *’

servconf.c:2066:2: ‘dump_config’ function: format ‘%lld’ (‘long long int’) but argument 2 is ‘int64_t’
    printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);

md5crypt.c:53:42: ‘md5_crypt’ function variable ‘p’ set but not used [-Wunused-but-set-variable]
(the ‘p = passwd + strlen(passwd);’ line is dead code, the strlcat()s below were probably using p instead of passwd earlier)

Hi,

On 25.7.2013 05:35, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

Is there any chance that bugs bz#2040 and bz#2041 would be fixed in some
future release? Is there anything I can do about it?

Regards,
Ondřej Caletka

All tests pass on FreeBSD 9 and 10, configured with --with-pam
--with-tcp-wrappers --with-libedit --with-ssl-engine.

DES
-- 
Dag-Erling Smørgrav - des at des.no

Damien Miller <djm at mindrot.org> writes:
> OpenSSH 6.3 is almost ready for release, [...]

Still no release six weeks later - is anything the matter? When can we
expect 6.3p1 to ship?

DES
-- 
Dag-Erling Smørgrav - des at des.no