Hi, OpenSSH 6.6 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a small release mostly to fix some minor but annoying bugs in openssh-6.5. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs or via Git at https://anongit.mindrot.org/openssh.git/ Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply: $ ./configure && make tests Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org. Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs. Thanks to the many people who contributed to this release. Changes since OpenSSH 6.5 ======================== This is primarily a bugfix release. New / changed features: * ssh(1), sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time. * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 * ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. bz#2205 * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. bz#2107 * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated. * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-sensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Reporting Bugs: ============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
I'm not sure if I'm supposed to be testing yet, but since I'm the pesky NetBSD guy, I did: git clone https://github.com/openssh/openssh-portable/ and after the autoreconf && ./configure && make tests, I got: run test dhgex.sh ... dhgex bits 3072 diffie-hellman-group-exchange-sha1 cast128-cbc FATAL: dhgex expected 3072 bit group, got 2048 *** Error code 1 Stop. make[1]: stopped in /home/htodd/openssh-portable/regress *** Error code 1 Stop. make: stopped in /home/htodd/openssh-portable -- Hisashi T Fujinaka - htodd at twofifty.com BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
Test on my OpenBSD desktop machine: OpenBSD logan.my.domain 5.4 GENERIC.MP#41 amd64 run test dhgex.sh ... dhgex bits 3072 diffie-hellman-group-exchange-sha1 cast128-cbc FATAL: dhgex expected 3072 bit group, got 2048 *** Error 1 in regress (Makefile:172 't-exec': @if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exi...) *** Error 1 in /home/logan/openssh_snap/openssh (Makefile:454 'tests') On Sat, Mar 1, 2014 at 2:19 AM, Damien Miller <djm at mindrot.org> wrote:> Hi, > > OpenSSH 6.6 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a small release > mostly to fix some minor but annoying bugs in openssh-6.5. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Git at https://anongit.mindrot.org/openssh.git/ > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Changes since OpenSSH 6.5 > ========================> > This is primarily a bugfix release. > > New / changed features: > > * ssh(1), sshd(8): this release removes the J-PAKE authentication code. > This code was experimental, never enabled and had been unmaintained > for some time. > > * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses > predicates failed to match. > > * ssh(1): if hostname canonicalisation is enabled and results in the > destination hostname being changed, then re-parse ssh_config(5) files > using the new destination hostname. This gives 'Host' and 'Match' > directives that use the expanded hostname a chance to be applied. > > Bugfixes: > > * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in > ssh -W. bz#2200, debian#738692 > > * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace > sandbox modes, as it is reachable if the connection is terminated > during the pre-auth phase. > > * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum > parsing. Minimum key length checks render this bug unexploitable to > compromise SSH 1 sessions. > > * sshd_config(5): clarify behaviour of a keyword that appears in > multiple matching Match blocks. bz#2184 > > * ssh(1): avoid unnecessary hostname lookups when canonicalisation is > disabled. bz#2205 > > * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching > the supported list of GSSAPI mechanism OIDs before entering the > sandbox. bz#2107 > > * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption > that the SOCKS username is nul-terminated. > > * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is > not specified. > > * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. > > * ssh(1): fix matching of 'Host' directives in ssh_config(5) files > to be case-sensitive again (regression in 6.5). > > Portable OpenSSH: > > * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the > system headers and libc but is not supported by the kernel. > * Fix build using the HP-UX compiler. > > Reporting Bugs: > ==============> > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, > Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and > Ben Lindstrom. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
On Mar 1 09:19, Damien Miller wrote:> Hi, > > OpenSSH 6.6 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a small release > mostly to fix some minor but annoying bugs in openssh-6.5.Builds OOTB on Cygwin, all tests pass. One questions though:> * ssh(1): fix matching of 'Host' directives in ssh_config(5) files > to be case-sensitive again (regression in 6.5).Shouldn't that be "case-*in*sensitive here? Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140301/53ad9f64/attachment.bin>
openssh-SNAP-20140302.tar.gz builds and passes all tests on Slackware-14.0 and 13.37, both 64-bit. There is, however, a problem with scp which I reported earlier, Jan 20, during 6.5 testing, and which did not get any reply. So I re-tested it, and it is still there. Since the problem is with scp which relies on installed ssh, I built a Slackware-13.37 openssh package, and installed it in a VM. The problem happens when I run `scp -3' and only when both remote accounts require passwords. Second password is echo'ed to the terminal. Below is a full session showing what happens: --------------------------------------------- scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group andyt2 at majesty's password: andyt2 at mate's password: XXXXXX --------------------------- As you can see, after the command is started, both remote systems prompt for a password on the same line. So I enter a password for user andyt2 and press ENTER. What happens next is probably a bug. Line advances, and nothing at all happens. So I am assuming that now the second system is waiting for a password. I enter it, and it appears in the terminal in cleartext (substituted here with XXXXXX). The command then proceeds and finishes successfully. A workaround I found is to simply press ENTER instead of typing a second password. Then, you get an error saying the password is incorrect, and a new, normal password prompt appears. Enter the password, and this time, it is not visible. This is what it looks like: ---------------------------- andyt at king: andyt> scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group andyt2 at majesty's password: andyt2 at mate's password: Permission denied, please try again. andyt2 at mate's password: ---------------------------- I would think scp should try to connect to the first remote machine, and only when/if authentication completes successfully proceed with the second remote machine. Regards, Andy On Sat, 1 Mar 2014, Damien Miller wrote:> Hi, > > OpenSSH 6.6 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a small release > mostly to fix some minor but annoying bugs in openssh-6.5. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Git at https://anongit.mindrot.org/openssh.git/ > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Changes since OpenSSH 6.5 > ========================> > This is primarily a bugfix release. > > New / changed features: > > * ssh(1), sshd(8): this release removes the J-PAKE authentication code. > This code was experimental, never enabled and had been unmaintained > for some time. > > * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses > predicates failed to match. > > * ssh(1): if hostname canonicalisation is enabled and results in the > destination hostname being changed, then re-parse ssh_config(5) files > using the new destination hostname. This gives 'Host' and 'Match' > directives that use the expanded hostname a chance to be applied. > > Bugfixes: > > * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in > ssh -W. bz#2200, debian#738692 > > * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace > sandbox modes, as it is reachable if the connection is terminated > during the pre-auth phase. > > * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum > parsing. Minimum key length checks render this bug unexploitable to > compromise SSH 1 sessions. > > * sshd_config(5): clarify behaviour of a keyword that appears in > multiple matching Match blocks. bz#2184 > > * ssh(1): avoid unnecessary hostname lookups when canonicalisation is > disabled. bz#2205 > > * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching > the supported list of GSSAPI mechanism OIDs before entering the > sandbox. bz#2107 > > * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption > that the SOCKS username is nul-terminated. > > * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is > not specified. > > * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. > > * ssh(1): fix matching of 'Host' directives in ssh_config(5) files > to be case-sensitive again (regression in 6.5). > > Portable OpenSSH: > > * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the > system headers and libc but is not supported by the kernel. > * Fix build using the HP-UX compiler. > > Reporting Bugs: > ==============> > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, > Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and > Ben Lindstrom. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >Dr Andy Tsouladze Sr Unix/Storage/Security SysAdmin PWD=`cat /dev/urandom | sed 's/[^\x21-\x7f]//g' | head -c 14`
So - trying to build openssh-SNAP-20140307.tar.gz on RHEL 4 (SP8) x86_64 and I'm hitting a wall in 'make tests': ... ok connection multiplexing run test reexec.sh ... test config passing reexec tests: proto 1 reexec tests: proto 2 test reexec fallback FATAL: no sshd running on port 4242 gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress' gmake: *** [tests] Error 2 None of the regress/failed*.logs tell me anything more than there's no sshd running on port 4242. i.e. failed-sshd.log: trace: wait for sshd Received signal 15; terminating. debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from 127.0.0.1: 11: disconnected by user debug1: do_cleanup FATAL: no sshd running on port 4242 trace: wait for sshd Received signal 15; terminating. debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from 127.0.0.1: 11: disconnected by user debug1: do_cleanup FATAL: no sshd running on port 4242 FAIL: no sshd running on port 4242 I thought it might be memory - but bumping it up in the VM doesn't change anything and it doesn't seem to be selinux, or any open port conflicts (some of my favourite stumbling blocks). The weirder thing is that I got this to work in the i386 test box just fine. Thoughts?