Hi,

OpenSSH 5.3 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains some
substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

    $ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle) and curesec via coredump at
   autistici.org.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve ordering ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed. Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.

 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

New Features
------------

 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through one or more SSH
   bastions or "jump hosts".

 * ssh(1): Add an IdentityAgent option to allow specifying specific
   agent sockets instead of accepting one from the environment.

 * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
   optionally overridden when using ssh -W. bz#2577

 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
   per draft-sgtatham-secsh-iutf8-00.

 * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

 * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
   signatures in certificates;

 * ssh(1): Add an Include directive for ssh_config(5) files.

 * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
   from the server. bz#2058

Bugfixes
--------

 * ssh(1), sshd(8): Reduce the syslog level of some relatively common
   protocol events from LOG_CRIT. bz#2585

 * sshd(8): Refuse AuthenticationMethods="" in configurations and
   accept AuthenticationMethods=any for the default behaviour of not
   requiring multiple authentication. bz#2398

 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

 * ssh(1): Close ControlPersist background process stderr except
   in debug mode or when logging to syslog. bz#1988

 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com
   channel open messages match deployed code. bz#2529

 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
   failures when both ExitOnForwardFailure and hostname
   canonicalisation are enabled. bz#2562

 * sshd(8): Remove fallback from moduli to obsolete "primes" file
   that was deprecated in 2001. bz#2559.

 * sshd_config(5): Correct description of UseDNS: it affects ssh
   hostname processing for authorized_keys, not known_hosts; bz#2554

 * ssh(1): Fix authentication using lone certificate keys in an agent
   without corresponding private keys on the filesystem. bz#2550

 * sshd(8): Send ClientAliveInterval pings when a time-based
   RekeyLimit is set; previously keepalive packets were not being
   sent. bz#2252

Portability
-----------

 * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
   not supported by OpenSSL. bz#2466

 * misc: Fix compilation failures on some versions of AIX's compiler
   related to the definition of the VA_COPY macro. bz#2589

 * sshd(8): Whitelist more architectures to enable the seccomp-bpf
   sandbox. bz#2590

 * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
   using setpflags(__PROC_PROTECT, ...). bz#2584

 * sshd(8): On Solaris, don't call Solaris setproject() with
   UsePAM=yes; it's PAM's responsibility. bz#2425

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
          ^
Huh?

> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
> [...]

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Language is the source of misunderstandings. -Antoine de Saint-Exupery

On Fri, 22 Jul 2016, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

s/5.3/7.3/ and I'd better get myself another cup of tea

On Fri, Jul 22, 2016 at 2:51 PM, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
> On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
[...]
>> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
>           ^
> Huh?

Either a clone of Damien has been frozen Austin Powers style since
2009 and has only just been thawed out or maybe it was a typo. Tough
to tell.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Hi,

I have tested the mitigation of timing differences in password
authentication (CVE-2016-6210). I have compiled
openssh-SNAP-20160722.tar.gz on a Debian 8 and used my tool Osueta
(https://github.com/c0r3dump3d/osueta) against the system.

OK, I have seen that you calculate the password hash whether the user
exists or not, and with this you cannot discriminate the presence or
absence of that user, but now it's easier to establish the DoS
condition in the access to the OpenSSH server and exhaust the CPU
resources; any dummy user can be used!

For example:

    osueta -H 192.168.100.204 -U asdf -v no -d 15 -p 22 --dos yes -t 40

    Users found      Time delay in seconds
    --------------------------------------
    asdf                    27

I have attached screenshots with the CPU resource exhaustion and the DoS
in the access to the OpenSSH server. The test machine is a Debian 8 VM
in KVM with 4 cores and 2GB of RAM.

For CVE-2016-6210, user enumeration is really mitigated, but the DoS
problem, as I say, seems much easier to exploit!!

Regards.

Andres Rojas
http://www.devconsole.info

On 22/07/16 at 06:40, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>

On Jul 22 14:40, Damien Miller wrote:
> Hi,
>
> OpenSSH 7.3 is almost ready for release, so we would appreciate testing

This version doesn't build on Cygwin anymore. The reason is that
various configure tests fail.

The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac.

After setting this value in configure, confdefs.h contains

    #define IPPORT_RESERVED 0

netinet/in.h defines IPPORT_RESERVED as enum, just as on other systems:

    enum
    {
      [...]
      IPPORT_RESERVED = 1024,
      [...]
    };

Since confdefs.h is evaluated *before* including any headers during
configure, we have the following situation:

    #define IPPORT_RESERVED 0
    #include <netinet/in.h>
    --> enum { IPPORT_RESERVED = 1024 };

which evaluates to

    enum { 0 = 1024 };

which then leads to a compiler error:

    conftest.c:66:25: error: expected identifier before numeric constant

and thus to a broken configuration.

The same problem occurs when trying to build the source since config.h
is included via includes.h prior to the system headers.

So the simplification from NO_IPPORT_RESERVED_CONCEPT to just
defining IPPORT_RESERVED as 0 doesn't work as desired.

Can we revert this to the former NO_IPPORT_RESERVED_CONCEPT, please?

I created the below patch which is less intrusive than the original
patch. I tested that it works as desired and OpenSSH 7.3 builds
on Cygwin.

I have not *tested* OpenSSH7.3 on Cygwin yet. I'll report back in a
followup mail.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <coredump at autistici.org> wrote:
> but now it's more easy to establish the DOS
> condition in the access to the Openssh server and exhausting the CPU
> resources, any dummy user it can be used!

The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
unfortunately made in the time after the code to cap the password size
at 1k was committed to OpenBSD
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
but before it was synced into -Portable
(https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
As a result your very large password strings are still making it into
crypt(3).

Please either grab the code directly from git (you'll need to run
"autoreconf" yourself) or try tomorrow's snapshot and retest it.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

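The two sshd(8) password-authentication mitigations discussed in the messages above (the 1024-character cap, and hashing whether or not the account exists), as an added C sketch that is not OpenSSH code and is not part of the original thread. Assumptions: toy_crypt() is a stand-in for crypt(3), check_naive() is a generic unhardened checker for contrast, and the account table, function names and round count are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PASSWORD_LEN 1024 /* the cap given in the release notes */
#define TOY_ROUNDS 200        /* assumption: arbitrary demo cost factor */

static unsigned long work_units; /* password bytes hashed: proxy for CPU time */

/* Stand-in for crypt(3), NOT a real password hash: iterated FNV-1a over
 * salt+password, so its cost grows with the password length. */
static uint64_t toy_crypt(const char *pw, const char *salt)
{
    uint64_t h = 14695981039346656037ULL;
    size_t plen = strlen(pw), slen = strlen(salt);

    for (int r = 0; r < TOY_ROUNDS; r++) {
        for (size_t i = 0; i < slen; i++) {
            h ^= (unsigned char)salt[i];
            h *= 1099511628211ULL;
        }
        for (size_t i = 0; i < plen; i++) {
            h ^= (unsigned char)pw[i];
            h *= 1099511628211ULL;
        }
        work_units += plen;
    }
    return h;
}

struct account { const char *user; const char *salt; uint64_t hash; };

/* Constructed sample data: one real account and one fake entry that is
 * hashed against when the requested user does not exist. */
static struct account accounts[] = { { "alice", "Qx7b", 0 } };
static const struct account fake_account = { "", "Zz00", 0 };

void demo_init(void)
{
    accounts[0].hash = toy_crypt("correct horse", accounts[0].salt);
    work_units = 0;
}

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Unhardened: unknown users return without hashing (observable timing
 * difference) and the password length is unbounded (CPU exhaustion). */
int check_naive(const char *user, const char *pw)
{
    const struct account *a = lookup(user);

    if (a == NULL)
        return 0;
    return toy_crypt(pw, a->salt) == a->hash;
}

/* Hardened: refuse over-long passwords before any hashing, then do the
 * same amount of hashing for existing and non-existing users. */
int check_hardened(const char *user, const char *pw)
{
    if (strlen(pw) > MAX_PASSWORD_LEN)
        return 0;

    const struct account *a = lookup(user);
    int known = (a != NULL);

    if (!known)
        a = &fake_account;
    int match = (toy_crypt(pw, a->salt) == a->hash);
    return known & match;
}

typedef int (*check_fn)(const char *, const char *);

/* Work spent by one authentication attempt with a pwlen-byte password. */
unsigned long work_for(check_fn fn, const char *user, size_t pwlen)
{
    char *pw = malloc(pwlen + 1);

    if (pw == NULL)
        return 0;
    memset(pw, 'A', pwlen);
    pw[pwlen] = '\0';
    work_units = 0;
    (void)fn(user, pw);
    free(pw);
    return work_units;
}

int main(void)
{
    demo_init();
    printf("naive,    unknown user, 512 bytes:    %lu\n", work_for(check_naive, "nosuchuser", 512));
    printf("naive,    known user,   100000 bytes: %lu\n", work_for(check_naive, "alice", 100000));
    printf("hardened, unknown user, 512 bytes:    %lu\n", work_for(check_hardened, "nosuchuser", 512));
    printf("hardened, known user,   512 bytes:    %lu\n", work_for(check_hardened, "alice", 512));
    printf("hardened, unknown user, 100000 bytes: %lu\n", work_for(check_hardened, "nosuchuser", 100000));
    return 0;
}
```

Without the length cap, the equal-work path on its own lets any made-up user name drive the hash with arbitrarily long input, which is the effect reported against the 20160722 snapshot.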
On 07/22/2016 06:40 AM, Damien Miller wrote:
> [...]
> * ssh(1), sshd(8): Improve ordering ordering of MAC verification [...]

"ordering ordering" seems to be a typo

all tests pass on my machines with:
- Ubuntu 14.04.4 LTS
- Scientific Linux release 6.7 (Carbon)
- SUSE Linux Enterprise Server 11 SP3

tested with openssh-SNAP-20160722.tar.gz

On Jul 22 12:05, Corinna Vinschen wrote:
> On Jul 22 14:40, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 7.3 is almost ready for release, so we would appreciate testing
>
> This version doesn't build on Cygwin anymore. The reason is that
> various configure tests fail.
> [...]
> I created the below patch which is less intrusive than the original
> patch. I tested that it works as desired and OpenSSH 7.3 builds
> on Cygwin.
>
> I have not *tested* OpenSSH7.3 on Cygwin yet. I'll report back in a
> followup mail.

All tests pass on current Cygwin with this patch applied.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

On Fri, Jul 22, 2016 at 12:05:53PM +0200, Corinna Vinschen wrote: [...]> This version doesn't build on Cygwin anymore. The reason is that > various configure tests fail. > > The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac.Sigh. How about putting it in defines.h instead? includes.h includes netinet/in.h from whence the definition of IPPORT_RESERVED is, on Cygwin at least, seems to be protected against multiple inclusion. Putting it there means only one definition in a file that we don't sync with OpenBSD. diff --git a/configure.ac b/configure.ac index 21ef389..2cd6a6f 100644 --- a/configure.ac +++ b/configure.ac @@ -589,8 +589,9 @@ case "$host" in [Define if you want to disable shadow passwords]) AC_DEFINE([NO_X11_UNIX_SOCKETS], [1], [Define if X11 doesn't support AF_UNIX sockets on that system]) - AC_DEFINE([IPPORT_RESERVED], [0], - [Cygwin has no notion of ports only accessible to superusers]) + AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1], + [Define if the concept of ports only accessible to + superusers isn't known]) AC_DEFINE([DISABLE_FD_PASSING], [1], [Define if your platform needs to skip post auth file descriptor passing]) diff --git a/defines.h b/defines.h index a438ddd..c099df6 100644 --- a/defines.h +++ b/defines.h 
@@ -43,6 +43,17 @@ enum #endif /* + * Cygwin doesn't really have a notion of reserved ports but for backward + * compatibility they define it to 1024 in netinet/in.h inside an enum. We + * don't actually want that restriction so we want to set that to zero, but + * we can't do it direct in config.h because it'll cause a conflicting + * definition the first time we include netinet/in.h. + */ +#ifdef NO_IPPORT_RESERVED_CONCEPT +#define IPPORT_RESERVED 0 +#endif + +/* * Definitions for IP type of service (ip_tos) */ #include <netinet/in_systm.h> -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
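Review bot: in the configure.ac hunk, the new AC_DEFINE description ("Define if the concept of ports only accessible to superusers isn't known") does not say what consumes NO_IPPORT_RESERVED_CONCEPT. The effect is now indirect, since defines.h is what turns it into IPPORT_RESERVED 0, so it would help to name that in the description text, so that someone reading config.h can find where the value 0 actually comes from.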
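Review bot: in the defines.h hunk, "#define IPPORT_RESERVED 0" is issued without a preceding "#undef IPPORT_RESERVED", and it is only safe if netinet/in.h has already been included by the time this block is reached and is never included again without its guard. The new comment explains why the value cannot live in config.h but does not state that ordering requirement. Suggest adding the #undef inside the #ifdef NO_IPPORT_RESERVED_CONCEPT block (harmless where the name is an enum constant, and it avoids a redefinition diagnostic on any platform that sets the flag but has the name as a macro) and extending the comment to say the block must come after the netinet/in.h include.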
In NetBSD-current(ish):

test_sshkey: ..................................[1]   Segmentation fault (core dumped) ${V} /home/htodd...
*** Error code 139

And gdb bt shows:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000041174e in cert_parse (key=0x756584f120c0, certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
1896                    key->cert->principals[key->cert->nprincipals++] = principal;
(gdb) bt
#0  0x000000000041174e in cert_parse (key=0x756584f120c0, certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
#1  sshkey_from_blob_internal (b=b@entry=0x756584f161b0, keyp=keyp@entry=0x7f7fff8c0220, allow_cert=allow_cert@entry=1) at sshkey.c:2117
#2  0x0000000000411951 in sshkey_from_blob (blob=<optimized out>, blen=blen@entry=422, keyp=keyp@entry=0x7f7fff8c0220) at sshkey.c:2150
#3  0x0000000000411a97 in sshkey_read (ret=ret@entry=0x756584f12080, cpp=cpp@entry=0x7f7fff8c0280) at sshkey.c:1302
#4  0x0000000000414baa in sshkey_try_load_public (k=k@entry=0x756584f12080, filename=0x756584f16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub", commentp=commentp@entry=0x0) at authfile.c:319
#5  0x0000000000415309 in sshkey_load_cert (filename=<optimized out>, keyp=keyp@entry=0x7f7fff8c4330) at authfile.c:425
#6  0x0000000000409f41 in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527
#7  0x0000000000405dc3 in tests () at regress/unittests/sshkey/tests.c:24
#8  0x000000000042a2e1 in main (argc=3, argv=0x7f7fff8c4420) at regress/unittests/test_helper/test_helper.c:162
(gdb)

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

After making /var/empty, tests ran fine on netbsd-7.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:
> In NetBSD-current(ish):
>
> test_sshkey: ..................................[1]   Segmentation fault (core
> dumped) ${V} /home/htodd...
> *** Error code 139
>
> And gdb bt shows:
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x000000000041174e in cert_parse (key=0x756584f120c0,
> certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
> 1896                    key->cert->principals[key->cert->nprincipals++] =
> principal;

Thanks for reporting this. I don't understand how it could fail at that
point. Could you rerun the failing test and see what the values of
key, *key, key->cert and *key->cert are?

It's possible to run just the sshkey unit test using:

    ./regress/unittests/sshkey/test_sshkey -d regress/unittests/sshkey/testdata

from the top-level directory.

-d

I think I forgot to send this to the mailing list too.

On Sat, 23 Jul 2016, Damien Miller wrote:

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:
> In NetBSD-current(ish):
>
> test_sshkey: ..................................[1]   Segmentation fault
> (core
> dumped) ${V} /home/htodd...
> *** Error code 139
>
> And gdb bt shows:
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x000000000041174e in cert_parse (key=0x756584f120c0,
> certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
> 1896                    key->cert->principals[key->cert->nprincipals++] =
> principal;

Thanks for reporting this. I don't understand how it could fail at that
point. Could you rerun the failing test and see what the values of
key, *key, key->cert and *key->cert are?

It's possible to run just the sshkey unit test using:

    ./regress/unittests/sshkey/test_sshkey -d regress/unittests/sshkey/testdata

from the top-level directory.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000041174e in cert_parse (key=0x7037f9b120c0, certbuf=0x7037f9b16200, b=0x7037f9b161b0) at sshkey.c:1896
1896                    key->cert->principals[key->cert->nprincipals++] = principal;
(gdb) bt
#0  0x000000000041174e in cert_parse (key=0x7037f9b120c0, certbuf=0x7037f9b16200, b=0x7037f9b161b0) at sshkey.c:1896
#1  sshkey_from_blob_internal (b=b@entry=0x7037f9b161b0, keyp=keyp@entry=0x7f7fff104970, allow_cert=allow_cert@entry=1) at sshkey.c:2117
#2  0x0000000000411951 in sshkey_from_blob (blob=<optimized out>, blen=blen@entry=422, keyp=keyp@entry=0x7f7fff104970) at sshkey.c:2150
#3  0x0000000000411a97 in sshkey_read (ret=ret@entry=0x7037f9b12080, cpp=cpp@entry=0x7f7fff1049d0) at sshkey.c:1302
#4  0x0000000000414baa in sshkey_try_load_public (k=k@entry=0x7037f9b12080, filename=0x7037f9b16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub", commentp=commentp@entry=0x0) at authfile.c:319
#5  0x0000000000415309 in sshkey_load_cert (filename=<optimized out>, keyp=keyp@entry=0x7f7fff108a80) at authfile.c:425
#6  0x0000000000409f41 in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527
#7  0x0000000000405dc3 in tests () at regress/unittests/sshkey/tests.c:24
#8  0x000000000042a2e1 in main (argc=3, argv=0x7f7fff108b68) at regress/unittests/test_helper/test_helper.c:162
(gdb) p key
$1 = (struct sshkey *) 0x7037f9b120c0
(gdb) p key->cert
$2 = (struct sshkey_cert *) 0x7037f9b1b080
(gdb) p *key->cert
$3 = {certblob = 0x7037f9b162a0, type = 2, serial = 5, key_id = 0x7037f9b18090 "julius", nprincipals = 1,
  principals = 0xfffffffff9b180a0, valid_after = 915145200, valid_before = 1293836400, critical = 0x7037f9b162f0,
  extensions = 0x7037f9b16340, signature_key = 0x0}

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:
> regress/unittests/test_helper/test_helper.c:162
> (gdb) p key
> $1 = (struct sshkey *) 0x7037f9b120c0
> (gdb) p key->cert
> $2 = (struct sshkey_cert *) 0x7037f9b1b080
> (gdb) p *key->cert
> $3 = {certblob = 0x7037f9b162a0, type = 2, serial = 5, key_id = 0x7037f9b18090
> "julius", nprincipals = 1,
>   principals = 0xfffffffff9b180a0, valid_after = 915145200, valid_before =

Thanks for taking the time to debug this.

The key->cert->principals pointer looks wrong - does NetBSD libc provide
a reallocarray function? We detect its presence during configure:

    checking for reallocarray... no

(that's on Linux)

Could you try commenting out the HAVE_REALLOCARRAY line in config.h,
make clean, make and rerun the test?

-d

On 7/21/16 9:40 PM, Damien Miller wrote:
> Live testing on suitable non-production systems is also
> appreciated.

Working fine on illumos here. The GSSAPI key exchange patch we've been
carrying around for compat needs some work now though (or maybe we'll
just drop it).

On 07/22/2016 06:40 AM, Damien Miller wrote:
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

Testing with latest snap/git and applying our patches revealed only one
problem (when I don't count missing API for GSSAPI Kex, where we were
using get_canonical_hostname() also in the client code):

 * Forgotten get_remote_ipaddr() function in audit-linux.c code
   (attached patch)

Otherwise the package builds and passes all tests on current Fedora 24.

Regards,

--
Jakub Jelen
Security Technologies
Red Hat

On Tue, 26 Jul 2016, Jakub Jelen wrote:
> On 07/22/2016 06:40 AM, Damien Miller wrote:
> > OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains some
> > substantial new features and a number of bugfixes.
> Testing with latest snap/git and applying our patches revealed only one
> problem (when I don't count missing API for GSSAPI Kex, where we were using
> get_canonical_hostname() also in the client code):
>
> * Forgotten get_remote_ipaddr() function in audit-linux.c code (attached
> patch)

Applied (also needed to include packet.h).

-d

Compiles and passes tests on SPARC Solaris 10, using our local build of
OpenSSL 1.0.2h.

Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 7.2
> ========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
> * sshd(8): Mitigate a potential denial-of-service attack against
>   the system's crypt(3) function via sshd(8). An attacker could
>   send very long passwords that would cause excessive CPU use in
>   crypt(3). sshd(8) now refuses to accept password authentication
>   requests of length greater than 1024 characters. Independently
>   reported by Tomas Kuthan (Oracle) and curesec via coredump at
>   autistici.org.
>
> * sshd(8): Mitigate timing differences in password authentication
>   that could be used to discern valid from invalid account names
>   when long passwords were sent and particular password hashing
>   algorithms are in use on the server. CVE-2016-6210, reported by
>   EddieEzra.Harari at verint.com
>
> * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
>   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
>   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
>   are disabled by default and only included for legacy compatibility.
>
> * ssh(1), sshd(8): Improve ordering ordering of MAC verification for
>   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
>   MAC before decrypting any ciphertext. This removes the possibility
>   of timing differences leaking facts about the plaintext, though no
>   such leakage has been observed. Reported by Jean Paul Degabriele,
>   Kenny Paterson, Torben Hansen and Martin Albrecht.
>
> * sshd(8): (portable only) Ignore PAM environment vars when
>   UseLogin=yes. If PAM is configured to read user-specified
>   environment variables and UseLogin=yes in sshd_config, then a
>   hostile local user may attack /bin/login via LD_PRELOAD or
>   similar environment variables set via PAM. CVE-2015-8325,
>   found by Shayan Sadigh.
>
> New Features
> ------------
>
> * ssh(1): Add a ProxyJump option and corresponding -J command-line
>   flag to allow simplified indirection through a one or more SSH
>   bastions or "jump hosts".
>
> * ssh(1): Add an IdentityAgent option to allow specifying specific
>   agent sockets instead of accepting one from the environment.
>
> * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
>   optionally overridden when using ssh -W. bz#2577
>
> * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
>   per draft-sgtatham-secsh-iutf8-00.
>
> * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
>   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
>
> * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
>   signatures in certificates;
>
> * ssh(1): Add an Include directive for ssh_config(5) files.
>
> * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
>   from the server. bz#2058
>
> Bugfixes
> --------
>
> * ssh(1), sshd(8): Reduce the syslog level of some relatively common
>   protocol events from LOG_CRIT. bz#2585
>
> * sshd(8): Refuse AuthenticationMethods="" in configurations and
>   accept AuthenticationMethods=any for the default behaviour of not
>   requiring multiple authentication. bz#2398
>
> * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
>   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
>
> * ssh(1): Close ControlPersist background process stderr except
>   in debug mode or when logging to syslog. bz#1988
>
> * misc: Make PROTOCOL description for direct-streamlocal at openssh.com
>   channel open messages match deployed code. bz#2529
>
> * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
>   failures when both ExitOnForwardFailure and hostname
>   canonicalisation are enabled. bz#2562
>
> * sshd(8): Remove fallback from moduli to obsolete "primes" file
>   that was deprecated in 2001. bz#2559.
>
> * sshd_config(5): Correct description of UseDNS: it affects ssh
>   hostname processing for authorized_keys, not known_hosts; bz#2554
>
> * ssh(1): Fix authentication using lone certificate keys in an agent
>   without corresponding private keys on the filesystem. bz#2550
>
> * sshd(8): Send ClientAliveInterval pings when a time-based
>   RekeyLimit is set; previously keepalive packets were not being
>   sent. bz#2252
>
> Portability
> -----------
>
> * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
>   not supported by OpenSSL. bz#2466
>
> * misc: Fix compilation failures on some versions of AIX's compiler
>   related to the definition of the VA_COPY macro. bz#2589
>
> * sshd(8): Whitelist more architectures to enable the seccomp-bpf
>   sandbox. bz#2590
>
> * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
>   using setpflags(__PROC_PROTECT, ...). bz#2584
>
> * sshd(8): On Solaris, don't call Solaris setproject() with
>   UsePAM=yes it's PAM's responsibility. bz#2425
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

--
Jeff Wieland                  | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234          | 155 S. Grant Street
FAX: (765)496-1380            | West Lafayette, IN 47907
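The two sshd(8) password-authentication mitigations listed in the release notes in this thread (the 1024-character cap and equal work for valid and invalid account names), modelled as an added example; it is not OpenSSH's code and not part of the original messages. PBKDF2 stands in for crypt(3), and the `alice` account, the round count and all function names are assumptions.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LEN = 1024   # cap stated in the release notes
ROUNDS = 50_000           # assumed work factor for the stand-in hash
hash_calls = 0            # demo instrumentation: slow hashes performed


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3) (assumption): a deliberately slow password hash."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ROUNDS)


def make_record(password: bytes) -> tuple:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed account table; "alice" and her password are made up.
USERS = {"alice": make_record(b"correct horse")}
# Fake record built with the same algorithm and work factor as real ones,
# so an unknown account name costs the same as a known one.
FAKE_RECORD = make_record(os.urandom(32))


def check_password(user: str, password: bytes) -> bool:
    # Length cap first: oversized input is refused before any hashing.
    if len(password) > MAX_PASSWORD_LEN:
        return False
    known = user in USERS
    # Unknown users are hashed against the fake record, not rejected early.
    salt, expected = USERS[user] if known else FAKE_RECORD
    match = hmac.compare_digest(slow_hash(password, salt), expected)
    return known and match


def audited_check(user: str, password: bytes) -> tuple:
    """Return (result, slow hashes spent) so the work per path is visible."""
    before = hash_calls
    ok = check_password(user, password)
    return ok, hash_calls - before


if __name__ == "__main__":
    for user, pw in [("alice", b"correct horse"), ("mallory", b"guess"),
                     ("alice", b"A" * 4096)]:
        print(user, len(pw), audited_check(user, pw))
```

Known and unknown account names each spend exactly one slow hash, while input over the cap spends none regardless of the account name.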