Hi,

OpenSSH 7.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains some
substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/ or via a
mirror at Github: https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

    $ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * This release removes server support for the SSH v.1 protocol.

 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
   block ciphers are not safe in 2016 and we don't want to wait until
   attacks like SWEET32 are extended to SSH. As 3des-cbc was the
   only mandatory cipher in the SSH RFCs, this may cause problems
   connecting to older devices using the default configuration,
   but it's highly likely that such devices already need explicit
   configuration for key exchange and hostkey algorithms anyway.

 * sshd(8): Remove support for pre-authentication compression.
   Doing compression early in the protocol probably seemed reasonable
   in the 1990s, but today it's clearly a bad idea in terms of both
   cryptography (cf. multiple compression oracle attacks in TLS) and
   attack surface. Pre-auth compression support has been disabled by
   default for >10 years. Support remains in the client.

 * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
   of trusted paths by default. The path whitelist may be specified
   at run-time.

 * sshd(8): When a forced-command appears in both a certificate and
   an authorized keys/principals command= restriction, sshd will now
   refuse to accept the certificate unless they are identical.
   The previous (documented) behaviour of having the certificate
   forced-command override the other could be a bit confusing and
   error-prone.

 * sshd(8): Remove the UseLogin configuration directive and support
   for having /bin/login manage login sessions.

Changes since OpenSSH 7.3
=========================

This is primarily a bugfix release.

New Features
------------

 * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
   version in PuTTY by Simon Tatham. This allows a multiplexing
   client to communicate with the master process using a subset of
   the SSH packet and channels protocol over a Unix-domain socket,
   with the main process acting as a proxy that translates channel
   IDs, etc. This allows multiplexing mode to run on systems that
   lack file-descriptor passing (used by current multiplexing
   code) and potentially, in conjunction with Unix-domain socket
   forwarding, with the client and multiplexing master process on
   different machines. Multiplexing proxy mode may be invoked using
   "ssh -O proxy ..."

 * sshd(8): Add a sshd_config DisableForwarding option that disables
   X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
   as anything else we might implement in the future. Like the
   'restrict' authorized_keys flag, this is intended to be a simple
   and future-proof way of restricting an account.

 * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
   method. This is identical to the currently-supported method named
   "curve25519-sha256@libssh.org".

 * sshd(8): Improve handling of SIGHUP by checking to see if sshd is
   already daemonised at startup and skipping the call to daemon(3)
   if it is. This ensures that a SIGHUP restart of sshd(8) will
   retain the same process-ID as the initial execution. sshd(8) will
   also now unlink the PidFile prior to SIGHUP restart and re-create
   it after a successful restart, rather than leaving a stale file in
   the case of a configuration error. bz#2641

 * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
   directives to appear in sshd_config Match blocks.

 * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
   those supported by AuthorizedKeysCommand (key, key type,
   fingerprint, etc.) and a few more to provide access to the
   contents of the certificate being offered.

 * Added regression tests for string matching, address matching and
   string sanitisation functions.

 * Improved the key exchange fuzzer harness.

Bugfixes
--------

 * ssh(1): Allow IdentityFile to successfully load and use
   certificates that have no corresponding bare public key. bz#2617
   certificate id_rsa-cert.pub (and no id_rsa.pub).

 * ssh(1): Fix public key authentication when multiple
   authentication is in use and publickey is not just the first
   method attempted. bz#2642

 * regress: Allow the PuTTY interop tests to run unattended. bz#2639

 * ssh-agent(1), ssh(1): improve reporting when attempting to load
   keys from PKCS#11 tokens with fewer useless log messages and more
   detail in debug messages. bz#2610

 * ssh(1): When tearing down ControlMaster connections, don't
   pollute stderr when LogLevel=quiet.

 * sftp(1): On ^Z wait for underlying ssh(1) to suspend before
   suspending sftp(1) to ensure that ssh(1) restores the terminal mode
   correctly if suspended during a password prompt.

 * ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
   prompt.

 * ssh(1), sshd(8): Correctly report errors during sending of
   ext-info messages.

 * sshd(8): fix NULL-deref crash if sshd(8) received an
   out-of-sequence NEWKEYS message.

 * sshd(8): Correct list of supported signature algorithms sent in
   the server-sig-algs extension. bz#2547

 * sshd(8): Fix sending ext_info message if privsep is disabled.

 * sshd(8): more strictly enforce the expected ordering of privilege
   separation monitor calls used for authentication and allow them
   only when their respective authentication methods are enabled
   in the configuration

 * sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
   on Unix/BSD but potentially crashy on Cygwin.

 * Fix false positive reports caused by explicit_bzero(3) not being
   recognised as a memory initialiser when compiled with
   -fsanitize-memory.

 * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
   configuration examples.

Portability
-----------

 * On environments configured with Turkish locales, fall back to the
   C/POSIX locale to avoid errors in configuration parsing caused by
   that locale's unique handling of the letters 'i' and 'I'. bz#2643

 * sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
   ptrace(PT_DENY_ATTACH, ..)

 * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.

 * Fix compilation for libcrypto compiled without RIPEMD160 support.

 * contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640

 * sshd(8): Improve PRNG reseeding across privilege separation and
   force libcrypto to obtain a high-quality seed before chroot or
   sandboxing.

 * All: Explicitly test for broken strnvis. NetBSD added an strnvis
   and unfortunately made it incompatible with the existing one in
   OpenBSD and Linux's libbsd (the former having existed for over ten
   years). Try to detect this mess, and assume the only safe option
   if we're cross compiling.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

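
Added example (not part of the original message and not OpenSSH code): a minimal C model of SSH cipher selection as RFC 4253 section 7.1 defines it, showing why removing 3des-cbc from the client's default proposal breaks connections to a device that offers only that cipher, and what appending it again (as "Ciphers +3des-cbc" does in ssh_config) changes. The cipher lists are constructed samples, not the real default proposal of any release, and negotiate_cipher() is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample name-lists (assumptions, not any release's defaults). */
const char *CLIENT_DEFAULT =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr";
const char *CLIENT_WITH_3DES =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,3des-cbc";
const char *LEGACY_DEVICE = "3des-cbc";
const char *MODERN_SERVER = "aes256-ctr,aes128-ctr,3des-cbc";

/*
 * RFC 4253 section 7.1: the chosen cipher is the first name on the
 * client's list that also appears on the server's list.
 * Both arguments are comma-separated name-lists.
 * Returns 1 and copies the chosen name into out, or returns 0 when the
 * lists share no cipher (the key exchange then fails).
 */
int negotiate_cipher(const char *client, const char *server,
    char *out, size_t outlen)
{
	const char *c = client;

	while (*c != '\0') {
		size_t clen = strcspn(c, ",");
		const char *s = server;

		while (*s != '\0') {
			size_t slen = strcspn(s, ",");

			if (clen > 0 && clen == slen && clen < outlen &&
			    memcmp(c, s, clen) == 0) {
				memcpy(out, c, clen);
				out[clen] = '\0';
				return 1;
			}
			s += slen;
			if (*s == ',')
				s++;	/* step over the separator */
		}
		c += clen;
		if (*c == ',')
			c++;
	}
	if (outlen > 0)
		out[0] = '\0';
	return 0;
}

static void show(const char *label, const char *client, const char *server)
{
	char chosen[64];

	if (negotiate_cipher(client, server, chosen, sizeof(chosen)))
		printf("%-34s -> %s\n", label, chosen);
	else
		printf("%-34s -> no matching cipher\n", label);
}

int main(void)
{
	show("default client, legacy device", CLIENT_DEFAULT, LEGACY_DEVICE);
	show("client +3des-cbc, legacy device", CLIENT_WITH_3DES, LEGACY_DEVICE);
	show("client +3des-cbc, modern server", CLIENT_WITH_3DES, MODERN_SERVER);
	return 0;
}
```

Because the client's order decides, a 3des-cbc entry appended at the end is only chosen when the peer shares nothing else with the client.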
On Wed, Dec 14, 2016 at 11:53:32AM +1100, Damien Miller wrote:
> Hi,
>
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/ or via a
> mirror at Github: https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.

Got you. Will run make tests. So far running on
FreeBSD 11.0 using openssl 1.0.2 current.
Trying Openssl 1.1

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Merry Christmas 2016 and Happy New Year 2017

On Tue, 13 Dec 2016, The Doctor wrote:

> Got you. Will run make tests. So far running on
> FreeBSD 11.0 using openssl 1.0.2 current

Thanks!

> Trying Openssl 1.1

Won't work - see the thread here about 6 weeks back...

-d

Hey Damien, my special snowflake cert tests seem to work fine on osx sierra
(OpenSSH_7.3p1-snap20161214, OpenSSL 1.0.2j 26 Sep 2016).

thanks!

On Tue, Dec 13, 2016 at 4:53 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

On Tue, 13 Dec 2016, Peter Moody wrote:

> Hey Damien, my special snowflake cert tests seem to work fine on osx sierra
> (OpenSSH_7.3p1-snap20161214, OpenSSL 1.0.2j 26 Sep 2016).

Thanks - all certificates are special snowflakes :)

On 2016-12-14 at 01:53, Damien Miller wrote:

> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

Those who want working X11 with macOS can take a look at
https://github.com/jschlyter/openssh-portable/tree/osx. Perhaps it's not
too late to merge this.

jakob

Hi Damien,

On Dec 14 11:53, Damien Miller wrote:
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

Current git master tested on upcoming Cygwin 2.6.1 x86_64. Builds and
runs out of the box, all regression tests pass.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

all tests passed on

- Ubuntu 14.04.5 LTS
- Scientific Linux release 6.8
- SUSE Linux Enterprise Server 11 SP3

On Wed, Dec 14, 2016 at 11:53 AM Damien Miller <djm at mindrot.org> wrote:

> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.

CentOS 7.2.1511 - all tests passed
CentOS 6.5 - all tests passed
Mac OS X 10.11.6 (15G1108) - all tests passed

On Wed, Dec 14, 2016 at 11:53:32AM +1100, Damien Miller wrote:
>Hi,
>
>OpenSSH 7.4 is almost ready for release, so we would appreciate testing
>on as many platforms and systems as possible. This release contains some
>substantial new features and a number of bugfixes.
>

Hi,

I tested (or tried) git commit b737e4d7 on three systems, with somewhat
mixed results.

On Mac OSX (macOS?) 10.9, configure failed with:

    ...
    checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016)
    checking OpenSSL library version... 009081df (OpenSSL 0.9.8zg 14 July 2015)
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your
    library. Check config.log for details.

A second attempt with configure's openssl-dir pointed at a macports
install in /opt/local built successfully and passed all tests, though
there were some warnings during the build (mostly noticed just because I
configured with -Werror and then manually papered over them; not sure
how important these really are):

 - daemon() deprecated (ssh.c, sshd.c)
 - utmp, login, logout, logwtmp deprecated (loginrec.c)
 - sandbox_init() deprecated (sandbox-darwin.c)
 - struct monitor declared in ssh_sandbox_init() parameter list
   (sandbox-darwin.c)
 - set-but-unused 'flag' variable in sys_tun_open() (port-tun.c)

On Void Linux (which uses LibreSSL, for what it's worth): unable to
compile due to undeclared arc4random*() functions. The symbols exist in
libcrypto so configure's tests for them pass, but they're not declared
in any header files. I'm not sure where exactly these are "supposed" to
be declared, so I don't know if this is a problem with OpenSSH or
LibreSSL or some packaging bungle on Void's part.

On Debian testing: discovered a small-but-significant problem in
auth.c's allowed_user() function. Commit 010359b3 expanded the body of
the loop that checks DenyUsers entries, but didn't add the necessary
braces around it, so it didn't exactly have the intended effect, instead
resulting in only the last entry in DenyUsers actually being enforced.
(Credit to gcc's -Wmisleading-indentation warning here.)

The attached patch 0001-Unbreak-DenyUsers-with-1-user-specified.patch
fixes the bug; the next two patches
(0002-Add-and-use-stop_sshd-helper-function.patch and
0003-Add-regression-test-for-AllowUsers-DenyUsers.patch) add a
regression test that detects it (failing before and passing after patch
0001). With those patches applied a -Werror build completed successfully
and passed all tests.

(I also noticed a mis-typed error message in dh.c, addressed in the
attached 0004-Fix-mis-worded-error-message-in-choose_dh.patch.)

Thanks,
Zev

Attachments:
 - 0001-Unbreak-DenyUsers-with-1-user-specified.patch
   <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0004.bin>
 - 0002-Add-and-use-stop_sshd-helper-function.patch
   <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0005.bin>
 - 0003-Add-regression-test-for-AllowUsers-DenyUsers.patch
   <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0006.bin>
 - 0004-Fix-mis-worded-error-message-in-choose_dh.patch
   <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0007.bin>

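
Added example (not from the thread and not the auth.c code): a simplified C model of the missing-braces mistake described above for the DenyUsers loop, next to the braced version. match_name(), both function names and the sample deny list are assumptions made for illustration; the matcher compares exact names only, unlike sshd's pattern matching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample deny list (assumption). */
const char *const SAMPLE_DENY[] = { "alice", "bob", "mallory" };
#define SAMPLE_DENY_LEN (sizeof(SAMPLE_DENY) / sizeof(SAMPLE_DENY[0]))

/* Hypothetical stand-in for the real matcher: 1 on match, 0 otherwise. */
static int match_name(const char *user, const char *pattern)
{
	return strcmp(user, pattern) == 0;
}

/*
 * The warning that caught the bug is silenced here on purpose so the
 * deliberately wrong function still compiles under -Werror.
 */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
/*
 * Bug shape: the loop body grew to two statements but has no braces, so
 * only the assignment is repeated. The check below runs once, after the
 * loop, against the result for the LAST entry only.
 * Returns 1 if the user is allowed, 0 if denied.
 */
int allowed_user_buggy(const char *user, const char *const *deny, size_t n)
{
	size_t i;
	int r = 0;

	if (n > 0) {
		for (i = 0; i < n; i++)
			r = match_name(user, deny[i]);
			if (r != 0)
				return 0;
	}
	return 1;
}
#pragma GCC diagnostic pop

/* Braced loop: every entry is checked and the first match denies. */
int allowed_user_fixed(const char *user, const char *const *deny, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (match_name(user, deny[i]) != 0)
			return 0;
	}
	return 1;
}

int main(void)
{
	const char *users[] = { "alice", "bob", "mallory", "carol" };
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
		int b = allowed_user_buggy(users[i], SAMPLE_DENY,
		    SAMPLE_DENY_LEN);
		int f = allowed_user_fixed(users[i], SAMPLE_DENY,
		    SAMPLE_DENY_LEN);

		printf("%-8s buggy=%-7s fixed=%s\n", users[i],
		    b ? "allowed" : "denied", f ? "allowed" : "denied");
	}
	return 0;
}
```

A regression test for this class of bug needs at least two deny entries and must try a user who matches an entry other than the last one.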
Damien Miller wrote:
> Hi,
>
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

SPARC Solaris 10, using our local build of OpenSSL 1.0.2j, compiled in
32 bit mode with Sun/Solaris/Oracle Studio 12.[024], passes all tests.

I haven't been able to run the tests using Oracle's build of OpenSSL,
which is sort of in a state of flux :-).

--
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms

Once I created /var/empty, test passed on NetBSD-current and NetBSD-7
(both amd64).

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

On Thu, Dec 15, 2016 at 4:22 PM, Zev Weiss <zev at bewilderbeest.net> wrote:
[...]
> I tested (or tried) git commit b737e4d7 on three systems, with somewhat
> mixed results.

Thanks for the comprehensive testing!

> On Mac OSX (macOS?) 10.9, configure failed with:
>
> ...
> checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016)
> checking OpenSSL library version... 009081df (OpenSSL 0.9.8zg 14 July
> 2015)
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your
> library. Check config.log for details.

I think that's due to the headers and libraries supplied (or not) by Apple.

> A second attempt with configure's openssl-dir pointed at a macports install
> in /opt/local built successfully and passed all tests, though there were
> some warnings during the build (mostly noticed just because I configured
> with -Werror and then manually papered over them; not sure how important
> these really are):
>
> - daemon() deprecated (ssh.c, sshd.c)
> - utmp, login, logout, logwtmp deprecated (loginrec.c)
> - sandbox_init() deprecated (sandbox-darwin.c)

I don't think there's much we can do about these without abandoning earlier OS releases.

> - struct monitor declared in ssh_sandbox_init() parameter list
> (sandbox-darwin.c)

Missing monitor.h include. Harmless (it's never used), now fixed.

> - set-but-unused 'flag' variable in sys_tun_open() (port-tun.c)

True, the code that uses it is inside an ifdef. Might look at this later.

> On Void Linux (which uses LibreSSL, for what it's worth): unable to compile
> due to undeclared arc4random*() functions. The symbols exist in libcrypto
> so configure's tests for them pass, but they're not declared in any header
> files. I'm not sure where exactly these are "supposed" to be declared, so I
> don't know if this is a problem with OpenSSH or LibreSSL or some packaging
> bungle on Void's part.

Don't know about this one. Might install a VM to look at this if I get a chance.

> On Debian testing: discovered a small-but-significant problem in auth.c's
> allowed_user() function. Commit 010359b3 expanded the body of the loop that
> checks DenyUsers entries, but didn't add the necessary braces around it, so
> it didn't exactly have the intended effect, instead resulting in only the
> last entry in DenyUsers actually being enforced. (Credit to gcc's
> -Wmisleading-indentation warning here.)

Nice find! Fixed.

> The attached patch 0001-Unbreak-DenyUsers-with-1-user-specified.patch fixes
> the bug; the next two patches

All patches applied. Thank you.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Wed, 14 Dec 2016, Zev Weiss wrote:
> Hi,
>
> I tested (or tried) git commit b737e4d7 on three systems, with somewhat mixed
> results.

Thanks for the testing and fixes, and even more for taking the time to write a regression test!

-d
On 12/15/2016 05:17 PM, Hisashi T Fujinaka wrote:
> Once I created /var/empty, test passed on NetBSD-current and NetBSD-7
> (both amd64).
>

Likewise on Debian 8.6. Will try to start the runs against the build farm @ work, assuming our change-freeze on production work is still in place. :p

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at GMail.com> */
On 14/12/16 01:53, Damien Miller wrote:
> Hi,
>
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

I've tested Solaris 2.6/sparc, 7/sparc, 8/sparc and 9/x86 using HEAD from the git repo.

All exhibit this error:
test_utf8: ..
regress/unittests/utf8/tests.c:52 test #3 "utf8_null"
ASSERT_STRING_EQ(buf, wants) failed:
buf = (NULL) (len zu)
wants = (null) (len zu)
gmake[1]: *** [unit] Error 134

-tgc
On Sun, 18 Dec 2016, Tom G. Christensen wrote:
> On 14/12/16 01:53, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible.
>
> I've tested Solaris 2.6/sparc, 7/sparc, 8/sparc and 9/x86 using HEAD from the
> git repo.
>
> All exhibit this error:
> test_utf8: ..
> regress/unittests/utf8/tests.c:52 test #3 "utf8_null"
> ASSERT_STRING_EQ(buf, wants) failed:
> buf = (NULL) (len zu)
> wants = (null) (len zu)
> gmake[1]: *** [unit] Error 134

Thanks for testing! It looks like that test case relies on undefined behaviour (printf of NULL). We should just disable it:

diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c index 6d06fa1..c2793ea 100644 --- a/regress/unittests/utf8/tests.c +++ b/regress/unittests/utf8/tests.c @@ -65,7 +65,6 @@ tests(void) TEST_DONE(); badarg(); - one("null", NULL, 8, 6, 6, "(null)"); one("empty", "", 2, 0, 0, ""); one("ascii", "x", -2, -2, -2, "x"); one("newline", "a\nb", -2, -2, -2, "a\nb");
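Review bot: the `one("null", NULL, 8, 6, 6, "(null)");` case in tests() is deleted outright and nothing is left at that spot to say why. The expected string "(null)" depends on how the platform formats a NULL string argument (the Solaris runs quoted above produced "(NULL)"), so a one-line comment after `badarg();` stating that NULL input is deliberately not tested because the result is undefined would keep the case from being re-added later.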
On 12/14/2016 01:53 AM, Damien Miller wrote:
> * sshd(8): Remove the UseLogin configuration directive and support
> for having /bin/login manage login sessions.

Hi all,
this option should go away also from the example sshd_config in the repository so it will not confuse users.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat