On Jan 7 09:52, Damien Miller wrote:
> Hi,
>
> We've landed some fairly significant changes in OpenSSH recently and
> would appreciate your help in testing them. The biggest of the changes
> are:
>
> 1. Conversion of the ssh and sshd mainloop from select() to poll()
>
> This should be entirely invisible to users, so any behaviour change
> is a bug. If you see something and want to help debug it further,
> uncomment the DEBUG_CHANNEL_POLL #define in channels.c for heaps of
> extra debug logging.
>
> 2. Restricted agent keys.
>
> This is a large set of changes to add destination- and path-restricted
> keys to ssh-agent. A full writeup is on the website at
> https://www.openssh.com/agent-restrict.html - I'm interested to hear
> feedback on how this works in practice, UI and things that could be
> improved (as well as bug reports).
>
> 3. Running down the remaining RSA/SHA2 corner-cases
>
> There has been a fair bit of work to identify and fix the remaining
> cases where various things behaved badly wrt RSA signature algorithms.
> Recent fixes include hostbased authentication and UpdateHostkeys.
> Again, [almost] any change in visible behaviour here is a bug.
>
> All of these changes are in git and will be in tomorrow's snapshot
> (20220108).
Took me a while but today I tested this on recent Cygwin. The testsuite
fails at one point:
run test hostkey-agent.sh ...
[...]
cert type sk-ssh-ed25519-cert-v01 at openssh.com
cert type sk-ssh-ed25519-cert-v01 at openssh.com failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01 at openssh.com
[...]
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
failed hostkey agent
Looking into cat failed-sshd.log I notice this message for *all*
agent-key.*.pub files:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for
'/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub'
are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key
"/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub":
bad permissions
Shouldn't the testsuite have generated the files with correct permissions
in the first place? And then again, these are PUB files. Shouldn't
a 644 permission suffice?
Corinna
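The rule behind the "UNPROTECTED PRIVATE KEY FILE" warning, as an added illustration that is not part of this thread or of OpenSSH's own code: the loader refuses any key file that is group- or world-accessible (mode & 077 != 0) or not owned by the caller or root, and in the failing test it is applied to the agent-key.*.pub files handed to sshd as HostKey, which is why 0644 is rejected. The file names and contents below are constructed stand-ins for the regress files.

```python
import os
import stat
import tempfile


def key_file_too_open(path: str) -> bool:
    """Independent re-implementation of the permission rule (an assumption
    about the exact OpenSSH check): reject if group/other have any access
    bits, or if the file is owned by neither the caller nor root."""
    st = os.stat(path)
    if st.st_uid not in (os.getuid(), 0):
        return True
    return (stat.S_IMODE(st.st_mode) & 0o077) != 0


def check_key_files(paths):
    """Map each path to the verdict sshd would log for it."""
    return {p: ("bad permissions" if key_file_too_open(p) else "ok")
            for p in paths}


def demo():
    # Constructed files standing in for regress/agent-key.* (not real keys).
    with tempfile.TemporaryDirectory() as d:
        files = {
            "agent-key.ecdsa-sha2-nistp256.pub": 0o644,  # what the test produced
            "agent-key.ecdsa-sha2-nistp256": 0o600,      # what the loader requires
        }
        paths = []
        for name, mode in files.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("constructed placeholder, not a real key\n")
            os.chmod(p, mode)  # set explicitly so umask cannot interfere
            paths.append(p)
        result = check_key_files(paths)
        return {os.path.basename(k): v for k, v in result.items()}
```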