Hi, OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at http://www.openssh.com/portable.html#cvs At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: https://github.com/openssh/openssh-portable Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply: $ ./configure && make tests Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org. Security bugs should be reported directly to openssh at openssh.com. Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs. Thanks to the many people who contributed to this release. Future deprecation notice ======================== OpenSSH plans to remove support for the DSA signature algorithm in early 2025 and compile-time disable it later this year. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release makes DSA support in OpenSSH compile-time optional, defaulting to on. We intend the next release to change the default to disable DSA at compile time. The first OpenSSH release of 2025 will remove DSA support entirely. Changes since OpenSSH 9.6 ======================== This release contains mostly bugfixes. New features ------------ * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently. This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long. * All: make DSA key support compile-time optional, defaulting to on. Bugfixes -------- * sshd(8): don't append an unnecessary space to the end of subsystem arguments (bz3667) * ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added. (GHPR#463) * ssh(1), sshd(8): fix spurious configuration parsing errors when options that accept array arguments are overridden (bz3657). * Many fixes to manual pages and other documentation, including GHPR#462, GHPR#454, GHPR#442 and GHPR#441. * Greatly improve interop testing against PuTTY. Portability ----------- * Improve the error message when the autoconf OpenSSL header check fails (bz#3668) * Improve detection of broken toolchain -fzero-call-used-regs support (bz3645). * Fix regress/misc/fuzz-harness fuzzers and make them compile without warnings when using clang16 OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
On 2024-03-05 01:24, Damien Miller wrote:> Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/Hi all, it compiles under OpenIndiana against custom OpenSSL 3.2 library and works fine (I did just basic ssh server and client tests): :; uname -rosv SunOS 5.11 illumos-8b0687e22a illumos :; which ssh /pz/SFW/bin/ssh :; /pz/SFW/bin/ssh -V OpenSSH_9.6p1-snap20240305, OpenSSL 3.2.1 30 Jan 2024 Thanks you. Best regards -- Predrag Ze?evi?
On my test systems: Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL The failure is with "make tests" specifically when it runs /Users/rapier/openssh-portable/ssh-keygen -if /Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff - /Users/rapier/openssh-portable/regress/rsa_openssh.prv key conversion disabled at compile time 0a1,15 > -----BEGIN RSA PRIVATE KEY----- > // elided // > -----END RSA PRIVATE KEY----- make[1]: *** [t1] Error 1 Make t-exec, in contrast, does pass all tests. I'm seeing the same behaviour on Ubuntu 22.04 if I use --without-openssl so I'm guessing this is expected behaviour. Chris On 3/4/24 7:24 PM, Damien Miller wrote:> > Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Future deprecation notice > ========================> > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025 and compile-time disable it later this year. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs[3], mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA in > OpenSSH to be justified and hope that removing it from OpenSSH can > accelerate its wider deprecation in supporting cryptography > libraries. > > This release makes DSA support in OpenSSH compile-time optional, > defaulting to on. We intend the next release to change the default > to disable DSA at compile time. The first OpenSSH release of 2025 > will remove DSA support entirely. > > Changes since OpenSSH 9.6 > ========================> > This release contains mostly bugfixes. > > New features > ------------ > > * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches > all open channels and will close all open channels if there is no > traffic on any of them for the specified interval. This is in > addition to the existing per-channel timeouts added recently. > > This supports situations like having both session and x11 > forwarding channels open where one may be idle for an extended > period but the other is actively used. The global timeout could > close both channels when both have been idle for too long. > > * All: make DSA key support compile-time optional, defaulting to on. > > Bugfixes > -------- > > * sshd(8): don't append an unnecessary space to the end of subsystem > arguments (bz3667) > > * ssh(1): fix the multiplexing "channel proxy" mode, broken when > keystroke timing obfuscation was added. (GHPR#463) > > * ssh(1), sshd(8): fix spurious configuration parsing errors when > options that accept array arguments are overridden (bz3657). > > * Many fixes to manual pages and other documentation, including > GHPR#462, GHPR#454, GHPR#442 and GHPR#441. > > * Greatly improve interop testing against PuTTY. > > Portability > ----------- > > * Improve the error message when the autoconf OpenSSL header check > fails (bz#3668) > > * Improve detection of broken toolchain -fzero-call-used-regs support > (bz3645). > > * Fix regress/misc/fuzz-harness fuzzers and make them compile without > warnings when using clang16 > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Tue, Mar 05, 2024 at 11:24:28AM +1100, Damien Miller wrote:> > Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Future deprecation notice > ========================> > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025 and compile-time disable it later this year. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs[3], mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA in > OpenSSH to be justified and hope that removing it from OpenSSH can > accelerate its wider deprecation in supporting cryptography > libraries. > > This release makes DSA support in OpenSSH compile-time optional, > defaulting to on. We intend the next release to change the default > to disable DSA at compile time. The first OpenSSH release of 2025 > will remove DSA support entirely. > > Changes since OpenSSH 9.6 > ========================> > This release contains mostly bugfixes. > > New features > ------------ > > * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches > all open channels and will close all open channels if there is no > traffic on any of them for the specified interval. This is in > addition to the existing per-channel timeouts added recently. > > This supports situations like having both session and x11 > forwarding channels open where one may be idle for an extended > period but the other is actively used. The global timeout could > close both channels when both have been idle for too long. > > * All: make DSA key support compile-time optional, defaulting to on. > > Bugfixes > -------- > > * sshd(8): don't append an unnecessary space to the end of subsystem > arguments (bz3667) > > * ssh(1): fix the multiplexing "channel proxy" mode, broken when > keystroke timing obfuscation was added. (GHPR#463) > > * ssh(1), sshd(8): fix spurious configuration parsing errors when > options that accept array arguments are overridden (bz3657). > > * Many fixes to manual pages and other documentation, including > GHPR#462, GHPR#454, GHPR#442 and GHPR#441. > > * Greatly improve interop testing against PuTTY. > > Portability > ----------- > > * Improve the error message when the autoconf OpenSSL header check > fails (bz#3668) > > * Improve detection of broken toolchain -fzero-call-used-regs support > (bz3645). > > * Fix regress/misc/fuzz-harness fuzzers and make them compile without > warnings when using clang16 > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-devShowstopper problem! I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl -- Member - Liberal International This is doctor at nk.ca Ici doctor at nk.ca Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen What worth the power of law that won't stop lawlessness? -unknown
Hi Damien, On Mar 5 11:24, Damien Miller wrote:> > Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Tested on Cygwin 3.5.1. I have a testsuite failure in the dynamic-forward testcase. trace: will use ProxyCommand /home/corinna/tmp/openssh/openssh-9.7p1-1.x86_64/build/regress/netcat -x 127.0.0.1:4243 -X trace: wait for sshd trace: test -D forwarding trace: start dynamic -D forwarding, fork to background trace: testing ssh socks version 4 host 127.0.0.1 (-D) FAIL: ssh failed with exit status 255 [...] I attached the tar file with the logs. All other tests succeed. Thanks, Corinna -------------- next part -------------- A non-text attachment was scrubbed... Name: failed-dynamic_forwarding-logs.tar Type: application/x-tar Size: 20480 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240306/f993994a/attachment-0001.tar>
Hello,
I got a failure on configuring the master branch on Fedora 39:
upstream/openssh-portable$ ./configure --disable-dsa
....
checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
checking for OpenSSL_version... yes
checking for OpenSSL_version_num... yes
checking OpenSSL library version... configure: error: Unknown/unsupported
OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)")
On Tue, Mar 5, 2024 at 1:26?AM Damien Miller <djm at mindrot.org> wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> ========================>
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
>
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
>
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
>
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
>
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
>
> Changes since OpenSSH 9.6
> ========================>
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that
watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
>
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
>
> * All: make DSA key support compile-time optional, defaulting to on.
>
> Bugfixes
> --------
>
> * sshd(8): don't append an unnecessary space to the end of subsystem
> arguments (bz3667)
>
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
> keystroke timing obfuscation was added. (GHPR#463)
>
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
> options that accept array arguments are overridden (bz3657).
>
> * Many fixes to manual pages and other documentation, including
> GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>
> * Greatly improve interop testing against PuTTY.
>
> Portability
> -----------
>
> * Improve the error message when the autoconf OpenSSL header check
> fails (bz#3668)
>
> * Improve detection of broken toolchain -fzero-call-used-regs support
> (bz3645).
>
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
> warnings when using clang16
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
--
Dmitry Belyavskiy
On 05/03/2024 01:24, Damien Miller wrote:> > Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. >Running the testsuite on Solaris 9 I see this: set -xe ; if /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh -Q key | grep -q ^ssh-rsa ; then \ /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv | diff - /export/home/tgc/buildpkg/openssh/src /openssh-git/regress/rsa_openssh.prv ; \ tr '\n' '\r' </export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_cr.prv ; \ /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_cr.prv | diff - /export/home/tgc/buildpkg/openssh/ src/openssh-git/regress/rsa_openssh.prv ; \ awk '{print $0 "\r"}' /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_crnl.prv ; \ /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_crnl.prv | diff - /export/home/tgc/buildpkg/openss h/src/openssh-git/regress/rsa_openssh.prv ; \ fi + /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh -Q key + grep -q Usage: grep [OPTION]... PATTERN [FILE]... Try 'grep --help' for more information. + ssh-rsa /bin/sh: ssh-rsa: not found and the same for ssh-dss. The issue is that /bin/sh is sensitive to the ^ character. It either needs to be escaped or the string quoted. -tgc