Hi,
OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable
Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:
$ ./configure && make tests
Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.
Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.
Thanks to the many people who contributed to this release.
Potentially-incompatible changes
--------------------------------
* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.
This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at https://openssh.com/pq.html
This warning may be controlled via a new WarnWeakCrypto ssh_config
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.
* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
Both the client and the server have changed the default DCSP
(a.k.a IPQos) values and the way these values are selected at
runtime.
Both endpoints now use Expedited Forward (EF) for interactive
traffic by default. This provides better prioritisation,
especially on wireless media (cf. RFC 8325). Non-interactive
traffic now uses the operating system default DSCP marking.
Both the interactive and non-interactive DSCP values may be
overridden via the IPQoS keyword in ssh_config(5) and
sshd_config(5).
The DSCP value selected may now change over the course of a
connection. ssh(1) and sshd(8) will automatically select between
the interactive and non-interactive IPQoS values depending on
the type of SSH channels open. E.g. if a sftp session is using
the connectionn, then the non-interactive value will be used.
This is important now that the default interactive IPQoS is EF
(Expedited Forwarding), as many networks are configured to allow
only relatively small amounts of traffic of this class and they will
aggressively deprioritise the entire connection if this is exceeded.
* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
This will cause the agent to automtically remove certificates shortly
after they expire. A new ssh-add -N option disables this behaviour.
* All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantu
signature scheme in the near future.
* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS)
keywords in the IPQoS configuration directive.
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture. Diffserv
has significant advantages for operators because this mechanism
offers more granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and instead the system default QoS
settings apply. Additionally, a debug message is logged about the
deprecation with a suggestion to use DSCP.
* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.
Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent now gains
this ability.
To support $HOME on NFS, the socket path includes a truncated hash of
the hostname. ssh-agent will by default only clean up sockets from
the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic
cleanup of stale sockets when it starts. -u forces a cleanup
without keeping a running agent, -uu forces a cleanup that ignores
the hostname. -T makes ssh-agent put the socket back in /tmp.
Changes since OpenSSH 10.0
=========================
New features
------------
* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.
* sshd(8): when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.
* ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.
* ssh(1): add a ssh_config(5) RefuseConnection option that, when
encountered while processing an active section in a
configuration terminates ssh(1) with an error message that
contains the argument to the option.
This may be useful for expressing reminders or warnings in config
files, for example:
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
* sshd(8): make the X11 display number check relative to
X11DisplayOffset. This will allows people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.
* unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
on OpenBSD or "make unit-bench" on Portable OpenSSH.
Bugfixes
--------
* sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd to refuse new connections.
* ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
is enabled. bz#3820
* sshd(8): increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached. bz3808
* sftp(1): during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.
* sftp(1): avoid a fatal() when sftp tab-completes filenames that
share common utf-8 characters that don't encode to a complete
codepoint.
* sshd(8): avoid a race condition when the sshd-auth process exits
tha could cause a spurious error message to be logged.
* sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.
* sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
* sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised. bz3859
* ssh(1): fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.
* sshd(8): make "Match !final" not trigger a 2nd pass ssh_config
parsing pass (unless hostname canonicalisation or a separate
"Match final" does). bz3843
* ssh(1): better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.
* All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
* sshd(8): : Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated alias
"without-password". bz#3788
* ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
Usually writes to this file are serialised on the "Are you sure you
want to continue connecting?" prompt, but if host key checking is
disabled and connections were being made with high concurrency
then interleaved writes might have been possible.
Portability
-----------
* sshd(8): check the username didn't change during the PAM
transactions.
PAM modules can change the user during their execution, but
this is not supported by sshd(8). If such a case was incorrectly
configured by the system administrator, then sshd(8) could end up
using a different username to the one authorised by PAM.
* sshd(8): don't log audit messages with UNKNOWN hostname to avoid
slow DNS lookups in the audit subsystem.
* All: when making a copy of struct passwd, ensure struct fields are
non-NULL. Android libc can return NULL pw_gecos, for example.
* All: Remove status bits from OpenSSL >=3 version check.
* sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
forwarding from other OSes fails as soon as the first IPv6 message
is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up).
* ssh(1), ssh-agent(8): check for nlist function presence before
attenmpting to use it instead of relying on the presence of the
nlist.h header. Mac OS X, in particular has the header, but only
has the function in the 32bit libraries.
* All: fill in missing system header files.
Create replacement header files inside openbsd-compat for common
headers that are missing on a given platform. Usually these are
just empty, but in some cases they'll include the equivalent file.
This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
and reduces the diff between Portable OpenSSH and OpenBSD.
* sshd(8): handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
* Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
* sshd(8): let ga_init() fail gracefully if getgrouplist does.
Apparently getgrouplist() can fail on OSX when passed a
non-existent group name. Other platforms seem to return a group
list consisting of the numeric gid passed to the function. bz3848
* ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
preventing a graceful shutdown of an agent via systemd from
incorrectly marking the service as "failed".
* build: wrap some autoconf macros in AC_CACHE_CHECK.
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.
$ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
[...]
checking if cc supports compile flag -fzero-call-used-regs=used and linking
succeeds... (cached) no
Reporting Bugs:
==============
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh at openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
Hi Damien, On 30/09/2025 14:45, Damien Miller wrote:> OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible.The source archive extracts to a directory called openssh. On Darwin, if you extract the snapshot archive from the GUI, and there's already a directory named openssh present, the system adds a number to the directory name to avoid what's in place. e.g "openssh 2" When it comes to configuring, the "checking compiler and flags for sanity" fails with "clang: error: no such file or directory: '2/openbsd-compat/include'" Recreated the issue on another OS: mkdir openssh\ 2 tar zxf openssh-SNAP-20250930.tar.gz -C openssh\ 2 configure:13635: checking compiler and flags for sanity configure:13654: cc -o conftest -g -O2 -pipe -Wunknown-warning-option -Wno-error=format-truncation -Qunused-arguments -Wall -Wextra -Wpointer-arit h -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wmislead ing-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=z ero -mretpoline -fno-builtin-memset -fstack-protector-strong -I/home/sevan/openssh 2/openssh/openbsd-compat/include -Wl,-z,relro -Wl,-z,now -Wl, -z,noexecstack -Wl,-z,retpolineplt -fstack-protector-strong conftest.c >&5 cc: error: no such file or directory: '2/openssh/openbsd-compat/include' configure:13654: $? = 1 configure: program exited with status 1 Sincerely, Sevan
Is anyone testing openssl 3.6 against the upcoming candidate? -- Member - Liberal International This is doctor at nk.ca Ici doctor at nk.ca Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism ; All I want to hear from JEsus Christ is WEll done Good and Faithful servant
On 30/09/2025 14:45, Damien Miller wrote:> Live testing on suitable non-production systems is also appreciated.Built fine & ran tests without issue out of the box on macOS 10.15 Catalina, linking against OpenSSL 3.4.x. clock_gettime and its various clock_id definitions didn't show up in darwin until macOS 10.12 Sierra (darwin 16). The autoconf infra already checks for clock_gettime() so I added a guard in misc-agent.c which allowed OpenSSH to build on There are two calls to clock_gettime() in regress/unittests/test_helper/test_helper.c which I just commented out to move forward. The comment in the header of regress/keygen-comment.sh seems corrupt and it trips up ancient bash (2.05b) on ancient OS X (10.4) resulting in the error "regress/keygen-comment.sh: cannot execute binary file" when running the test suite. I cleared that up. With these changes it was possible to build and run the test suite on Mac OS X 10.4.11 PowerPC (on G4 & G5), linking against OpenSSL 3.5.x Had to configure with --disable-security-key as the build infra uses "-shared" for building libraries and ancient OS X doesn't recognise that. Will provide a patch for that if/when I get to look at it on a rainy day. Sincerely, Sevan -------------- next part -------------- --- openssh.orig/misc-agent.c 2025-09-30 01:19:15.000000000 +0100 +++ openssh/misc-agent.c 2025-09-30 20:24:27.000000000 +0100 @@ -279,11 +279,13 @@ char *prefix = NULL, *dirpath = NULL, *path = NULL; struct timespec now, sub, *mtimp = NULL; +#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_REALTIME) /* Only consider sockets last modified > 1 hour ago */ if (clock_gettime(CLOCK_REALTIME, &now) != 0) { error_f("clock_gettime: %s", strerror(errno)); return; } +#endif /* HAVE_CLOCK_GETTIME && REALTIME */ sub.tv_sec = 60 * 60; sub.tv_nsec = 0; timespecsub(&now, &sub, &now); --- openssh.orig/regress/keygen-comment.sh 2025-09-30 01:19:15.000000000 +0100 +++ openssh/regress/keygen-comment.sh 2025-09-30 21:16:41.000000000 +0100 @@ -1,4 +1,5 @@ -#??? Placed in the Public Domain. +# $OpenBSD$ +# Placed in the Public Domain. tid="Comment extraction from private key"
Hi Damien, Tested compilation of openssh-SNAP-20250930.tar.gz on OpenIndiana: * :; uname -rosv SunOS 5.11 illumos-da3b00f42a illumos * GCC 14 (and GCC 13 was tested too) * custom: OpenSSL 3.5.3, OpenLDAP 2.6.10, Keberos5-1.21.3 compilation went fine (no error): :; ssh -V OpenSSH_10.0p2-snap20250930, OpenSSL 3.5.3 16 Sep 2025 When running tests, a lot of scripts throw warning, like: openssh-SNAP-20250930/regress/agent-timeout.sh: warning: line 9: `...` obsolete, use $(...) etc Even if I set "WarnWeakCrypto no" in my config (https://www.openssh.com/pq.html) to avoid connection warning I have noticed: * connection to CentOS 9 (openssh 9.9p1) works w/o issues * connection to CentOS 8 (openssh 8.0p1) introduces some issues (slow connection and interaction on remote node - like it (ssh) spends some time in some loop). Have not tried connection to older systems (with older openssh), so I was forced to go back to version 10.0p2 * 'make test' runs fine, but terminates with strange error: ... ok basic sftp put/get run test sftp-chroot.sh ... test sftp in chroot: get FATAL: Fetch testdata_predrag_zecevic.179304 failed rm: cannot remove '/var/run/testdata_predrag_zecevic.179304': Permission denied Regards. P.S. any hint how I can see where is problem (w/o need to change anything on remote side/server) would be appreciated On 2025-09-30 15:45, Damien Miller wrote:> Hi, > > OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Potentially-incompatible changes > -------------------------------- > > * ssh(1): add a warning when the connection negotiates a non-post > quantum key agreement algorithm. > > This warning has been added due to the risk of "store now, decrypt > later" attacks. More details at https://openssh.com/pq.html > > This warning may be controlled via a new WarnWeakCrypto ssh_config > option, defaulting to on. This option is likely to control > additional weak crypto warnings in the future. > > * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS > > Both the client and the server have changed the default DCSP > (a.k.a IPQos) values and the way these values are selected at > runtime. > > Both endpoints now use Expedited Forward (EF) for interactive > traffic by default. This provides better prioritisation, > especially on wireless media (cf. RFC 8325). Non-interactive > traffic now uses the operating system default DSCP marking. > Both the interactive and non-interactive DSCP values may be > overridden via the IPQoS keyword in ssh_config(5) and > sshd_config(5). > > The DSCP value selected may now change over the course of a > connection. ssh(1) and sshd(8) will automatically select between > the interactive and non-interactive IPQoS values depending on > the type of SSH channels open. E.g. if a sftp session is using > the connectionn, then the non-interactive value will be used. > > This is important now that the default interactive IPQoS is EF > (Expedited Forwarding), as many networks are configured to allow > only relatively small amounts of traffic of this class and they will > aggressively deprioritise the entire connection if this is exceeded. > > * ssh-add(1): when adding certificates to an agent, set the expiry > to the certificate expiry time plus a short (5 min) grace period. > > This will cause the agent to automtically remove certificates shortly > after they expire. A new ssh-add -N option disables this behaviour. > > * All: remove experimental support for XMSS keys. This was never > enabled by default. We expect to implement a new post-quantu > signature scheme in the near future. > > * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS) > keywords in the IPQoS configuration directive. > > Type of Service (ToS) was deprecated in the late nineties and > replaced with the Differentiated Services architecture. Diffserv > has significant advantages for operators because this mechanism > offers more granularity. > > OpenSSH switched its default IPQoS from ToS to DSCP values in 2018. > > IPQoS configurations with 'lowdelay', 'reliability', or > 'throughput' will be ignored and instead the system default QoS > settings apply. Additionally, a debug message is logged about the > deprecation with a suggestion to use DSCP. > > * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to > under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets > in sshd(8). > > This ensures processes that have restricted filesystem access > that includes /tmp do not ambiently have the ability to use keys > in an agent. > > Moving the default directory has the consequence that the OS will > no longer clean up stale agent sockets, so ssh-agent now gains > this ability. > > To support $HOME on NFS, the socket path includes a truncated hash of > the hostname. ssh-agent will by default only clean up sockets from > the same hostname. > > ssh-agent(1) gains some new flags: -U suppresses the automatic > cleanup of stale sockets when it starts. -u forces a cleanup > without keeping a running agent, -uu forces a cleanup that ignores > the hostname. -T makes ssh-agent put the socket back in /tmp. > > Changes since OpenSSH 10.0 > =========================> > New features > ------------ > > * ssh(1), sshd(8): add SIGINFO handlers to log active channel and > session information. > > * sshd(8): when refusing a certificate for user authentication, log > enough information to identify the certificate in addition to the > reason why it was being denied. Makes debugging certificate > authorisation problems a bit easier. > > * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 > tokens. > > * ssh(1): add a ssh_config(5) RefuseConnection option that, when > encountered while processing an active section in a > configuration terminates ssh(1) with an error message that > contains the argument to the option. > > This may be useful for expressing reminders or warnings in config > files, for example: > > Match host foo > RefuseConnection "foo is deprecated, use splork instead" > > * sshd(8): make the X11 display number check relative to > X11DisplayOffset. This will allows people to use X11DisplayOffset > to configure much higher port ranges if they really want, while > not changing the default behaviour. > > * unit tests: the unit test framework now includes some basic > benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes" > on OpenBSD or "make unit-bench" on Portable OpenSSH. > > Bugfixes > -------- > > * sshd(8): fix mistracking of MaxStartups process exits in some > situations. At worst, this could cause all MaxStartups slots to > fill and sshd to refuse new connections. > > * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming > is enabled. bz#3820 > > * sshd(8): increase the maximum size of the supported configuration > from 256KB to 4MB, which ought to be enough for anybody. Fail > early and visibly when this limit is breached. bz3808 > > * sftp(1): during sftp uploads, avoid a condition where a failed > write could be ignored if a subsequent write succeeded. This is > unlikely but technically possible because sftp servers are > allowed to reorder requests. > > * sftp(1): avoid a fatal() when sftp tab-completes filenames that > share common utf-8 characters that don't encode to a complete > codepoint. > > * sshd(8): avoid a race condition when the sshd-auth process exits > tha could cause a spurious error message to be logged. > > * sshd(8): log at level INFO when PerSourcePenalties actually > blocks access to a source address range. Previously this was > logged at level VERBOSE, which hid enforcement actions under > default config settings. > > * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix > > * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options > first-match-wins as advertised. bz3859 > > * ssh(1): fix an incorrect return value check in the local forward > cancellation path that would cause failed cancellations not to be > logged. > > * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config > parsing pass (unless hostname canonicalisation or a separate > "Match final" does). bz3843 > > * ssh(1): better debug diagnostics when loading keys. Will now list > key fingerprint and algorithm (not just algorithm number) as well > as making it explicit which keys didn't load. > > * All: fix a number of memory leaks found by LeakSanitizer, > Coverity and manual inspection. > > * sshd(8): : Output the current name for PermitRootLogin's > "prohibit-password" in sshd -T instead of its deprecated alias > "without-password". bz#3788 > > * ssh(1): make writing known_hosts lines more atomic by writing > the entire line in one operation and using unbuffered stdio. > > Usually writes to this file are serialised on the "Are you sure you > want to continue connecting?" prompt, but if host key checking is > disabled and connections were being made with high concurrency > then interleaved writes might have been possible. > > Portability > ----------- > > * sshd(8): check the username didn't change during the PAM > transactions. > > PAM modules can change the user during their execution, but > this is not supported by sshd(8). If such a case was incorrectly > configured by the system administrator, then sshd(8) could end up > using a different username to the one authorised by PAM. > > * sshd(8): don't log audit messages with UNKNOWN hostname to avoid > slow DNS lookups in the audit subsystem. > > * All: when making a copy of struct passwd, ensure struct fields are > non-NULL. Android libc can return NULL pw_gecos, for example. > > * All: Remove status bits from OpenSSL >=3 version check. > > * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun > forwarding from other OSes fails as soon as the first IPv6 message > is sent by the other side (which is usually a Router Solicitation > ICMPv6 message which is sent as soon as the interface is up). > > * ssh(1), ssh-agent(8): check for nlist function presence before > attenmpting to use it instead of relying on the presence of the > nlist.h header. Mac OS X, in particular has the header, but only > has the function in the 32bit libraries. > > * All: fill in missing system header files. > > Create replacement header files inside openbsd-compat for common > headers that are missing on a given platform. Usually these are > just empty, but in some cases they'll include the equivalent file. > This avoids having to wrap those includes in '#ifdef HAVE_FOO_H' > and reduces the diff between Portable OpenSSH and OpenBSD. > > * sshd(8): handle futex_time64 properly in seccomp sandbox > Previously we only allowed __NR_futex, but some 32-bit systems > apparently support __NR_futex_time64. We had support for this > in the sandbox, but because of a macro error only __NR_futex was > allowlisted. > > * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. > > * sshd(8): let ga_init() fail gracefully if getgrouplist does. > Apparently getgrouplist() can fail on OSX when passed a > non-existent group name. Other platforms seem to return a group > list consisting of the numeric gid passed to the function. bz3848 > > * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, > preventing a graceful shutdown of an agent via systemd from > incorrectly marking the service as "failed". > > * build: wrap some autoconf macros in AC_CACHE_CHECK. > > This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and > OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler > or linker flags. E.g. > > $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no > [...] > checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no > > Reporting Bugs: > ==============> > - Please read https://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Predrag Ze?evi?
> * All: remove experimental support for XMSS keys. This was never > enabled by default. We expect to implement a new post-quantu^m?> signature scheme in the near future.Regards, Eike -- Rolf Eike Beer emlix GmbH Headquarters: Berliner Str. 12, 37073 G?ttingen, Germany Phone +49 (0)551 30664-0, e-mail info at emlix.com District Court of G?ttingen, Registry Number HR B 3160 Managing Directors: Heike Jordan, Dr. Uwe Kracke VAT ID No. DE 205 198 055 Office Berlin: Panoramastr. 1, 10178 Berlin, Germany Office Bonn: Bachstr. 6, 53115 Bonn, Germany http://www.emlix.com emlix - your embedded Linux partner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 350 bytes Desc: This is a digitally signed message part. URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20251001/0cd43010/attachment.asc>
Hi, The build process went pretty smooth in a RHEL 8.10, except the `make tests` as follow: [leo at boxer build]$ uname -a Linux boxer 4.18.0-553.75.1.el8_10.x86_64 #1 SMP Wed Sep 10 00:05:32 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux [leo at boxer build]$ cat /etc/redhat-release Red Hat Enterprise Linux release 8.10 (Ootpa) [leo at boxer build]$ openssl version OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025) [leo at boxer build]$ ssh -V OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025 [...] unexpected ssh output multihop restricted multihop username multihop wildcard username multihop wrong username multihop cycle no agent multihop cycle agent unrestricted 12d11 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 13a13 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 22d21 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 23a23 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 32d31 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 33a33 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 42d41 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 43a43 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 52d51 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 53a53 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 62d61 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 63a63 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 72d71 < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d 73a73 > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d unexpected ssh output multihop cycle restricted deny multihop cycle restricted allow failed agent restrictions make[1]: *** [Makefile:255: t-exec] Error 1 make[1]: Leaving directory '/export/home/leo/src/openssh-10.0p1/regress' make: *** [Makefile:788: t-exec] Error 2 Regards, -- Leo On 9/30/25 07:45, Damien Miller wrote:> Hi, > > OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Potentially-incompatible changes > -------------------------------- > > * ssh(1): add a warning when the connection negotiates a non-post > quantum key agreement algorithm. > > This warning has been added due to the risk of "store now, decrypt > later" attacks. More details at https://openssh.com/pq.html > > This warning may be controlled via a new WarnWeakCrypto ssh_config > option, defaulting to on. This option is likely to control > additional weak crypto warnings in the future. > > * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS > > Both the client and the server have changed the default DCSP > (a.k.a IPQos) values and the way these values are selected at > runtime. > > Both endpoints now use Expedited Forward (EF) for interactive > traffic by default. This provides better prioritisation, > especially on wireless media (cf. RFC 8325). Non-interactive > traffic now uses the operating system default DSCP marking. > Both the interactive and non-interactive DSCP values may be > overridden via the IPQoS keyword in ssh_config(5) and > sshd_config(5). > > The DSCP value selected may now change over the course of a > connection. ssh(1) and sshd(8) will automatically select between > the interactive and non-interactive IPQoS values depending on > the type of SSH channels open. E.g. if a sftp session is using > the connectionn, then the non-interactive value will be used. > > This is important now that the default interactive IPQoS is EF > (Expedited Forwarding), as many networks are configured to allow > only relatively small amounts of traffic of this class and they will > aggressively deprioritise the entire connection if this is exceeded. > > * ssh-add(1): when adding certificates to an agent, set the expiry > to the certificate expiry time plus a short (5 min) grace period. > > This will cause the agent to automtically remove certificates shortly > after they expire. A new ssh-add -N option disables this behaviour. > > * All: remove experimental support for XMSS keys. This was never > enabled by default. We expect to implement a new post-quantu > signature scheme in the near future. > > * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS) > keywords in the IPQoS configuration directive. > > Type of Service (ToS) was deprecated in the late nineties and > replaced with the Differentiated Services architecture. Diffserv > has significant advantages for operators because this mechanism > offers more granularity. > > OpenSSH switched its default IPQoS from ToS to DSCP values in 2018. > > IPQoS configurations with 'lowdelay', 'reliability', or > 'throughput' will be ignored and instead the system default QoS > settings apply. Additionally, a debug message is logged about the > deprecation with a suggestion to use DSCP. > > * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to > under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets > in sshd(8). > > This ensures processes that have restricted filesystem access > that includes /tmp do not ambiently have the ability to use keys > in an agent. > > Moving the default directory has the consequence that the OS will > no longer clean up stale agent sockets, so ssh-agent now gains > this ability. > > To support $HOME on NFS, the socket path includes a truncated hash of > the hostname. ssh-agent will by default only clean up sockets from > the same hostname. > > ssh-agent(1) gains some new flags: -U suppresses the automatic > cleanup of stale sockets when it starts. -u forces a cleanup > without keeping a running agent, -uu forces a cleanup that ignores > the hostname. -T makes ssh-agent put the socket back in /tmp. > > Changes since OpenSSH 10.0 > =========================> > New features > ------------ > > * ssh(1), sshd(8): add SIGINFO handlers to log active channel and > session information. > > * sshd(8): when refusing a certificate for user authentication, log > enough information to identify the certificate in addition to the > reason why it was being denied. Makes debugging certificate > authorisation problems a bit easier. > > * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 > tokens. > > * ssh(1): add a ssh_config(5) RefuseConnection option that, when > encountered while processing an active section in a > configuration terminates ssh(1) with an error message that > contains the argument to the option. > > This may be useful for expressing reminders or warnings in config > files, for example: > > Match host foo > RefuseConnection "foo is deprecated, use splork instead" > > * sshd(8): make the X11 display number check relative to > X11DisplayOffset. This will allows people to use X11DisplayOffset > to configure much higher port ranges if they really want, while > not changing the default behaviour. > > * unit tests: the unit test framework now includes some basic > benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes" > on OpenBSD or "make unit-bench" on Portable OpenSSH. > > Bugfixes > -------- > > * sshd(8): fix mistracking of MaxStartups process exits in some > situations. At worst, this could cause all MaxStartups slots to > fill and sshd to refuse new connections. > > * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming > is enabled. bz#3820 > > * sshd(8): increase the maximum size of the supported configuration > from 256KB to 4MB, which ought to be enough for anybody. Fail > early and visibly when this limit is breached. bz3808 > > * sftp(1): during sftp uploads, avoid a condition where a failed > write could be ignored if a subsequent write succeeded. This is > unlikely but technically possible because sftp servers are > allowed to reorder requests. > > * sftp(1): avoid a fatal() when sftp tab-completes filenames that > share common utf-8 characters that don't encode to a complete > codepoint. > > * sshd(8): avoid a race condition when the sshd-auth process exits > tha could cause a spurious error message to be logged. > > * sshd(8): log at level INFO when PerSourcePenalties actually > blocks access to a source address range. Previously this was > logged at level VERBOSE, which hid enforcement actions under > default config settings. > > * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix > > * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options > first-match-wins as advertised. bz3859 > > * ssh(1): fix an incorrect return value check in the local forward > cancellation path that would cause failed cancellations not to be > logged. > > * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config > parsing pass (unless hostname canonicalisation or a separate > "Match final" does). bz3843 > > * ssh(1): better debug diagnostics when loading keys. Will now list > key fingerprint and algorithm (not just algorithm number) as well > as making it explicit which keys didn't load. > > * All: fix a number of memory leaks found by LeakSanitizer, > Coverity and manual inspection. > > * sshd(8): : Output the current name for PermitRootLogin's > "prohibit-password" in sshd -T instead of its deprecated alias > "without-password". bz#3788 > > * ssh(1): make writing known_hosts lines more atomic by writing > the entire line in one operation and using unbuffered stdio. > > Usually writes to this file are serialised on the "Are you sure you > want to continue connecting?" prompt, but if host key checking is > disabled and connections were being made with high concurrency > then interleaved writes might have been possible. > > Portability > ----------- > > * sshd(8): check the username didn't change during the PAM > transactions. > > PAM modules can change the user during their execution, but > this is not supported by sshd(8). If such a case was incorrectly > configured by the system administrator, then sshd(8) could end up > using a different username to the one authorised by PAM. > > * sshd(8): don't log audit messages with UNKNOWN hostname to avoid > slow DNS lookups in the audit subsystem. > > * All: when making a copy of struct passwd, ensure struct fields are > non-NULL. Android libc can return NULL pw_gecos, for example. > > * All: Remove status bits from OpenSSL >=3 version check. > > * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun > forwarding from other OSes fails as soon as the first IPv6 message > is sent by the other side (which is usually a Router Solicitation > ICMPv6 message which is sent as soon as the interface is up). > > * ssh(1), ssh-agent(8): check for nlist function presence before > attenmpting to use it instead of relying on the presence of the > nlist.h header. Mac OS X, in particular has the header, but only > has the function in the 32bit libraries. > > * All: fill in missing system header files. > > Create replacement header files inside openbsd-compat for common > headers that are missing on a given platform. Usually these are > just empty, but in some cases they'll include the equivalent file. > This avoids having to wrap those includes in '#ifdef HAVE_FOO_H' > and reduces the diff between Portable OpenSSH and OpenBSD. > > * sshd(8): handle futex_time64 properly in seccomp sandbox > Previously we only allowed __NR_futex, but some 32-bit systems > apparently support __NR_futex_time64. We had support for this > in the sandbox, but because of a macro error only __NR_futex was > allowlisted. > > * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. > > * sshd(8): let ga_init() fail gracefully if getgrouplist does. > Apparently getgrouplist() can fail on OSX when passed a > non-existent group name. Other platforms seem to return a group > list consisting of the numeric gid passed to the function. bz3848 > > * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, > preventing a graceful shutdown of an agent via systemd from > incorrectly marking the service as "failed". > > * build: wrap some autoconf macros in AC_CACHE_CHECK. > > This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and > OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler > or linker flags. E.g. > > $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no > [...] > checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no > > Reporting Bugs: > ==============> > - Please read https://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
No issues on any of my systems MacOS 15 --without-OpenSSL Debian 12, 13 Fedora 40, 41, 42, 43 Ubuntu 20.04, 22.04, 24.04, 25.05 With the exception of Fedora 42 FIPS Mode. That fails 'make tests' almost immediately with the RSA key in do_convert_from_ssh2. I believe that's expected in FIPS mode though. Note: in all cases (except for MacOS) I just used a plain configure. Chris On 9/30/25 09:45, Damien Miller wrote:> Hi, > > OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Potentially-incompatible changes > -------------------------------- > > * ssh(1): add a warning when the connection negotiates a non-post > quantum key agreement algorithm. > > This warning has been added due to the risk of "store now, decrypt > later" attacks. More details at https://openssh.com/pq.html > > This warning may be controlled via a new WarnWeakCrypto ssh_config > option, defaulting to on. This option is likely to control > additional weak crypto warnings in the future. > > * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS > > Both the client and the server have changed the default DCSP > (a.k.a IPQos) values and the way these values are selected at > runtime. > > Both endpoints now use Expedited Forward (EF) for interactive > traffic by default. This provides better prioritisation, > especially on wireless media (cf. RFC 8325). Non-interactive > traffic now uses the operating system default DSCP marking. > Both the interactive and non-interactive DSCP values may be > overridden via the IPQoS keyword in ssh_config(5) and > sshd_config(5). > > The DSCP value selected may now change over the course of a > connection. ssh(1) and sshd(8) will automatically select between > the interactive and non-interactive IPQoS values depending on > the type of SSH channels open. E.g. if a sftp session is using > the connectionn, then the non-interactive value will be used. > > This is important now that the default interactive IPQoS is EF > (Expedited Forwarding), as many networks are configured to allow > only relatively small amounts of traffic of this class and they will > aggressively deprioritise the entire connection if this is exceeded. > > * ssh-add(1): when adding certificates to an agent, set the expiry > to the certificate expiry time plus a short (5 min) grace period. > > This will cause the agent to automtically remove certificates shortly > after they expire. A new ssh-add -N option disables this behaviour. > > * All: remove experimental support for XMSS keys. This was never > enabled by default. We expect to implement a new post-quantu > signature scheme in the near future. > > * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS) > keywords in the IPQoS configuration directive. > > Type of Service (ToS) was deprecated in the late nineties and > replaced with the Differentiated Services architecture. Diffserv > has significant advantages for operators because this mechanism > offers more granularity. > > OpenSSH switched its default IPQoS from ToS to DSCP values in 2018. > > IPQoS configurations with 'lowdelay', 'reliability', or > 'throughput' will be ignored and instead the system default QoS > settings apply. Additionally, a debug message is logged about the > deprecation with a suggestion to use DSCP. > > * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to > under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets > in sshd(8). > > This ensures processes that have restricted filesystem access > that includes /tmp do not ambiently have the ability to use keys > in an agent. > > Moving the default directory has the consequence that the OS will > no longer clean up stale agent sockets, so ssh-agent now gains > this ability. > > To support $HOME on NFS, the socket path includes a truncated hash of > the hostname. ssh-agent will by default only clean up sockets from > the same hostname. > > ssh-agent(1) gains some new flags: -U suppresses the automatic > cleanup of stale sockets when it starts. -u forces a cleanup > without keeping a running agent, -uu forces a cleanup that ignores > the hostname. -T makes ssh-agent put the socket back in /tmp. > > Changes since OpenSSH 10.0 > =========================> > New features > ------------ > > * ssh(1), sshd(8): add SIGINFO handlers to log active channel and > session information. > > * sshd(8): when refusing a certificate for user authentication, log > enough information to identify the certificate in addition to the > reason why it was being denied. Makes debugging certificate > authorisation problems a bit easier. > > * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 > tokens. > > * ssh(1): add a ssh_config(5) RefuseConnection option that, when > encountered while processing an active section in a > configuration terminates ssh(1) with an error message that > contains the argument to the option. > > This may be useful for expressing reminders or warnings in config > files, for example: > > Match host foo > RefuseConnection "foo is deprecated, use splork instead" > > * sshd(8): make the X11 display number check relative to > X11DisplayOffset. This will allows people to use X11DisplayOffset > to configure much higher port ranges if they really want, while > not changing the default behaviour. > > * unit tests: the unit test framework now includes some basic > benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes" > on OpenBSD or "make unit-bench" on Portable OpenSSH. > > Bugfixes > -------- > > * sshd(8): fix mistracking of MaxStartups process exits in some > situations. At worst, this could cause all MaxStartups slots to > fill and sshd to refuse new connections. > > * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming > is enabled. bz#3820 > > * sshd(8): increase the maximum size of the supported configuration > from 256KB to 4MB, which ought to be enough for anybody. Fail > early and visibly when this limit is breached. bz3808 > > * sftp(1): during sftp uploads, avoid a condition where a failed > write could be ignored if a subsequent write succeeded. This is > unlikely but technically possible because sftp servers are > allowed to reorder requests. > > * sftp(1): avoid a fatal() when sftp tab-completes filenames that > share common utf-8 characters that don't encode to a complete > codepoint. > > * sshd(8): avoid a race condition when the sshd-auth process exits > tha could cause a spurious error message to be logged. > > * sshd(8): log at level INFO when PerSourcePenalties actually > blocks access to a source address range. Previously this was > logged at level VERBOSE, which hid enforcement actions under > default config settings. > > * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix > > * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options > first-match-wins as advertised. bz3859 > > * ssh(1): fix an incorrect return value check in the local forward > cancellation path that would cause failed cancellations not to be > logged. > > * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config > parsing pass (unless hostname canonicalisation or a separate > "Match final" does). bz3843 > > * ssh(1): better debug diagnostics when loading keys. Will now list > key fingerprint and algorithm (not just algorithm number) as well > as making it explicit which keys didn't load. > > * All: fix a number of memory leaks found by LeakSanitizer, > Coverity and manual inspection. > > * sshd(8): : Output the current name for PermitRootLogin's > "prohibit-password" in sshd -T instead of its deprecated alias > "without-password". bz#3788 > > * ssh(1): make writing known_hosts lines more atomic by writing > the entire line in one operation and using unbuffered stdio. > > Usually writes to this file are serialised on the "Are you sure you > want to continue connecting?" prompt, but if host key checking is > disabled and connections were being made with high concurrency > then interleaved writes might have been possible. > > Portability > ----------- > > * sshd(8): check the username didn't change during the PAM > transactions. > > PAM modules can change the user during their execution, but > this is not supported by sshd(8). If such a case was incorrectly > configured by the system administrator, then sshd(8) could end up > using a different username to the one authorised by PAM. > > * sshd(8): don't log audit messages with UNKNOWN hostname to avoid > slow DNS lookups in the audit subsystem. > > * All: when making a copy of struct passwd, ensure struct fields are > non-NULL. Android libc can return NULL pw_gecos, for example. > > * All: Remove status bits from OpenSSL >=3 version check. > > * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun > forwarding from other OSes fails as soon as the first IPv6 message > is sent by the other side (which is usually a Router Solicitation > ICMPv6 message which is sent as soon as the interface is up). > > * ssh(1), ssh-agent(8): check for nlist function presence before > attenmpting to use it instead of relying on the presence of the > nlist.h header. Mac OS X, in particular has the header, but only > has the function in the 32bit libraries. > > * All: fill in missing system header files. > > Create replacement header files inside openbsd-compat for common > headers that are missing on a given platform. Usually these are > just empty, but in some cases they'll include the equivalent file. > This avoids having to wrap those includes in '#ifdef HAVE_FOO_H' > and reduces the diff between Portable OpenSSH and OpenBSD. > > * sshd(8): handle futex_time64 properly in seccomp sandbox > Previously we only allowed __NR_futex, but some 32-bit systems > apparently support __NR_futex_time64. We had support for this > in the sandbox, but because of a macro error only __NR_futex was > allowlisted. > > * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. > > * sshd(8): let ga_init() fail gracefully if getgrouplist does. > Apparently getgrouplist() can fail on OSX when passed a > non-existent group name. Other platforms seem to return a group > list consisting of the numeric gid passed to the function. bz3848 > > * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, > preventing a graceful shutdown of an agent via systemd from > incorrectly marking the service as "failed". > > * build: wrap some autoconf macros in AC_CACHE_CHECK. > > This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and > OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler > or linker flags. E.g. > > $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no > [...] > checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no > > Reporting Bugs: > ==============> > - Please read https://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On 9/30/25 09:45, Damien Miller wrote:> Hi, > > OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. >Perhaps I am confused somehow but I have OpenSSH_10.0p2 running fine on a Solaris 10 server : hubble # uname -a SunOS hubble 5.10 Generic_150400-67 sun4u sparc SUNW,SPARC-Enterprise hubble # hubble # /opt/bw/sbin/sshd -V OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025 hubble # Note the "p2" there. Now I see "p1" needs testing? -- -- Dennis Clarke RISC-V/SPARC/PPC/ARM/CISC UNIX and Linux spoken
Hi there, Tested on Alma 10, Kernel 6.15. Works like a charm. Zak On 2025-09-30 14:45, Damien Miller wrote:> Hi, > > OpenSSH 10.1p1 is almost ready for release, so we would appreciate > testing > on as many platforms and systems as possible. >