I think you are testing the 10.0p2 release as opposed to 10.1p1.
That said, I did run into that problem earlier and I can't remember how
I resolved it.
Chris
On 10/1/25 12:26, Leonardo Saavedra via openssh-unix-dev
wrote:> Just a little detail in version
>
> [leo at boxer tmp]$ tar -xzvf ../openssh-10.0p1.tar.gz openssh-10.0p1/
> version.h | xargs cat
> /* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */
>
> #define SSH_VERSION? ? "OpenSSH_10.0"
>
> #define SSH_PORTABLE? ? "p2"
> #define SSH_RELEASE? ? SSH_VERSION SSH_PORTABLE
>
> [leo at boxer openssh-10.0p1]$ diff -u version.h.orig? version.h
> --- version.h.orig? ? 2025-10-01 09:20:07.508606652 -0700
> +++ version.h? ? 2025-10-01 09:20:15.404580439 -0700
> @@ -2,5 +2,5 @@
>
> ?#define SSH_VERSION? ? "OpenSSH_10.0"
>
> -#define SSH_PORTABLE? ? "p2"
> +#define SSH_PORTABLE? ? "p1"
> ?#define SSH_RELEASE? ? SSH_VERSION SSH_PORTABLE
>
>
> On 10/1/25 10:09, Leonardo Saavedra via openssh-unix-dev wrote:
>> Hi,
>>
>> The build process went pretty smooth in a RHEL 8.10, except the `make
>> tests` as follow:
>>
>>
>> [leo at boxer build]$ uname -a
>> Linux boxer 4.18.0-553.75.1.el8_10.x86_64 #1 SMP Wed Sep 10 00:05:32
>> EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
>>
>> [leo at boxer build]$ cat /etc/redhat-release
>> Red Hat Enterprise Linux release 8.10 (Ootpa)
>>
>> [leo at boxer build]$ openssl version
>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>>
>> [leo at boxer build]$ ssh -V
>> OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025
>>
>>
>> [...]
>>
>> unexpected ssh output
>> multihop restricted
>> multihop username
>> multihop wildcard username
>> multihop wrong username
>> multihop cycle no agent
>> multihop cycle agent unrestricted
>> 12d11
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 13a13
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 22d21
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 23a23
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 32d31
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 33a33
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 42d41
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 43a43
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 52d51
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 53a53
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 62d61
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 63a63
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 72d71
>> < ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> 73a73
>> > ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>> unexpected ssh output
>> multihop cycle restricted deny
>> multihop cycle restricted allow
>> failed agent restrictions
>> make[1]: *** [Makefile:255: t-exec] Error 1
>> make[1]: Leaving directory
'/export/home/leo/src/openssh-10.0p1/regress'
>> make: *** [Makefile:788: t-exec] Error 2
>>
>>
>>
>> Regards,
>>
>> --
>>
>> Leo
>>
>>
>> On 9/30/25 07:45, Damien Miller wrote:
>>> Hi,
>>>
>>> OpenSSH 10.1p1 is almost ready for release, so we would appreciate
>>> testing
>>> on as many platforms and systems as possible.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>
>>> The OpenBSD version is available in CVS HEAD:
>>> http://www.openbsd.org/anoncvs.html
>>>
>>> Portable OpenSSH is also available via git using the
>>> instructions at http://www.openssh.com/portable.html#cvs
>>> At https://anongit.mindrot.org/openssh.git/ or via a mirror at
Github:
>>> https://github.com/openssh/openssh-portable
>>>
>>> Running the regression tests supplied with Portable OpenSSH does
not
>>> require installation and is a simply:
>>>
>>> $ ./configure && make tests
>>>
>>> Live testing on suitable non-production systems is also
appreciated.
>>> Please send reports of success or failure to
>>> openssh-unix-dev at mindrot.org. Security bugs should be reported
>>> directly to openssh at openssh.com.
>>>
>>> Below is a summary of changes. More detail may be found in the
ChangeLog
>>> in the portable OpenSSH tarballs.
>>>
>>> Thanks to the many people who contributed to this release.
>>>
>>> Potentially-incompatible changes
>>> --------------------------------
>>>
>>> ? * ssh(1): add a warning when the connection negotiates a non-post
>>> ??? quantum key agreement algorithm.
>>>
>>> ??? This warning has been added due to the risk of "store now,
decrypt
>>> ??? later" attacks. More details at
https://openssh.com/pq.html
>>>
>>> ??? This warning may be controlled via a new WarnWeakCrypto
ssh_config
>>> ??? option, defaulting to on. This option is likely to control
>>> ??? additional weak crypto warnings in the future.
>>>
>>> ? * ssh(1), sshd(8): major changes to handling of DSCP
marking/IPQoS
>>>
>>> ??? Both the client and the server have changed the default DCSP
>>> ??? (a.k.a IPQos) values and the way these values are selected at
>>> ??? runtime.
>>>
>>> ??? Both endpoints now use Expedited Forward (EF) for interactive
>>> ??? traffic by default. This provides better prioritisation,
>>> ??? especially on wireless media (cf. RFC 8325). Non-interactive
>>> ??? traffic now uses the operating system default DSCP marking.
>>> ??? Both the interactive and non-interactive DSCP values may be
>>> ??? overridden via the IPQoS keyword in ssh_config(5) and
>>> ??? sshd_config(5).
>>>
>>> ??? The DSCP value selected may now change over the course of a
>>> ??? connection. ssh(1) and sshd(8) will automatically select
between
>>> ??? the interactive and non-interactive IPQoS values depending on
>>> ??? the type of SSH channels open. E.g. if a sftp session is using
>>> ??? the connectionn, then the non-interactive value will be used.
>>>
>>> ??? This is important now that the default interactive IPQoS is EF
>>> ??? (Expedited Forwarding), as many networks are configured to
allow
>>> ??? only relatively small amounts of traffic of this class and they
will
>>> ??? aggressively deprioritise the entire connection if this is
exceeded.
>>>
>>> ? * ssh-add(1): when adding certificates to an agent, set the
expiry
>>> ??? to the certificate expiry time plus a short (5 min) grace
period.
>>>
>>> ??? This will cause the agent to automtically remove certificates
>>> shortly
>>> ??? after they expire. A new ssh-add -N option disables this
behaviour.
>>>
>>> ? * All: remove experimental support for XMSS keys. This was never
>>> ??? enabled by default. We expect to implement a new post-quantu
>>> ??? signature scheme in the near future.
>>>
>>> ? * ssh(1), sshd(8): deprecate support for IPv4 type-of-service
(TOS)
>>> ??? keywords in the IPQoS configuration directive.
>>>
>>> ??? Type of Service (ToS) was deprecated in the late nineties and
>>> ??? replaced with the Differentiated Services architecture.
Diffserv
>>> ??? has significant advantages for operators because this mechanism
>>> ??? offers more granularity.
>>>
>>> ??? OpenSSH switched its default IPQoS from ToS to DSCP values in
2018.
>>>
>>> ??? IPQoS configurations with 'lowdelay',
'reliability', or
>>> ??? 'throughput' will be ignored and instead the system
default QoS
>>> ??? settings apply. Additionally, a debug message is logged about
the
>>> ??? deprecation with a suggestion to use DSCP.
>>>
>>> ? * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
>>> ??? under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
>>> ??? in sshd(8).
>>>
>>> ??? This ensures processes that have restricted filesystem access
>>> ??? that includes /tmp do not ambiently have the ability to use
keys
>>> ??? in an agent.
>>>
>>> ??? Moving the default directory has the consequence that the OS
will
>>> ??? no longer clean up stale agent sockets, so ssh-agent now gains
>>> ??? this ability.
>>>
>>> ??? To support $HOME on NFS, the socket path includes a truncated
>>> hash of
>>> ??? the hostname. ssh-agent will by default only clean up sockets
from
>>> ??? the same hostname.
>>>
>>> ??? ssh-agent(1) gains some new flags: -U suppresses the automatic
>>> ??? cleanup of stale sockets when it starts. -u forces a cleanup
>>> ??? without keeping a running agent, -uu forces a cleanup that
ignores
>>> ??? the hostname. -T makes ssh-agent put the socket back in /tmp.
>>>
>>> Changes since OpenSSH 10.0
>>> =========================>>>
>>> New features
>>> ------------
>>>
>>> ? * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
>>> ??? session information.
>>>
>>> ? * sshd(8): when refusing a certificate for user authentication,
log
>>> ??? enough information to identify the certificate in addition to
the
>>> ??? reason why it was being denied. Makes debugging certificate
>>> ??? authorisation problems a bit easier.
>>>
>>> ? * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
>>> ??? tokens.
>>>
>>> ? * ssh(1): add a ssh_config(5) RefuseConnection option that, when
>>> ???? encountered while processing an active section in a
>>> ???? configuration terminates ssh(1) with an error message that
>>> ???? contains the argument to the option.
>>>
>>> ???? This may be useful for expressing reminders or warnings in
config
>>> ???? files, for example:
>>>
>>> ???? Match host foo
>>> ??????????? RefuseConnection "foo is deprecated, use splork
instead"
>>>
>>> ? * sshd(8): make the X11 display number check relative to
>>> ??? X11DisplayOffset. This will allows people to use
X11DisplayOffset
>>> ??? to configure much higher port ranges if they really want, while
>>> ??? not changing the default behaviour.
>>>
>>> ? * unit tests: the unit test framework now includes some basic
>>> ??? benchmarking capabilities. Run with "make
UNITTEST_BENCHMARK=yes"
>>> ??? on OpenBSD or "make unit-bench" on Portable OpenSSH.
>>>
>>> Bugfixes
>>> --------
>>>
>>> ? * sshd(8): fix mistracking of MaxStartups process exits in some
>>> ??? situations. At worst, this could cause all MaxStartups slots to
>>> ??? fill and sshd to refuse new connections.
>>>
>>> ? * ssh(1): fix delay on X client startup when
ObscureKeystrokeTiming
>>> ??? is enabled. bz#3820
>>>
>>> ? * sshd(8): increase the maximum size of the supported
configuration
>>> ??? from 256KB to 4MB, which ought to be enough for anybody. Fail
>>> ??? early and visibly when this limit is breached. bz3808
>>>
>>> ? * sftp(1): during sftp uploads, avoid a condition where a failed
>>> ??? write could be ignored if a subsequent write succeeded. This is
>>> ??? unlikely but technically possible because sftp servers are
>>> ??? allowed to reorder requests.
>>>
>>> ? * sftp(1): avoid a fatal() when sftp tab-completes filenames that
>>> ??? share common utf-8 characters that don't encode to a
complete
>>> ??? codepoint.
>>>
>>> ? * sshd(8): avoid a race condition when the sshd-auth process
exits
>>> ??? tha could cause a spurious error message to be logged.
>>>
>>> ? * sshd(8): log at level INFO when PerSourcePenalties actually
>>> ??? blocks access to a source address range. Previously this was
>>> ??? logged at level VERBOSE, which hid enforcement actions under
>>> ??? default config settings.
>>>
>>> ? * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
>>>
>>> ? * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
>>> ??? first-match-wins as advertised. bz3859
>>>
>>> ? * ssh(1): fix an incorrect return value check in the local
forward
>>> ??? cancellation path that would cause failed cancellations not to
be
>>> ??? logged.
>>>
>>> ? * sshd(8): make "Match !final" not trigger a 2nd pass
ssh_config
>>> ??? parsing pass (unless hostname canonicalisation or a separate
>>> ??? "Match final" does). bz3843
>>>
>>> ? * ssh(1): better debug diagnostics when loading keys. Will now
list
>>> ??? key fingerprint and algorithm (not just algorithm number) as
well
>>> ??? as making it explicit which keys didn't load.
>>>
>>> ? * All: fix a number of memory leaks found by LeakSanitizer,
>>> ??? Coverity and manual inspection.
>>>
>>> ? * sshd(8): : Output the current name for PermitRootLogin's
>>> ??? "prohibit-password" in sshd -T instead of its
deprecated alias
>>> ??? "without-password".? bz#3788
>>>
>>> ? * ssh(1): make writing known_hosts lines more atomic by writing
>>> ??? the entire line in one operation and using unbuffered stdio.
>>>
>>> ??? Usually writes to this file are serialised on the "Are you
sure you
>>> ??? want to continue connecting?" prompt, but if host key
checking is
>>> ??? disabled and connections were being made with high concurrency
>>> ??? then interleaved writes might have been possible.
>>>
>>> Portability
>>> -----------
>>>
>>> ? * sshd(8): check the username didn't change during the PAM
>>> ??? transactions.
>>>
>>> ??? PAM modules can change the user during their execution, but
>>> ??? this is not supported by sshd(8). If such a case was
incorrectly
>>> ??? configured by the system administrator, then sshd(8) could end
up
>>> ??? using a different username to the one authorised by PAM.
>>>
>>> ? * sshd(8): don't log audit messages with UNKNOWN hostname to
avoid
>>> ??? slow DNS lookups in the audit subsystem.
>>>
>>> ? * All: when making a copy of struct passwd, ensure struct fields
are
>>> ??? non-NULL. Android libc can return NULL pw_gecos, for example.
>>>
>>> ? * All: Remove status bits from OpenSSL >=3 version check.
>>>
>>> ? * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise
tun
>>> ??? forwarding from other OSes fails as soon as the first IPv6
message
>>> ??? is sent by the other side (which is usually a Router
Solicitation
>>> ??? ICMPv6 message which is sent as soon as the interface is up).
>>>
>>> ? * ssh(1), ssh-agent(8): check for nlist function presence before
>>> ??? attenmpting to use it instead of relying on the presence of the
>>> ??? nlist.h header.? Mac OS X, in particular has the header, but
only
>>> ??? has the function in the 32bit libraries.
>>>
>>> ? * All: fill in missing system header files.
>>>
>>> ??? Create replacement header files inside openbsd-compat for
common
>>> ??? headers that are missing on a given platform. Usually these are
>>> ??? just empty, but in some cases they'll include the
equivalent file.
>>> ??? This avoids having to wrap those includes in '#ifdef
HAVE_FOO_H'
>>> ??? and reduces the diff between Portable OpenSSH and OpenBSD.
>>>
>>> ? * sshd(8): handle futex_time64 properly in seccomp sandbox
>>> ??? Previously we only allowed __NR_futex, but some 32-bit systems
>>> ??? apparently support __NR_futex_time64. We had support for this
>>> ??? in the sandbox, but because of a macro error only __NR_futex
was
>>> ??? allowlisted.
>>>
>>> ? * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
>>>
>>> ? * sshd(8): let ga_init() fail gracefully if getgrouplist does.
>>> ??? Apparently getgrouplist() can fail on OSX when passed a
>>> ??? non-existent group name. Other platforms seem to return a group
>>> ??? list consisting of the numeric gid passed to the function.
bz3848
>>>
>>> ? * ssh-agent(1): exit 0 from SIGTERM under systemd
socket-activation,
>>> ??? preventing a graceful shutdown of an agent via systemd from
>>> ??? incorrectly marking the service as "failed".
>>>
>>> ? * build: wrap some autoconf macros in AC_CACHE_CHECK.
>>>
>>> ??? This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE
and
>>> ??? OSSH_CHECK_CFLAG_LINK macros used to discover supported
compiler
>>> ??? or linker flags. E.g.
>>>
>>> ????? $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
>>> ????? [...]
>>> ????? checking if cc supports compile flag
-fzero-call-used-regs=used
>>> and linking succeeds... (cached) no
>>>
>>> Reporting Bugs:
>>> ==============>>>
>>> - Please read https://www.openssh.com/report.html
>>> ?? Security bugs should be reported directly to openssh at
openssh.com
>>>
>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
>>> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
>>> Tim Rice and Ben Lindstrom.
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev