I am testing the right one, it just happened that SSH_PORTABLE in version.h
wasn't updated from p2 to p1:

11:11:50 leo at sdf-1 ~/temp $ curl -O https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p1.tar.gz
11:11:57 leo at sdf-1 ~/temp $ tar tzvf openssh-10.0p1.tar.gz | grep version.h
-rw-r--r--  0 djm    djm       172 Apr  9 01:02 openssh-10.0p1/version.h
11:12:14 leo at sdf-1 ~/temp $ tar xzvf openssh-10.0p1.tar.gz openssh-10.0p1/version.h
x openssh-10.0p1/version.h
11:13:42 leo at bsdf-1 ~/temp $ cat openssh-10.0p1/version.h
/* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */
#define SSH_VERSION	"OpenSSH_10.0"
#define SSH_PORTABLE	"p2". <--------
#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

Regards,
--
Leo

On 10/1/25 10:48, Chris Rapier wrote:
> I think you are testing the 10.0p2 release as opposed to 10.1p1.
>
> That said, I did run into that problem earlier and I can't remember
> how I resolved it.
>
> Chris
>
> On 10/1/25 12:26, Leonardo Saavedra via openssh-unix-dev wrote:
>> Just a little detail in version
>>
>> [leo at boxer tmp]$ tar -xzvf ../openssh-10.0p1.tar.gz openssh-10.0p1/version.h | xargs cat
>> /* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */
>>
>> #define SSH_VERSION	"OpenSSH_10.0"
>>
>> #define SSH_PORTABLE	"p2"
>> #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
>>
>> [leo at boxer openssh-10.0p1]$ diff -u version.h.orig version.h
>> --- version.h.orig? ? 2025-10-01 09:20:07.508606652 -0700
>> +++ version.h? ? 2025-10-01 09:20:15.404580439 -0700
>> @@ -2,5 +2,5 @@
>>
>> ??#define SSH_VERSION? ? "OpenSSH_10.0"
>>
>> -#define SSH_PORTABLE? ? "p2"
>> +#define SSH_PORTABLE? ? "p1"
>> ??#define SSH_RELEASE? ? SSH_VERSION SSH_PORTABLE
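
Review bot: the changed SSH_PORTABLE line is concatenated into SSH_RELEASE on the context line that follows it, so this one-word edit changes the version string the built binaries report, yet nothing around the hunk records why "p1" is the right value for this tree. The file headers show only a local version.h.orig against version.h; say which tarball the .orig file was extracted from, and treat this as a report of a mislabelled version.h to be corrected where the tarball is produced rather than as a local edit to carry into a build.
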
>>
>>
>> On 10/1/25 10:09, Leonardo Saavedra via openssh-unix-dev wrote:
>>> Hi,
>>>
>>> The build process went pretty smoothly on RHEL 8.10, except for
>>> `make tests`, as follows:
>>>
>>>
>>> [leo at boxer build]$ uname -a
>>> Linux boxer 4.18.0-553.75.1.el8_10.x86_64 #1 SMP Wed Sep 10 00:05:32 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> [leo at boxer build]$ cat /etc/redhat-release
>>> Red Hat Enterprise Linux release 8.10 (Ootpa)
>>>
>>> [leo at boxer build]$ openssl version
>>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>>>
>>> [leo at boxer build]$ ssh -V
>>> OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025
>>>
>>>
>>> [...]
>>>
>>> unexpected ssh output
>>> multihop restricted
>>> multihop username
>>> multihop wildcard username
>>> multihop wrong username
>>> multihop cycle no agent
>>> multihop cycle agent unrestricted
>>> 12d11
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 13a13
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 22d21
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 23a23
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 32d31
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 33a33
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 42d41
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 43a43
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 52d51
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 53a53
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 62d61
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 63a63
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 72d71
>>> < ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> 73a73
>>> > ssh-ed25519
>>>
AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
>>> unexpected ssh output
>>> multihop cycle restricted deny
>>> multihop cycle restricted allow
>>> failed agent restrictions
>>> make[1]: *** [Makefile:255: t-exec] Error 1
>>> make[1]: Leaving directory '/export/home/leo/src/openssh-10.0p1/regress'
>>> make: *** [Makefile:788: t-exec] Error 2
>>>
>>>
>>>
>>> Regards,
>>>
>>> --
>>>
>>> Leo
>>>
>>>
>>> On 9/30/25 07:45, Damien Miller wrote:
>>>> Hi,
>>>>
>>>> OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing
>>>> on as many platforms and systems as possible.
>>>>
>>>> Snapshot releases for portable OpenSSH are available from
>>>> http://www.mindrot.org/openssh_snap/
>>>>
>>>> The OpenBSD version is available in CVS HEAD:
>>>> http://www.openbsd.org/anoncvs.html
>>>>
>>>> Portable OpenSSH is also available via git using the
>>>> instructions at http://www.openssh.com/portable.html#cvs
>>>> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
>>>> https://github.com/openssh/openssh-portable
>>>>
>>>> Running the regression tests supplied with Portable OpenSSH does not
>>>> require installation and is simply:
>>>>
>>>> $ ./configure && make tests
>>>>
>>>> Live testing on suitable non-production systems is also appreciated.
>>>> Please send reports of success or failure to
>>>> openssh-unix-dev at mindrot.org. Security bugs should be reported
>>>> directly to openssh at openssh.com.
>>>>
>>>> Below is a summary of changes. More detail may be found in the ChangeLog
>>>> in the portable OpenSSH tarballs.
>>>>
>>>> Thanks to the many people who contributed to this release.
>>>>
>>>> Potentially-incompatible changes
>>>> --------------------------------
>>>>
>>>>  * ssh(1): add a warning when the connection negotiates a non-post
>>>>    quantum key agreement algorithm.
>>>>
>>>>    This warning has been added due to the risk of "store now, decrypt
>>>>    later" attacks. More details at https://openssh.com/pq.html
>>>>
>>>>    This warning may be controlled via a new WarnWeakCrypto ssh_config
>>>>    option, defaulting to on. This option is likely to control
>>>>    additional weak crypto warnings in the future.
>>>>
>>>>  * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
>>>>
>>>>    Both the client and the server have changed the default DSCP
>>>>    (a.k.a IPQoS) values and the way these values are selected at
>>>>    runtime.
>>>>
>>>>    Both endpoints now use Expedited Forward (EF) for interactive
>>>>    traffic by default. This provides better prioritisation,
>>>>    especially on wireless media (cf. RFC 8325). Non-interactive
>>>>    traffic now uses the operating system default DSCP marking.
>>>>    Both the interactive and non-interactive DSCP values may be
>>>>    overridden via the IPQoS keyword in ssh_config(5) and
>>>>    sshd_config(5).
>>>>
>>>>    The DSCP value selected may now change over the course of a
>>>>    connection. ssh(1) and sshd(8) will automatically select between
>>>>    the interactive and non-interactive IPQoS values depending on
>>>>    the type of SSH channels open. E.g. if a sftp session is using
>>>>    the connection, then the non-interactive value will be used.
>>>>
>>>>    This is important now that the default interactive IPQoS is EF
>>>>    (Expedited Forwarding), as many networks are configured to allow
>>>>    only relatively small amounts of traffic of this class and they will
>>>>    aggressively deprioritise the entire connection if this is exceeded.
>>>>
>>>>  * ssh-add(1): when adding certificates to an agent, set the expiry
>>>>    to the certificate expiry time plus a short (5 min) grace period.
>>>>
>>>>    This will cause the agent to automatically remove certificates shortly
>>>>    after they expire. A new ssh-add -N option disables this behaviour.
>>>>
>>>>  * All: remove experimental support for XMSS keys. This was never
>>>>    enabled by default. We expect to implement a new post-quantum
>>>>    signature scheme in the near future.
>>>>
>>>>  * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS)
>>>>    keywords in the IPQoS configuration directive.
>>>>
>>>>    Type of Service (ToS) was deprecated in the late nineties and
>>>>    replaced with the Differentiated Services architecture. Diffserv
>>>>    has significant advantages for operators because this mechanism
>>>>    offers more granularity.
>>>>
>>>>    OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
>>>>
>>>>    IPQoS configurations with 'lowdelay', 'reliability', or
>>>>    'throughput' will be ignored and instead the system default QoS
>>>>    settings apply. Additionally, a debug message is logged about the
>>>>    deprecation with a suggestion to use DSCP.
>>>>
>>>>  * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
>>>>    under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
>>>>    in sshd(8).
>>>>
>>>>    This ensures processes that have restricted filesystem access
>>>>    that includes /tmp do not ambiently have the ability to use keys
>>>>    in an agent.
>>>>
>>>>    Moving the default directory has the consequence that the OS will
>>>>    no longer clean up stale agent sockets, so ssh-agent now gains
>>>>    this ability.
>>>>
>>>>    To support $HOME on NFS, the socket path includes a truncated hash of
>>>>    the hostname. ssh-agent will by default only clean up sockets from
>>>>    the same hostname.
>>>>
>>>>    ssh-agent(1) gains some new flags: -U suppresses the automatic
>>>>    cleanup of stale sockets when it starts. -u forces a cleanup
>>>>    without keeping a running agent, -uu forces a cleanup that ignores
>>>>    the hostname. -T makes ssh-agent put the socket back in /tmp.
>>>>
>>>> Changes since OpenSSH 10.0
>>>> =========================
>>>>
>>>> New features
>>>> ------------
>>>>
>>>>  * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
>>>>    session information.
>>>>
>>>>  * sshd(8): when refusing a certificate for user authentication, log
>>>>    enough information to identify the certificate in addition to the
>>>>    reason why it was being denied. Makes debugging certificate
>>>>    authorisation problems a bit easier.
>>>>
>>>>  * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
>>>>    tokens.
>>>>
>>>>  * ssh(1): add a ssh_config(5) RefuseConnection option that, when
>>>>     encountered while processing an active section in a
>>>>     configuration terminates ssh(1) with an error message that
>>>>     contains the argument to the option.
>>>>
>>>>     This may be useful for expressing reminders or warnings in config
>>>>     files, for example:
>>>>
>>>>     Match host foo
>>>>            RefuseConnection "foo is deprecated, use splork instead"
>>>>
>>>>  * sshd(8): make the X11 display number check relative to
>>>>    X11DisplayOffset. This will allow people to use X11DisplayOffset
>>>>    to configure much higher port ranges if they really want, while
>>>>    not changing the default behaviour.
>>>>
>>>>  * unit tests: the unit test framework now includes some basic
>>>>    benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
>>>>    on OpenBSD or "make unit-bench" on Portable OpenSSH.
>>>>
>>>> Bugfixes
>>>> --------
>>>>
>>>>  * sshd(8): fix mistracking of MaxStartups process exits in some
>>>>    situations. At worst, this could cause all MaxStartups slots to
>>>>    fill and sshd to refuse new connections.
>>>>
>>>>  * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
>>>>    is enabled. bz#3820
>>>>
>>>>  * sshd(8): increase the maximum size of the supported configuration
>>>>    from 256KB to 4MB, which ought to be enough for anybody. Fail
>>>>    early and visibly when this limit is breached. bz3808
>>>>
>>>>  * sftp(1): during sftp uploads, avoid a condition where a failed
>>>>    write could be ignored if a subsequent write succeeded. This is
>>>>    unlikely but technically possible because sftp servers are
>>>>    allowed to reorder requests.
>>>>
>>>>  * sftp(1): avoid a fatal() when sftp tab-completes filenames that
>>>>    share common utf-8 characters that don't encode to a complete
>>>>    codepoint.
>>>>
>>>>  * sshd(8): avoid a race condition when the sshd-auth process exits
>>>>    that could cause a spurious error message to be logged.
>>>>
>>>>  * sshd(8): log at level INFO when PerSourcePenalties actually
>>>>    blocks access to a source address range. Previously this was
>>>>    logged at level VERBOSE, which hid enforcement actions under
>>>>    default config settings.
>>>>
>>>>  * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
>>>>
>>>>  * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
>>>>    first-match-wins as advertised. bz3859
>>>>
>>>>  * ssh(1): fix an incorrect return value check in the local forward
>>>>    cancellation path that would cause failed cancellations not to be
>>>>    logged.
>>>>
>>>>  * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config
>>>>    parsing pass (unless hostname canonicalisation or a separate
>>>>    "Match final" does). bz3843
>>>>
>>>>  * ssh(1): better debug diagnostics when loading keys. Will now list
>>>>    key fingerprint and algorithm (not just algorithm number) as well
>>>>    as making it explicit which keys didn't load.
>>>>
>>>>  * All: fix a number of memory leaks found by LeakSanitizer,
>>>>    Coverity and manual inspection.
>>>>
>>>>  * sshd(8): Output the current name for PermitRootLogin's
>>>>    "prohibit-password" in sshd -T instead of its deprecated alias
>>>>    "without-password".  bz#3788
>>>>
>>>>  * ssh(1): make writing known_hosts lines more atomic by writing
>>>>    the entire line in one operation and using unbuffered stdio.
>>>>
>>>>    Usually writes to this file are serialised on the "Are you sure you
>>>>    want to continue connecting?" prompt, but if host key checking is
>>>>    disabled and connections were being made with high concurrency
>>>>    then interleaved writes might have been possible.
>>>>
>>>> Portability
>>>> -----------
>>>>
>>>>  * sshd(8): check the username didn't change during the PAM
>>>>    transactions.
>>>>
>>>>    PAM modules can change the user during their execution, but
>>>>    this is not supported by sshd(8). If such a case was incorrectly
>>>>    configured by the system administrator, then sshd(8) could end up
>>>>    using a different username to the one authorised by PAM.
>>>>
>>>>  * sshd(8): don't log audit messages with UNKNOWN hostname to avoid
>>>>    slow DNS lookups in the audit subsystem.
>>>>
>>>>  * All: when making a copy of struct passwd, ensure struct fields are
>>>>    non-NULL. Android libc can return NULL pw_gecos, for example.
>>>>
>>>>  * All: Remove status bits from OpenSSL >=3 version check.
>>>>
>>>>  * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
>>>>    forwarding from other OSes fails as soon as the first IPv6 message
>>>>    is sent by the other side (which is usually a Router Solicitation
>>>>    ICMPv6 message which is sent as soon as the interface is up).
>>>>
>>>>  * ssh(1), ssh-agent(8): check for nlist function presence before
>>>>    attempting to use it instead of relying on the presence of the
>>>>    nlist.h header.  Mac OS X, in particular has the header, but only
>>>>    has the function in the 32bit libraries.
>>>>
>>>>  * All: fill in missing system header files.
>>>>
>>>>    Create replacement header files inside openbsd-compat for common
>>>>    headers that are missing on a given platform. Usually these are
>>>>    just empty, but in some cases they'll include the equivalent file.
>>>>    This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
>>>>    and reduces the diff between Portable OpenSSH and OpenBSD.
>>>>
>>>>  * sshd(8): handle futex_time64 properly in seccomp sandbox
>>>>    Previously we only allowed __NR_futex, but some 32-bit systems
>>>>    apparently support __NR_futex_time64. We had support for this
>>>>    in the sandbox, but because of a macro error only __NR_futex was
>>>>    allowlisted.
>>>>
>>>>  * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
>>>>
>>>>  * sshd(8): let ga_init() fail gracefully if getgrouplist does.
>>>>    Apparently getgrouplist() can fail on OSX when passed a
>>>>    non-existent group name. Other platforms seem to return a group
>>>>    list consisting of the numeric gid passed to the function. bz3848
>>>>
>>>>  * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
>>>>    preventing a graceful shutdown of an agent via systemd from
>>>>    incorrectly marking the service as "failed".
>>>>
>>>>  * build: wrap some autoconf macros in AC_CACHE_CHECK.
>>>>
>>>>    This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
>>>>    OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
>>>>    or linker flags. E.g.
>>>>
>>>>      $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
>>>>      [...]
>>>>      checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
>>>>
>>>> Reporting Bugs:
>>>> ==============
>>>>
>>>> - Please read https://www.openssh.com/report.html
>>>>   Security bugs should be reported directly to openssh at openssh.com
>>>>
>>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
>>>> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
>>>> Tim Rice and Ben Lindstrom.
>>>>
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
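
The mismatch reported at the top of this thread (a tree named openssh-10.0p1 whose version.h carries "p2") can be caught mechanically before building. The script below is an added example, not part of the thread or of OpenSSH: the function names and the sample tree are constructed here, and it assumes the source directory is named openssh-<release>, as in the extraction shown above.

```shell
#!/bin/sh
# Added example: check that version.h agrees with the release the source
# directory is named after. Function names here are illustrative only.

# Print the release string version.h would yield, e.g. "10.0p2".
release_from_header() {
    ver=$(sed -n 's/^#define[[:space:]]\{1,\}SSH_VERSION[[:space:]]\{1,\}"OpenSSH_\([^"]*\)".*/\1/p' "$1")
    port=$(sed -n 's/^#define[[:space:]]\{1,\}SSH_PORTABLE[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1")
    [ -n "$ver" ] && [ -n "$port" ] || return 2
    printf '%s%s\n' "$ver" "$port"
}

# check_tree DIR: 0 = match, 1 = mismatch, 2 = cannot tell.
# Assumes DIR is named openssh-<release>.
check_tree() {
    dir=${1%/}
    name=${dir##*/}
    expected=${name#openssh-}
    if [ "$expected" = "$name" ]; then
        echo "not an openssh-<release> directory: $name" >&2
        return 2
    fi
    actual=$(release_from_header "$dir/version.h") || {
        echo "cannot parse $dir/version.h" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name has version.h for $actual"
        return 0
    fi
    echo "MISMATCH: $name has version.h for $actual" >&2
    return 1
}

# Build a constructed tree: make_sample ROOT DIRNAME VERSION PORTABLE
make_sample() {
    mkdir -p "$1/$2"
    printf '#define SSH_VERSION\t"OpenSSH_%s"\n#define SSH_PORTABLE\t"%s"\n#define SSH_RELEASE\tSSH_VERSION SSH_PORTABLE\n' \
        "$3" "$4" > "$1/$2/version.h"
}

# Constructed input mirroring the report: directory says p1, header says p2.
sample=$(mktemp -d)
make_sample "$sample" openssh-10.0p1 10.0 p2
check_tree "$sample/openssh-10.0p1" || echo "check_tree exit status: $?"
rm -rf "$sample"
```

Run against a freshly extracted tree, a non-zero status means the version string the binaries will report does not identify the release that was downloaded.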