That was a mistake in openssh 10.0 portable, which CANNOT BE FIXED.
Reversing the number creates worse problems.
It will not be fixed.
The current call is for testing 10.1, not 10.0
> I am testing the right one, just happened SSH_PORTABLE in version.h
> wasn't updated from p2 to p1:
>
> 11:11:50 leo at sdf-1 ~/temp $ curl -O https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p1.tar.gz
>
> 11:11:57 leo at sdf-1 ~/temp $ tar tzvf openssh-10.0p1.tar.gz | grep version.h
> -rw-r--r--  0 djm    djm       172 Apr  9 01:02 openssh-10.0p1/version.h
>
> 11:12:14 leo at sdf-1 ~/temp $ tar xzvf openssh-10.0p1.tar.gz openssh-10.0p1/version.h
> x openssh-10.0p1/version.h
>
> 11:13:42 leo at bsdf-1 ~/temp $ cat openssh-10.0p1/version.h
> /* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */
>
> #define SSH_VERSION    "OpenSSH_10.0"
>
> #define SSH_PORTABLE    "p2". <--------
> #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
>
>
> Regards,
>
> --
>
> Leo
>
> On 10/1/25 10:48, Chris Rapier wrote:
> > I think you are testing the 10.0p2 release as opposed to 10.1p1.
> >
> > That said, I did run into that problem earlier and I can't remember
> > how I resolved it.
> >
> > Chris
> >
> > On 10/1/25 12:26, Leonardo Saavedra via openssh-unix-dev wrote:
> >> Just a little detail in version
> >>
> >> [leo at boxer tmp]$ tar -xzvf ../openssh-10.0p1.tar.gz openssh-10.0p1/version.h | xargs cat
> >> /* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */
> >>
> >> #define SSH_VERSION    "OpenSSH_10.0"
> >>
> >> #define SSH_PORTABLE    "p2"
> >> #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
> >>
> >> [leo at boxer openssh-10.0p1]$ diff -u version.h.orig version.h
> >> --- version.h.orig? ? 2025-10-01 09:20:07.508606652 -0700
> >> +++ version.h? ? 2025-10-01 09:20:15.404580439 -0700
> >> @@ -2,5 +2,5 @@
> >>
> >> ??#define SSH_VERSION? ? "OpenSSH_10.0"
> >>
> >> -#define SSH_PORTABLE? ? "p2"
> >> +#define SSH_PORTABLE? ? "p1"
> >> ??#define SSH_RELEASE? ? SSH_VERSION SSH_PORTABLE
> >>
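Review bot: on the SSH_PORTABLE line, flipping "p2" to "p1" in an unpacked release tree changes what SSH_RELEASE expands to (SSH_VERSION followed by SSH_PORTABLE), so a binary built from the edited tree identifies as OpenSSH_10.0p1 while the tarball as shipped builds OpenSSH_10.0p2. Two builds of the same source would then carry different version strings, which confuses anything that matches on the version (package inventory, bug reports, peer compatibility checks). Rather than editing version.h locally, keep the shipped value and state the tarball name next to the reported version when sending test results.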
> >>
> >> On 10/1/25 10:09, Leonardo Saavedra via openssh-unix-dev wrote:
> >>> Hi,
> >>>
> >>> The build process went pretty smooth in a RHEL 8.10, except the
> >>> `make tests` as follows:
> >>>
> >>>
> >>> [leo at boxer build]$ uname -a
> >>> Linux boxer 4.18.0-553.75.1.el8_10.x86_64 #1 SMP Wed Sep 10
> >>> 00:05:32 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
> >>>
> >>> [leo at boxer build]$ cat /etc/redhat-release
> >>> Red Hat Enterprise Linux release 8.10 (Ootpa)
> >>>
> >>> [leo at boxer build]$ openssl version
> >>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
> >>>
> >>> [leo at boxer build]$ ssh -V
> >>> OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025
> >>>
> >>>
> >>> [...]
> >>>
> >>> unexpected ssh output
> >>> multihop restricted
> >>> multihop username
> >>> multihop wildcard username
> >>> multihop wrong username
> >>> multihop cycle no agent
> >>> multihop cycle agent unrestricted
> >>> unexpected ssh output
> >>> multihop cycle restricted deny
> >>> multihop cycle restricted allow
> >>> failed agent restrictions
> >>> make[1]: *** [Makefile:255: t-exec] Error 1
> >>> make[1]: Leaving directory
> >>> '/export/home/leo/src/openssh-10.0p1/regress'
> >>> make: *** [Makefile:788: t-exec] Error 2
> >>>
> >>>
> >>>
> >>> Regards,
> >>>
> >>> -- Leo
> >>>
> >>>
> >>> On 9/30/25 07:45, Damien Miller wrote:
> >>>> Hi,
> >>>>
> >>>> OpenSSH 10.1p1 is almost ready for release, so we would appreciate
> >>>> testing on as many platforms and systems as possible.
> >>>>
> >>>> Snapshot releases for portable OpenSSH are available from
> >>>> http://www.mindrot.org/openssh_snap/
> >>>>
> >>>> The OpenBSD version is available in CVS HEAD:
> >>>> http://www.openbsd.org/anoncvs.html
> >>>>
> >>>> Portable OpenSSH is also available via git using the
> >>>> instructions at http://www.openssh.com/portable.html#cvs
> >>>> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> >>>> https://github.com/openssh/openssh-portable
> >>>>
> >>>> Running the regression tests supplied with Portable OpenSSH does not
> >>>> require installation and is simply:
> >>>>
> >>>> $ ./configure && make tests
> >>>>
> >>>> Live testing on suitable non-production systems is also appreciated.
> >>>> Please send reports of success or failure to
> >>>> openssh-unix-dev at mindrot.org. Security bugs should be reported
> >>>> directly to openssh at openssh.com.
> >>>>
> >>>> Below is a summary of changes. More detail may be found in the ChangeLog
> >>>> in the portable OpenSSH tarballs.
> >>>>
> >>>> Thanks to the many people who contributed to this release.
> >>>>
> >>>> Potentially-incompatible changes
> >>>> --------------------------------
> >>>>
> >>>>  * ssh(1): add a warning when the connection negotiates a non-post
> >>>>    quantum key agreement algorithm.
> >>>>
> >>>>    This warning has been added due to the risk of "store now, decrypt
> >>>>    later" attacks. More details at https://openssh.com/pq.html
> >>>>
> >>>>    This warning may be controlled via a new WarnWeakCrypto ssh_config
> >>>>    option, defaulting to on. This option is likely to control
> >>>>    additional weak crypto warnings in the future.
> >>>>
> >>>>  * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
> >>>>
> >>>>    Both the client and the server have changed the default DSCP
> >>>>    (a.k.a IPQoS) values and the way these values are selected at
> >>>>    runtime.
> >>>>
> >>>>    Both endpoints now use Expedited Forward (EF) for interactive
> >>>>    traffic by default. This provides better prioritisation,
> >>>>    especially on wireless media (cf. RFC 8325). Non-interactive
> >>>>    traffic now uses the operating system default DSCP marking.
> >>>>    Both the interactive and non-interactive DSCP values may be
> >>>>    overridden via the IPQoS keyword in ssh_config(5) and
> >>>>    sshd_config(5).
> >>>>
> >>>>    The DSCP value selected may now change over the course of a
> >>>>    connection. ssh(1) and sshd(8) will automatically select between
> >>>>    the interactive and non-interactive IPQoS values depending on
> >>>>    the type of SSH channels open. E.g. if a sftp session is using
> >>>>    the connection, then the non-interactive value will be used.
> >>>>
> >>>>    This is important now that the default interactive IPQoS is EF
> >>>>    (Expedited Forwarding), as many networks are configured to allow
> >>>>    only relatively small amounts of traffic of this class and they will
> >>>>    aggressively deprioritise the entire connection if this is exceeded.
> >>>>
> >>>>  * ssh-add(1): when adding certificates to an agent, set the expiry
> >>>>    to the certificate expiry time plus a short (5 min) grace period.
> >>>>
> >>>>    This will cause the agent to automatically remove certificates shortly
> >>>>    after they expire. A new ssh-add -N option disables this behaviour.
> >>>>
> >>>>  * All: remove experimental support for XMSS keys. This was never
> >>>>    enabled by default. We expect to implement a new post-quantum
> >>>>    signature scheme in the near future.
> >>>>
> >>>>  * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS)
> >>>>    keywords in the IPQoS configuration directive.
> >>>>
> >>>>    Type of Service (ToS) was deprecated in the late nineties and
> >>>>    replaced with the Differentiated Services architecture. Diffserv
> >>>>    has significant advantages for operators because this mechanism
> >>>>    offers more granularity.
> >>>>
> >>>>    OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
> >>>>
> >>>>    IPQoS configurations with 'lowdelay', 'reliability', or
> >>>>    'throughput' will be ignored and instead the system default QoS
> >>>>    settings apply. Additionally, a debug message is logged about the
> >>>>    deprecation with a suggestion to use DSCP.
> >>>>
> >>>>  * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
> >>>>    under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
> >>>>    in sshd(8).
> >>>>
> >>>>    This ensures processes that have restricted filesystem access
> >>>>    that includes /tmp do not ambiently have the ability to use keys
> >>>>    in an agent.
> >>>>
> >>>>    Moving the default directory has the consequence that the OS will
> >>>>    no longer clean up stale agent sockets, so ssh-agent now gains
> >>>>    this ability.
> >>>>
> >>>>    To support $HOME on NFS, the socket path includes a truncated hash of
> >>>>    the hostname. ssh-agent will by default only clean up sockets from
> >>>>    the same hostname.
> >>>>
> >>>>    ssh-agent(1) gains some new flags: -U suppresses the automatic
> >>>>    cleanup of stale sockets when it starts. -u forces a cleanup
> >>>>    without keeping a running agent, -uu forces a cleanup that ignores
> >>>>    the hostname. -T makes ssh-agent put the socket back in /tmp.
> >>>>
> >>>> Changes since OpenSSH 10.0
> >>>> =========================
> >>>>
> >>>> New features
> >>>> ------------
> >>>>
> >>>>  * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
> >>>>    session information.
> >>>>
> >>>>  * sshd(8): when refusing a certificate for user authentication, log
> >>>>    enough information to identify the certificate in addition to the
> >>>>    reason why it was being denied. Makes debugging certificate
> >>>>    authorisation problems a bit easier.
> >>>>
> >>>>  * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
> >>>>    tokens.
> >>>>
> >>>>  * ssh(1): add a ssh_config(5) RefuseConnection option that, when
> >>>>     encountered while processing an active section in a
> >>>>     configuration terminates ssh(1) with an error message that
> >>>>     contains the argument to the option.
> >>>>
> >>>>     This may be useful for expressing reminders or warnings in config
> >>>>     files, for example:
> >>>>
> >>>>     Match host foo
> >>>>            RefuseConnection "foo is deprecated, use splork instead"
> >>>>
> >>>>  * sshd(8): make the X11 display number check relative to
> >>>>    X11DisplayOffset. This will allow people to use X11DisplayOffset
> >>>>    to configure much higher port ranges if they really want, while
> >>>>    not changing the default behaviour.
> >>>>
> >>>>  * unit tests: the unit test framework now includes some basic
> >>>>    benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
> >>>>    on OpenBSD or "make unit-bench" on Portable OpenSSH.
> >>>>
> >>>> Bugfixes
> >>>> --------
> >>>>
> >>>>  * sshd(8): fix mistracking of MaxStartups process exits in some
> >>>>    situations. At worst, this could cause all MaxStartups slots to
> >>>>    fill and sshd to refuse new connections.
> >>>>
> >>>>  * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
> >>>>    is enabled. bz#3820
> >>>>
> >>>>  * sshd(8): increase the maximum size of the supported configuration
> >>>>    from 256KB to 4MB, which ought to be enough for anybody. Fail
> >>>>    early and visibly when this limit is breached. bz3808
> >>>>
> >>>>  * sftp(1): during sftp uploads, avoid a condition where a failed
> >>>>    write could be ignored if a subsequent write succeeded. This is
> >>>>    unlikely but technically possible because sftp servers are
> >>>>    allowed to reorder requests.
> >>>>
> >>>>  * sftp(1): avoid a fatal() when sftp tab-completes filenames that
> >>>>    share common utf-8 characters that don't encode to a complete
> >>>>    codepoint.
> >>>>
> >>>>  * sshd(8): avoid a race condition when the sshd-auth process exits
> >>>>    that could cause a spurious error message to be logged.
> >>>>
> >>>>  * sshd(8): log at level INFO when PerSourcePenalties actually
> >>>>    blocks access to a source address range. Previously this was
> >>>>    logged at level VERBOSE, which hid enforcement actions under
> >>>>    default config settings.
> >>>>
> >>>>  * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
> >>>>
> >>>>  * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
> >>>>    first-match-wins as advertised. bz3859
> >>>>
> >>>>  * ssh(1): fix an incorrect return value check in the local forward
> >>>>    cancellation path that would cause failed cancellations not to be
> >>>>    logged.
> >>>>
> >>>>  * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config
> >>>>    parsing pass (unless hostname canonicalisation or a separate
> >>>>    "Match final" does). bz3843
> >>>>
> >>>>  * ssh(1): better debug diagnostics when loading keys. Will now list
> >>>>    key fingerprint and algorithm (not just algorithm number) as well
> >>>>    as making it explicit which keys didn't load.
> >>>>
> >>>>  * All: fix a number of memory leaks found by LeakSanitizer,
> >>>>    Coverity and manual inspection.
> >>>>
> >>>>  * sshd(8): Output the current name for PermitRootLogin's
> >>>>    "prohibit-password" in sshd -T instead of its deprecated alias
> >>>>    "without-password". bz#3788
> >>>>
> >>>>  * ssh(1): make writing known_hosts lines more atomic by writing
> >>>>    the entire line in one operation and using unbuffered stdio.
> >>>>
> >>>>    Usually writes to this file are serialised on the "Are you sure you
> >>>>    want to continue connecting?" prompt, but if host key checking is
> >>>>    disabled and connections were being made with high concurrency
> >>>>    then interleaved writes might have been possible.
> >>>>
> >>>> Portability
> >>>> -----------
> >>>>
> >>>>  * sshd(8): check the username didn't change during the PAM
> >>>>    transactions.
> >>>>
> >>>>    PAM modules can change the user during their execution, but
> >>>>    this is not supported by sshd(8). If such a case was incorrectly
> >>>>    configured by the system administrator, then sshd(8) could end up
> >>>>    using a different username to the one authorised by PAM.
> >>>>
> >>>>  * sshd(8): don't log audit messages with UNKNOWN hostname to avoid
> >>>>    slow DNS lookups in the audit subsystem.
> >>>>
> >>>>  * All: when making a copy of struct passwd, ensure struct fields are
> >>>>    non-NULL. Android libc can return NULL pw_gecos, for example.
> >>>>
> >>>>  * All: Remove status bits from OpenSSL >=3 version check.
> >>>>
> >>>>  * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
> >>>>    forwarding from other OSes fails as soon as the first IPv6 message
> >>>>    is sent by the other side (which is usually a Router Solicitation
> >>>>    ICMPv6 message which is sent as soon as the interface is up).
> >>>>
> >>>>  * ssh(1), ssh-agent(8): check for nlist function presence before
> >>>>    attempting to use it instead of relying on the presence of the
> >>>>    nlist.h header. Mac OS X, in particular has the header, but only
> >>>>    has the function in the 32bit libraries.
> >>>>
> >>>>  * All: fill in missing system header files.
> >>>>
> >>>>    Create replacement header files inside openbsd-compat for common
> >>>>    headers that are missing on a given platform. Usually these are
> >>>>    just empty, but in some cases they'll include the equivalent file.
> >>>>    This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
> >>>>    and reduces the diff between Portable OpenSSH and OpenBSD.
> >>>>
> >>>>  * sshd(8): handle futex_time64 properly in seccomp sandbox
> >>>>    Previously we only allowed __NR_futex, but some 32-bit systems
> >>>>    apparently support __NR_futex_time64. We had support for this
> >>>>    in the sandbox, but because of a macro error only __NR_futex was
> >>>>    allowlisted.
> >>>>
> >>>>  * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
> >>>>
> >>>>  * sshd(8): let ga_init() fail gracefully if getgrouplist does.
> >>>>    Apparently getgrouplist() can fail on OSX when passed a
> >>>>    non-existent group name. Other platforms seem to return a group
> >>>>    list consisting of the numeric gid passed to the function. bz3848
> >>>>
> >>>>  * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
> >>>>    preventing a graceful shutdown of an agent via systemd from
> >>>>    incorrectly marking the service as "failed".
> >>>>
> >>>>  * build: wrap some autoconf macros in AC_CACHE_CHECK.
> >>>>
> >>>>    This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
> >>>>    OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
> >>>>    or linker flags. E.g.
> >>>>
> >>>>      $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
> >>>>      [...]
> >>>>      checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
> >>>>
> >>>> Reporting Bugs:
> >>>> ==============
> >>>>
> >>>> - Please read https://www.openssh.com/report.html
> >>>>   Security bugs should be reported directly to openssh at openssh.com
> >>>>
> >>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> >>>> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> >>>> Tim Rice and Ben Lindstrom.
> >>>>
> >>>> _______________________________________________
> >>>> openssh-unix-dev mailing list
> >>>> openssh-unix-dev at mindrot.org
> >>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
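
The 10.1 release notes quoted above say that IPQoS settings using the ToS keywords 'lowdelay', 'reliability' or 'throughput' will be ignored in favour of the system default. As an added example (not part of the thread and not OpenSSH code), this script flags such directives in an ssh_config or sshd_config before an upgrade; the sample config, the function names and the simplified line parsing are assumptions.

```python
import shlex

# ToS keywords the 10.1 release notes list as deprecated for IPQoS.
DEPRECATED_TOS = {"lowdelay", "reliability", "throughput"}

# Constructed sample config for illustration (not taken from the thread).
SAMPLE_CONFIG = """\
# global defaults
IPQoS lowdelay throughput
Host bastion
    ipqos=ef
Host backup
    IPQoS af21 reliability   # bulk transfers
Host lab
    # IPQoS throughput
    IPQoS "cs1"
"""


def parse_line(line):
    """Split a config line into (keyword, args); None if blank, comment or unparsable."""
    try:
        tokens = shlex.split(line, comments=True)  # handles quotes and '#' comments
    except ValueError:
        return None  # unbalanced quote: leave that to `ssh -G` / `sshd -t`
    if not tokens:
        return None
    keyword, eq, rest = tokens[0].partition("=")      # "ipqos=ef"
    args = ([rest] if rest else []) + tokens[1:]
    if not eq and args and args[0].startswith("="):   # "IPQoS = ef"
        args[0] = args[0][1:]
    return keyword.lower(), [a for a in args if a]


def audit_ipqos(text):
    """Return [(line_number, scope, deprecated_values)] for IPQoS lines using ToS names."""
    findings = []
    scope = "(global)"  # most recent Host/Match line seen, for context
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword in ("host", "match"):
            scope = f"{keyword} {' '.join(args)}"
        elif keyword == "ipqos":
            # Values are compared case-insensitively here.
            bad = [a for a in args if a.lower() in DEPRECATED_TOS]
            if bad:
                findings.append((lineno, scope, bad))
    return findings


if __name__ == "__main__":
    for lineno, scope, bad in audit_ipqos(SAMPLE_CONFIG):
        print(f"line {lineno} [{scope}]: deprecated IPQoS value(s): {', '.join(bad)}")
```

Flagged lines can be switched to a DSCP class name or removed so the new defaults described in the release notes apply.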