From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:51 +0000
Subject: [Bug 831] Allow agent forwarding in sftp & scp
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=831

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #8 from Damien Miller ---
patch applied and will be in openssh-8.4

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.

From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:52 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:52 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 831, which changed state.

Bug 831 Summary: Allow agent forwarding in sftp & scp
https://bugzilla.mindrot.org/show_bug.cgi?id=831

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.

From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:51 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |831

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=831
[Bug 831] Allow agent forwarding in sftp & scp
--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Mon Aug 3 12:54:01 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:54:01 +0000
Subject: [Bug 3198] Custom critical options and extensions are not lexically ordered
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3198

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Damien Miller ---
patch applied - thanks

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Mon Aug 3 12:54:02 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:54:02 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 3198, which changed state.

Bug 3198 Summary: Custom critical options and extensions are not lexically ordered
https://bugzilla.mindrot.org/show_bug.cgi?id=3198

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Mon Aug 3 23:43:54 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 13:43:54 +0000
Subject: [Bug 3199] New: Pass address family switch to proxy command
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3199

            Bug ID: 3199
           Summary: Pass address family switch to proxy command
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3438
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3438&action=edit
Pass address family switch to proxy command

Generally, proxy command is used to connect to proxy servers and the address family of the target host is up to the decision of the proxy command itself (regardless it is netcat, another ssh or something else). Currently, hints from commandline (-4, -6) are not used at all and not passed to proxy command similarly as any other hints from configuration files (unless the proxy command is ssh too and the proxy host has specific AddressFamily directive).

My suggestion would be to provide a new replacement percent-token to inform the proxy-command about the preferred address family (%f) to provide either -4, -6 or empty string if no preference was given.

See the proposed patch

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:34 +0000
Subject: [Bug 960] Support needed for NetBSD utmpx field ut_ss
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=960

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Damien Miller ---
Most of the patch has been applied - the remainder seems unnecessary.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:35 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:35 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 960, which changed state.

Bug 960 Summary: Support needed for NetBSD utmpx field ut_ss
https://bugzilla.mindrot.org/show_bug.cgi?id=960

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:34 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |960

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=960
[Bug 960] Support needed for NetBSD utmpx field ut_ss
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.

From bugzilla-daemon at mindrot.org Thu Aug 6 08:56:32 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 05 Aug 2020 22:56:32 +0000
Subject: [Bug 3173] spurious message about pubkey being invalid format
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3173

--- Comment #10 from comm+openssh at squotd.net ---
A fix has apparently been checked in.

https://blog.hqcodeshop.fi/archives/482-OpenSSH-8.3-client-fails-with-load-pubkey-invalid-format.html

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Thu Aug 6 20:46:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 06 Aug 2020 10:46:50 +0000
Subject: [Bug 3087] Ed448 support
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3087

sergio changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #3 from sergio ---
I believe this decision should be reviewed.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Thu Aug 6 20:49:12 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 06 Aug 2020 10:49:12 +0000
Subject: [Bug 3087] Ed448 support
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3087

--- Comment #4 from sergio ---
openssl supports Ed448
gnupg will support Ed448: https://dev.gnupg.org/D505
erlang ssh supports Ed448: https://erlang.org/doc/man/SSH_app.html

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 13:44:03 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 03:44:03 +0000
Subject: [Bug 3199] Pass address family switch to proxy command
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3199

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker ---
I'm not sure about these semantics because it's significantly different to that of the existing TOKENs. Where possible we try to keep them consistent across all keywords that can use them. I can imagine use cases where the other keywords might also want access to this information and as it stands this isn't really suitable for that.

None of the other TOKENs are in the form of a command line flag, and they always expand into something. This one only expands into something some of the time.

I grant it's convenient for this exact use case, but my concern is it will be difficult or impossible to use for any other case.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:10:20 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:10:20 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2670

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3165|0                           |1
        is obsolete|                            |
   Attachment #3188|0                           |1
        is obsolete|                            |
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3439|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #3 from Damien Miller ---
Created attachment 3439
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3439&action=edit
AddKeysToAgent with interval support

This adds support for specifying an interval to AddKeysToAgent, including requesting both per-use confirmation and an interval via AddKeysToAgent="confirm 5m"

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:11:11 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:11:11 +0000
Subject: [Bug 2191] Feature Proposal: Add an identity to the agent automatically when loading the identity
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2191

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller ---
This feature was added a while ago in the form of AddKeysToAgent. The only missing piece is being able to set a timeout. That is being worked on in bug 2670.

*** This bug has been marked as a duplicate of bug 2670 ***

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:11:11 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:11:11 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2670

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tomo at cx4a.org

--- Comment #4 from Damien Miller ---
*** Bug 2191 has been marked as a duplicate of this bug. ***

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:12:39 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:12:39 +0000
Subject: [Bug 2192] scp output alignment bug with UTF-8/multibyte sequences
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2192

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #7 from Damien Miller ---
Are you able to replicate this with a recent OpenSSH? There have been quite a few fixes in this area since 7.x.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:25:55 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:25:55 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3069

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3440|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller ---
Created attachment 3440
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3440&action=edit
Retry unglobbed filename on get remote_glob failure

I think this should fix it. Filenames for sftp get commands are processed using remote_glob() to wildcard-expand them. In this case it was interpreting and eating the special characters.

This patch makes the remote_glob() call return the original, unmodified filename when expansion fails. Pretty much every other remote_glob() call in the sftp client already does this for precisely this reason.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:26:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:26:05 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3069

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:26:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:26:05 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |3069

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3069
[Bug 3069] sftp issues with [ or ] in path name
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:30:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:30:51 +0000
Subject: [Bug 3070] Using recursive put always copies permissions
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3070

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller ---
I think that's a bit of an overbroad hammer - IMO users generally want some permissions to be preserved, e.g. X bits.

Unfortunately, the sftp protocol doesn't have notions of umask or changing only a subset of permission bits - either the client specifies all of them or none of them.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 14:53:40 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:53:40 +0000
Subject: [Bug 1542] Send echo on/off flag to SSH_ASKPASS
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=1542

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #25 from Damien Miller ---
OpenSSH 8.2 sets a $SSH_ASKPASS_PROMPT environment variable that passes context through to the askpass program. The contrib/gnome-ssh-askpass[23] helper has been updated to use it too.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 17:15:37 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:15:37 +0000
Subject: [Bug 3199] Pass address family switch to proxy command
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3199

--- Comment #2 from Jakub Jelen ---
Thank you for feedback. That was the reason why I started this discussion on the mailing list whether there might be some other use cases that we should consider when implementing this feature.

https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-August/038698.html

I see it is quite strictly tied to (proxy) commands, which is probably fine (as we already have for example %T only for local commands).

The choice of whole command-line switch was for convenience as -4 and -6 are quite standard and there is usually no way how to express default family choice (any/unspec) while checking various netcat implementations. But if somebody can come with more suitable solution, I am fine with that.

For the sssd use case mentioned on the mailing list, we are quite free to use anything, for example some environment variable to pass this information if it would be more suitable (but it would be useless for netcat or other tools at this moment).

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 17:18:36 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:18:36 +0000
Subject: [Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162

--- Comment #8 from Darren Tucker ---
Updated patch to current and applied. It's a slight improvement but I'm not sure it resolves the original report since AFAIK none of the original reporters tested it for their use case.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 17:18:36 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:18:36 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2049

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2049
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 17:41:24 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:41:24 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3069

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3440|ok?(dtucker at dtucker.net) |ok+
              Flags|                            |

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 17:43:20 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:43:20 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2670

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3439|ok?(dtucker at dtucker.net) |ok+
              Flags|                            |

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Fri Aug 7 18:14:22 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 08:14:22 +0000
Subject: [Bug 2192] scp output alignment bug with UTF-8/multibyte sequences
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2192

--- Comment #8 from Darren Tucker ---
Yeah it's still there.

It's kinda hard to follow what progressmeter is doing composing the status line into a single buffer, we should probably put the component parts into their own dynamically allocated buffer and compose the final one with a single asmprintf.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

From bugzilla-daemon at mindrot.org Sat Aug 8 14:22:17 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 08 Aug 2020 04:22:17 +0000
Subject: [Bug 3200] New: Will future versions of openssh fix CVE-2020-15778?
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3200

            Bug ID: 3200
           Summary: Will future versions of openssh fix CVE-2020-15778?
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: ARM64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: scp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kircherlike at outlook.com

Although separating the scp function from the ssh is a difficult task, it is inappropriate to run commands in the scp that transfers files. Will OpenSSH be able to restore the CVE?

https://github.com/cpandya2909/CVE-2020-15778

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Tue Aug 11 00:26:49 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 10 Aug 2020 14:26:49 +0000
Subject: [Bug 3201] New: provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

            Bug ID: 3201
           Summary: provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-copy-id
          Assignee: unassigned-bugs at mindrot.org
          Reporter: blaimi at blaimi.de

currently the command ssh-copy-id requires shell-access on the server-side. To allow the usage of ssh-copy-id on systems where shell-access is not allowed like on some commercial storage providers (e.g. hetzner storage-box), the modification of authorized_keys could be done through downloading, modifying and uploading instead of executing a command on the server-side.

If nothing prevents this, we could provide some developer-resources to achieve this with an optional flag like '--use-sftp' or '-s'.

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Tue Aug 11 15:34:07 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 05:34:07 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

Joel Nothman changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joel.nothman at gmail.com

--- Comment #1 from Joel Nothman ---
+1 that I would find this feature useful, and could make an attempt at implementing it.

The university that I work for provides sftp-only access to its data stores. This feature would help us support researchers and students using key-based authentication.

Eerily, I found this bug posted on the same day as I was considering it.

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Tue Aug 11 20:55:44 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 10:55:44 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

--- Comment #2 from Joel Nothman ---
hard parts of this may include:
* ensuring umask is set correctly
* avoiding race conditions in modifying authorized_keys

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 12 02:46:35 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 16:46:35 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

--- Comment #3 from Matthias Bl?mel ---
I made a draft pull-request: https://github.com/openssh/openssh-portable/pull/199

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:50 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=2670

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |3162

--- Comment #5 from Damien Miller ---
This has been committed and will be in OpenSSH 8.4.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:51 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 2670, which changed state.

Bug 2670 Summary: Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:50 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2670

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2670
[Bug 2670] Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.

From bugzilla-daemon at mindrot.org Tue Aug 18 23:51:43 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 18 Aug 2020 13:51:43 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

--- Comment #4 from Matthias Bl?mel ---
Created attachment 3441
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3441&action=edit
patchfile to solve #3201

this is a patchfile for the same changes as in https://github.com/openssh/openssh-portable/pull/199/commits/81658011c9a7f4330bf8a49ec4b3f2f129215fa1 but ported to http://git.hands.com/ssh-copy-id.git

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Tue Aug 18 23:52:15 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 18 Aug 2020 13:52:15 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3201

Matthias Bl?mel changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at hands.com

--
You are receiving this mail because:
You are watching the assignee of the bug.

From bugzilla-daemon at mindrot.org Sat Aug 22 00:14:32 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 21 Aug 2020 14:14:32 +0000 Subject: =?UTF-8?B?W0J1ZyAzMjAxXSBwcm92aWRlIGFuIG9wdGlvbiB0byB1c2Ugc2Z0?= =?UTF-8?B?cCBpbnN0ZWFkIG9mIHNzaCAnZXhlYyBzaCAtYyDigKYnIGZvciBpbnN0YWxs?= =?UTF-8?B?aW5nIHNzaC1rZXlzIHZpYSBzc2gtY29weS1pZA==?= In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3201 --- Comment #5 from Philip Hands --- Sorry I didn't notice this earlier -- I'll try to have a look at it shortly. Thanks for the contribution :-) -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Wed Aug 26 18:45:31 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Aug 2020 08:45:31 +0000 Subject: [Bug 3202] New: Ed25519 key on HSM is not getting listed in ssh-add -l command Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Bug ID: 3202 Summary: Ed25519 key on HSM is not getting listed in ssh-add -l command Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add Assignee: unassigned-bugs at mindrot.org Reporter: ranjan.kumar at thalesgroup.com Created attachment 3442 --> https://bugzilla.mindrot.org/attachment.cgi?id=3442&action=edit Logs that shows detailed output of each command with cryptoki log and dmesg.
Steps to Reproduce:
1. Install OpenSSH
2. Install SafeNet LunaClient and setup NTLS.
3. Generate Edward 25519 and RSA Key using SafeNet ckdemo utility.
4. Run below commands:
   a.) eval `ssh-agent -P "/usr/safenet/lunaclient/lib/*" -s`
   b.) ssh-add -s /usr/safenet/lunaclient/lib/libcklog2.so
   c.) ssh-add -l
Actual Output:
2048 SHA256:r/7tkup1Bb76UDVgs5GDfTDvKpTVhhM0SWNY+Mja2Xg Generated RSA Public Key (RSA)
Expected Output: Both RSA And Ed25519 key should be listed.
5. Create Ed25519 key using ssh-keygen command on HSM:
   ssh-keygen -t ed25519 -D /usr/safenet/lunaclient/lib/libcklog2.so
Actual Output:
Enter PIN for 'ranjan':
skipping unsupported key type
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLplYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t Generated RSA Public Key
Expected Output: Ed25519 Key Should be generated
-- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Wed Aug 26 21:34:54 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Aug 2020 11:34:54 +0000 Subject: [Bug 3203] New: Could default_ccache_name from krb5.conf be used for GSSAPI connections? Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3203 Bug ID: 3203 Summary: Could default_ccache_name from krb5.conf be used for GSSAPI connections? Product: Portable OpenSSH Version: 8.3p1 Hardware: ix86 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Kerberos support Assignee: unassigned-bugs at mindrot.org Reporter: toby at inf.ed.ac.uk Hi there, I'm filing this bug upstream as suggested in this ubuntu bug report: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548 I'll recreate my original text from that ticket here: " ssh connections from a client with the following in ssh_config... GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to 'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in /etc/krb5.conf: [libdefaults] ... default_ccache_name = KEYRING:persistent:%{uid} This means that we cannot enforce a policy to use KEYRING ccaches across our systems. Authentications which go via the pam stack (e.g. login to the machine at the console or over ssh using a password) can be configured to use a KEYRING ccache, via libpam-krb5 settings in /etc/krb5.conf. The FILE: setting seems to be hard-coded in the openssh code (auth-krb5.c). It would be great if ssh(gssapi-with-mic) connections either (a) set KRB5CCNAME to the default_ccache_name value, if set in /etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system default is used. " Redhat already patches for this, but they patch the upstream source quite heavily (as do ubuntu, but in different ways). I'm hoping to spend more time on getting a patch to do this on ubuntu, but I suspect that wouldn't be of much use upstream. Would there be interest in implementing this functionality upstream?
Thanks Toby Blake School of Informatics University of Edinburgh -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 19:28:53 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 09:28:53 +0000 Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections? In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3203 Jakub Jelen changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jjelen at redhat.com --- Comment #1 from Jakub Jelen --- We use several patches to do that in RHEL/Fedora and this was already proposed in bug #2775, but without any feedback from OpenSSH developers. Feel free to use the patches we use (might need updating from version posted in the bug). But note that there are still many people interested in using per-session caches. -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 19:32:06 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 09:32:06 +0000 Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Jakub Jelen changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |pkcs11 CC| |jjelen at redhat.com --- Comment #1 from Jakub Jelen --- The support for Ed25519 keys is very fresh in PKCS #11 so not even all pkcs11 libraries caught up. But as we have RSA and ECDSA, adding Ed25519 should not be that hard. I would like to have a look into that eventually. -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 19:37:41 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 09:37:41 +0000 Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections? In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3203 --- Comment #2 from Toby Blake --- (In reply to Jakub Jelen from comment #1) > We use several patches to do that in RHEL/Fedora and this was > already proposed in bug #2775, but without any feedback from OpenSSH > developers. > > Feel free to use the patches we use (might need updating from > version posted in the bug). But note that there are still many people > interested in using per-session caches. Hi Jakub, Thanks for the reply. I've tried a (slightly reworked to get it to apply) version of openssh-7.7p1-gssapi-new-unique.patch but it doesn't seem to quite do what I want it to do, specifically it always gives me a new unique ccache, rather than using e.g. KEYRING:persistent:%{uid}. It may be that in reworking it I've messed it up somewhat so I need to find some time to look at it in more detail. Cheers Toby -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 19:54:03 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 09:54:03 +0000 Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #2 from Ranjan --- Thanks Jakub. We have many customers who want to use ED25519, so can you please tell when we can expect the support for this will be available? -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 20:00:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 10:00:50 +0000 Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections? In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3203 --- Comment #3 from Jakub Jelen --- Hi, the current version we use in Fedora lives here so it could have gone through some updates and fixes since 2 years ago: https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch The new unique cache in the given collection is probably the most sensible way of doing this. Or you suggest that you would like the new login to override existing tickets in the ccache? Or you still see the ccache in /tmp being used? What configuration did you try? -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Thu Aug 27 20:55:31 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Aug 2020 10:55:31 +0000 Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections? In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3203 --- Comment #4 from Toby Blake --- (In reply to Jakub Jelen from comment #3) > Hi, > the current version we use in Fedora lives here so it could have > gone through some updates and fixes since 2 years ago: > > https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7. > 7p1-gssapi-new-unique.patch Hi, this is the patch I've tried to rework for ubuntu. > The new unique cache in the given collection is probably the most > sensible way of doing this. Or you suggest that you would like the > new login to override existing tickets in the ccache? Or you still > see the ccache in /tmp being used? What configuration did you try? What I'd like is to be able to set [libdefaults] default_ccache_name = KEYRING:persistent:%{uid} ... in /etc/krb5.conf and for (gssapi) ssh connections to use this, in the same way that I can set it for PAM connections. This no doubt works under redhat (and indeed it works for us with Scientific Linux 7.8 with the addition of a backported openssh-7.5p1-gss-environment.patch, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1199363) I think I need to look at the gssapi-new-unique patch again, with a more complete understanding of the relevant code areas. My reworking of it is definitely not doing what it should do. The biggest issue in getting this working is the divergent code bases between redhat and ubuntu (in particular, I suspect, the gsskex patch). This is why I'd much prefer this issue to be fixed upstream. Pending that, I'll look again at the unique patch. Cheers Toby -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:05:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:05:34 +0000 Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #3 from Damien Miller --- OpenSSH won't implement this until we have some way to test, preferably both hardware and a software (softhsm or similar) target to test against. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:14:24 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:14:24 +0000 Subject: [Bug 3200] Will future versions of openssh fix CVE-2020-15778? In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3200 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #1 from Damien Miller --- this CVE stems from a misunderstanding of how scp works. It is an old program that *deliberately* invokes the remote shell for glob pattern expansion. We're not going to "fix" scp, but we might replace it entirely. There are significant backwards-compatibility concerns to work through however. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:17:28 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:17:28 +0000 Subject: [Bug 3178] When authenticating with a -sk key via agent, no 'touch security key' prompt displayed In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3178 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WORKSFORME --- Comment #3 from Damien Miller --- Closing; this works for me. If you are able to reproduce this with an agent configured to use ssh-askpass, then please reopen. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:18:21 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:18:21 +0000 Subject: [Bug 3179] sshd bind function and IPv6 neighbor discovery In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3179 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:26:31 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:26:31 +0000 Subject: [Bug 2929] OpenSSH server should not send the SSH_MSG_EXT_INFO message after rekeying In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2929 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|REOPENED |RESOLVED --- Comment #8 from Damien Miller --- This was fixed in openssh-8.1 last year -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:26:31 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:26:31 +0000 Subject: [Bug 2915] Tracking bug for 8.0 release In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2915 Bug 2915 depends on bug 2929, which changed state. Bug 2929 Summary: OpenSSH server should not send the SSH_MSG_EXT_INFO message after rekeying https://bugzilla.mindrot.org/show_bug.cgi?id=2929 What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching the assignee of the bug. You are watching the reporter of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:28:43 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:28:43 +0000 Subject: [Bug 2942] minor memory leak in ssh_set_newkeys() In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2942 Damien Miller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED CC| |djm at mindrot.org --- Comment #2 from Damien Miller --- This was fixed back in OpenSSH 8.0 last year, but I forgot to update this bug at the time. Thanks! -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:43:36 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:43:36 +0000 Subject: [Bug 2948] implement "copy-data" sftp extension In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2948 --- Comment #9 from Damien Miller --- Comment on attachment 3344 --> https://bugzilla.mindrot.org/attachment.cgi?id=3344 sftp server copy-data extension looks good - some minor comments 
>diff --git a/PROTOCOL b/PROTOCOL >index f75c1c0ae5b0..04a392db33be 100644 ... >+static void >+process_extended_copy_data(u_int32_t id) ... >+ /* Disallow reading & writing to the same handle */ >+ if (read_handle == write_handle || read_fd < 0 || write_fd < 0) { I think this should also check that both the read and write handles do not refer to the same path? (use handle_to_name()) >+ status = SSH2_FX_FAILURE; >+ } else { nit: prefer "goto out" over nesting if/else >+ if (lseek(read_fd, read_off, SEEK_SET) < 0) { >+ status = errno_to_portable(errno); >+ error("process_extended_copy_data: read_seek failed"); nit: ditto >+ } else if (!(handle_to_flags(write_handle) & O_APPEND) && >+ lseek(write_fd, write_off, SEEK_SET) < 0) { >+ status = errno_to_portable(errno); >+ error("process_extended_copy_data: write_seek failed"); nit: prefer __func__ to manual inclusion of function name >+ } else { >+ /* Process the request in chunks. */ >+ while (read_len || copy_until_eof) { nit: prefer explicit comparison against zero (i.e "read_len > 0") >+ >+ ret = read(read_fd, buf, len); ... >+ ret = write(write_fd, buf, len); I think this should use atomicio here to be signal safe. >+ if ((size_t)ret != len) { >+ debug2("nothing at all written"); >+ status = SSH2_FX_FAILURE; >+ break; >+ } this block can go away with atomicio -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:47:23 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:47:23 +0000 Subject: [Bug 2948] implement "copy-data" sftp extension In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2948 --- Comment #10 from Damien Miller --- Comment on attachment 3345 --> https://bugzilla.mindrot.org/attachment.cgi?id=3345 sftp client copy-data extension This too looks good, minor comments: 
>diff --git a/sftp-client.c b/sftp-client.c >index 4986d6d8d291..cd2844a8585e 100644 >--- a/sftp-client.c >+++ b/sftp-client.c ... >+int >+do_copy(struct sftp_conn *conn, const char *oldpath, const char *newpath) >+{ ... >+ /* Silently return if the extension is not supported */ >+ if ((conn->exts & SFTP_EXT_COPY_DATA) == 0) { >+ error("Server does not support copy-data extension"); This is not silent :) >diff --git a/sftp.1 b/sftp.1 >index 0fd54cae090e..f2eae7f32790 100644 >--- a/sftp.1 >+++ b/sftp.1 ... >+.Ic lchdir , copy , chmod , chown , the manpage says the command is "copy", but ... >diff --git a/sftp.c b/sftp.c >index 7db86c2d3cf0..3288279172a9 100644 >--- a/sftp.c >+++ b/sftp.c ... >+ { "cp", I_COPY, REMOTE }, ... it's implemented as "cp" Either/both is fine, but it needs to be consistent of course. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:49:19 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:49:19 +0000 Subject: [Bug 2948] implement "copy-data" sftp extension In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2948 --- Comment #11 from Damien Miller --- Comment on attachment 3344 --> https://bugzilla.mindrot.org/attachment.cgi?id=3344 sftp server copy-data extension >+ /* Disallow reading & writing to the same handle */ >+ if (read_handle == write_handle || read_fd < 0 || write_fd < 0) { Maybe mention here that this also ensures that both handles refer to files rather than directories -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 13:52:01 2020 
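Review bot: in do_copy() in sftp-client.c the comment reads "Silently return if the extension is not supported" while the branch underneath calls error(), so the comment and the behaviour disagree. Since the user asked for the copy explicitly, keeping the error() and rewording the comment looks like the safer fix. The same patch documents the command as "copy" in the sftp.1 hunk but registers it as "cp" in the sftp.c command table; settle on one name, or register both, so the documented command is the one that works.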
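Review bot: in process_extended_copy_data() the "(size_t)ret != len" test after write() covers both a failed write (ret == -1) and a short write, yet it logs "nothing at all written" and returns a bare SSH2_FX_FAILURE. The lseek() failures earlier in the same function map the cause through errno_to_portable(errno); the write path should do the same so the client learns the real reason for the failure, and the debug text should describe what actually happened. If the loop is converted to atomicio, keep that errno mapping on its failure return.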
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 03:52:01 +0000 Subject: [Bug 2949] "limits@openssh.com" extension to SFTP to query various transfer limits In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2949 --- Comment #5 from Damien Miller --- sorry for stalling. This looks fine to me -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Fri Aug 28 19:41:32 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 09:41:32 +0000 Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #4 from Jakub Jelen --- (In reply to Damien Miller from comment #3) > OpenSSH won't implement this until we have some way to test, > preferably both hardware and a software (softhsm or similar) target > to test against. SoftHSM supports Ed25519 keys already [0] (with some follow-up fixes to match final PKCS #11 3.0 specs) and for OpenSC we have patches pending (tested with NitroKey with Gnuk applet) [1] so if anyone is interested to work on this, there are enough possibilities. [0] https://github.com/opendnssec/SoftHSMv2/pull/324 [1] https://github.com/OpenSC/OpenSC/pull/1960 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 09:33:40 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 23:33:40 +0000 Subject: [Bug 3204] New: Enable user-relative revoked keys files Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3204 Bug ID: 3204 Summary: Enable user-relative revoked keys files Product: Portable OpenSSH Version: 8.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: macdjord at gmail.com The `AuthorizedKeysFile` directive supports the %h, %U, and %u tokens, but the `RevokedKeys` directive does not. Thus it is possible to grant individual users the ability to add authorized login keys (and indeed this is the default with `.ssh/authorized_keys`), including authorized certificate authorities using the `cert-authority` option, but there is no way to grant them the ability to manage their own lists of revoked keys. This should be fixed by enabling support for the %h, %U, and %u tokens for the `RevokedKeys` directive. See also: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 , which proposes a more powerful but more complicated solution to this issue: allowing `authorized_keys` to specify a revocation list file for each certificate authority key it defines. -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 09:34:56 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 23:34:56 +0000 Subject: [Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Jordan Macdonald changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |macdjord at gmail.com --- Comment #3 from Jordan Macdonald --- Created a new bug report for the suggestion to define per-user (rather than per-cert) revocation lists: https://bugzilla.mindrot.org/show_bug.cgi?id=3204 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 09:53:21 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 23:53:21 +0000 Subject: [Bug 3204] Enable user-relative revoked keys files In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3204 --- Comment #1 from Jordan Macdonald --- Note: Both approaches - this one and the one suggested in https://bugzilla.mindrot.org/show_bug.cgi?id=2328 - offer distinct advantages: * Maintaining separate KRLs for each certificate authority is best-practice and enables fine-grained control (e.g. revoking the signature of a particular key by a particular CA but still allowing that same key to be used if it is also signed by a different authorized CA) * However, not everyone follows best practices, and many users will just want to have one file to append their old/invalid/compromised keys to without having to specify `crl-file="~/.ssh/revoked_keys"` separately for every CA in `authorized_keys` Either option would satisfactorily solve the issue of allowing users to control their own revocations, but the ideal solution would probably be to offer both. Also, if per-user revocation files are supported, it would probably be a good idea to give `RevokedKeys` a suitable default; I suggest `.ssh/revoked_keys`. It seems unwise to enable user-specified CAs by default without offering user-specified revocation. -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 09:54:00 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 23:54:00 +0000 Subject: [Bug 3204] Enable user-relative revoked keys files In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3204 Jordan Macdonald changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugzilla.mindrot.or | |g/show_bug.cgi?id=2328 CC| |macdjord at gmail.com -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 09:54:00 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Aug 2020 23:54:00 +0000 Subject: [Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Jordan Macdonald changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugzilla.mindrot.or | |g/show_bug.cgi?id=3204 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sat Aug 29 10:04:40 2020 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Aug 2020 00:04:40 +0000 Subject: [Bug 2265] ServerAlive{Interval, CountMax} ignored if using an active -R or -L tunnel In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=2265 Jordan Macdonald changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |macdjord at gmail.com -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. From bugzilla-daemon at mindrot.org Sun Aug 30 05:09:29 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Aug 2020 19:09:29 +0000 Subject: [Bug 3205] New: Support HPE NonStop Server Port Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3205 Bug ID: 3205 Summary: Support HPE NonStop Server Port Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Other Status: NEW Severity: enhancement Priority: P5 Component: Build system Assignee: unassigned-bugs at mindrot.org Reporter: rsbecker at nexbridge.com I am working on updating the port for HPE NonStop Itanium and x86 (Big Endian) platforms. I would like to contribute the changes, once working, to the main repository for inclusion into the code base. For reference, I have been maintaining the openssh-portable port for both platforms through 7.6p1 using OpenSSL 1.0.2. The port for OpenSSL 1.1.1 was just completed and this has enabled me to bring the port up to date. There are a few changes needed based on configure not handling some situations but mostly the key difference is that ROOT is 65535 not 0 on this platform. The compiler we have to use is c99 but can upgrade to c11 or higher in about 3 years when the Itanium platform is deprecated. The team I work on is called ITUGLIB and maintains many of the critical Open Source ports for the platform. Is this contribution desired? -- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sun Aug 30 13:21:21 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 30 Aug 2020 03:21:21 +0000 Subject: [Bug 3205] Support HPE NonStop Server Port In-Reply-To: References: Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3205 Darren Tucker changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #1 from Darren Tucker --- Our general policy is that we'll support something as long as someone is willing to do the work, and that the changes involved don't compromise support for modern platforms. It sounds like you're willing to do the work, so the other question is how invasive the required changes are. Can you share the existing port or the diff against the stock code of the same vintage? It doesn't have to be polished, I just want to get a sense for what's involved. > x86 (Big Endian) I didn't know that was even possible. > The compiler we have to use is c99 right now all of the code (with the exception of some of the experimental post-quantum stuff not compiled by default) is c89 for maximum portability so c99 is fine. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Sun Aug 30 22:33:02 2020 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 30 Aug 2020 12:33:02 +0000 Subject: [Bug 3206] New: sftp client(32bit) chown command does not support uid >LONG_MAX Message-ID: https://bugzilla.mindrot.org/show_bug.cgi?id=3206 Bug ID: 3206 Summary: sftp client(32bit) chown command does not support uid >LONG_MAX Product: Portable OpenSSH Version: 6.9p1 Hardware: 68k OS: All Status: NEW Severity: normal Priority: P5 Component: sftp Assignee: unassigned-bugs at mindrot.org Reporter: booking00 at sina.cn
Server could accept uid < ULONG_MAX. But client can only accept uid chown 2147483648 execute.sh You must supply a numeric argument to the chown command.

    case I_CHOWN:
    case I_CHGRP:
        if ((optidx = parse_ch_flags(cmd, argv, argc, hflag)) == -1)
            return -1;
        /* Get numeric arg (mandatory) */
        if (argc - optidx < 1)
            goto need_num_arg;
        errno = 0;
        l = strtol(argv[optidx], &cp2, base);
        if (cp2 == argv[optidx] || *cp2 != '\0' ||
            ((l == LONG_MIN || l == LONG_MAX) && errno == ERANGE) ||
            l < 0) {
 need_num_arg:
            error("You must supply a numeric argument "
                "to the %s command.", cmd);
            return -1;
        }

-- You are receiving this mail because: You are watching the assignee of the bug. From bugzilla-daemon at mindrot.org Mon Aug 31 00:29:56 2020
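The range problem reported in Bug 3206 above, as an added example that is not part of the original report or of OpenSSH's code: parse_id_long32() applies the quoted strtol() check with the 32-bit long range made explicit, so the 32-bit client's behaviour reproduces on any host, and parse_id_u32() is one possible replacement that accepts the whole unsigned 32-bit range. Both function names and the sample arguments are constructed for illustration; the example assumes decimal input and that ids travel as 32-bit unsigned values, as in the SFTP v3 attribute encoding.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * The check quoted in the report, with "long" pinned to 32 bits.
 * Returns the parsed id, or -1 where the sftp client would print
 * "You must supply a numeric argument".
 */
static int64_t
parse_id_long32(const char *arg)
{
	char *end;
	long long ll;

	errno = 0;
	ll = strtoll(arg, &end, 10);
	if (end == arg || *end != '\0')
		return -1;
	/* Values a 32-bit strtol() would clamp and flag with ERANGE. */
	if (errno == ERANGE || ll > INT32_MAX || ll < INT32_MIN)
		return -1;
	if (ll < 0)
		return -1;
	return (int64_t)ll;
}

/*
 * Hypothetical replacement: parse as unsigned and bound the result by
 * the width of the id on the wire rather than by the width of long.
 * Returns the parsed id, or -1 if the argument is rejected.
 */
static int64_t
parse_id_u32(const char *arg)
{
	char *end;
	unsigned long long ull;

	/*
	 * strtoull() skips whitespace and accepts a sign, turning "-1"
	 * into ULLONG_MAX, so insist that the argument starts with a digit.
	 */
	if (!isdigit((unsigned char)arg[0]))
		return -1;
	errno = 0;
	ull = strtoull(arg, &end, 10);
	if (*end != '\0' || errno == ERANGE || ull > UINT32_MAX)
		return -1;
	return (int64_t)ull;
}

int
main(void)
{
	/* Constructed sample arguments, as typed after "chown". */
	static const char *samples[] = {
		"1000", "2147483647", "2147483648", "4294967295",
		"4294967296", "-1", "12abc", ""
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-12s long32=%" PRId64 " u32=%" PRId64 "\n",
		    samples[i], parse_id_long32(samples[i]),
		    parse_id_u32(samples[i]));
	return 0;
}
```
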
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:29:56 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3205

--- Comment #2 from Randall S. Becker ---
We went to c99 because some of the constructs in the regression suite do
not compile with c89. I don't mind going back to c89 but there will be a
larger set of changes. I'll share a patch listing here once I get this
compiling correctly.

Note: the Big-Endian part has worked since 6.x - does not seem to take
any specific mods to get that working.

From bugzilla-daemon at mindrot.org Mon Aug 31 00:34:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:34:05 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3205

--- Comment #3 from Randall S. Becker ---
One thing that has me confused:

cc -c99 -I. -I. -I/usr/local-ssl1.1/include -Wnowarn=262,1252
-I/usr/local-ssl1.1/include -DSSHDIR=\"/usr/local-ssl1.1/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local-ssl1.1/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local-ssl1.1/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local-ssl1.1/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local-ssl1.1/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local-ssl1.1/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_SK_HELPER=\"/usr/local-ssl1.1/libexec/ssh-sk-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -fPIC
-shared -o regress/misc/sk-dummy/sk-dummy.so
regress/misc/sk-dummy/sk-dummy.lo regress/misc/sk-dummy/fatal.lo
ed25519.lo hash.lo ge25519.lo fe25519.lo sc25519.lo verify.lo \
-L. -Lopenbsd-compat -lopenbsd-compat -L. -Lopenbsd-compat/
-L/usr/local-ssl1.1/lib -L/usr/local-ssl1.1/lib -lcrypto -lz
c99: error: Invalid input file extension"regress/misc/sk-dummy/sk-dummy.lo".
c99: error: Invalid input file extension"regress/misc/sk-dummy/fatal.lo".
c99: error: Invalid input file extension"ed25519.lo".
c99: error: Invalid input file extension"hash.lo".
c99: error: Invalid input file extension"ge25519.lo".
c99: error: Invalid input file extension"fe25519.lo".
c99: error: Invalid input file extension"sc25519.lo".
c99: error: Invalid input file extension"verify.lo".

I'm not sure how to fix this in your build structure.

From bugzilla-daemon at mindrot.org Mon Aug 31 00:48:13 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:48:13 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3205

--- Comment #4 from Randall S. Becker ---
Created attachment 3443
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3443&action=edit
Git diff for patches associated with the NonStop port

From bugzilla-daemon at mindrot.org Mon Aug 31 17:01:56 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 31 Aug 2020 07:01:56 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3205

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #5 from Damien Miller ---
(In reply to Randall S. Becker from comment #3)
> One thing that has me confused:
>
> cc -c99 -I. -I. -I/usr/local-ssl1.1/include -Wnowarn=262,1252
> -I/usr/local-ssl1.1/include -DSSHDIR=\"/usr/local-ssl1.1/etc\"
> -D_PATH_SSH_PROGRAM=\"/usr/local-ssl1.1/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local-ssl1.1/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local-ssl1.1/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local-ssl1.1/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local-ssl1.1/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_SK_HELPER=\"/usr/local-ssl1.1/libexec/ssh-sk-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\"
> -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -fPIC
> -shared -o regress/misc/sk-dummy/sk-dummy.so
> regress/misc/sk-dummy/sk-dummy.lo regress/misc/sk-dummy/fatal.lo
> ed25519.lo hash.lo ge25519.lo fe25519.lo sc25519.lo verify.lo \
> -L. -Lopenbsd-compat -lopenbsd-compat -L. -Lopenbsd-compat/
> -L/usr/local-ssl1.1/lib -L/usr/local-ssl1.1/lib -lcrypto -lz
> c99: error: Invalid input file extension"regress/misc/sk-dummy/sk-dummy.lo".
> c99: error: Invalid input file extension"regress/misc/sk-dummy/fatal.lo".
> c99: error: Invalid input file extension"ed25519.lo".
> c99: error: Invalid input file extension"hash.lo".
> c99: error: Invalid input file extension"ge25519.lo".
> c99: error: Invalid input file extension"fe25519.lo".
> c99: error: Invalid input file extension"sc25519.lo".
> c99: error: Invalid input file extension"verify.lo".
>
> I'm not sure how to fix this in your build structure.

these .lo files are identical to their .o counterparts except they were
compiled with -fPIC for linkage into a shared object (.so) for use by
dlopen(3).

If your system is not going to use client-side FIDO security key
support, then it's fine to simply skip this (--disable-security-key at
configure time, though possibly we need some makefile surgery too)

From bugzilla-daemon at mindrot.org Mon Aug 31 20:19:39 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 31 Aug 2020 10:19:39 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:

https://bugzilla.mindrot.org/show_bug.cgi?id=3205

--- Comment #6 from Darren Tucker ---
(In reply to Damien Miller from comment #5)
[...]
> these .lo files are identical to their .o counterparts except they
> were compiled with -fPIC for linkage into a shared object (.so) for
> use by dlopen(3).

There's a similar problem with AIX, which has an, err, interesting
linker. The traditional solution to this is libtool, but AFAICT that'd
require overhauling the entire build system.
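
Added example for the Bug 3206 report above (not code from the report or from OpenSSH): the quoted strtol() check next to an unsigned parse bounded by the 32-bit uid/gid field that SFTP attributes carry. The names parse_id_long32 and parse_id_u32 are hypothetical, and the first pins long to 32 bits with INT32_MAX so the 32-bit client's rejection reproduces on any host.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The reported check, with long's range pinned to 32 bits (INT32_MAX in
 * place of LONG_MAX) so the 32-bit client behaviour shows on any host. */
static int parse_id_long32(const char *s, uint32_t *out)
{
    char *end;
    long long l;

    errno = 0;
    l = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE ||
        l < 0 || l > INT32_MAX)
        return -1;          /* "You must supply a numeric argument" */
    *out = (uint32_t)l;
    return 0;
}

/* Hypothetical replacement: unsigned parse bounded by the uint32 field. */
static int parse_id_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    /* strtoull() accepts leading space and a sign ("-1" wraps to a huge
     * value), so insist that the argument starts with a digit. */
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    const char *arg = "2147483648";     /* the uid from the report */
    uint32_t id = 0;
    int old = parse_id_long32(arg, &id);
    int fixed = parse_id_u32(arg, &id);

    printf("long32=%d u32=%d id=%lu\n", old, fixed, (unsigned long)id);
    return 0;
}
```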