From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:51 +0000
Subject: [Bug 831] Allow agent forwarding in sftp & scp
https://bugzilla.mindrot.org/show_bug.cgi?id=831
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3162
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #8 from Damien Miller ---
patch applied and will be in openssh-8.4
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.
From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:52 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:52 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 831, which changed state.
Bug 831 Summary: Allow agent forwarding in sftp & scp
https://bugzilla.mindrot.org/show_bug.cgi?id=831
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
From bugzilla-daemon at mindrot.org Mon Aug 3 12:44:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:44:51 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |831
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=831
[Bug 831] Allow agent forwarding in sftp & scp
From bugzilla-daemon at mindrot.org Mon Aug 3 12:54:01 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:54:01 +0000
Subject: [Bug 3198] Custom critical options and extensions are not lexically
ordered
https://bugzilla.mindrot.org/show_bug.cgi?id=3198
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #4 from Damien Miller ---
patch applied - thanks
From bugzilla-daemon at mindrot.org Mon Aug 3 12:54:02 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 02:54:02 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 3198, which changed state.
Bug 3198 Summary: Custom critical options and extensions are not lexically ordered
https://bugzilla.mindrot.org/show_bug.cgi?id=3198
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
From bugzilla-daemon at mindrot.org Mon Aug 3 23:43:54 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 03 Aug 2020 13:43:54 +0000
Subject: [Bug 3199] New: Pass address family switch to proxy command
https://bugzilla.mindrot.org/show_bug.cgi?id=3199
Bug ID: 3199
Summary: Pass address family switch to proxy command
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3438
--> https://bugzilla.mindrot.org/attachment.cgi?id=3438&action=edit
Pass address family switch to proxy command
Generally, proxy command is used to connect to proxy servers and the
address family of the target host is up to the decision of the proxy
command itself (regardless of whether it is netcat, another ssh or
something else).
Currently, hints from commandline (-4, -6) are not used at all and not
passed to proxy command similarly as any other hints from configuration
files (unless the proxy command is ssh too and the proxy host has
specific AddressFamily directive).
My suggestion would be to provide a new replacement percent-token to
inform the proxy-command about the preferred address family (%f) to
provide either -4, -6 or empty string if no preference was given. See
the proposed patch.
From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:34 +0000
Subject: [Bug 960] Support needed for NetBSD utmpx field ut_ss
https://bugzilla.mindrot.org/show_bug.cgi?id=960
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3162
CC| |djm at mindrot.org
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #6 from Damien Miller ---
Most of the patch has been applied - the remainder seems unnecessary.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:35 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:35 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 960, which changed state.
Bug 960 Summary: Support needed for NetBSD utmpx field ut_ss
https://bugzilla.mindrot.org/show_bug.cgi?id=960
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
From bugzilla-daemon at mindrot.org Wed Aug 5 09:00:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 04 Aug 2020 23:00:34 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |960
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=960
[Bug 960] Support needed for NetBSD utmpx field ut_ss
From bugzilla-daemon at mindrot.org Thu Aug 6 08:56:32 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 05 Aug 2020 22:56:32 +0000
Subject: [Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #10 from comm+openssh at squotd.net ---
A fix has apparently been checked in.
https://blog.hqcodeshop.fi/archives/482-OpenSSH-8.3-client-fails-with-load-pubkey-invalid-format.html
From bugzilla-daemon at mindrot.org Thu Aug 6 20:46:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 06 Aug 2020 10:46:50 +0000
Subject: [Bug 3087] Ed448 support
https://bugzilla.mindrot.org/show_bug.cgi?id=3087
sergio changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|WONTFIX |---
Status|RESOLVED |REOPENED
--- Comment #3 from sergio ---
I believe this decision should be reviewed.
From bugzilla-daemon at mindrot.org Thu Aug 6 20:49:12 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 06 Aug 2020 10:49:12 +0000
Subject: [Bug 3087] Ed448 support
https://bugzilla.mindrot.org/show_bug.cgi?id=3087
--- Comment #4 from sergio ---
openssl supports Ed448
gnupg will support Ed448: https://dev.gnupg.org/D505
erlang ssh supports Ed448: https://erlang.org/doc/man/SSH_app.html
From bugzilla-daemon at mindrot.org Fri Aug 7 13:44:03 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 03:44:03 +0000
Subject: [Bug 3199] Pass address family switch to proxy command
https://bugzilla.mindrot.org/show_bug.cgi?id=3199
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker ---
I'm not sure about these semantics because it's significantly different
to that of the existing TOKENs. Where possible we try to keep them
consistent across all keywords that can use them. I can imagine use
cases where the other keywords might also want access to this
information and as it stands this isn't really suitable for that.
None of the other TOKENs are in the form of a command line flag, and
they always expand into something. This one only expands into
something some of the time. I grant it's convenient for this exact use
case, but my concern is it will be difficult or impossible to use for
any other case.
From bugzilla-daemon at mindrot.org Fri Aug 7 14:10:20 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:10:20 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key
if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3165|0 |1
is obsolete| |
Attachment #3188|0 |1
is obsolete| |
Status|NEW |ASSIGNED
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
CC| |djm at mindrot.org,
| |dtucker at dtucker.net
Attachment #3439| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #3 from Damien Miller ---
Created attachment 3439
--> https://bugzilla.mindrot.org/attachment.cgi?id=3439&action=edit
AddKeysToAgent with interval support
This adds support for specifying an interval to AddKeysToAgent,
including requesting both per-use confirmation and an interval via
AddKeysToAgent="confirm 5m"
From bugzilla-daemon at mindrot.org Fri Aug 7 14:11:11 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:11:11 +0000
Subject: [Bug 2191] Feature Proposal: Add an identity to the agent
automatically when loading the identity
https://bugzilla.mindrot.org/show_bug.cgi?id=2191
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller ---
This feature was added a while ago in the form of AddKeysToAgent. The
only missing piece is being able to set a timeout. That is being worked
on in bug 2670.
*** This bug has been marked as a duplicate of bug 2670 ***
From bugzilla-daemon at mindrot.org Fri Aug 7 14:11:11 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:11:11 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key
if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tomo at cx4a.org
--- Comment #4 from Damien Miller ---
*** Bug 2191 has been marked as a duplicate of this bug. ***
From bugzilla-daemon at mindrot.org Fri Aug 7 14:12:39 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:12:39 +0000
Subject: [Bug 2192] scp output alignment bug with UTF-8/multibyte sequences
https://bugzilla.mindrot.org/show_bug.cgi?id=2192
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #7 from Damien Miller ---
Are you able to replicate this with a recent OpenSSH? There have been
quite a few fixes in this area since 7.x.
From bugzilla-daemon at mindrot.org Fri Aug 7 14:25:55 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:25:55 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
https://bugzilla.mindrot.org/show_bug.cgi?id=3069
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |dtucker at dtucker.net
Attachment #3440| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #1 from Damien Miller ---
Created attachment 3440
--> https://bugzilla.mindrot.org/attachment.cgi?id=3440&action=edit
Retry unglobbed filename on get remote_glob failure
I think this should fix it.
Filenames for sftp get commands are processed using remote_glob() to
wildcard-expand them. In this case it was interpreting and eating the
special characters.
This patch makes the remote_glob() call return the original, unmodified
filename when expansion fails. Pretty much every other remote_glob()
call in the sftp client already does this for precisely this reason.
From bugzilla-daemon at mindrot.org Fri Aug 7 14:26:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:26:05 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
https://bugzilla.mindrot.org/show_bug.cgi?id=3069
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3162
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
From bugzilla-daemon at mindrot.org Fri Aug 7 14:26:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:26:05 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |3069
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3069
[Bug 3069] sftp issues with [ or ] in path name
From bugzilla-daemon at mindrot.org Fri Aug 7 14:30:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:30:51 +0000
Subject: [Bug 3070] Using recursive put always copies permissions
https://bugzilla.mindrot.org/show_bug.cgi?id=3070
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller ---
I think that's a bit of an overbroad hammer - IMO users generally want
some permissions to be preserved, e.g. X bits.
Unfortunately, the sftp protocol doesn't have notions of umask or
changing only a subset of permission bits - either the client specifies
all of them or none of them.
From bugzilla-daemon at mindrot.org Fri Aug 7 14:53:40 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 04:53:40 +0000
Subject: [Bug 1542] Send echo on/off flag to SSH_ASKPASS
https://bugzilla.mindrot.org/show_bug.cgi?id=1542
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #25 from Damien Miller ---
OpenSSH 8.2 sets a $SSH_ASKPASS_PROMPT environment variable that passes
context through to the askpass program. The
contrib/gnome-ssh-askpass[23] helper has been updated to use it too.
From bugzilla-daemon at mindrot.org Fri Aug 7 17:15:37 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:15:37 +0000
Subject: [Bug 3199] Pass address family switch to proxy command
https://bugzilla.mindrot.org/show_bug.cgi?id=3199
--- Comment #2 from Jakub Jelen ---
Thank you for feedback. That was the reason why I started this
discussion on the mailing list whether there might be some other use
cases that we should consider when implementing this feature.
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-August/038698.html
I see it is quite strictly tied to (proxy) commands, which is probably
fine (as we already have for example %T only for local commands). The
choice of whole command-line switch was for convenience as -4 and -6
are quite standard and there is usually no way how to express default
family choice (any/unspec) while checking various netcat
implementations. But if somebody can come up with a more suitable solution,
I am fine with that.
For the sssd use case mentioned on the mailing list, we are quite free
to use anything, for example some environment variable to pass this
information if it would be more suitable (but it would be useless for
netcat or other tools at this moment).
From bugzilla-daemon at mindrot.org Fri Aug 7 17:18:36 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:18:36 +0000
Subject: [Bug 2049] Request for a configurable option for SFTP to display
login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3162
--- Comment #8 from Darren Tucker ---
Updated patch to current and applied. It's a slight improvement but
I'm not sure it resolves the original report since AFAIK none of the
original reporters tested it for their use case.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
From bugzilla-daemon at mindrot.org Fri Aug 7 17:18:36 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:18:36 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |2049
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2049
[Bug 2049] Request for a configurable option for SFTP to display login
information to the user after a successful login.
From bugzilla-daemon at mindrot.org Fri Aug 7 17:41:24 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:41:24 +0000
Subject: [Bug 3069] sftp issues with [ or ] in path name
https://bugzilla.mindrot.org/show_bug.cgi?id=3069
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3440|ok?(dtucker at dtucker.net) |ok+
Flags| |
From bugzilla-daemon at mindrot.org Fri Aug 7 17:43:20 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 07:43:20 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key
if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3439|ok?(dtucker at dtucker.net) |ok+
Flags| |
From bugzilla-daemon at mindrot.org Fri Aug 7 18:14:22 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 07 Aug 2020 08:14:22 +0000
Subject: [Bug 2192] scp output alignment bug with UTF-8/multibyte sequences
https://bugzilla.mindrot.org/show_bug.cgi?id=2192
--- Comment #8 from Darren Tucker ---
Yeah it's still there. It's kinda hard to follow what progressmeter is
doing composing the status line into a single buffer, we should
probably put the component parts into their own dynamically allocated
buffer and compose the final one with a single asmprintf.
From bugzilla-daemon at mindrot.org Sat Aug 8 14:22:17 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 08 Aug 2020 04:22:17 +0000
Subject: [Bug 3200] New: Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200
Bug ID: 3200
Summary: Will future versions of openssh fix CVE-2020-15778?
Product: Portable OpenSSH
Version: 8.3p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: scp
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at outlook.com
Although separating the scp function from the ssh is a difficult task,
it is inappropriate to run commands in the scp that transfers files.
Will OpenSSH be able to restore the CVE?
https://github.com/cpandya2909/CVE-2020-15778
From bugzilla-daemon at mindrot.org Tue Aug 11 00:26:49 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 10 Aug 2020 14:26:49 +0000
Subject: [Bug 3201] New: provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
Bug ID: 3201
Summary: provide an option to use sftp instead of ssh 'exec sh
-c …' for installing ssh-keys via ssh-copy-id
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-copy-id
Assignee: unassigned-bugs at mindrot.org
Reporter: blaimi at blaimi.de
Currently the command ssh-copy-id requires shell-access on the
server-side.
To allow the usage of ssh-copy-id on systems where shell-access is not
allowed like on some commercial storage providers (e.g. hetzner
storage-box), the modification of authorized_keys could be done through
downloading, modifying and uploading instead of executing a command on
the server-side.
If nothing prevents this, we could provide some developer-resources to
achieve this with an optional flag like '--use-sftp' or '-s'.
From bugzilla-daemon at mindrot.org Tue Aug 11 15:34:07 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 05:34:07 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
Joel Nothman changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |joel.nothman at gmail.com
--- Comment #1 from Joel Nothman ---
+1 that I would find this feature useful, and could make an attempt at
implementing it. The university that I work for provides sftp-only
access to its data stores. This feature would help us support
researchers and students using key-based authentication.
Eerily, I found this bug posted on the same day as I was considering
it.
From bugzilla-daemon at mindrot.org Tue Aug 11 20:55:44 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 10:55:44 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
--- Comment #2 from Joel Nothman ---
Hard parts of this may include:
* ensuring umask is set correctly
* avoiding race conditions in modifying authorized_keys
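The client-side half of the download, modify and upload flow proposed in bug 3201, covering the two hard parts named in comment #2, as an added example that is not ssh-copy-id code or the patch from the pull request. The function names `merge_keys` and `install_batch` are hypothetical and the key strings are constructed.

```shell
#!/bin/sh
# Added example, not ssh-copy-id code. merge_keys and install_batch are
# hypothetical names; the key strings in demo() are constructed.

# merge_keys CURRENT NEWKEYS OUT
# Copy CURRENT (the fetched authorized_keys, may be missing) to OUT and
# append every line of NEWKEYS whose key blob (2nd field of a .pub line)
# is not already present. OUT must be a different file from CURRENT and
# always ends up mode 0600, whatever the caller's umask is.
# Prints the number of keys appended.
merge_keys() {
    current=$1 newkeys=$2 out=$3
    (
        umask 077                      # subshell: caller's umask untouched
        rm -f -- "$out"                # never inherit a stale, looser mode
        : > "$out" || exit 1
        if [ -f "$current" ]; then cat -- "$current" >> "$out"; fi
        # A last line without a newline would fuse with the appended key.
        if [ -s "$out" ] && [ -n "$(tail -c 1 "$out")" ]; then
            echo >> "$out"
        fi
        added=0
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            blob=$(printf '%s\n' "$line" | awk '{print $2}')
            [ -n "$blob" ] || continue
            # Existing entries may carry options before the key type, so
            # look for the blob in any whitespace-separated field.
            if ! awk -v b="$blob" \
                '{ for (i = 1; i <= NF; i++) if (($i "") == (b "")) f = 1 }
                 END { exit !f }' "$out"; then
                printf '%s\n' "$line" >> "$out"
                added=$((added + 1))
            fi
        done < "$newkeys"
        echo "$added"
    )
}

# install_batch LOCAL_FILE TAG
# Print an sftp(1) batch (for "sftp -b -") that uploads LOCAL_FILE under
# a temporary name and only then renames it into place.
#  - "-mkdir" may fail (directory exists) without ending the batch; any
#    other failing command aborts it, so a broken upload is never renamed
#    over the live file.
#  - Modes are set explicitly instead of trusting the umask on either end.
#  - Whether rename may replace an existing file depends on the server
#    (OpenSSH's sftp-server offers a posix-rename extension for this).
#  - sftp has no locking: a change made by someone else between the
#    earlier "get" and this rename is still lost.
install_batch() {
    local_file=$1 tag=$2
    cat <<EOF
-mkdir .ssh
chmod 700 .ssh
put "$local_file" ".ssh/authorized_keys.$tag"
chmod 600 ".ssh/authorized_keys.$tag"
rename ".ssh/authorized_keys.$tag" ".ssh/authorized_keys"
EOF
}

# Demo on constructed data; nothing is sent over the network.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDKEYONE alice@laptop' \
        > "$dir/fetched"
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDKEYONE alice@laptop' \
                  'ssh-ed25519 AAAAC3CONSTRUCTEDKEYTWO alice@desk' \
        > "$dir/new.pub"
    echo "keys added: $(merge_keys "$dir/fetched" "$dir/new.pub" "$dir/merged")"
    install_batch "$dir/merged" "tmp.$$"
    rm -rf -- "$dir"
}
demo
```
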
From bugzilla-daemon at mindrot.org Wed Aug 12 02:46:35 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 11 Aug 2020 16:46:35 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
--- Comment #3 from Matthias Bl?mel ---
I made a draft pull-request:
https://github.com/openssh/openssh-portable/pull/199
From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:50 +0000
Subject: [Bug 2670] Add ssh_config option that sets the lifetime of the key
if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
Blocks| |3162
--- Comment #5 from Damien Miller ---
This has been committed and will be in OpenSSH 8.4.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:51 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:51 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Bug 3162 depends on bug 2670, which changed state.
Bug 2670 Summary: Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
From bugzilla-daemon at mindrot.org Wed Aug 12 15:35:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Aug 2020 05:35:50 +0000
Subject: [Bug 3162] Tracking bug for 8.4 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |2670
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2670
[Bug 2670] Add ssh_config option that sets the lifetime of the key if
added via AddKeysToAgent
From bugzilla-daemon at mindrot.org Tue Aug 18 23:51:43 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 18 Aug 2020 13:51:43 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
--- Comment #4 from Matthias Bl?mel ---
Created attachment 3441
--> https://bugzilla.mindrot.org/attachment.cgi?id=3441&action=edit
patchfile to solve #3201
This is a patchfile for the same changes as in
https://github.com/openssh/openssh-portable/pull/199/commits/81658011c9a7f4330bf8a49ec4b3f2f129215fa1
but ported to http://git.hands.com/ssh-copy-id.git
From bugzilla-daemon at mindrot.org Tue Aug 18 23:52:15 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 18 Aug 2020 13:52:15 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh
'exec sh -c …' for installing ssh-keys via ssh-copy-id
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
Matthias Bl?mel changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil at hands.com
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 22 00:14:32 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Aug 2020 14:14:32 +0000
Subject: [Bug 3201] provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3201
--- Comment #5 from Philip Hands ---
Sorry I didn't notice this earlier -- I'll try to have a look at it
shortly. Thanks for the contribution :-)
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Wed Aug 26 18:45:31 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Aug 2020 08:45:31 +0000
Subject: [Bug 3202] New: Ed25519 key on HSM is not getting listed in ssh-add
-l command
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Bug ID: 3202
Summary: Ed25519 key on HSM is not getting listed in ssh-add -l
command
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: ranjan.kumar at thalesgroup.com
Created attachment 3442
--> https://bugzilla.mindrot.org/attachment.cgi?id=3442&action=edit
Logs that shows detailed output of each command with cryptoki log and
dmesg.
Steps to Reproduce:
1. Install OpenSSH
2. Install SafeNet LunaClient and set up NTLS.
3. Generate Edward 25519 and RSA Key using SafeNet ckdemo utility.
4. Run the commands below:
a.) eval `ssh-agent -P "/usr/safenet/lunaclient/lib/*" -s`
b.) ssh-add -s /usr/safenet/lunaclient/lib/libcklog2.so
c.) ssh-add -l
Actual Output:
2048 SHA256:r/7tkup1Bb76UDVgs5GDfTDvKpTVhhM0SWNY+Mja2Xg Generated RSA
Public Key (RSA)
Expected Output: Both RSA And Ed25519 key should be listed.
5. Create Ed25519 key using ssh-keygen command on HSM:
ssh-keygen -t ed25519 -D /usr/safenet/lunaclient/lib/libcklog2.so
Actual Output:
Enter PIN for 'ranjan':
skipping unsupported key type
failed to fetch key
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLplYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t
Generated RSA Public Key
Expected Output: Ed25519 Key Should be generated
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Wed Aug 26 21:34:54 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Aug 2020 11:34:54 +0000
Subject: [Bug 3203] New: Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Bug ID: 3203
Summary: Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
Product: Portable OpenSSH
Version: 8.3p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: toby at inf.ed.ac.uk
Hi there,
I'm filing this bug upstream as suggested in this ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548
I'll recreate my original text from that ticket here:
"
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c). It would be great if ssh(gssapi-with-mic) connections
either (a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
"
Redhat already patches for this, but they patch the upstream source quite
heavily (as do ubuntu, but in different ways).
I'm hoping to spend more time on getting a patch to do this on ubuntu,
but I suspect that wouldn't be of much use upstream.
Would there be interest in implementing this functionality upstream?
Thanks
Toby Blake
School of Informatics
University of Edinburgh
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 19:28:53 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 09:28:53 +0000
Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Jakub Jelen changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen ---
We use several patches to do that in RHEL/Fedora and this was already
proposed in bug #2775, but without any feedback from OpenSSH
developers.
Feel free to use the patches we use (might need updating from version
posted in the bug). But note that there are still many people interested
in using per-session caches.
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 19:32:06 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 09:32:06 +0000
Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l
command
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Jakub Jelen changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |pkcs11
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen ---
The support for Ed25519 keys is very fresh in PKCS #11 so not even all
pkcs11 libraries caught up. But as we have RSA and ECDSA, adding
Ed25519 should not be that hard. I would like to have a look into that
eventually.
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 19:37:41 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 09:37:41 +0000
Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
--- Comment #2 from Toby Blake ---
(In reply to Jakub Jelen from comment #1)
> We use several patches to do that in RHEL/Fedora and this was
> already proposed in bug #2775, but without any feedback from OpenSSH
> developers.
>
> Feel free to use the patches we use (might need updating from
> version posted in the bug). But note that there are still many people
> interested in using per-session caches.
Hi Jakub,
Thanks for the reply. I've tried a (slightly reworked to get it to
apply) version of openssh-7.7p1-gssapi-new-unique.patch but it doesn't
seem to quite do what I want it to do, specifically it always gives me
a new unique ccache, rather than using e.g. KEYRING:persistent:%{uid}.
It may be that in reworking it I've messed it up somewhat so I need to
find some time to look at it in more detail.
Cheers
Toby
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 19:54:03 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 09:54:03 +0000
Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l
command
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
--- Comment #2 from Ranjan ---
Thanks Jakub. We have many customers who want to use ED25519, so can you
please tell when we can expect the support for this will be available?
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 20:00:50 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 10:00:50 +0000
Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
--- Comment #3 from Jakub Jelen ---
Hi,
the current version we use in Fedora lives here so it could have gone
through some updates and fixes since 2 years ago:
https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch
The new unique cache in the given collection is probably the most
sensible way of doing this. Or you suggest that you would like the new
login to override existing tickets in the ccache? Or you still see the
ccache in /tmp being used? What configuration did you try?
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Thu Aug 27 20:55:31 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Aug 2020 10:55:31 +0000
Subject: [Bug 3203] Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
--- Comment #4 from Toby Blake ---
(In reply to Jakub Jelen from comment #3)
> Hi,
> the current version we use in Fedora lives here so it could have
> gone through some updates and fixes since 2 years ago:
>
> https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch
Hi, this is the patch I've tried to rework for ubuntu.
> The new unique cache in the given collection is probably the most
> sensible way of doing this. Or you suggest that you would like the
> new login to override existing tickets in the ccache? Or you still
> see the ccache in /tmp being used? What configuration did you try?
What I'd like is to be able to set
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
... in /etc/krb5.conf and for (gssapi) ssh connections to use this, in
the same way that I can set it for PAM connections.
This no doubt works under redhat (and indeed it works for us with
Scientific Linux 7.8 with the addition of a backported
openssh-7.5p1-gss-environment.patch, as discussed in
https://bugzilla.redhat.com/show_bug.cgi?id=1199363)
I think I need to look at the gssapi-new-unique patch again, with a
more complete understanding of the relevant code areas. My reworking
of it is definitely not doing what it should do.
The biggest issue in getting this working is the divergent code bases
between redhat and ubuntu (in particular, I suspect, the gsskex patch).
This is why I'd much prefer this issue to be fixed upstream.
Pending that, I'll look again at the unique patch.
Cheers
Toby
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:05:34 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:05:34 +0000
Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l
command
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller ---
OpenSSH won't implement this until we have some way to test, preferably
both hardware and a software (softhsm or similar) target to test
against.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:14:24 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:14:24 +0000
Subject: [Bug 3200] Will future versions of openssh fix CVE-2020-15778?
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3200
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller ---
this CVE stems from a misunderstanding of how scp works. It is an old
program that *deliberately* invokes the remote shell for glob pattern
expansion.
We're not going to "fix" scp, but we might replace it entirely. There
are significant backwards-compatibility concerns to work through
however.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:17:28 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:17:28 +0000
Subject: [Bug 3178] When authenticating with a -sk key via agent, no 'touch
security key' prompt displayed
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3178
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #3 from Damien Miller ---
Closing; this works for me. If you are able to reproduce this with an
agent configured to use ssh-askpass, then please reopen.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:18:21 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:18:21 +0000
Subject: [Bug 3179] sshd bind function and IPv6 neighbor discovery
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3179
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:26:31 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:26:31 +0000
Subject: [Bug 2929] OpenSSH server should not send the SSH_MSG_EXT_INFO
message after rekeying
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2929
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #8 from Damien Miller ---
This was fixed in openssh-8.1 last year
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:26:31 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:26:31 +0000
Subject: [Bug 2915] Tracking bug for 8.0 release
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
Bug 2915 depends on bug 2929, which changed state.
Bug 2929 Summary: OpenSSH server should not send the SSH_MSG_EXT_INFO message after rekeying
https://bugzilla.mindrot.org/show_bug.cgi?id=2929
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:28:43 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:28:43 +0000
Subject: [Bug 2942] minor memory leak in ssh_set_newkeys()
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2942
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller ---
This was fixed back in OpenSSH 8.0 last year, but I forgot to update
this bug at the time. Thanks!
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:43:36 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:43:36 +0000
Subject: [Bug 2948] implement "copy-data" sftp extension
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2948
--- Comment #9 from Damien Miller ---
Comment on attachment 3344
--> https://bugzilla.mindrot.org/attachment.cgi?id=3344
sftp server copy-data extension
looks good - some minor comments
>diff --git a/PROTOCOL b/PROTOCOL
>index f75c1c0ae5b0..04a392db33be 100644
...
>+static void
>+process_extended_copy_data(u_int32_t id)
...
>+ /* Disallow reading & writing to the same handle */
>+ if (read_handle == write_handle || read_fd < 0 || write_fd < 0) {
I think this should also check that both the read and write handles do
not refer to the same path? (use handle_to_name())
>+ status = SSH2_FX_FAILURE;
>+ } else {
nit: prefer "goto out" over nesting if/else
>+ if (lseek(read_fd, read_off, SEEK_SET) < 0) {
>+ status = errno_to_portable(errno);
>+ error("process_extended_copy_data: read_seek failed");
nit: ditto
>+ } else if (!(handle_to_flags(write_handle) & O_APPEND) &&
>+ lseek(write_fd, write_off, SEEK_SET) < 0) {
>+ status = errno_to_portable(errno);
>+ error("process_extended_copy_data: write_seek failed");
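Review bot: in the else-if guarding the write-side lseek(), the `!(handle_to_flags(write_handle) & O_APPEND)` test means a client-supplied write_off is silently ignored when the destination handle was opened with O_APPEND, and the request still proceeds to the copy branch. If that is intended, say so in a comment on this branch and, if PROTOCOL does not already state it, in the extension's description there, so clients do not assume the data landed at the offset they asked for. Both seek failure messages also log no errno detail; adding strerror(errno) to the error() call would make the log match the status returned to the client.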
nit: prefer __func__ to manual inclusion of function name
>+ } else {
>+ /* Process the request in chunks. */
>+ while (read_len || copy_until_eof) {
nit: prefer explicit comparison against zero (i.e "read_len > 0")
>+
>+ ret = read(read_fd, buf, len);
...
>+ ret = write(write_fd, buf, len);
I think this should use atomicio here to be signal safe.
>+ if ((size_t)ret != len) {
>+ debug2("nothing at all written");
>+ status = SSH2_FX_FAILURE;
>+ break;
>+ }
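Review bot: the `(size_t)ret != len` check after write() folds two different outcomes into one: a failed write (ret == -1, which compares unequal only because of the cast) and a short write. Both are logged as "nothing at all written" and returned as a flat SSH2_FX_FAILURE, while the lseek() branches above map errno through errno_to_portable(). If this block stays, handle ret < 0 first with errno_to_portable(errno), and either retry the remainder of a short write or log it as a short write.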
this block can go away with atomicio
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
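The review's two substantive requests in comment #9, refusing a copy where both handles resolve to the same file and making the write loop safe against signals and short writes, shown as an added example that is neither the patch's code nor OpenSSH's atomicio(). `write_all`, `read_some`, `same_file` and `copy_range` are hypothetical names, and the same-file test compares fstat() device and inode numbers in place of the handle_to_name() path comparison the reviewer suggests.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write exactly len bytes, resuming after EINTR and short writes.
 * Returns 0 on success, -1 with errno set on failure. */
static int write_all(int fd, const char *buf, size_t len)
{
    size_t done = 0;

    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            return -1;
        }
        if (n == 0) {           /* no progress and no error: give up */
            errno = EIO;
            return -1;
        }
        done += (size_t)n;      /* short write: continue with the rest */
    }
    return 0;
}

/* read() that retries on EINTR; returns bytes read, 0 at EOF, -1 on error. */
static ssize_t read_some(int fd, char *buf, size_t len)
{
    ssize_t n;

    do {
        n = read(fd, buf, len);
    } while (n < 0 && errno == EINTR);
    return n;
}

/* 1 if both descriptors refer to the same file, 0 if not, -1 on error. */
static int same_file(int a, int b)
{
    struct stat sa, sb;

    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Copy len bytes from rfd at roff to wfd at woff; len == 0 copies to EOF
 * (assumption modelled on the patch's copy_until_eof flag).
 * Returns 0 on success or an errno value. */
static int copy_range(int rfd, off_t roff, uint64_t len, int wfd, off_t woff)
{
    char buf[4096];
    int until_eof = (len == 0);
    int same = same_file(rfd, wfd);

    if (same < 0)
        return errno;
    if (same)
        return EINVAL;          /* distinct handles, same underlying file */
    if (lseek(rfd, roff, SEEK_SET) < 0 || lseek(wfd, woff, SEEK_SET) < 0)
        return errno;
    while (until_eof || len > 0) {
        size_t want = sizeof(buf);
        ssize_t n;

        if (!until_eof && len < want)
            want = (size_t)len;
        if ((n = read_some(rfd, buf, want)) < 0)
            return errno;
        if (n == 0)             /* EOF: fine for copy-to-EOF, else too short */
            return until_eof ? 0 : EIO;
        if (write_all(wfd, buf, (size_t)n) < 0)
            return errno;
        if (!until_eof)
            len -= (uint64_t)n;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample data in two temporary files. */
    char src[] = "/tmp/copysrcXXXXXX", dst[] = "/tmp/copydstXXXXXX";
    int s = mkstemp(src), d = mkstemp(dst), s2 = open(src, O_RDWR), rc;

    if (s < 0 || d < 0 || s2 < 0 || write_all(s, "0123456789", 10) < 0)
        return 1;
    rc = copy_range(s, 3, 4, d, 0) != 0 || copy_range(s, 0, 4, s2, 5) != EINVAL;
    unlink(src);
    unlink(dst);
    return rc;
}
```

Comparing device and inode also catches hard links and two opens of one path, which a comparison of handle values alone does not.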
From bugzilla-daemon at mindrot.org Fri Aug 28 13:47:23 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:47:23 +0000
Subject: [Bug 2948] implement "copy-data" sftp extension
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2948
--- Comment #10 from Damien Miller ---
Comment on attachment 3345
--> https://bugzilla.mindrot.org/attachment.cgi?id=3345
sftp client copy-data extension
This too looks good, minor comments:
>diff --git a/sftp-client.c b/sftp-client.c
>index 4986d6d8d291..cd2844a8585e 100644
>--- a/sftp-client.c
>+++ b/sftp-client.c
...
>+int
>+do_copy(struct sftp_conn *conn, const char *oldpath, const char *newpath)
>+{
...
>+ /* Silently return if the extension is not supported */
>+ if ((conn->exts & SFTP_EXT_COPY_DATA) == 0) {
>+ error("Server does not support copy-data extension");
This is not silent :)
>diff --git a/sftp.1 b/sftp.1
>index 0fd54cae090e..f2eae7f32790 100644
>--- a/sftp.1
>+++ b/sftp.1
...
>+.Ic lchdir , copy , chmod , chown ,
the manpage says the command is "copy", but ...
>diff --git a/sftp.c b/sftp.c
>index 7db86c2d3cf0..3288279172a9 100644
>--- a/sftp.c
>+++ b/sftp.c
...
>+ { "cp", I_COPY, REMOTE },
... it's implemented as "cp"
Either/both is fine, but it needs to be consistent of course.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:49:19 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:49:19 +0000
Subject: [Bug 2948] implement "copy-data" sftp extension
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2948
--- Comment #11 from Damien Miller ---
Comment on attachment 3344
--> https://bugzilla.mindrot.org/attachment.cgi?id=3344
sftp server copy-data extension
>+ /* Disallow reading & writing to the same handle */
>+ if (read_handle == write_handle || read_fd < 0 || write_fd < 0) {
Maybe mention here that this also ensures that both handles refer to
files rather than directories
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 13:52:01 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 03:52:01 +0000
Subject: [Bug 2949] "limits@openssh.com" extension to SFTP to query various
transfer limits
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2949
--- Comment #5 from Damien Miller ---
sorry for stalling. This looks fine to me
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Fri Aug 28 19:41:32 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 09:41:32 +0000
Subject: [Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l
command
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
--- Comment #4 from Jakub Jelen ---
(In reply to Damien Miller from comment #3)
> OpenSSH won't implement this until we have some way to test,
> preferably both hardware and a software (softhsm or similar) target
> to test against.
SoftHSM supports Ed25519 keys already [0] (with some follow-up fixes to
match final PKCS #11 3.0 specs) and for OpenSC we have patches pending
(tested with NitroKey with Gnuk applet) [1] so if anyone is interested
to work on this, there are enough possibilities.
[0] https://github.com/opendnssec/SoftHSMv2/pull/324
[1] https://github.com/OpenSC/OpenSC/pull/1960
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 09:33:40 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 23:33:40 +0000
Subject: [Bug 3204] New: Enable user-relative revoked keys files
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
Bug ID: 3204
Summary: Enable user-relative revoked keys files
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: macdjord at gmail.com
The `AuthorizedKeysFile` directive supports the %h, %U, and %u tokens,
but the `RevokedKeys` directive does not. Thus it is possible to grant
individual users the ability to add authorized login keys (and indeed
this is the default with `.ssh/authorized_keys`), including authorized
certificate authorities using the `cert-authority` option, but there is
no way to grant them the ability to manage their own lists of revoked
keys.
This should be fixed by enabling support for the %h, %U, and %u tokens
for the `RevokedKeys` directive.
See also: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 , which
proposes a more powerful but more complicated solution to this issue:
allowing `authorized_keys` to specify a revocation list file for each
certificate authority key it defines.
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 09:34:56 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 23:34:56 +0000
Subject: [Bug 2328] Per-user certificate revocation list (CRL) in
authorized_keys
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Jordan Macdonald changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |macdjord at gmail.com
--- Comment #3 from Jordan Macdonald ---
Created a new bug report for the suggestion to define per-user (rather
than per-cert) revocation lists:
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 09:53:21 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 23:53:21 +0000
Subject: [Bug 3204] Enable user-relative revoked keys files
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
--- Comment #1 from Jordan Macdonald ---
Note: Both approaches - this one and the one suggested in
https://bugzilla.mindrot.org/show_bug.cgi?id=2328 - offer distinct
advantages:
* Maintaining separate KRLs for each certificate authority is
best-practice and enables fine-grained control (e.g. revoking the
signature of a particular key by a particular CA but still allowing
that same key to be used if it is also signed by a different authorized
CA)
* However, not everyone follows best practices, and many users will
just want to have one file to append their old/invalid/compromised keys
to without having to specify `crl-file="~/.ssh/revoked_keys"`
separately for every CA in `authorized_keys`
Either option would satisfactorily solve the issue of allowing users to
control their own revocations, but the ideal solution would probably be
to offer both.
Also, if per-user revocation files are supported, it would probably be
a good idea to give `RevokedKeys` a suitable default; I suggest
`.ssh/revoked_keys`. It seems unwise to enable user-specified CAs by
default without offering user-specified revocation.
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 09:54:00 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 23:54:00 +0000
Subject: [Bug 3204] Enable user-relative revoked keys files
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
Jordan Macdonald changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.mindrot.org/show_bug.cgi?id=2328
CC| |macdjord at gmail.com
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 09:54:00 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Aug 2020 23:54:00 +0000
Subject: [Bug 2328] Per-user certificate revocation list (CRL) in
authorized_keys
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Jordan Macdonald changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.mindrot.org/show_bug.cgi?id=3204
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sat Aug 29 10:04:40 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 29 Aug 2020 00:04:40 +0000
Subject: [Bug 2265] ServerAlive{Interval, CountMax} ignored if using an active
-R or -L tunnel
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=2265
Jordan Macdonald changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |macdjord at gmail.com
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
From bugzilla-daemon at mindrot.org Sun Aug 30 05:09:29 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 29 Aug 2020 19:09:29 +0000
Subject: [Bug 3205] New: Support HPE NonStop Server Port
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
Bug ID: 3205
Summary: Support HPE NonStop Server Port
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Other
Status: NEW
Severity: enhancement
Priority: P5
Component: Build system
Assignee: unassigned-bugs at mindrot.org
Reporter: rsbecker at nexbridge.com
I am working on updating the port for HPE NonStop Itanium and x86 (Big
Endian) platforms. I would like to contribute the changes, once
working, to the main repository for inclusion into the code base.
For reference, I have been maintaining the openssh-portable port for
both platforms through 7.6p1 using OpenSSL 1.0.2. The port for OpenSSL
1.1.1 was just completed and this has enabled me to bring the port up
to date. There are a few changes needed based on configure not handling
some situations but mostly the key difference is that ROOT is 65535 not
0 on this platform. The compiler we have to use is c99 but can upgrade
to c11 or higher in about 3 years when the Itanium platform is
deprecated.
The team I work on is called ITUGLIB and maintains many of the critical
Open Source ports for the platform.
Is this contribution desired?
--
You are receiving this mail because:
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sun Aug 30 13:21:21 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 03:21:21 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
Darren Tucker changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker ---
Our general policy is that we'll support something as long as someone
is willing to do the work, and that the changes involved don't
compromise support for modern platforms. It sounds like you're willing
to do the work, so the other question is how invasive the required
changes are.
Can you share the existing port or the diff against the stock code of
the same vintage? It doesn't have to be polished, I just want to get a
sense for what's involved.
> x86 (Big Endian)
I didn't know that was even possible.
> The compiler we have to use is c99
right now all of the code (with the exception of some of the
experimental post-quantum stuff not compiled by default) is c89 for
maximum portability so c99 is fine.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
From bugzilla-daemon at mindrot.org Sun Aug 30 22:33:02 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 12:33:02 +0000
Subject: [Bug 3206] New: sftp client(32bit) chown command does not support
uid >LONG_MAX
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3206
Bug ID: 3206
Summary: sftp client(32bit) chown command does not support uid
>LONG_MAX
Product: Portable OpenSSH
Version: 6.9p1
Hardware: 68k
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: sftp
Assignee: unassigned-bugs at mindrot.org
Reporter: booking00 at sina.cn
Server could accept uid < ULONG_MAX. But client can only accept
uid chown 2147483648 execute.sh
You must supply a numeric argument to the chown command.
    case I_CHOWN:
    case I_CHGRP:
        if ((optidx = parse_ch_flags(cmd, argv, argc, hflag)) == -1)
            return -1;
        /* Get numeric arg (mandatory) */
        if (argc - optidx < 1)
            goto need_num_arg;
        errno = 0;
        l = strtol(argv[optidx], &cp2, base);
        if (cp2 == argv[optidx] || *cp2 != '\0' ||
            ((l == LONG_MIN || l == LONG_MAX) && errno == ERANGE) ||
            l < 0) {
 need_num_arg:
            error("You must supply a numeric argument "
                "to the %s command.", cmd);
            return -1;
        }
--
You are receiving this mail because:
You are watching the assignee of the bug.
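The limit reported in bug 3206, as an added example (not code from OpenSSH or from the reporter): `parse_id_long32` models the quoted strtol() check as it behaves where long is 32 bits, and `parse_id_u32` is a hypothetical parser that accepts the full unsigned 32-bit range. Both function names, and the assumption that a uid/gid is an unsigned 32-bit value, belong to this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the quoted check where long is 32 bits: a 64-bit parse plus an
 * INT32_MAX bound reproduces strtol() saturation on any host (assumption).
 * Returns 0 and stores the id on success, -1 on rejection. */
static int parse_id_long32(const char *s, int base, uint32_t *out)
{
	char *end;
	long long v;
	errno = 0;
	v = strtoll(s, &end, base);
	if (end == s || *end != '\0' || errno == ERANGE ||
	    v < 0 || v > INT32_MAX)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Hypothetical replacement: parse unsigned, bound by UINT32_MAX (assumed
 * id width). strtoull() accepts "-1" and negates it, so reject any sign. */
static int parse_id_u32(const char *s, int base, uint32_t *out)
{
	char *end;
	unsigned long long v;

	while (isspace((unsigned char)*s))
		s++;
	if (*s == '-' || *s == '+')
		return -1;
	errno = 0;
	v = strtoull(s, &end, base);
	if (end == s || *end != '\0' || errno == ERANGE || v > UINT32_MAX)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

int main(void)
{
	uint32_t id = 0;
	int old = parse_id_long32("2147483648", 10, &id); /* value from the report */
	int fix = parse_id_u32("2147483648", 10, &id);
	printf("long32 model: %d, u32 parser: %d (id=%lu)\n", old, fix, (unsigned long)id);
	return 0;
}
```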
From bugzilla-daemon at mindrot.org Mon Aug 31 00:29:56 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:29:56 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
--- Comment #2 from Randall S. Becker ---
We went to c99 because some of the constructs in the regression suite
do not compile with c89. I don't mind going back to c89 but there will
be a larger set of changes.
I'll share a patch listing here once I get this compiling correctly.
Note: the Big-Endian part has worked since 6.x - does not seem to take
any specific mods to get that working.
From bugzilla-daemon at mindrot.org Mon Aug 31 00:34:05 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:34:05 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
--- Comment #3 from Randall S. Becker ---
One thing that has me confused:
cc -c99 -I. -I. -I/usr/local-ssl1.1/include -Wnowarn=262,1252
-I/usr/local-ssl1.1/include -DSSHDIR=\"/usr/local-ssl1.1/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local-ssl1.1/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local-ssl1.1/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local-ssl1.1/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local-ssl1.1/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local-ssl1.1/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_SK_HELPER=\"/usr/local-ssl1.1/libexec/ssh-sk-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -fPIC -shared
-o regress/misc/sk-dummy/sk-dummy.so regress/misc/sk-dummy/sk-dummy.lo
regress/misc/sk-dummy/fatal.lo ed25519.lo hash.lo ge25519.lo fe25519.lo
sc25519.lo verify.lo \
-L. -Lopenbsd-compat -lopenbsd-compat -L. -Lopenbsd-compat/
-L/usr/local-ssl1.1/lib -L/usr/local-ssl1.1/lib -lcrypto -lz
c99: error: Invalid input file
extension"regress/misc/sk-dummy/sk-dummy.lo".
c99: error: Invalid input file
extension"regress/misc/sk-dummy/fatal.lo".
c99: error: Invalid input file extension"ed25519.lo".
c99: error: Invalid input file extension"hash.lo".
c99: error: Invalid input file extension"ge25519.lo".
c99: error: Invalid input file extension"fe25519.lo".
c99: error: Invalid input file extension"sc25519.lo".
c99: error: Invalid input file extension"verify.lo".
I'm not sure how to fix this in your build structure.
From bugzilla-daemon at mindrot.org Mon Aug 31 00:48:13 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Aug 2020 14:48:13 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
--- Comment #4 from Randall S. Becker ---
Created attachment 3443
--> https://bugzilla.mindrot.org/attachment.cgi?id=3443&action=edit
Git diff for patches associated with the NonStop port
From bugzilla-daemon at mindrot.org Mon Aug 31 17:01:56 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 31 Aug 2020 07:01:56 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
Damien Miller changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #5 from Damien Miller ---
(In reply to Randall S. Becker from comment #3)
> One thing that has me confused:
>
> cc -c99 -I. -I. -I/usr/local-ssl1.1/include -Wnowarn=262,1252
> -I/usr/local-ssl1.1/include -DSSHDIR=\"/usr/local-ssl1.1/etc\"
> -D_PATH_SSH_PROGRAM=\"/usr/local-ssl1.1/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local-ssl1.1/libexec/ssh-
> askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local-ssl1.1/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local-ssl1.1/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local-ssl1.1/libexec/ssh-pkcs11-
> helper\"
> -D_PATH_SSH_SK_HELPER=\"/usr/local-ssl1.1/libexec/ssh-sk-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\"
> -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -fPIC
> -shared -o regress/misc/sk-dummy/sk-dummy.so
> regress/misc/sk-dummy/sk-dummy.lo regress/misc/sk-dummy/fatal.lo
> ed25519.lo hash.lo ge25519.lo fe25519.lo sc25519.lo verify.lo \
> -L. -Lopenbsd-compat -lopenbsd-compat -L. -Lopenbsd-compat/
> -L/usr/local-ssl1.1/lib -L/usr/local-ssl1.1/lib -lcrypto -lz
> c99: error: Invalid input file
> extension"regress/misc/sk-dummy/sk-dummy.lo".
> c99: error: Invalid input file
> extension"regress/misc/sk-dummy/fatal.lo".
> c99: error: Invalid input file extension"ed25519.lo".
> c99: error: Invalid input file extension"hash.lo".
> c99: error: Invalid input file extension"ge25519.lo".
> c99: error: Invalid input file extension"fe25519.lo".
> c99: error: Invalid input file extension"sc25519.lo".
> c99: error: Invalid input file extension"verify.lo".
>
> I'm not sure how to fix this in your build structure.
These .lo files are identical to their .o counterparts except they were
compiled with -fPIC for linkage into a shared object (.so) for use by
dlopen(3). If your system is not going to use client-side FIDO security
key support, then it's fine to simply skip this (--disable-security-key
at configure time, though possibly we need some makefile surgery too).
From bugzilla-daemon at mindrot.org Mon Aug 31 20:19:39 2020
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 31 Aug 2020 10:19:39 +0000
Subject: [Bug 3205] Support HPE NonStop Server Port
In-Reply-To:
References:
Message-ID:
https://bugzilla.mindrot.org/show_bug.cgi?id=3205
--- Comment #6 from Darren Tucker ---
(In reply to Damien Miller from comment #5)
[...]
> these .lo files are identical to their .o counterparts except they
> were compiled with -fPIC for linkage into a shared object (.so) for
> use by dlopen(3).
There's a similar problem with AIX, which has an, err, interesting
linker. The traditional solution to this is libtool, but AFAICT
that'd require overhauling the entire build system.