Call for release testing

Thu Mar 3 09:54:59 EST 2005

Hi,

We are preparing to release another stable OpenSSH soon, so once
again we are asking for your help in testing CVS snapshots.

Changes include:

* ssh(1) now allows the optional specification of an address to bind to
   in port forwarding connections (local, remote and dynamic). See the
   -L, -R options in the ssh(1) man page as well as LocalForward and
   RemoteForward options in ssh_config(5). (Bugzilla #413)

* To control remote bindings while retaining backwards compatibility,
   sshd(8)'s GatewayPorts option has been extended. To allow client
   specified bind addresses for remote (-R) port forwardings, the server
   must be configured with "GatewayPorts clientspecified".

* To support better selection of binding addresses for remote port
   forwardings, sshd(8) now supports the new address specification
   methods in draft-ietf-secsh-connect-24.txt section 7.1. In
   particular, the empty "" address_to_bind is recognised as meaning
   a wildcard bind for all supported protocols (IPv4 and IPv6) whereas
   "localhost" means an all-protocols loopback bind.

* ssh(1) and ssh-keyscan(1) now support hashing of host names and
   addresses added to known_hosts files, controlled by the ssh(1)
   HashKnownHosts configuration directive. This option improves user
   privacy by hiding which hosts have been visited. For this release
   the option will be off by default, but may be turned on once it
   receives sufficient testing.

* Add options for managing keys in known_hosts files to ssh-keygen(1),
   including the ability to search for hosts by name, delete hosts by
   name and convert an unhashed known_hosts file into one with hashed
   names. These are particularly useful for managing known_hosts files
   with hashed hostnames.

* Improve account and password expiry support in sshd(8). Ther server
   will now warn in advance for both account and password expiry.

* sshd(8) will now log the source of connections denied by AllowUsers,
   DenyUsers, AllowGroups and DenyGroups (Bugzilla #909)

* Added AddressFamily option to sshd(8), to allow global control over
   IPv4/IPv6 usage. (Bugzilla #989)

* Improved sftp(1) client, including bugfixes and optimisations for the
   ``ls'' command and command history and editing support using libedit.
   This may be enabled using the --with-libedit configure argument

* Improved the handling of bad data in authorized_keys files,
   eliminating fatal errors on corrupt or very large keys. (Bugzilla
   #884)

* Improved connection multiplexing support in ssh(1). Several bugs
   have been fixed and a new "command mode" has been added to allow the
   control of a running multiplexing master connection, including
   checking that it is up, determining its PID and asking it to exit.

* Have scp(1) and sftp(1) wait for the spawned ssh to exit before they
   exit themselves.  This prevents ssh from being unable to restore
   terminal modes (not normally a problem on OpenBSD but common with
   -Portable on POSIX platforms). (Bugzilla #950)

* Portable OpenSSH:

   - Add *EXPERIMENTAL* BSM audit support for Solaris systems
     (Bugzilla #125)

   - Enable IPv6 on AIX where possible (see README.platform for
     details), working around a misfeature of AIX's getnameinfo.
     (Bugzilla #835)

   - Teach sshd(8) to write failed login records to btmp for failed
     auth attempts (currently only for password, kbdint and C/R, only
     on Linux and HP-UX)

   - sshd(8) now sends output from failing PAM session modules to the
     user before exiting, similar to the way /etc/nologin is handled

   - Store credentials from gssapi-with-mic authentication early enough
     to be available to PAM session modules when privsep=yes.

* Many bug fixes and improvements, for details see the ChangeLog
   and http://bugzilla.mindrot.org/show_bug.cgi?id=914

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable snapshots are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
or one of its mirrors listed at http://www.openssh.com/portable.html#ftp

Please test!  Running the regression tests supplied with Portable
does not require installation and is a simply:

$ ./configure && make tests

Testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org.