Testing for the 4.4p1 release, round 2

Darren Tucker dtucker at zip.com.au
Fri Sep 22 00:20:58 EST 2006

Hi all.

As most of you know, we are preparing OpenSSH 4.4p1 for release.  We have
had one round of testing and I would like to thank all who responded.

We believe that most of the problems reported have been resolved.
If you are so inclined, we would appreciate a quick retest to ensure
that the fixed ones remain fixed and the working ones remain working.

Of the problems identitified, I am only aware of two reported that I do
not believe have been resolved:

regress hangs on Redhat 7.3, reason unknown (maybe IPv6 related?):

regress failure on IRIX w/mipspro compiler (SSH protocol 1 only):

I believe the first is new, but the latter is not.  Unfortunately we are
not able to reproduce either.

And now, a rerun of the earlier message with the details:

Snapshots are available from http://www.mindrot.org/openssh_snap or
from any of the mirrors listed on http://www.openssh.org/portable.html
The latter page also includes instructions for checking out portable
OpenSSH via anonymous CVS.

This release contains many bugfixes and feature improvements. Here
are some highlights:

- Implemented conditional configuration in sshd_config(5) using the
  "Match" directive. This allows some configuration options to be
  selectively overridden if specific criteria (based on user, group,
  hostname and/or address) are met. So far a useful subset of post-
  authentication options are supported and more are expected to be
  added in future releases.
- Added a "ForceCommand" directive to sshd_config(5). Similar to the
  command="..." option accepted in ~/.ssh/authorized_keys, this forces
  the execution of the specified command regardless of what the user
  requested. This is very useful in conjunction with the new "Match"
- Add a "PermitOpen" directive to sshd_config(5). This mirrors the
  permitopen="..." authorized_keys option, allowing fine-grained
  control over the port-forwardings that a user is allowed to
- Add optional logging of transactions to sftp-server(8).
- ssh(1) will now record port numbers for hosts stored in
  ~/.ssh/authorized_keys when a non-standard port has been requested.
- Add an "ExitOnForwardFailure" options to cause ssh(1) to exit (with
  a non-zero exit code) when requested port forwardings could not be
- Extend the sshd_config(5) "SubSystem" directive to allow the
  specification of commandline arguments.
- Add optional support for SELinux, controlled using the --with-selinux
  configure option (experimental)
- Add optional support for Solaris process contracts, enabled using the
  --with-solaris-contracts configure option (experimental)
- Add support for Diffie-Hellman group exchange key agreement with a
  final hash of SHA256. 
- Fixed a lot of bugs. See
  http://bugzilla.mindrot.org/show_bug.cgi?id=1155 for an incomplete
  list (more in the ChangeLog)
- Lots of manpage fixes and improvements
- Many code cleanups, including:
    - Switching to safer memory allocation functions that avoid integer
      overflows when allocating arrays
    - Cleanups of header file usage (ongoing)
    - Fixes to leaks reported by the Coverity static analysis tool

Running the regression tests supplied with Portable does not require
installation, just run:

$ ./configure && make tests

Testing on suitable non-production systems is also appreciated. Please send
reports of success or failure to openssh-unix-dev at mindrot.org, including 
details of your platform, compiler and configure options.


Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list