OpenSSH 5.1: call for testing

Andy Tsouladze andyb1 at andy-t.org
Tue Jul 8 11:22:17 EST 2008


Compiled and tested successfully on
Slackware-12.0, GCC-4.1.2

Regards,

Andy

On Mon, 7 Jul 2008, Damien Miller wrote:

> Hi,
>
> OpenSSH 5.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release is one of
> the biggest in recent years, with two hackathons' worth of improvements
> and fixes for some of our most recalcitrant bugs.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
>
> New features:
>
> * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
>   and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
>   ssh_config(5) option "VisualHostKey". The intent is to render
>   SSH host keys in a visual form that is amenable to easy recall and
>   rejection of changed host keys. This technique inspired by the
>   graphical hash visualisation schemes known as "random art[*]", and
>   by Dan Kaminsky's musings at 23C3 in Berlin.
>   Fingerprint visualisation in is currently disabled by default, as the
>   algorithm used to generate the random art is still subject to change.
>   [*] "Hash Visualization: a New Technique to improve Real-World
>       Security", Perrig A. and Song D., 1999, International Workshop on
>       Cryptographic Techniques and E-Commerce (CrypTEC '99)
>   http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
>
> * sshd_config(5) now supports CIDR address/masklen matching in "Match
>   address" blocks, with a fallback to classic wildcard matching. For
>   example:
>     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
>         PasswordAuthentication yes
>
> * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
>   from="..." restrictions, also with a fallback to classic wildcard
>   matching.
>
> * Added an extended test mode (-T) to sshd(8) to request that it write
>   its effective configuration to stdout and exit. Extended test mode
>   also supports the specification of connection parameters (username,
>   source address and hostname) to test the application of
>   sshd_config(5) Match rules.
>
> * sftp-server(8) now supports extension methods statvfs at openssh.com and
>   fstatvfs at openssh.com that implement statvfs(2)-like operations.
>
> * sftp(1) now has a "df" command to the sftp client that uses the
>   statvfs at openssh.com to produce a df(1)-like display of filesystem
>   space and inode utilisation (requires statvfs at openssh.com support on
>   the server)
>
> * Added a MaxSessions option to sshd_config(5) to allow control of the
>   number of multiplexed sessions supported over a single TCP connection.
>   This allows increasing the number of allowed sessions above the
>   previous default of 10, disabling connection multiplexing
>   (MaxSessions=1) or disallowing login/shell/subsystem sessions
>   entirely (MaxSessions=0).
>
> * Added a no-more-sessions at openssh.com global request extension that is
>   sent from ssh(1) to sshd(8) when the client knows that it will never
>   request another session (i.e. when session multiplexing is disabled).
>   This allows a server to disallow further session requests and
>   terminate the session in cases where the client has been hijacked.
>
> * ssh-keygen(1) now supports the use of the -l option in combination
>   with -F to search for a host in ~/.ssh/known_hosts and display its
>   fingerprint.
>
> * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
>   "rsa1".
>
> * Added an AllowAgentForwarding option to sshd_config(8) to control
>   whether authentication agent forwarding is permitted. Note that this
>   is a loose control, as a client may install their own unofficial
>   forwarder.
>
> * Avoid unnecessary malloc/copy/free when receiving network data,
>   resulting in a ~10% speedup
>
> * ssh(1) and sshd(8) will now try additional addresses when connecting
>   to a port forward destination whose DNS name resolves to more than
>   one address. The previous behaviour was to try the only first address
>   and give up if that failed.
>
> * ssh(1) and sshd(8) now support signalling that channels are
>   half-closed for writing, through a channel protocol extension
>   notification "eow at openssh.com". This allows propagation of closed
>   file descriptors, so that commands such as:
>       "ssh -2 localhost od /bin/ls | true"
>   do not send unnecessary data over the wire. (bz#85)
>
> * sshd(8): increased the default size of ssh protocol 1 ephemeral keys
>   from 768 to 1024 bits.
>
> * When ssh(1) has been requested to fork after authentication
>   ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
>   after replies for any -R forwards have been seen. Allows for robust
>   detection of -R forward failure when using -f.
>
> * "Match group" blocks in sshd_config(5) now support negation of
>   groups. E.g. "Match group staff,!guests"
>
> * sftp(1) and sftp-server(8) now allow chmod-like operations to set
>   set[ug]id/sticky bits.
>
> * The MaxAuthTries option is now permitted in sshd_config(5) match
>   blocks.
>
> * Multiplexed ssh(1) sessions now support a subset of the ~ escapes
>   that are available to a primary connection.
>
> * ssh(1) connection multiplexing will now fall back to creating a new
>   connection in most error cases.
>
> * Added some basic interoperability tests against Twisted Conch.
>
> * Documented OpenSSH's extensions to and deviations from the published
>   SSH protocols (the PROTOCOL file in the distribution)
>
> * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
>
> Bugfixes
>
> * Make ssh(1) deal more gracefully with channel requests that fail.
>   Previously it would optimistically assume that requests would always
>   succeed, which could cause hangs if they did not (e.g. when the
>   server runs out of file descriptors).
>
> * ssh(1) now reports multiplexing errors via the multiplex slave's
>   stderr where possible (subject to LogLevel in the mux master).
>
> * ssh(1) and sshd(8) now send terminate protocol banners with CR+LF for
>   protocol 2 to comply with RFC 4253. Previously they were terminated
>   with CR alone. Protocol 1 banners remain CR terminated.
>
> * Merged duplicate authentication file checks in sshd(8) and refuse to
>   read authorised_keys and .shosts from non-regular files.
>
> * Ensure that sshd(8)'s umask disallows at least group and world write,
>   even if a more permissive one has been inherited.
>
> * Suppress the warning message from sshd(8) when changing to a
>   non-existent user home directory after chrooting.
>
> * Mention that scp(1) follows symlinks when performing recursive
>   copies.
>
> * Prevent sshd(8) from erroneously applying public key restrictions
>   leaned from ~/.ssh/authorized_keys to other authentication methods
>   when public key authentication subsequently fails.
>
> * Fix protocol keepalive timeouts - in some cases, keepalive packets
>   were being sent, but the connection was not being closed when the
>   limit for missing replies was exceeded.
>
> * Fix ssh(1) sending invalid TTY modes when a TTY was forced (ssh -tt)
>   but stdin was not a TTY.
>
> * ssh(1) will now exit with a non-zero exit status if
>   ExitOnForwardFailure was set and forwardings were disabled due to a
>   failed host key check.
>
> * Fix MaxAuthTries tests to disallow a free authentication try to
>   clients that skipped the protocol 2 "none" authentication method.
>
> * bz#1363: Make keepalive timeouts apply while synchronously waiting
>   for a packet, particularly during key renegotiation.
>
> * sshd(8) has been audited to eliminate fd leaks and calls to fatal()
>   in conditions of file descriptor exhaustion.
>
> Portable OpenSSH-specific bugfixes
>
> * Avoid a sshd(8) hang-on-exit on Solaris caused by depending on the
>   success of isatty() on a PTY master (undefined behaviour). Probably
>   affected other platforms too.
>
> * bz#1083: Fixed test for locked accounts on HP/UX with shadowed
>   passwords disabled.
>
> * bz#1386: Disable poll() fallback in atomiciov for Tru64. readv
>   doesn't seem to be a comparable object there, which lead to
>   compilation errors.
>
> * bz#1447: Fall back to racy rename if link returns EXDEV.
>
> * bz#1467: Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
>   some platforms (HP nonstop) it is a distinct errno.
>
> * bz#1240: Avoid NULL dereferences in ancient sigaction replacement
>   code.
>
> * bz#1276: Avoid linking against libgssapi, which despite its name
>   doesn't seem to implement all of GSSAPI.
>
> * bz#1112: Use explicit noreturn attribute instead of __dead, fixing
>   compilation problems on Interix.
>
> * bz#1241: Support password expiry on Tru64 SIA systems.
>
> * bz#1462: Fix an UMAC alignment problem that manifested on Itanium
>   platforms.
>
>
> Damien Miller
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect


More information about the openssh-unix-dev mailing list