Call for testing: OpenSSH-5.6
Bostjan Skufca
bostjan at a2o.si
Tue Aug 10 16:26:35 EST 2010
+1 for the parent poster's suggestion about the dir; it should be the same as the tar file name,
i.e.:
---> openssh-SNAP-20100810.tar.gz should unpack to
---> openssh-SNAP-20100810
(of course this is from user's perspective, not from developer's)
Anyway, all tests passed on slackware64 13.0.
b.
On 10 August 2010 01:21, Rainer Laatsch <Laatsch at uni-koeln.de> wrote:
> The snapshots until current invariably unpack to
> openssh
> Why not add e.g. a timestamp/version-id to the name to inhibit overwriting
> the directory of (say) yesterday? Some extra precautions could then be
> avoided.
>
> Regards,
> R.
>
> =====================================================================
>
>
> On Tue, 10 Aug 2010, Damien Miller wrote:
>
>> Hi,
>>
>> OpenSSH 5.6 is almost ready for release, so we would appreciate testing
>> on as many platforms and systems as possible. This is a moderately large
>> release, with a number of new features and bug fixes.
>>
>> Snapshot releases for portable OpenSSH are available from
>> http://www.mindrot.org/openssh_snap/
>>
>> The OpenBSD version is available in CVS HEAD:
>> http://www.openbsd.org/anoncvs.html
>>
>> Portable OpenSSH is also available via anonymous CVS using the
>> instructions at http://www.openssh.com/portable.html#cvs
>>
>> Running the regression tests supplied with Portable OpenSSH does not
>> require installation and is simply:
>>
>> $ ./configure && make tests
>>
>> Live testing on suitable non-production systems is also
>> appreciated. Please send reports of success or failure to
>> openssh-unix-dev at mindrot.org.
>>
>> Below is a summary of changes. More detail may be found in the ChangeLog
>> in the portable OpenSSH tarballs.
>>
>> Thanks to the many people who contributed to this release.
>>
>> -------------------------------
>>
>> Features:
>>
>> * Added a ControlPersist option to ssh_config(5) that automatically
>> starts a background ssh(1) multiplex master when connecting. This
>> connection can stay alive indefinitely, or can be set to
>> automatically close after a user-specified duration of inactivity.
>>
>> * Hostbased authentication may now use certificate host keys. CA keys
>> must be specified in a known_hosts file using the @cert-authority
>> marker.
>>
>> * ssh-keygen(1) now supports signing certificates using a CA key that
>> has been stored in a PKCS#11 token.
>>
>> * ssh(1) will now log the hostname and address that we connected to at
>> LogLevel=verbose after authentication is successful to mitigate
>> "phishing" attacks by servers with trusted keys that accept
>> authentication silently and automatically before presenting fake
>> password/passphrase prompts.
>>
>> Note that, for such an attack to be successful, the user must have
>> disabled StrictHostKeyChecking (enabled by default) or an attacker
>> must have access to a trusted host key for the destination server.
>>
>> * Expand %h to the hostname in ssh_config Hostname options. While this
>> sounds useless, it is actually handy for working with unqualified
>> hostnames:
>>
>> Host *.*
>> Hostname %h
>> Host *
>> Hostname %h.example.org
>>
>> * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
>> keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
>> (bz#1749)
>>
>> * sshd(8) will now queue debug messages for bad ownership or
>> permissions on the user's keyfiles encountered during authentication.
>> These messages will be sent after the user has successfully
>> authenticated. These messages may be viewed in ssh(1) at
>> LogLevel=debug or higher.
>>
>> * ssh(1) connection multiplexing now supports remote forwarding with
>> dynamic port allocation and can report the allocated port back to
>> the user:
>>
>> LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
>>
>> * sshd(8) now supports indirection in matching of principal names
>> listed in certificates. By default, if a certificate has an
>> embedded principals list then the destination username must match
>> one of the names in the list for it to be accepted for
>> authentication.
>>
>> sshd(8) now supports an optional AuthorizedPrincipalsFile to specify
>> a list of names that may be accepted in place of the username when
>> authorizing a certificate trusted via the sshd_config(5)
>> TrustedCAKeys option. Similarly, authentication using a CA trusted
>> in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]"
>> to specify a list of permitted names.
>>
>> If either option is absent, the current behaviour of requiring the
>> username to appear in principals continues to apply. These options
>> are useful for role accounts, disjoint account namespaces and
>> "user@realm"-style naming policies in certificates.
>>
>> * Expose some more sshd_config(5) options inside Match blocks:
>>
>> AuthorizedKeysFile
>> AuthorizedPrincipalsFile
>> HostbasedUsesNameFromPacketOnly
>> PermitTunnel
>>
>> * Revised the format of certificate keys. The new format, identified as
>> ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:
>>
>> - Addition of a serial number field. This may be specified by the CA
>> at the time of certificate signing.
>>
>> - Moving the nonce field to the beginning of the certificate where
>> it can better protect against chosen-prefix attacks on the
>> signature hash (currently infeasible against the SHA1 hash used)
>>
>> - Renaming of the "constraints" field to "critical options"
>>
>> - Adding of a new non-critical "extensions" field. The "permit-*"
>> options are now extensions, rather than critical options to
>> permit non-OpenSSH implementation of this key format to degrade
>> gracefully when encountering keys with options they do not
>> recognize.
>>
>> The older format is still supported for authentication and cert generation
>> (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate).
>> The older format, introduced in OpenSSH 5.4, will be supported for at
>> least one year from this release, after which it will be deprecated and
>> removed.
>>
>> BugFixes:
>>
>> * The PKCS#11 code now retries a lookup for a private key if there's
>> no matching key with CKA_SIGN attribute enabled; this fixes
>> MuscleCard support (bz#1736)
>>
>> * Unbreak strdelim() skipping past quoted strings, e.g.
>>
>> AllowUsers "blah blah" blah
>>
>> was broken (bz#1757)
>>
>> * sftp(1): fix swapped args in upload_dir_internal(), breaking
>> recursive upload depth checks and causing verbose printing of
>> transfers to always be turned on (bz#1797)
>>
>> * Fix a longstanding problem where if you suspend scp(1) at the
>> password/passphrase prompt the terminal mode is not restored.
>>
>> * Fix PKCS#11 crash on some smartcards by checking the length
>> returned for C_GetAttributeValue for != 0 (bz#1773)
>>
>> * sftp(1): unbreak ls in working directories that contain globbing
>> characters in their pathnames (bz#1655)
>>
>> * Print warning for missing home directory when ChrootDirectory=none
>> (bz#1564)
>>
>> * sftp(1): fix memory leak in do_realpath() error path (bz#1771)
>>
>> * ssh-keygen(1): Standardise error messages when attempting to open
>> private key files to include "progname: filename: error reason"
>> (bz#1783)
>>
>> * Replace verbose and overflow-prone Linebuf code with
>> read_keyfile_line() (bz#1565)
>>
>> * Include the user name on "subsystem request for ..." log messages
>>
>> * ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses
>> and port forwards per direction (bz#1327)
>>
>> * sshd(8): ignore stderr output from subsystems to avoid hangs if a
>> subsystem or shell initialisation writes to stderr (bz#1750)
>>
>> * Skip the initial check for access with an empty password when
>> PermitEmptyPasswords=no (bz#1638)
>>
>> * sshd(8): fix logspam when key options (from="..." especially) deny
>> non-matching keys (bz#1765)
>>
>> * ssh-keygen(1): display a more helpful error message when $HOME is
>> inaccessible while trying to create .ssh directory (bz#1740)
>>
>> * ssh(1): fix hang when terminating a mux slave using ~. (bz#1758)
>>
>> * ssh-keygen(1): refuse to generate keys longer than
>> OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use
>> them anyway (bz#1516)
>>
>> * Suppress spurious tty warning when using -O and stdin is not a tty
>> (bz#1746)
>>
>> * Kill channel when pty allocation requests fail. Fixed stuck client
>> if the server refuses pty allocation (bz#1698)
>>
>> Portable OpenSSH Bugfixes:
>>
>> - sshd(8): increase the maximum username length for login recording
>> to 512 characters (bz#1579)
>>
>> - Initialize the values to be returned from PAM to sane values in case
>> the PAM method doesn't write to them. (bz#1795)
>>
>> - Let configure find OpenSSL libraries in a lib64 subdirectory. (bz#1756)
>>
>> Checksums:
>> ==========
>>
>> - SHA1 (openssh-5.5.tar.gz) = XXX
>> - SHA1 (openssh-5.5p1.tar.gz) = XXX
>>
>> Reporting Bugs:
>> ===============
>>
>> - Please read http://www.openssh.com/report.html
>> Security bugs should be reported directly to openssh at openssh.com
>>
>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>> Ben Lindstrom.
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
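The v01 certificate layout and the principal-matching rules from the quoted announcement, as an added example that is not OpenSSH's own code: it encodes a certificate body in the ssh-rsa-cert-v01@openssh.com field order (nonce first, then the key, serial, principals, critical options and extensions), parses it back, and applies the acceptance rules the notes describe (username or AuthorizedPrincipalsFile/principals= indirection, reject unknown critical options, ignore unknown extensions). The nonce, RSA numbers, signature key and signature are constructed placeholders; nothing is signed or verified, and sample_cert, certificate_accepted and KNOWN_CRITICAL are this example's own names, not OpenSSH APIs.

```python
"""Added example (not OpenSSH code): v01 certificate layout plus 5.6 principal rules.
Key material, nonce and signature are constructed placeholders; nothing is signed."""
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2
KNOWN_CRITICAL = {"force-command", "source-address"}   # critical options this verifier understands


def put_string(b):
    return struct.pack(">I", len(b)) + b


def put_mpint(n):
    # SSH mpint: big-endian two's complement; the extra byte keeps the sign bit clear
    return put_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


def put_list(names):
    # "valid principals": one string holding zero or more string-encoded names
    return put_string(b"".join(put_string(n.encode()) for n in names))


def put_options(opts):
    # critical options / extensions: (string name, string data) pairs sorted by name;
    # data is empty (permit-* extensions) or a string-wrapped value (e.g. source-address)
    out = b""
    for name in sorted(opts):
        data = opts[name]
        out += put_string(name.encode()) + put_string(put_string(data.encode()) if data else b"")
    return put_string(out)


def build_cert(nonce, serial, cert_type, key_id, principals, valid_after, valid_before,
               critical, extensions, e=65537, n=0xC0FFEE0D15EA5E):
    # Field order of ssh-rsa-cert-v01@openssh.com; e/n are placeholders, not a real key
    return (put_string(CERT_TYPE) + put_string(nonce) + put_mpint(e) + put_mpint(n)
            + struct.pack(">QI", serial, cert_type) + put_string(key_id.encode())
            + put_list(principals) + struct.pack(">QQ", valid_after, valid_before)
            + put_options(critical) + put_options(extensions)
            + put_string(b"")                         # reserved
            + put_string(b"placeholder-ca-key")       # signature key (constructed)
            + put_string(b"placeholder-signature"))   # signature (constructed, never checked)


class Reader:
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        chunk, self.off = self.buf[self.off:self.off + n], self.off + n
        return chunk

    def string(self):
        return self.take(struct.unpack(">I", self.take(4))[0])

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]


def parse_list(blob):
    r, names = Reader(blob), []
    while r.off < len(blob):
        names.append(r.string().decode())
    return names


def parse_options(blob):
    r, opts = Reader(blob), {}
    while r.off < len(blob):
        name, data = r.string().decode(), r.string()
        opts[name] = Reader(data).string().decode() if data else ""
    return opts


def parse_cert(blob):
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    cert = {"nonce": r.string()}
    cert["e"] = int.from_bytes(r.string(), "big")
    cert["n"] = int.from_bytes(r.string(), "big")
    cert["serial"], cert["type"] = r.u64(), r.u32()
    cert["key_id"] = r.string().decode()
    cert["principals"] = parse_list(r.string())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"] = parse_options(r.string())
    cert["extensions"] = parse_options(r.string())
    r.string()                                        # reserved, must be present
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    if r.off != len(blob):
        raise ValueError("trailing data after certificate")
    return cert


def certificate_accepted(cert, username, allowed_names=None, now=None):
    """allowed_names=None is the default rule (login name must be a cert principal);
    a list stands in for AuthorizedPrincipalsFile or a principals="..." option."""
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    unknown = set(cert["critical"]) - KNOWN_CRITICAL
    if unknown:                                       # unknown critical option: must reject
        return False, "unknown critical option(s): " + ",".join(sorted(unknown))
    if now is not None and not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "certificate expired or not yet valid"
    if allowed_names is None:
        if not cert["principals"]:                    # ssh-keygen(1): no list = any user
            return True, "no principal list: valid for any user"
        candidates = {username}
    else:
        candidates = set(allowed_names)
    matched = candidates & set(cert["principals"])
    if matched:
        return True, "matched principal " + sorted(matched)[0]
    return False, "no principal matches"              # unknown extensions were simply ignored


def sample_cert(**overrides):
    # Constructed sample: alice's user cert, also usable for the "deploy" role account;
    # the all-zero nonce stands in for the 32 random bytes a real CA would emit
    fields = dict(nonce=b"\x00" * 32, serial=42, cert_type=USER_CERT,
                  key_id="alice@example.org", principals=["alice", "deploy"],
                  valid_after=0, valid_before=2 ** 64 - 1,
                  critical={"source-address": "10.0.0.0/8"}, extensions={"permit-pty": ""})
    fields.update(overrides)
    return parse_cert(build_cert(**fields))


if __name__ == "__main__":
    c = sample_cert()
    print(c["serial"], c["principals"], c["critical"], c["extensions"])
    print(certificate_accepted(c, "bob", allowed_names=["deploy", "ops"]))
```

Running the file prints the parsed fields of the sample and shows the indirection case: login as bob with a principals list containing "deploy" is accepted even though "bob" is not in the certificate. The split between critical options and extensions is the point of the v01 change quoted above: a consumer that does not recognise a critical option has to refuse the certificate, while an unrecognised extension is dropped without affecting the decision.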