Call for testing: OpenSSH-5.6

Andy Tsouladze andyb1 at andy-t.org
Wed Aug 11 06:53:55 EST 2010


Hi there,

All tests passed on slackware-13.0 32-bit.

On slackware-12.0, there were problems.
make works fine, but `make tests' fails.

Attached is the output (stdout and stderr) from `make tests'.  From the 
affected machine:
andyt at majesty: openssh> cat /etc/slackware-version
Slackware 12.0.0
andyt at majesty: openssh> gcc -v
Reading specs from /usr/lib/gcc/i486-slackware-linux/4.1.2/specs
Target: i486-slackware-linux
Configured with: ../gcc-4.1.2/configure --prefix=/usr --enable-shared 
--enable-languages=ada,c,c++,fortran,java,objc --enable-threads=posix 
--enable-__cxa_atexit --disable-checking --with-gnu-ld --verbose 
--with-arch=i486 --target=i486-slackware-linux --host=i486-slackware-linux
Thread model: posix
gcc version 4.1.2

Anything I need to do/re-run to help?

Regards,

Andy

On Tue, 10 Aug 2010, Damien Miller wrote:

> Hi,
>
> OpenSSH 5.6 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a moderately large
> release, with a number of new features and bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Features:
>
> * Added a ControlPersist option to ssh_config(5) that automatically
>   starts a background ssh(1) multiplex master when connecting. This
>   connection can stay alive indefinitely, or can be set to
>   automatically close after a user-specified duration of inactivity.
>
> * Hostbased authentication may now use certificate host keys. CA keys
>   must be specified in a known_hosts file using the @cert-authority
>   marker.
>
> * ssh-keygen(1) now supports signing certificates using a CA key that
>   has been stored in a PKCS#11 token.
>
> * ssh(1) will now log the hostname and address that we connected to at
>   LogLevel=verbose after authentication is successful to mitigate
>   "phishing" attacks by servers with trusted keys that accept
>   authentication silently and automatically before presenting fake
>   password/passphrase prompts.
>
>   Note that, for such an attack to be successful, the user must have
>   disabled StrictHostKeyChecking (enabled by default) or an attacker
>   must have access to a trusted host key for the destination server.
>
> * Expand %h to the hostname in ssh_config Hostname options. While this
>   sounds useless, it is actually handy for working with unqualified
>   hostnames:
>
>     Host *.*
>        Hostname %h
>     Host *
>        Hostname %h.example.org
>
> * Allow ssh-keygen(1) to import (-i) and export (-e) PEM and PKCS#8
>   keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
>   (bz#1749)
>
> * sshd(8) will now queue debug messages for bad ownership or
>   permissions on the user's keyfiles encountered during authentication.
>   These messages will be sent after the user has successfully
>   authenticated. These messages may be viewed in ssh(1) at
>   LogLevel=debug or higher.
>
> * ssh(1) connection multiplexing now supports remote forwarding with
>   dynamic port allocation and can report the allocated port back to
>   the user:
>
>     LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
>
> * sshd(8) now supports indirection in matching of principal names
>   listed in certificates. By default, if a certificate has an
>   embedded principals list then the destination username must match
>   one of the names in the list for it to be accepted for
>   authentication.
>
>   sshd(8) now supports an optional AuthorizedPrincipalsFile to specify
>   a list of names that may be accepted in place of the username when
>   authorizing a certificate trusted via the sshd_config(5)
>   TrustedCAKeys option. Similarly, authentication using a CA trusted
>   in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]"
>   to specify a list of permitted names.
>
>   If either option is absent, the current behaviour of requiring the
>   username to appear in principals continues to apply. These options
>   are useful for role accounts, disjoint account namespaces and
>   "user@realm"-style naming policies in certificates.
>
> * Expose some more sshd_config(5) options inside Match blocks:
>
>     AuthorizedKeysFile
>     AuthorizedPrincipalsFile
>     HostbasedUsesNameFromPacketOnly
>     PermitTunnel
>
> * Revised the format of certificate keys. The new format, identified as
>   ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:
>
>     - Addition of a serial number field. This may be specified by the CA
>       at the time of certificate signing.
>
>     - Moving the nonce field to the beginning of the certificate where
>       it can better protect against chosen-prefix attacks on the
>       signature hash (currently infeasible against the SHA1 hash used)
>
>     - Renaming of the "constraints" field to "critical options"
>
>     - Addition of a new non-critical "extensions" field. The "permit-*"
>       options are now extensions, rather than critical options to
>       permit non-OpenSSH implementation of this key format to degrade
>       gracefully when encountering keys with options they do not
>       recognize.
>
>   The older format is still supported for authentication and cert generation
>   (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate).
>   The older format, introduced in OpenSSH 5.4, will be supported for at
>   least one year from this release, after which it will be deprecated and
>   removed.
>
> BugFixes:
>
> * The PKCS#11 code now retries a lookup for a private key if there's
>   no matching key with CKA_SIGN attribute enabled; this fixes
>   MuscleCard support (bz#1736)
>
> * Unbreak strdelim() skipping past quoted strings, e.g.
>
>       AllowUsers "blah blah" blah
>
>   was broken (bz#1757)
>
> * sftp(1): fix swapped args in upload_dir_internal(), breaking
>   recursive upload depth checks and causing verbose printing of
>   transfers to always be turned on (bz#1797)
>
> * Fix a longstanding problem where if you suspend scp(1) at the
>   password/passphrase prompt the terminal mode is not restored.
>
> * Fix PKCS#11 crash on some smartcards by checking the length
>   returned for C_GetAttributeValue for != 0 (bz#1773)
>
> * sftp(1): unbreak ls in working directories that contain globbing
>   characters in their pathnames (bz#1655)
>
> * Print warning for missing home directory when ChrootDirectory=none
>   (bz#1564)
>
> * sftp(1): fix memory leak in do_realpath() error path (bz#1771)
>
> * ssh-keygen(1): Standardise error messages when attempting to open
>   private key files to include "progname: filename: error reason"
>   (bz#1783)
>
> * Replace verbose and overflow-prone Linebuf code with
>   read_keyfile_line() (bz#1565)
>
> * Include the user name on "subsystem request for ..." log messages
>
> * ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses
>   and port forwards per direction (bz#1327)
>
> * sshd(8): ignore stderr output from subsystems to avoid hangs if a
>   subsystem or shell initialisation writes to stderr (bz#1750)
>
> * Skip the initial check for access with an empty password when
>   PermitEmptyPasswords=no (bz#1638)
>
> * sshd(8): fix logspam when key options (from="..." especially) deny
>   non-matching keys (bz#1765)
>
> * ssh-keygen(1): display a more helpful error message when $HOME is
>   inaccessible while trying to create .ssh directory (bz#1740)
>
> * ssh(1): fix hang when terminating a mux slave using ~. (bz#1758)
>
> * ssh-keygen(1): refuse to generate keys longer than
>   OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use
>   them anyway (bz#1516)
>
> * Suppress spurious tty warning when using -O and stdin is not a tty
>   (bz#1746)
>
> * Kill channel when pty allocation requests fail. Fixed stuck client
>   if the server refuses pty allocation (bz#1698)
>
> Portable OpenSSH Bugfixes:
>
> - sshd(8): increase the maximum username length for login recording
>   to 512 characters (bz#1579)
>
> * Initialize the values to be returned from PAM to sane values in case
>   the PAM method doesn't write to them. (bz#1795)
>
> - Let configure find OpenSSL libraries in a lib64 subdirectory. (bz#1756)
>
> Checksums:
> ==========
>
> - SHA1 (openssh-5.5.tar.gz) = XXX
> - SHA1 (openssh-5.5p1.tar.gz) = XXX
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>  Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.


Dr Andy Tsouladze
Sr Unix/Storage SysAdmin
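
The principal-matching rules described in the quoted release notes (AuthorizedPrincipalsFile and the principals="..." key option), modelled as an added example; this is not part of the original message and not OpenSSH source code. The function names, the one-name-per-line file layout, the fail-closed handling of certificates without a principals list, and the sample data are assumptions made for illustration.

```python
# Simplified model of certificate principal checks (illustrative, not OpenSSH code).
import re

def parse_principals_file(text):
    """Names from an AuthorizedPrincipalsFile: one per line (assumed layout);
    blank lines and '#' comment lines are skipped."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line)
    return names

def parse_principals_option(options):
    """Extract principals="a,b" from an authorized_keys options string.
    Returns None when the option is absent."""
    m = re.search(r'(?:^|,)principals="([^"]*)"', options)
    if m is None:
        return None
    return [n for n in m.group(1).split(",") if n]

def cert_principal_ok(cert_principals, username, allowed=None):
    """Decide whether a CA-signed certificate may log in as `username`.

    allowed is None   -> option absent: the username itself must be listed.
    allowed is a list -> the cert must carry one of those names instead.
    """
    if not cert_principals:
        # Assumption: certificates with no embedded list are outside what the
        # release notes describe, so this model fails closed on them.
        return False
    if allowed is None:
        # "the destination username must match one of the names in the list"
        return username in cert_principals
    # Names "accepted in place of the username": the username is not consulted.
    return any(p in allowed for p in cert_principals)

# Constructed sample data (not from a real system).
PRINCIPALS_FILE = "# role account: deploy\nrelease-eng\nalice@EXAMPLE.ORG\n"
AUTHKEYS_OPTS = 'cert-authority,principals="dba,oncall"'

if __name__ == "__main__":
    allowed = parse_principals_file(PRINCIPALS_FILE)
    print(cert_principal_ok(["release-eng"], "deploy", allowed))  # role account
    print(cert_principal_ok(["deploy"], "deploy", allowed))       # name not listed
```
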

