Call for testing: OpenSSH-5.4

Damien Miller djm at mindrot.org
Wed Mar 3 11:45:06 EST 2010


Thanks for the detailed test results! Darren fixed a portability bug in
the test scripts on the weekend. Could you take a quick look at the start
of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
block:

# Create a CA key and add it to known hosts
${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
        fail "ssh-keygen of host_ca_key failed"
(
        echon '@cert-authority '
        echon "$HOSTS "
        cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert

If it uses "echo -n" then you are using the version with the portability
bug which will cause these tests to fail unexpectedly.

-d
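
The "echo -n" versus "echon" difference asked about above, as an added example that is not part of the original message or of the OpenSSH regress scripts: literal_echo stands in for an echo that prints -n literally, and check_ca_entry shows that the resulting file no longer holds a single well-formed @cert-authority line. The echon defined here is a printf-based assumption; the other function names, the host list and the key placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, host list and key material are constructed.

# Portable "print without newline": printf is specified by POSIX, while
# the treatment of "echo -n" is left to the implementation.
echon() {
	printf '%s' "$*"
}

# Stand-in for an echo that does not treat -n as an option: it prints
# "-n" literally and still appends a newline.
literal_echo() {
	printf '%s\n' "$*"
}

# Write a known_hosts CA entry the way the quoted block does.
# $1 = print command, $2 = host list, $3 = CA public key, $4 = output
make_ca_entry() {
	(
		$1 '@cert-authority '
		$1 "$2 "
		cat "$3"
	) > "$4"
}

# Succeed only if the file is one line: marker, hosts, key type, key blob.
check_ca_entry() {
	awk '$1 == "@cert-authority" && NF >= 4 { ok = 1 }
	     END { exit !(ok && NR == 1) }' "$1"
}

demo() {
	dir=$(mktemp -d) || return 1
	# Constructed placeholder, not a real key.
	echo 'ssh-rsa AAAAB3PLACEHOLDER host_ca_key' > "$dir/ca.pub"
	make_ca_entry echon 'host.example,192.0.2.10' "$dir/ca.pub" "$dir/good"
	make_ca_entry 'literal_echo -n' 'host.example,192.0.2.10' \
	    "$dir/ca.pub" "$dir/bad"
	for f in good bad; do
		if check_ca_entry "$dir/$f"; then r=valid; else r=malformed; fi
		echo "$f: $r"
	done
	rm -rf "$dir"
}

demo
```

With the literal echo the marker, the host list and the key each land on their own line and the first line begins with "-n", so host-certificate tests that depend on this file fail for reasons unrelated to the code under test.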

On Tue, 2 Mar 2010, Kevin Brott wrote:

> On Tue, Mar 2, 2010 at 15:30, Damien Miller <djm at mindrot.org> wrote:
>       On Mon, 1 Mar 2010, Iain Morgan wrote:
> 
>       > On OS X (Intel), the snapshot builds but fails the regression tests:
>       >
> > certified host keys: test host cert connect cert not yet valid expect failure
> > Invalid certificate time 20200101
> > couldn't sign cert_host_key_rsa
> > certified host keys: test host cert connect cert expired expect failure
> > Invalid certificate time 19800101
> > couldn't sign cert_host_key_rsa
> 
> Thanks for the report, this problem is now fixed in CVS and will be in
> tomorrow's snapshot. If you can't wait or are curious, then this is the
> diff:
> 
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /var/cvs/openssh/ssh-keygen.c,v
> retrieving revision 1.192
> diff -u -r1.192 ssh-keygen.c
> --- ssh-keygen.c        26 Feb 2010 20:55:06 -0000      1.192
> +++ ssh-keygen.c        2 Mar 2010 23:05:12 -0000
> @@ -1243,13 +1243,29 @@
>  {
>        struct tm tm;
>        time_t tt;
> +       char buf[32], *fmt;
> 
> -       if (strlen(s) != 8 && strlen(s) != 14)
> +       /*
> +        * POSIX strptime says "The application shall ensure that
> there
> +        * is white-space or other non-alphanumeric characters between
> +        * any two conversion specifications" so arrange things this
> way.
> +        */
> +       switch (strlen(s)) {
> +       case 8:
> +               fmt = "%Y/%m/%d";
> +               snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4,
> s + 6);
> +               break;
> +       case 14:
> +               fmt = "%Y/%m/%d %H:%M:%S";
> +               snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s
> %.2s:%.2s:%.2s",
> +                   s, s + 4, s + 6, s + 8, s + 10, s + 12);
> +               break;
> +       default:
>                fatal("Invalid certificate time format %s", s);
> +       }
> 
>        bzero(&tm, sizeof(tm));
> -       if (strptime(s,
> -           strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL)
> +       if (strptime(buf, fmt, &tm) == NULL)
>                fatal("Invalid certificate time %s", s);
>        if ((tt = mktime(&tm)) < 0)
>                fatal("Certificate time %s cannot be represented", s);
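Review bot: Nothing in the new switch checks that s consists only of digits before it is cut at fixed offsets into buf, so rejecting anything else is left entirely to strptime, and this thread already shows strptime behaving differently from one platform to the next. A short isdigit() loop over s ahead of the switch, failing with the existing "Invalid certificate time format %s" message, would make every platform reject the same inputs. A smaller point on the declaration line: fmt only ever points at string literals, so it could be declared const char *.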
> 
> 
> Gah. What I get for going into heads-down mode with my gmail client open in
> edit mode.
> 
> This patch fixes the cert-hostkey.sh regression failure on AIX and HP-UX,
> but the test results for those builds are now:
> ...
> ok certified host keys
> run test cert-userkey.sh ...
> certified user keys: sign user rsa cert
> certified user keys: sign user dsa cert
> certified user keys: user rsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user rsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: ensure CA key does not authenticate user
> ssh cert connect with CA key succeeded unexpectedly
> certified user keys: test user cert connect host-certificate expect failure
> certified user keys: test user cert connect empty principals expect success
> ssh cert connect empty principals failed unexpectedly
> certified user keys: test user cert connect wrong principals expect failure
> certified user keys: test user cert connect cert not yet valid expect failure
> certified user keys: test user cert connect cert expired expect failure
> certified user keys: test user cert connect cert valid interval expect success
> ssh cert connect cert valid interval failed unexpectedly
> certified user keys: test user cert connect wrong source-address expect failure
> certified user keys: test user cert connect force-command expect failure
> failed certified user keys
> gmake[1]: *** [t-exec] Error 1
> gmake[1]: Leaving directory `./openssh/regress'
> make: *** [tests] Error 2
> 
> Summary:
>   RH 6.2 - builds - works - agent-ptrace.sh hangs - all other tests pass
>   RHEL 4.6 i686 - build fails in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
>   RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
>   Ubuntu 9.10 x86_64 - builds - works - all tests passed
>   HP-UX B.11.23 ia64 - builds - works - regression tests fail at cert-userkey.sh
>   HP-UX B.11.31 ia64 - gcc - builds - works - regression tests fail at cert-userkey.sh
>   HP-UX B.11.31 ia64 - cc/aC++ - builds - works - regression tests fail at cert-userkey.sh
>   AIX 5.3sp7 - builds - works - regression tests fail at cert-userkey.sh
>   AIX 6.1sp4 - builds - works - regression tests fail at cert-userkey.sh
> --
> # include <stddisclaimer.h>
> /* Kevin  Brott <Kevin.Brott at gmail.com> */