Call for testing: OpenSSH-5.4

Kevin Brott kevin.brott at gmail.com
Wed Mar 3 13:30:16 EST 2010


That chunk looks okay in regress/cert-hostkey.sh, but since I'm failing in
regress/cert-userkey.sh, I go look and see a block at the top which contains
the following, which looks to be the portability bug:

# Create a CA key and add it to authorized_keys
${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
        fail "ssh-keygen of user_ca_key failed"
(
        echo -n 'cert-authority '
        cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER

Fixing 'echo -n' to 'echon' in regress/cert-userkey.sh causes that test to
pass.

So all but one system builds (RHEL 4.5, I'll dig into that tomorrow), and
regression tests work on everything that builds (except the RH 6.2 build
which is apparently having a gdb issue in agent-ptrace.sh).

Summary 2010.03.02 18:30 PST:
=  RH 6.2 i686 - builds - works - agent-ptrace.sh hangs - all other tests pass
-  RHEL 4.6 i686 - BUILD FAILS in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
+  RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
+  Ubuntu 9.10 x86_64 - builds - works - all tests passed
+  HP-UX B.11.23 ia64 - builds - works - all tests passed
+  HP-UX B.11.31 ia64 - gcc - builds - works - all tests passed
+  HP-UX B.11.31 ia64 - cc/aC++ - builds - works - all tests passed
+  AIX 5.3sp7 - builds - works - all tests passed
+  AIX 6.1sp4 - builds - works - all tests passed

One note on the HP-UX builds - saw several warnings during compile in
auth-options.c like the following, not sure if they're indicative of
anything serious, but it looks like a type conflict.
"auth-options.c", line 421: warning #4212-D: mismatch between character
          pointer types "u_char *" and "const char *"
                if (strcmp(name, "permit-X11-forwarding") == 0)
                           ^
Couple of more test systems tomorrow, as cycles permit.

=====
On Tue, Mar 2, 2010 at 16:45, Damien Miller <djm at mindrot.org> wrote:

> Thanks for the detailed test results! Darren fixed a portability bug in
> the test scripts on the weekend. Could you take a quick look at the start
> of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
> block:
>
> # Create a CA key and add it to known hosts
> ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
>        fail "ssh-keygen of host_ca_key failed"
> (
>        echon '@cert-authority '
>        echon "$HOSTS "
>        cat $OBJ/host_ca_key.pub
> ) > $OBJ/known_hosts-cert
>
> If it uses "echo -n" then you are using the version with the portability
> bug which will cause these tests to fail unexpectedly.
>
> -d
>
> On Tue, 2 Mar 2010, Kevin Brott wrote:
>
> > On Tue, Mar 2, 2010 at 15:30, Damien Miller <djm at mindrot.org> wrote:
> >       On Mon, 1 Mar 2010, Iain Morgan wrote:
> >
> >       > On OS X (Intel), the snapshot builds but fails the regression tests:
> >       >
> > > certified host keys: test host cert connect cert not yet valid expect failure
> > > Invalid certificate time 20200101
> > > couldn't sign cert_host_key_rsa
> > > certified host keys: test host cert connect cert expired expect failure
> > > Invalid certificate time 19800101
> > > couldn't sign cert_host_key_rsa
> >
> > Thanks for the report, this problem is now fixed in CVS and will be in
> > tomorrow's snapshot. If you can't wait or are curious, then this is
> > the diff:
> >
> > Index: ssh-keygen.c
> > ===================================================================
> > RCS file: /var/cvs/openssh/ssh-keygen.c,v
> > retrieving revision 1.192
> > diff -u -r1.192 ssh-keygen.c
> > --- ssh-keygen.c        26 Feb 2010 20:55:06 -0000      1.192
> > +++ ssh-keygen.c        2 Mar 2010 23:05:12 -0000
> > @@ -1243,13 +1243,29 @@
> >  {
> >        struct tm tm;
> >        time_t tt;
> > +       char buf[32], *fmt;
> >
> > -       if (strlen(s) != 8 && strlen(s) != 14)
> > +       /*
> > +        * POSIX strptime says "The application shall ensure that
> > there
> > +        * is white-space or other non-alphanumeric characters between
> > +        * any two conversion specifications" so arrange things this
> > way.
> > +        */
> > +       switch (strlen(s)) {
> > +       case 8:
> > +               fmt = "%Y/%m/%d";
> > +               snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4,
> > s + 6);
> > +               break;
> > +       case 14:
> > +               fmt = "%Y/%m/%d %H:%M:%S";
> > +               snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s
> > %.2s:%.2s:%.2s",
> > +                   s, s + 4, s + 6, s + 8, s + 10, s + 12);
> > +               break;
> > +       default:
> >                fatal("Invalid certificate time format %s", s);
> > +       }
> >
> >        bzero(&tm, sizeof(tm));
> > -       if (strptime(s,
> > -           strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL)
> > +       if (strptime(buf, fmt, &tm) == NULL)
> >                fatal("Invalid certificate time %s", s);
> >        if ((tt = mktime(&tm)) < 0)
> >                fatal("Certificate time %s cannot be represented", s);
> >
> >
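Review bot: in the `strptime(buf, fmt, &tm) == NULL` test at the end of the hunk, only a failed parse is rejected; the returned pointer is not checked for pointing at the terminating NUL, so input that strptime stops consuming early would still be accepted. Since `switch (strlen(s))` validates only the length, consider also verifying that `s` is all digits before the `snprintf` calls, and declaring `fmt` as `const char *` because it only ever points at string literals.
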
> > Gah. What I get for going into heads-down mode with my gmail client open
> > in edit mode.
> >
> > This patch fixes the cert-hostkey.sh regression failure on AIX and HP-UX,
> > but the test results for those builds are now:
> > ...
> > ok certified host keys
> > run test cert-userkey.sh ...
> > certified user keys: sign user rsa cert
> > certified user keys: sign user dsa cert
> > certified user keys: user rsa cert connect privsep yes
> > Permission denied (publickey,password,keyboard-interactive).
> > ssh cert connect failed
> > certified user keys: user dsa cert connect privsep yes
> > Permission denied (publickey,password,keyboard-interactive).
> > ssh cert connect failed
> > certified user keys: user rsa cert connect privsep no
> > Permission denied (publickey,password,keyboard-interactive).
> > ssh cert connect failed
> > certified user keys: user dsa cert connect privsep no
> > Permission denied (publickey,password,keyboard-interactive).
> > ssh cert connect failed
> > certified user keys: ensure CA key does not authenticate user
> > ssh cert connect with CA key succeeded unexpectedly
> > certified user keys: test user cert connect host-certificate expect failure
> > certified user keys: test user cert connect empty principals expect success
> > ssh cert connect empty principals failed unexpectedly
> > certified user keys: test user cert connect wrong principals expect failure
> > certified user keys: test user cert connect cert not yet valid expect failure
> > certified user keys: test user cert connect cert expired expect failure
> > certified user keys: test user cert connect cert valid interval expect success
> > ssh cert connect cert valid interval failed unexpectedly
> > certified user keys: test user cert connect wrong source-address expect failure
> > certified user keys: test user cert connect force-command expect failure
> > failed certified user keys
> > gmake[1]: *** [t-exec] Error 1
> > gmake[1]: Leaving directory `./openssh/regress'
> > make: *** [tests] Error 2
> >
> > Summary:
> >   RH 6.2 - builds - works - agent-ptrace.sh hangs - all other tests pass
> >   RHEL 4.6 i686 - build fails in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
> >   RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
> >   Ubuntu 9.10 x86_64 - builds - works - all tests passed
> >   HP-UX B.11.23 ia64 - builds - works - regression tests fail at cert-userkey.sh
> >   HP-UX B.11.31 ia64 - gcc - builds - works - regression tests fail at cert-userkey.sh
> >   HP-UX B.11.31 ia64 - cc/aC++ - builds - works - regression tests fail at cert-userkey.sh
> >   AIX 5.3sp7 - builds - works - regression tests fail at cert-userkey.sh
> >   AIX 6.1sp4 - builds - works - regression tests fail at cert-userkey.sh
> > --
> > # include <stddisclaimer.h>
> > /* Kevin  Brott <Kevin.Brott at gmail.com> */



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
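
Added example (not part of the original message or of the OpenSSH regress scripts): how the 'echo -n' form splits the authorized_keys entry so that the CA key ends up on a line of its own as a plain key, which matches the "connect with CA key succeeded unexpectedly" result above. It assumes the failing platforms' echo prints "-n" literally, as a System V style echo does; the key string and all function names are constructed, and portable_echon is a printf stand-in, not the project's echon.

```sh
#!/bin/sh
# Constructed sample CA public key line (not a real key).
CA_PUB='ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY user_ca_key'

# Emulates a System V style echo: no -n option, so "-n" is printed as text
# and a newline is always appended (assumed behaviour of the failing hosts).
sysv_echo() { printf '%s\n' "$*"; }

# Portable "echo without newline": printf is specified by POSIX.
portable_echon() { printf '%s' "$*"; }

# build_authorized_keys <sysv|portable>
# Reproduces the block from cert-userkey.sh with the chosen echo flavour.
build_authorized_keys() {
    case $1 in
        sysv)     sysv_echo -n 'cert-authority ' ;;
        portable) portable_echon 'cert-authority ' ;;
    esac
    printf '%s\n' "$CA_PUB"
}

# classify: reads authorized_keys content on stdin and labels each line.
#   ca    - key marked cert-authority (may only sign user certificates)
#   plain - bare key line (the key itself can log in)
#   junk  - line that does not start with an option or key type shown here
classify() {
    while IFS= read -r line; do
        case $line in
            'cert-authority ssh-'*) printf 'ca\n' ;;
            'ssh-'*)                printf 'plain\n' ;;
            *)                      printf 'junk\n' ;;
        esac
    done
}

# audit <sysv|portable>: one label per line of the generated file.
audit() { build_authorized_keys "$1" | classify | tr '\n' ' '; }
```

Running `audit sysv` and `audit portable` side by side shows the difference between a junk line followed by a directly trusted key and a single cert-authority entry.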

