From contact at setit.rnu.tn Sat Jan 1 10:33:55 2011
From: contact at setit.rnu.tn (Med Salim BOUHLEL)
Date: Sat, 1 Jan 2011 00:33:55 +0100
Subject: Happy New Year 2011
Message-ID: <13482125429762279425337@salm-2db062c067>

Assalaam 'alaikum

A year that ends is a stone thrown into the depths of the space of time with its farewell resonances, and gives birth to a new year with joyful screams.

Happy new year
Best wishes
SALAM yours.

Mohamed Salim BOUHLEL
General Chair, SETIT 2011
Director of the Higher Institute of Electronics and Communication of Sfax
Head of Research Unit: Sciences & Technologies of Image and Telecommunications (Sfax University)
GSM +216 20 200005
Skype Name: UR-SETIT

=============================================================================
This email is sent out to all those on the SETIT database. If you want to be removed from this database, please send an email to unsubscribe.setit at gmail.com with subject Unsubscribe
=============================================================================

From djm at mindrot.org Sat Jan 1 21:23:50 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 1 Jan 2011 21:23:50 +1100 (EST)
Subject: Problem with anonymous CVS server
In-Reply-To: <20101230161909.GE6057@linux124.nas.nasa.gov>
References: <20101230161909.GE6057@linux124.nas.nasa.gov>
Message-ID:

On Thu, 30 Dec 2010, Iain Morgan wrote:

> Hi,
>
> I noticed the following problem while doing a CVS update from
> anoncvs.mindrot.org:
>
>
> $ cvs up
> cvs server: cannot open directory /cvs/openssh: Operation not permitted
> cvs server: skipping directory
> cvs server: cannot read directory .: Operation not permitted

Fixed - thanks for the notice (and apologies for the hassle).

-d

From djm at mindrot.org Sat Jan 1 21:29:02 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 1 Jan 2011 21:29:02 +1100 (EST)
Subject: openssh and keystroke timing attacks (again)
In-Reply-To:
References:
Message-ID:

On Mon, 27 Dec 2010, Andrew Clausen wrote:

> Hi Damien,
>
> On 27 December 2010 17:06, Damien Miller wrote:
> > I'd like to have better keystroke timing countermeasures in OpenSSH, but
> > they are just too intrusive under the current mainloop design. I'd like
> > to renovate the mainloop some time and this would make implementing things
> > like this quite a bit more easy.
>
> Yes, I agree that the client_loop() could do with some renovation.
> What did you have in mind?

Probably converting it to libevent.

> For what it's worth, I actually implemented most of my proposal before
> finding Jason's patch from 10 years ago. I only implemented the idea
> of only checking for input at regular intervals... there are no dummy
> messages, but that is trivial to add. I attached my patch (against
> the source I lazily acquired via Ubuntu's 10.10 apt-get source
> command).
>
> The main structural ingredient in the patch is a wrapper to select(2).
> This allows the caller to specify a list of timing events to be woken
> up on, in addition to file activity events. This makes it easier to
> "multiplex" multiple timing events such as tcp_keep_alive and
> keystroke countermeasures along with the I/O events. The wrapper's
> prototype and commentary follow:
>
> /* This wrapper to select(2) allows the user to supply a list of sleep times
>  * to be woken up on. The process is woken up either after activity on the
>  * fds, or when the soonest sleep time arrives. In the latter case, the
>  * index of the relevant sleep event is recorded in *active_time.
>  */
> static int
> select_times(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
>     int ntimes, struct timeval **times, int *active_time)

That's a nice solution. However, I don't want to add further complexity here at least until I have had one good crack at a libevent conversion. Hopefully I'll get some time to look at this early this year.

-d

From sxw at inf.ed.ac.uk Sun Jan 2 09:53:54 2011
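As an added illustration of the design Andrew describes in the exchange above (my own code, not the patch from the thread or anything in OpenSSH): a select(2) wrapper with the quoted select_times() prototype, plus the "only check for input at regular intervals" loop it is meant to drive, so that packet timing follows a fixed tick rather than the typing rhythm. The tick interval, the pipe-based "typist" child and every helper name are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

static long tv_us(const struct timeval *t) { return t->tv_sec * 1000000L + t->tv_usec; }
static void us_tv(long us, struct timeval *t) { t->tv_sec = us / 1000000L; t->tv_usec = us % 1000000L; }

/* select(2) plus ntimes remaining sleep times (NULL entries unused). Returns
 * select()'s result; on timeout (0) *active_time is the index of the soonest
 * sleep time, else -1. Every entry is reduced by the time spent waiting, so
 * the caller can keep passing the same array around its loop. */
static int
select_times(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
    int ntimes, struct timeval **times, int *active_time)
{
	struct timeval before, after, wait, *tvp = NULL;
	long elapsed, rem;
	int i, soonest = -1, ret;
	*active_time = -1;
	for (i = 0; i < ntimes; i++)
		if (times[i] && (soonest < 0 || tv_us(times[i]) < tv_us(times[soonest])))
			soonest = i;
	if (soonest >= 0) {
		wait = *times[soonest];	/* a copy: Linux select() writes to it */
		tvp = &wait;
	}
	gettimeofday(&before, NULL);
	ret = select(nfds, readfds, writefds, exceptfds, tvp);
	gettimeofday(&after, NULL);
	elapsed = tv_us(&after) - tv_us(&before);
	for (i = 0; i < ntimes; i++) {	/* charge the wait to every timer */
		if (times[i] == NULL) continue;
		rem = tv_us(times[i]) - elapsed;
		us_tv(rem > 0 ? rem : 0, times[i]);
	}
	if (ret == 0)
		*active_time = soonest;
	return ret;
}

/* Countermeasure loop: keystrokes are read from fd as they arrive but only
 * "sent" (counted as one packet) when the interval tick fires, so packet
 * timing follows the tick, not the typing rhythm. A tick that reaches zero
 * while fds stayed busy counts as fired, else a busy fd could starve it. */
static int
paced_sender(int fd, long interval_us, int *nbytes)
{
	char buf[256], pending[1024];
	struct timeval tick, *times[1] = { &tick };
	fd_set rfds;
	int active, n, npend = 0, packets = 0, eof = 0;
	*nbytes = 0;
	us_tv(interval_us, &tick);
	while (!eof || npend > 0) {
		FD_ZERO(&rfds);
		if (!eof) FD_SET(fd, &rfds);
		n = select_times(fd + 1, &rfds, NULL, NULL, 1, times, &active);
		if (n > 0 && FD_ISSET(fd, &rfds)) {
			n = read(fd, buf, sizeof(buf));
			if (n <= 0) eof = 1;	/* EOF or error: stop reading */
			else if (npend + n <= (int)sizeof(pending)) {
				memcpy(pending + npend, buf, n); npend += n;
			}
		}
		if (active == 0 || tv_us(&tick) == 0) {	/* tick: flush, rearm */
			if (npend > 0) { packets++; *nbytes += npend; npend = 0; }
			us_tv(interval_us, &tick);
		}
	}
	return packets;
}

/* Demo: a child "types" 9 bytes about 1 ms apart into a pipe; with a 100 ms
 * tick they leave in far fewer than 9 packets. Returns 1 on that outcome. */
int
demo_paced_ok(void)
{
	struct timeval gap;
	int fds[2], i, nbytes, packets;
	pid_t pid;
	if (pipe(fds) != 0 || (pid = fork()) < 0) return 0;
	if (pid == 0) {	/* the "typist": one byte, then a 1 ms pause */
		close(fds[0]);
		for (i = 0; i < 9; i++) {
			if (write(fds[1], "k", 1) != 1) _exit(1);
			us_tv(1000, &gap); select(0, NULL, NULL, NULL, &gap);
		}
		_exit(0);
	}
	close(fds[1]);
	packets = paced_sender(fds[0], 100000, &nbytes);
	close(fds[0]);
	waitpid(pid, NULL, 0);
	return packets >= 1 && packets < 9 && nbytes == 9;
}
```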
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Sat, 1 Jan 2011 22:53:54 +0000
Subject: New release of GSSAPI Key Exchange patch
Message-ID:

[ If you're not familiar with the GSSAPI key exchange patches, or unsure why they make OpenSSH usable in large Kerberos deployments, http://www.sxw.org.uk/computing/patches/openssh.html contains some background information ]

Regular readers of these emails will be aware that they've recently all begun with apologies for the delay in producing the patch - this has been down to a poor tool chain, and $work using systems which no longer have a need for these patches to work with the latest and greatest OpenSSH binary.

So, the major announcement here is that I've made significant changes to the way in which these patches are produced. This should hopefully both make it easier (and quicker) for me to produce them in future, and make it simpler for others who want to produce patches based upon them.

Firstly, I've created a git-cvsimport mirror of the OpenSSH portable repository at https://github.com/SimonWilkinson/openssh/ This is a regularly updated git repository which purely tracks the code available from anoncvs.mindrot.org.

Secondly, the GSSAPI OpenSSH key exchange patches are now based on a clone of this git tree. This makes it much easier to track the patches, and to merge them into forthcoming releases. The tree with the patches in is available from https://github.com/SimonWilkinson/gss-openssh/

A patch for each release will continue to be available from my website at http://www.sxw.org.uk/computing/patches/openssh.html

As well as updating the patch to OpenSSH 5.6p1, the new release also adds support for a GSSAPIServerIdentity client configuration directive. This allows the user to give the GSSAPI acceptor identity (Kerberos principal) which the server will use to accept their request. It is useful in situations such as port forwarding, where the name that must be used to reach a particular host doesn't match the name that that machine knows itself by. Thanks to Jim Basney for this code!

Cheers,

Simon.

From clausen at econ.upenn.edu Mon Jan 3 05:39:52 2011
From: clausen at econ.upenn.edu (Andrew Clausen)
Date: Sun, 2 Jan 2011 13:39:52 -0500
Subject: openssh and keystroke timing attacks (again)
In-Reply-To:
References:
Message-ID:

Hi Damien,

On 1 January 2011 05:29, Damien Miller wrote:
>> Yes, I agree that the client_loop() could do with some renovation.
>> What did you have in mind?
>
> Probably converting it to libevent.

That sounds like a good idea. It's a fairly big job though... channels.c would need to be changed substantially, and

void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
void channel_after_select(fd_set *, fd_set *);

would disappear from channels.h. These are called from clientloop.c, serverloop.c and ssh-agent.c, which also need a lot of work. So I don't think I'll have time to do it. But I think it's worth doing!

Cheers,
Andrew

From djm at mindrot.org Mon Jan 3 15:23:23 2011
From: djm at mindrot.org (Damien Miller)
Date: Mon, 3 Jan 2011 15:23:23 +1100 (EST)
Subject: experimental mercurial repository available
Message-ID:

Hi,

Quite a few people have asked to be able to access OpenSSH sources using a DVCS, so I have made a Mercurial repository available at http://hg.mindrot.org/openssh

You can fetch a copy using:

hg clone http://hg.mindrot.org/openssh openssh

You can also view the web interface directly, which might be handy for fetching diffs of changesets to cherry-pick.

The repository is synchronised from CVS using "hg convert" automatically after every commit and updates within 30 minutes.

The hg repository is still experimental, so please report any problems to me as you find them.

-d

From bert.wesarg at googlemail.com Thu Jan 6 08:22:44 2011
From: bert.wesarg at googlemail.com (Bert Wesarg) Date: Wed, 5 Jan 2011 22:22:44 +0100 Subject: [PATCH] fix %n expansion in LocalCommand Message-ID: <1294262564-8401-1-git-send-email-bert.wesarg@googlemail.com> After the commit titled "expand %h to the hostname in ssh_config Hostname options" (2010-07-16), %n always got the same value as %h in the LocalCommand config option. Fix this and add a regression test. --- regress/Makefile | 6 ++++-- regress/host-expand.sh | 18 ++++++++++++++++++ ssh.c | 6 ++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/regress/Makefile b/regress/Makefile index 9ebb250..20c40a0 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -56,7 +56,8 @@ LTESTS= connect \ keytype \ kextype \ cert-hostkey \ - cert-userkey + cert-userkey \ + host-expand INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp @@ -75,7 +76,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ known_hosts-cert host_ca_key* cert_host_key* \ putty.rsa2 sshd_proxy_orig \ - authorized_principals_${USER} + authorized_principals_${USER} \ + expect actual # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/host-expand.sh b/regress/host-expand.sh new file mode 100644 index 0000000..cd4e03c --- /dev/null +++ b/regress/host-expand.sh @@ -0,0 +1,18 @@ +# Placed in the Public Domain. + +tid="expand %h and %n" + +echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy +printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy + +cat >expect <actual + diff -u expect actual || fail "$tid proto $p" +done + diff --git a/ssh.c b/ssh.c index ec690ae..a11e0ae 100644 --- a/ssh.c +++ b/ssh.c 
@@ -221,7 +221,7 @@ int main(int ac, char **av) { int i, r, opt, exit_status, use_syslog; - char *p, *cp, *line, *argv0, buf[MAXPATHLEN]; + char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; struct stat st; struct passwd *pw; int dummy, timeout_ms; @@ -693,6 +693,8 @@ main(int ac, char **av) options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; } + /* preserve host name given on command line for %n expansion */ + host_arg = host; if (options.hostname != NULL) { host = percent_expand(options.hostname, "h", host, (char *)NULL); @@ -707,7 +709,7 @@ main(int ac, char **av) debug3("expanding LocalCommand: %s", options.local_command); cp = options.local_command; options.local_command = percent_expand(cp, "d", pw->pw_dir, - "h", host, "l", thishost, "n", host, "r", options.user, + "h", host, "l", thishost, "n", host_arg, "r", options.user, "p", buf, "u", pw->pw_name, (char *)NULL); debug3("expanded LocalCommand: %s", options.local_command); xfree(cp); -- tg: (6457603..) bw/fix-percent-n (depends on: master) From djm at mindrot.org Thu Jan 6 23:31:24 2011 
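Review bot: in the regress/host-expand.sh hunk, the here-document fed to `cat >expect` and the `for p in ...` loop header do not appear as shown (the text jumps from `cat >expect <actual` straight to `diff -u expect actual ... done`), so the expected `%n`/`%h` values cannot be checked from this copy. Also `expect` and `actual` are created relative to the current directory while the script's own configuration goes to `$OBJ/ssh_proxy`, so in an out-of-tree build they land beside the sources and the `expect actual` names added to CLEANFILES in regress/Makefile may not match them. Suggest `cat >$OBJ/expect`, `>$OBJ/actual` and `diff -u $OBJ/expect $OBJ/actual`.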
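Review bot: the ssh.c hunk takes `host_arg = host` before the `options.hostname` expansion and unconditionally, so `%n` gets the command-line name whether or not a Hostname directive is set. The one thing worth flagging is that `host` is reassigned to the freshly expanded string immediately afterwards while `host_arg` keeps pointing at the original buffer; a short comment at the `percent_expand(options.hostname, "h", host, ...)` call saying the original string is intentionally kept alive for `%n` would save the next reader from checking that nothing frees it in between.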
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2011 23:31:24 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
Message-ID:

Hi,

OpenSSH 5.7 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of large and intrusive features and changes and quite a number of bug fixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs or via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.

  Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.

  Certificate host and user keys using the new ECDSA key types are supported - an ECDSA key may be certified, and an ECDSA key may act as a CA to sign certificates.

  ECDH in a 256 bit curve field is the preferred key agreement algorithm when both the client and server support it. ECDSA host keys are preferred when learning a host's keys for the first time.

* sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command.

* scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.

* ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.

* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.

* sftp(1): the sftp client is now significantly faster, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.

* ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed.

* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.

* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1).

BugFixes:

* ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories
* ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel; bz#1842
* sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode; bz#1719, ok dtucker
* scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837
* sftp-server(8): umask should be parsed as octal
* sftp(1): escape '[' in filename tab-completion
* ssh(1): Typo in confirmation message. bz#1827
* sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
* Support building against openssl-1.0.0a
* sshd(8): Use default shell /bin/sh if $SHELL is ""
* ssh(1): kill proxy command on fatal() (we already kill it on clean exit);
* ssh(1): install a SIGCHLD handler to reap expired child process

Portable OpenSSH Bugfixes:

* Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively.
* sshd(8): Relax permission requirement on btmp logs to allow group read/write
* bz#1840: fix warning when configuring --with-ssl-engine
* sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817
* sshd(8): bz#1824: Add Solaris Project support.
* sshd(8): Check is_selinux_enabled for exact return code since it can apparently return -1 under some conditions.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

From jchadima at redhat.com Fri Jan 7 00:08:06 2011
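The mux-socket bullet in the release notes above describes a race-free creation sequence; what follows is an added example of that sequence (my own code, not ssh(1)'s mux implementation): bind on a temporary name, listen(), link() into place, and on the client side distinguish a socket that is accepting from a stale file. Function names, the backlog, the temporary-name scheme and the demo directory under /tmp are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un for path; -1 with ENAMETOOLONG if it does not fit. */
static int
un_addr(struct sockaddr_un *sun, const char *path)
{
	if (strlen(path) >= sizeof(sun->sun_path)) { errno = ENAMETOOLONG; return -1; }
	memset(sun, 0, sizeof(*sun));
	sun->sun_family = AF_UNIX;
	strcpy(sun->sun_path, path);
	return 0;
}

/* Server side: bind a private temporary name, listen(), and only then
 * link() the socket to its real name. link() refuses to overwrite, so two
 * servers cannot clobber each other, and a client that finds the real name
 * always finds a socket that is already accepting. Returns the listening
 * fd, or -1 with errno set (EEXIST: something already sits at path). */
int
mux_listen(const char *path)
{
	struct sockaddr_un sun;
	char tmp[sizeof(sun.sun_path)];
	int fd, r;

	r = snprintf(tmp, sizeof(tmp), "%s.%ld", path, (long)getpid());
	if (r < 0 || (size_t)r >= sizeof(tmp)) { errno = ENAMETOOLONG; return -1; }
	if (un_addr(&sun, tmp) < 0) return -1;
	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
	unlink(tmp);	/* leftover of a crashed run with the same pid */
	if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0 || listen(fd, 64) < 0 ||
	    link(tmp, path) < 0) {
		r = errno; close(fd); unlink(tmp); errno = r;
		return -1;
	}
	unlink(tmp);	/* the real name is now the only one */
	return fd;
}

/* Client side: 1 = server accepting (connected fd in *cfd if non-NULL),
 * 0 = no socket at path, -1 = stale socket file (connection refused, safe
 * to unlink before starting a new server), -2 = other error. */
int
mux_probe(const char *path, int *cfd)
{
	struct sockaddr_un sun;
	int fd, e;

	if (un_addr(&sun, path) < 0) return -2;
	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -2;
	if (connect(fd, (struct sockaddr *)&sun, sizeof(sun)) == 0) {
		if (cfd) *cfd = fd; else close(fd);
		return 1;
	}
	e = errno; close(fd);
	return e == ENOENT ? 0 : e == ECONNREFUSED ? -1 : -2;
}

/* Demo in a private directory under /tmp: a live server probes as 1, a
 * second mux_listen() on the same path fails with EEXIST, and after the
 * server closes its fd the left-over file probes as stale (-1). Returns 1
 * when all three hold. */
int
demo_mux(void)
{
	char dir[64], path[80];
	int sfd, live, dup_refused, stale;

	snprintf(dir, sizeof(dir), "/tmp/muxdemo.%ld", (long)getpid());
	if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -1;
	snprintf(path, sizeof(path), "%s/mux", dir);
	unlink(path);
	if ((sfd = mux_listen(path)) < 0) { rmdir(dir); return -2; }
	live = mux_probe(path, NULL);
	dup_refused = mux_listen(path) < 0 && errno == EEXIST;
	close(sfd);
	stale = mux_probe(path, NULL);
	unlink(path); rmdir(dir);
	return live == 1 && dup_refused && stale == -1;
}
```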
From: jchadima at redhat.com (Jan Chadima)
Date: Thu, 6 Jan 2011 08:08:06 -0500 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
Message-ID: <886142099.271576.1294319286726.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate
> testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number
> of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
>
Hello,

snapshot from Jan 6 2011 failed on rhel6:

cd ./regress || exit $?; \
make \
.OBJDIR="${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="${BUILDDIR}" \
OBJ="${BUILDDIR}/regress/" \
PATH="${BUILDDIR}:${PATH}" \
TEST_SHELL="${TEST_SHELL}" \
TEST_SSH_SSH="${TEST_SSH_SSH}" \
TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="yes" \
EXEEXT="" \
tests && echo all tests passed
make[1]: Entering directory `/home/jfch/test/openssh/regress'
ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
tr '\n' '\r' /home/jfch/test/openssh/regress/rsa_ssh2_cr.prv
ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2_cr.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
awk '{print $0 "\r"}' /home/jfch/test/openssh/regress/rsa_ssh2.prv > /home/jfch/test/openssh/regress/rsa_ssh2_crnl.prv
ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2_crnl.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
cat /home/jfch/test/openssh/regress/rsa_openssh.prv > /home/jfch/test/openssh/regress//t2.out
chmod 600 /home/jfch/test/openssh/regress//t2.out
ssh-keygen -yf /home/jfch/test/openssh/regress//t2.out | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
ssh-keygen -ef /home/jfch/test/openssh/regress/rsa_openssh.pub >/home/jfch/test/openssh/regress//rsa_secsh.pub
ssh-keygen -if /home/jfch/test/openssh/regress//rsa_secsh.pub | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
rm -f /home/jfch/test/openssh/regress/rsa_secsh.pub
ssh-keygen -lf /home/jfch/test/openssh/regress/rsa_openssh.pub |\
awk '{print $2}' | diff - /home/jfch/test/openssh/regress/t4.ok
0a1
> 3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
make[1]: *** [t4] Error 1
make[1]: Leaving directory `/home/jfch/test/openssh/regress'
make: *** [tests] Error 2

--
JFCh

From jchadima at redhat.com Fri Jan 7 00:19:40 2011
From: jchadima at redhat.com (Jan Chadima)
Date: Thu, 6 Jan 2011 08:19:40 -0500 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
Message-ID: <671187262.271717.1294319980378.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate
> testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number
> of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
RHEL 5 pass without problems.

--
JFCh

From cristian.ionescu-idbohrn at axis.com Fri Jan 7 03:40:32 2011
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Thu, 6 Jan 2011 17:40:32 +0100 (CET)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <1101061732240.7745@somehost>

On Thu, 6 Jan 2011, Damien Miller wrote:
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

On a debian unstable (aka. sid), this:

http://www.mindrot.org/openssh_snap/openssh-SNAP-20110107.tar.gz

passes "all" tests; at least says so "all tests passed". Still, this patch:

--- regress/cert-userkey.sh.orig 2010-11-05 08:23:38.000000000 +0100
+++ regress/cert-userkey.sh 2011-01-06 17:27:51.000000000 +0100
@@ -5,7 +5,7 @@ tid="certified user keys"

# used to disable ECC based tests on platforms without ECC
ecdsa=""
-if "$TEST_SSH_ECC" = "yes"; then
+if [ "$TEST_SSH_ECC" = yes ]; then
ecdsa=ecdsa
fi

is, IMO, sure needed :)

Cheers,

--
Cristian

From andyb1 at andy-t.org Fri Jan 7 04:23:50 2011
From: andyb1 at andy-t.org (Andy Tsouladze)
Date: Thu, 6 Jan 2011 11:23:50 -0600 (CST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

Using openssh-SNAP-20110107.tar.gz:

Slackware-12.0 and slackware 13.0 both pass all tests.

Regards,

Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

From imorgan at nas.nasa.gov Fri Jan 7 04:54:26 2011
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 6 Jan 2011 09:54:26 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <20110106175426.GF6057@linux124.nas.nasa.gov>

On Thu, Jan 06, 2011 at 06:31:24 -0600, Damien Miller wrote:
>
> * scp(1): Add a new -3 option to scp: Copies between two remote hosts
>   are transferred through the local host. Without this option the
>   data is copied directly between the two remote hosts.
>

Hi Damien,

Unfortunately, this breaks the command-line compatibility between scp(1) and sftp(1) that was recently achieved. Admittedly, sftp doesn't support transfers between two remote hosts, but it might be worthwhile to add some dummy support to sftp(1) to preserve the compatibility. In other words, it should accept but ignore -3.

--
Iain Morgan

From bert.wesarg at googlemail.com Fri Jan 7 06:45:51 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Thu, 6 Jan 2011 20:45:51 +0100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

On Thu, Jan 6, 2011 at 13:31, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.

Please consider my patch sent yesterday (fix %n expansion in LocalCommand) to fix this regression introduced in 5.6.

Thanks.

Bert

From djm at mindrot.org Fri Jan 7 09:46:43 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2011 09:46:43 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

On Thu, 6 Jan 2011, Bert Wesarg wrote:

> On Thu, Jan 6, 2011 at 13:31, Damien Miller wrote:
> >
> > Hi,
> >
> > OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains a
> > couple of large and intrusive features and changes and quite a number of
> > bug fixes.
>
> Please consider my patch sent yesterday (fix %n expansion in
> LocalCommand) to fix this regression introduced in 5.6.

Applied - thanks

-d

From djm at mindrot.org Fri Jan 7 09:48:03 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2011 09:48:03 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <20110106175426.GF6057@linux124.nas.nasa.gov>
References: <20110106175426.GF6057@linux124.nas.nasa.gov>
Message-ID:

On Thu, 6 Jan 2011, Iain Morgan wrote:

> On Thu, Jan 06, 2011 at 06:31:24 -0600, Damien Miller wrote:
> >
> > * scp(1): Add a new -3 option to scp: Copies between two remote hosts
> >   are transferred through the local host. Without this option the
> >   data is copied directly between the two remote hosts.
> >
>
> Hi Damien,
>
> Unfortunately, this breaks the command-line compatibility between scp(1)
> and sftp(1) that was recently achieved. Admittedly, sftp doesn't support
> transfers between two remote hosts, but it might be worthwhile to add
> some dummy support to sftp(1) to preserve the compatibility. In other
> words, it should accept but ignore -3.

Well, sftp doesn't support remote->remote transfers at all yet so the commandline syntax isn't 100% complete to begin with.

-d

From djm at mindrot.org Fri Jan 7 09:54:47 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2011 09:54:47 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <1101061732240.7745@somehost>
References: <1101061732240.7745@somehost>
Message-ID:

applied - thanks! (cert-hostkey.sh too)

On Thu, 6 Jan 2011, Cristian Ionescu-Idbohrn wrote:

> On Thu, 6 Jan 2011, Damien Miller wrote:
> >
> > OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains a
> > couple of large and intrusive features and changes and quite a number of
> > bug fixes.
> >
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
>
> On a debian unstable (aka. sid), this:
>
> http://www.mindrot.org/openssh_snap/openssh-SNAP-20110107.tar.gz
>
> passes "all" tests; at least says so "all tests passed". Still, this
> patch:
>
> --- regress/cert-userkey.sh.orig 2010-11-05 08:23:38.000000000 +0100
> +++ regress/cert-userkey.sh 2011-01-06 17:27:51.000000000 +0100
> @@ -5,7 +5,7 @@ tid="certified user keys"
>
> # used to disable ECC based tests on platforms without ECC
> ecdsa=""
> -if "$TEST_SSH_ECC" = "yes"; then
> +if [ "$TEST_SSH_ECC" = yes ]; then
> ecdsa=ecdsa
> fi
>
>
> is, IMO, sure needed :)
>
>
> Cheers,
>
> --
> Cristian
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From openssh at roumenpetrov.info Fri Jan 7 08:00:32 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Thu, 06 Jan 2011 23:00:32 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <4D262D70.90103@roumenpetrov.info>

Damien Miller wrote:
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
[SNIP]
Now make target "distprep" is broken. So either remove dependency from catman-do or provide bootstrap shell script, please.

Roumen

From djm at mindrot.org Fri Jan 7 13:07:06 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2011 13:07:06 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <4D262D70.90103@roumenpetrov.info>
References: <4D262D70.90103@roumenpetrov.info>
Message-ID:

On Thu, 6 Jan 2011, Roumen Petrov wrote:

> Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> [SNIP]
> Now make target "distprep" is broken. So either remove dependency from
> catman-do or provide bootstrap shell script, please.

Works for me. Can you please provide the output of a failing make?

-d

From bert.wesarg at googlemail.com Fri Jan 7 22:50:21 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Fri, 7 Jan 2011 12:50:21 +0100
Subject: [RFC/PATCH] ssh: config directive to modify the local environment
Message-ID: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com>

This provides a mechanism to attach arbitrary configure options into the ssh_config file and use them from the LocalCommand and ProxyCommand.

Examples:

# set FOO to foo
LocalEnvMod FOO = foo

# append bar to FOO with default separator ","
LocalEnvMod FOO += bar

# unset FOO
LocalEnvMod FOO =

# append foo to BAR with separator ":", if BAR is empty no separator will
# be used
LocalEnvMod BAR +:= foo

# prepend baz to BAR with separator ":"
LocalEnvMod BAR %:= baz

Currently any character can be used as separator.

My intended use case for this is to automount arbitrary remote directories via sshfs based on the host by the mux master via LocalCommand. I have a default of 'mount the remote home at ~/Remotes/' but I can add more mount directives based on individual hosts.

The LocalEnvMod directive is cumulative, and directives are executed within one file in order (ie. from top to bottom), but in reverse order of file parsing. That is, directives in ~/.ssh/config are executed after /etc/ssh/ssh_config, but command line directives (-oLocalEnvMod=) will be executed last.

If there are security concerns what variables are allowed to change, we could use a blacklist (HOME, SHELL, ... come to mind).
---
 readconf.c             |  172 +++++++++++++++++++++++++++++++++++++++-
 readconf.h             |   11 +++
 regress/Makefile       |    4 +-
 regress/localenvmod.sh |  210 ++++++++++++++++++++++++++++++++++++++++++++++++
 ssh.c                  |   57 +++++++++++++
 5 files changed, 452 insertions(+), 2 deletions(-)

diff --git a/readconf.c b/readconf.c
index eb4a8b9..9f862a9 100644
--- a/readconf.c
+++ b/readconf.c
@@ -135,7 +135,7 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, - oDeprecated, oUnsupported + oDeprecated, oUnsupported, oLocalEnvMod } OpCodes; /* Textual representations of the tokens. */ @@ -245,6 +245,7 @@ static struct { #endif { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, + { "localenvmod", oLocalEnvMod }, { NULL, oBadOption } }; @@ -325,6 +326,45 @@ clear_forwardings(Options *options) } /* + * Adds a command to modify the local environment. Never returns if there is an + * error. + */ + +void +add_local_env_mod(Options *options, const EnvMod *newmod) +{ + EnvMod *mod; + + options->local_env_mods = xrealloc(options->local_env_mods, + options->num_local_env_mods + 1, + sizeof(*options->local_env_mods)); + mod = &options->local_env_mods[options->num_local_env_mods++]; + + mod->name = newmod->name; + mod->operation = newmod->operation; + mod->value = newmod->value; +} + +static void +clear_local_env_mods(Options *options) +{ + int i; + + for (i = 0; i < options->num_local_env_mods; i++) { + xfree(options->local_env_mods[i].name); + xfree(options->local_env_mods[i].value); + } + if (options->num_local_env_mods > 0) { + xfree(options->local_env_mods); + options->num_local_env_mods = 0; + options->local_env_mods = NULL; + } +} + +static int +parse_env_mod(EnvMod *mod, const char *modspec); + +/* * Returns the number of the token pointed to by cp or oBadOption. */ @@ -359,6 +399,7 @@ process_config_line(Options *options, const char *host, long long orig, val64; size_t len; Forward fwd; + EnvMod mod; /* Strip trailing whitespace */ for (len = strlen(line) - 1; len > 0; len--) { 
@@ -997,6 +1038,20 @@ parse_int: intptr = &options->use_roaming; goto parse_flag; + case oLocalEnvMod: + /* We try to consume the complete line */ + arg = s; + s = s + strlen(s); + + if (parse_env_mod(&mod, arg) == 0) + fatal("%.200s line %d: Bad env mod specification.", + filename, linenum); + + if (*activep) { + add_local_env_mod(options, &mod); + } + break; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1034,6 +1089,7 @@ read_config_file(const char *filename, const char *host, Options *options, char line[1024]; int active, linenum; int bad_options = 0; + int prev_num_local_env_mods = options->num_local_env_mods; if ((f = fopen(filename, "r")) == NULL) return 0; @@ -1066,6 +1122,36 @@ read_config_file(const char *filename, const char *host, Options *options, if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* swap LocalEnvMod directives from this file in-front of previous ones */ + if (prev_num_local_env_mods != options->num_local_env_mods) { + EnvMod *start = options->local_env_mods; + EnvMod *split = options->local_env_mods + prev_num_local_env_mods; + EnvMod *end = options->local_env_mods + options->num_local_env_mods; + EnvMod tmp, *low, *high; + + low = start; high = split - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + + low = split; high = end - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + + low = start; high = end - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + } + return 1; } @@ -1157,6 +1243,8 @@ initialize_options(Options * options) options->zero_knowledge_password_authentication = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; + options->local_env_mods = NULL; + options->num_local_env_mods = 0; } /* 
@@ -1420,3 +1508,85 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) } return (0); } + +/* + * variablename[whitespace][{+,%}[separator]]=[whitespace]value + * value may be optional for set command (ie. w/o +) + * SSHFS_MOUNT += mars-fastfs:/fastfs + * SOME_PATH +:= /some/bin + * SOME_PATH %:= /some/other/bin + * '+' and '%' shouldn't be used as separator + * TODO: don't overwrite? + * VAR ?= value + */ +int +parse_env_mod(EnvMod *mod, const char *modspec) +{ + char *p, *cp, *ne, *eq; + size_t len; + + memset(mod, '\0', sizeof(*mod)); + + cp = p = xstrdup(modspec); + + /* skip leading spaces */ + while (isspace(*cp)) + cp++; + + eq = strchr(cp, '='); + + if (!eq) + return 0; + + len = eq - modspec; + if (len == 0) + return 0; + + ne = eq; + if ((len > 2 && eq[-1] == '+') || (len > 3 && eq[-2] == '+') || + (len > 2 && eq[-1] == '%') || (len > 3 && eq[-2] == '%')) { + ne--; + /* append/prepend, comma is default separator */ + mod->operation = ','; + if ((len > 3 && eq[-2] == '+') || (len > 3 && eq[-2] == '%')) { + ne--; + mod->operation = eq[-1]; + } + /* prepend? */ + if ((len > 2 && eq[-1] == '%') || (len > 3 && eq[-2] == '%')) { + mod->operation = -mod->operation; + } + } + /* Remove traling whitespace from variable name */ + while ((ne - 1) > cp && isspace(ne[-1])) + ne--; + /* Terminate variable name */ + *ne = '\0'; + + if (strlen(cp) == 0) + return 0; + + /* Skip leading spaces for variable value */ + eq++; + while (isspace(*eq)) + eq++; + + /* Remove possible double quotes around value */ + len = strlen(eq); + if (len > 1 && eq[0] == '"' && eq[len - 1] == '"') { + eq[len - 1] = '\0'; + eq++; + len -= 2; + } + + /* Allow to unset when */ + if (mod->operation && len == 0) + return 0; + + mod->name = xstrdup(cp); + mod->value = xstrdup(eq); + + xfree(p); + + return 1; +} diff --git a/readconf.h b/readconf.h index ee160df..166631f 100644 --- a/readconf.h +++ b/readconf.h 
@@ -25,6 +25,13 @@ typedef struct { int connect_port; /* Port to connect on connect_host. */ int allocated_port; /* Dynamically allocated listen port */ } Forward; +/* Data structure for representing a local env modification. */ + +typedef struct { + char *name; /* The name of the variable. */ + int operation; /* The operation (\0 for set, other chars for append with this separator). */ + char *value; /* The operand for the operation. */ +} EnvMod; /* Data structure for representing option data. */ #define MAX_SEND_ENV 256 @@ -132,6 +139,10 @@ typedef struct { int use_roaming; + /* Changes to the local envirionment */ + int num_local_env_mods; + EnvMod *local_env_mods; + } Options; #define SSHCTL_MASTER_NO 0 diff --git a/regress/Makefile b/regress/Makefile index 85fd3a5..b5724f8 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -51,6 +51,7 @@ LTESTS= connect \ cfgmatch \ addrmatch \ localcommand \ + localenvmod \ forcecommand \ portnum \ keytype \ @@ -76,7 +77,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ known_hosts-cert host_ca_key* cert_host_key* \ putty.rsa2 sshd_proxy_orig \ - authorized_principals_${USER} expect actual + authorized_principals_${USER} expect actual \ + localenvmods.in localenvmods.expect localenvmods.out ssh_proxy.tmpl # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/localenvmod.sh b/regress/localenvmod.sh new file mode 100644 index 0000000..c986816 --- /dev/null +++ b/regress/localenvmod.sh 
@@ -0,0 +1,210 @@ +# Placed in the Public Domain. + +tid="localenvmod" + +cp $OBJ/ssh_proxy $OBJ/ssh_proxy.tmpl +echo 'PermitLocalCommand yes' >>$OBJ/ssh_proxy.tmpl + +cat </ /g' >localenvmods.in +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +EOI + +tid="localenvmod quoting" + +cat </ /g' >localenvmods.expect +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +EOE + +verbose "test $tid" +exec 4>localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +cat >localenvmods.in <localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod set (preset: '')" + +cat >localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO="" ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod set (preset: 'bar')" + +cat >localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO=bar ${SSH} -n -F 
$OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod unset" + +cat >localenvmods.in <localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand test "${FOO:+set}" = set || echo true\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO=bar ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod commandline overwrites config file (change)" + +cat >localenvmods.expect <$OBJ/ssh_proxy +${SSH} -n -F $OBJ/ssh_proxy -o"LocalEnvMod=FOO=foo" somehost true >localenvmods.out || fail "$tid" + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod commandline overwrites config file (unset)" + +cat >localenvmods.expect <$OBJ/ssh_proxy +${SSH} -n -F $OBJ/ssh_proxy -o"LocalEnvMod=FOO=" somehost true >localenvmods.out || fail "$tid" + +diff localenvmods.expect localenvmods.out || fail "$tid" + +# reset tid +tid="localenvmod" diff --git a/ssh.c b/ssh.c index 9409fa7..48ba7b2 100644 --- a/ssh.c +++ b/ssh.c 
@@ -751,6 +751,63 @@ main(int ac, char **av) if (options.control_path != NULL) muxclient(options.control_path); + if (options.num_local_env_mods > 0) { + char thishost[NI_MAXHOST]; + + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("gethostname: %s", strerror(errno)); + snprintf(buf, sizeof(buf), "%d", options.port); + + for (i = 0; i < options.num_local_env_mods; i++) { + char sepbuf[2], *oldval; + int prepend = 0; + int op = options.local_env_mods[i].operation; + if (0 > op) { + prepend = 1; + op = -op; + } + sepbuf[0] = op; + sepbuf[1] = '\0'; + debug3("expanding LocalEnvMod: %s %s%s= %s", + options.local_env_mods[i].name, + op ? (prepend ? "%" : "+") : "", + sepbuf, + options.local_env_mods[i].value); + cp = options.local_env_mods[i].value; + options.local_env_mods[i].value = percent_expand(cp, + "d", pw->pw_dir, + "h", host, + "l", thishost, + "n", host, + "r", options.user, + "p", buf, + "u", pw->pw_name, + (char *)NULL); + debug3("expanded LocalEnvMod: %s %s%s= %s", + options.local_env_mods[i].name, + op ? (prepend ? "%" : "+") : "", + sepbuf, + options.local_env_mods[i].value); + xfree(cp); + if (op && + (oldval = getenv(options.local_env_mods[i].name)) && + strlen(oldval) > 0) { + char *newval; + newval = xmalloc(strlen(oldval) + 1 + strlen(options.local_env_mods[i].value) + 1); + strcpy(newval, prepend ? options.local_env_mods[i].value : oldval); + strcat(newval, sepbuf); + strcat(newval, prepend ? oldval : options.local_env_mods[i].value); + setenv(options.local_env_mods[i].name, newval, 1); + } else if (options.local_env_mods[i].value[0]) { + /* set or mod without current value for variable */ + setenv(options.local_env_mods[i].name, + options.local_env_mods[i].value, 1); + } else { + unsetenv(options.local_env_mods[i].name); + } + } + } + timeout_ms = options.connection_timeout * 1000; /* Open a connection to the remote host. */ -- tg: (bc28466..) bw/localenvmod (depends on: master) From bert.wesarg at googlemail.com Fri Jan 7 23:00:55 2011 
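Review bot: in the ssh.c hunk, `"n", host` feeds %n the name after HostName substitution, whereas the existing LocalCommand expansion further down in ssh.c passes host_arg for %n; this block should use host_arg as well so that %n means the name given on the command line in both places (the v2 repost of this patch makes that change).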
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Fri, 7 Jan 2011 13:00:55 +0100
Subject: [RFC/PATCH v2] ssh: config directive to modify the local environment
In-Reply-To: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com>
References: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com>
Message-ID: <1294401655-11210-1-git-send-email-bert.wesarg@googlemail.com>

This provides a mechanism to attach arbitrary configure options into the ssh_config file and use them from the LocalCommand and ProxyCommand.

Examples:

  # set FOO to foo
  LocalEnvMod FOO = foo

  # append bar to FOO with default separator ","
  LocalEnvMod FOO += bar

  # unset FOO
  LocalEnvMod FOO =

  # append foo to BAR with separator ":", if BAR is empty no separator will
  # be used
  LocalEnvMod BAR +:= foo

  # prepend baz to BAR with separator ":"
  LocalEnvMod BAR %:= baz

Currently any character can be used as separator.

My intended use case for this is to automount arbitrary remote directories via sshfs based on the host by the mux master via LocalCommand. I have a default of 'mount the remote home at ~/Remotes/' but I can add more mount directives based on individual hosts.

The LocalEnvMod directive is cumulative and is executed in one file in order (ie. from top to bottom), but in reverse order of file parsing. That is, directives in ~/.ssh/config are executed after /etc/ssh/ssh_config but command line directives (-oLocalEnvMod=) will be executed last.

If there are security concerns what variables are allowed to change, we could use a blacklist (HOME, SHELL, ... come to mind).
---
v2: This time with my own fix for the %n expansion.

 readconf.c | 172 +++++++++++++++++++++++++++++++++++++++-
 readconf.h | 11 +++
 regress/Makefile | 4 +-
 regress/localenvmod.sh | 210 ++++++++++++++++++++++++++++++++++++++++++++++++
 ssh.c | 57 +++++++++++++
 5 files changed, 452 insertions(+), 2 deletions(-)

diff --git a/readconf.c b/readconf.c
index eb4a8b9..9f862a9 100644
--- a/readconf.c
+++ b/readconf.c
@@ -135,7 +135,7 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, - oDeprecated, oUnsupported + oDeprecated, oUnsupported, oLocalEnvMod } OpCodes; /* Textual representations of the tokens. */ @@ -245,6 +245,7 @@ static struct { #endif { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, + { "localenvmod", oLocalEnvMod }, { NULL, oBadOption } }; @@ -325,6 +326,45 @@ clear_forwardings(Options *options) } /* + * Adds a command to modify the local environment. Never returns if there is an + * error. + */ + +void +add_local_env_mod(Options *options, const EnvMod *newmod) +{ + EnvMod *mod; + + options->local_env_mods = xrealloc(options->local_env_mods, + options->num_local_env_mods + 1, + sizeof(*options->local_env_mods)); + mod = &options->local_env_mods[options->num_local_env_mods++]; + + mod->name = newmod->name; + mod->operation = newmod->operation; + mod->value = newmod->value; +} + +static void +clear_local_env_mods(Options *options) +{ + int i; + + for (i = 0; i < options->num_local_env_mods; i++) { + xfree(options->local_env_mods[i].name); + xfree(options->local_env_mods[i].value); + } + if (options->num_local_env_mods > 0) { + xfree(options->local_env_mods); + options->num_local_env_mods = 0; + options->local_env_mods = NULL; + } +} + +static int +parse_env_mod(EnvMod *mod, const char *modspec); + +/* * Returns the number of the token pointed to by cp or oBadOption. */ @@ -359,6 +399,7 @@ process_config_line(Options *options, const char *host, long long orig, val64; size_t len; Forward fwd; + EnvMod mod; /* Strip trailing whitespace */ for (len = strlen(line) - 1; len > 0; len--) { 
@@ -997,6 +1038,20 @@ parse_int: intptr = &options->use_roaming; goto parse_flag; + case oLocalEnvMod: + /* We try to consume the complete line */ + arg = s; + s = s + strlen(s); + + if (parse_env_mod(&mod, arg) == 0) + fatal("%.200s line %d: Bad env mod specification.", + filename, linenum); + + if (*activep) { + add_local_env_mod(options, &mod); + } + break; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1034,6 +1089,7 @@ read_config_file(const char *filename, const char *host, Options *options, char line[1024]; int active, linenum; int bad_options = 0; + int prev_num_local_env_mods = options->num_local_env_mods; if ((f = fopen(filename, "r")) == NULL) return 0; @@ -1066,6 +1122,36 @@ read_config_file(const char *filename, const char *host, Options *options, if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* swap LocalEnvMod directives from this file in-front of previous ones */ + if (prev_num_local_env_mods != options->num_local_env_mods) { + EnvMod *start = options->local_env_mods; + EnvMod *split = options->local_env_mods + prev_num_local_env_mods; + EnvMod *end = options->local_env_mods + options->num_local_env_mods; + EnvMod tmp, *low, *high; + + low = start; high = split - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + + low = split; high = end - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + + low = start; high = end - 1; + while (low < high) { + tmp = *high; + *high-- = *low; + *low++ = tmp; + } + } + return 1; } @@ -1157,6 +1243,8 @@ initialize_options(Options * options) options->zero_knowledge_password_authentication = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; + options->local_env_mods = NULL; + options->num_local_env_mods = 0; } /* 
@@ -1420,3 +1508,85 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) } return (0); } + +/* + * variablename[whitespace][{+,%}[separator]]=[whitespace]value + * value may be optional for set command (ie. w/o +) + * SSHFS_MOUNT += mars-fastfs:/fastfs + * SOME_PATH +:= /some/bin + * SOME_PATH %:= /some/other/bin + * '+' and '%' shouldn't be used as separator + * TODO: don't overwrite? + * VAR ?= value + */ +int +parse_env_mod(EnvMod *mod, const char *modspec) +{ + char *p, *cp, *ne, *eq; + size_t len; + + memset(mod, '\0', sizeof(*mod)); + + cp = p = xstrdup(modspec); + + /* skip leading spaces */ + while (isspace(*cp)) + cp++; + + eq = strchr(cp, '='); + + if (!eq) + return 0; + + len = eq - modspec; + if (len == 0) + return 0; + + ne = eq; + if ((len > 2 && eq[-1] == '+') || (len > 3 && eq[-2] == '+') || + (len > 2 && eq[-1] == '%') || (len > 3 && eq[-2] == '%')) { + ne--; + /* append/prepend, comma is default separator */ + mod->operation = ','; + if ((len > 3 && eq[-2] == '+') || (len > 3 && eq[-2] == '%')) { + ne--; + mod->operation = eq[-1]; + } + /* prepend? */ + if ((len > 2 && eq[-1] == '%') || (len > 3 && eq[-2] == '%')) { + mod->operation = -mod->operation; + } + } + /* Remove traling whitespace from variable name */ + while ((ne - 1) > cp && isspace(ne[-1])) + ne--; + /* Terminate variable name */ + *ne = '\0'; + + if (strlen(cp) == 0) + return 0; + + /* Skip leading spaces for variable value */ + eq++; + while (isspace(*eq)) + eq++; + + /* Remove possible double quotes around value */ + len = strlen(eq); + if (len > 1 && eq[0] == '"' && eq[len - 1] == '"') { + eq[len - 1] = '\0'; + eq++; + len -= 2; + } + + /* Allow to unset when */ + if (mod->operation && len == 0) + return 0; + + mod->name = xstrdup(cp); + mod->value = xstrdup(eq); + + xfree(p); + + return 1; +} diff --git a/readconf.h b/readconf.h index ee160df..166631f 100644 --- a/readconf.h +++ b/readconf.h 
@@ -25,6 +25,13 @@ typedef struct { int connect_port; /* Port to connect on connect_host. */ int allocated_port; /* Dynamically allocated listen port */ } Forward; +/* Data structure for representing a local env modification. */ + +typedef struct { + char *name; /* The name of the variable. */ + int operation; /* The operation (\0 for set, other chars for append with this separator). */ + char *value; /* The operand for the operation. */ +} EnvMod; /* Data structure for representing option data. */ #define MAX_SEND_ENV 256 @@ -132,6 +139,10 @@ typedef struct { int use_roaming; + /* Changes to the local envirionment */ + int num_local_env_mods; + EnvMod *local_env_mods; + } Options; #define SSHCTL_MASTER_NO 0 diff --git a/regress/Makefile b/regress/Makefile index 85fd3a5..b5724f8 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -51,6 +51,7 @@ LTESTS= connect \ cfgmatch \ addrmatch \ localcommand \ + localenvmod \ forcecommand \ portnum \ keytype \ @@ -76,7 +77,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ known_hosts-cert host_ca_key* cert_host_key* \ putty.rsa2 sshd_proxy_orig \ - authorized_principals_${USER} expect actual + authorized_principals_${USER} expect actual \ + localenvmods.in localenvmods.expect localenvmods.out ssh_proxy.tmpl # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/localenvmod.sh b/regress/localenvmod.sh new file mode 100644 index 0000000..c986816 --- /dev/null +++ b/regress/localenvmod.sh 
@@ -0,0 +1,210 @@ +# Placed in the Public Domain. + +tid="localenvmod" + +cp $OBJ/ssh_proxy $OBJ/ssh_proxy.tmpl +echo 'PermitLocalCommand yes' >>$OBJ/ssh_proxy.tmpl + +cat </ /g' >localenvmods.in +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO=foo +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +FOO="foo" +EOI + +tid="localenvmod quoting" + +cat </ /g' >localenvmods.expect +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +foo +EOE + +verbose "test $tid" +exec 4>localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +cat >localenvmods.in <localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod set (preset: '')" + +cat >localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO="" ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod set (preset: 'bar')" + +cat >localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand printf "%%%%s\\n" "$FOO"\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO=bar ${SSH} -n -F 
$OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod unset" + +cat >localenvmods.in <localenvmods.expect <localenvmods.out +while IFS= read mod; do + trace "test $tid: <$mod>" + ( + cat $OBJ/ssh_proxy.tmpl + printf 'LocalCommand test "${FOO:+set}" = set || echo true\n' + printf "LocalEnvMod %s\n" "$mod" + ) >$OBJ/ssh_proxy + FOO=bar ${SSH} -n -F $OBJ/ssh_proxy somehost true >&4 || fail "$tid: <$mod>" +done &- + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod commandline overwrites config file (change)" + +cat >localenvmods.expect <$OBJ/ssh_proxy +${SSH} -n -F $OBJ/ssh_proxy -o"LocalEnvMod=FOO=foo" somehost true >localenvmods.out || fail "$tid" + +diff localenvmods.expect localenvmods.out || fail "$tid" + +tid="localenvmod commandline overwrites config file (unset)" + +cat >localenvmods.expect <$OBJ/ssh_proxy +${SSH} -n -F $OBJ/ssh_proxy -o"LocalEnvMod=FOO=" somehost true >localenvmods.out || fail "$tid" + +diff localenvmods.expect localenvmods.out || fail "$tid" + +# reset tid +tid="localenvmod" diff --git a/ssh.c b/ssh.c index 9409fa7..32b9464 100644 --- a/ssh.c +++ b/ssh.c 
@@ -751,6 +751,63 @@ main(int ac, char **av) if (options.control_path != NULL) muxclient(options.control_path); + if (options.num_local_env_mods > 0) { + char thishost[NI_MAXHOST]; + + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("gethostname: %s", strerror(errno)); + snprintf(buf, sizeof(buf), "%d", options.port); + + for (i = 0; i < options.num_local_env_mods; i++) { + char sepbuf[2], *oldval; + int prepend = 0; + int op = options.local_env_mods[i].operation; + if (0 > op) { + prepend = 1; + op = -op; + } + sepbuf[0] = op; + sepbuf[1] = '\0'; + debug3("expanding LocalEnvMod: %s %s%s= %s", + options.local_env_mods[i].name, + op ? (prepend ? "%" : "+") : "", + sepbuf, + options.local_env_mods[i].value); + cp = options.local_env_mods[i].value; + options.local_env_mods[i].value = percent_expand(cp, + "d", pw->pw_dir, + "h", host, + "l", thishost, + "n", host_arg, + "r", options.user, + "p", buf, + "u", pw->pw_name, + (char *)NULL); + debug3("expanded LocalEnvMod: %s %s%s= %s", + options.local_env_mods[i].name, + op ? (prepend ? "%" : "+") : "", + sepbuf, + options.local_env_mods[i].value); + xfree(cp); + if (op && + (oldval = getenv(options.local_env_mods[i].name)) && + strlen(oldval) > 0) { + char *newval; + newval = xmalloc(strlen(oldval) + 1 + strlen(options.local_env_mods[i].value) + 1); + strcpy(newval, prepend ? options.local_env_mods[i].value : oldval); + strcat(newval, sepbuf); + strcat(newval, prepend ? oldval : options.local_env_mods[i].value); + setenv(options.local_env_mods[i].name, newval, 1); + } else if (options.local_env_mods[i].value[0]) { + /* set or mod without current value for variable */ + setenv(options.local_env_mods[i].name, + options.local_env_mods[i].value, 1); + } else { + unsetenv(options.local_env_mods[i].name); + } + } + } + timeout_ms = options.connection_timeout * 1000; /* Open a connection to the remote host. */ -- tg: (bc28466..) bw/localenvmod (depends on: master) From jchadima at redhat.com Sat Jan 8 01:20:29 2011 
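Review bot: the OpCodes/keyword-table hunks add oLocalEnvMod but the patch touches no ssh_config.5; a directive with its own grammar (plain set, "+=", "+X=", "%X=", an empty value meaning unset, no separator when the variable is empty), cumulative semantics, and an execution order that differs from the usual first-value-wins rule of ssh_config needs a man page entry alongside the code.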
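Review bot: in the add_local_env_mod()/clear_local_env_mods() hunk, clear_local_env_mods() is static and nothing in the patch calls it, so it draws an unused-function warning and the list is never freed; either call it where options are torn down or drop it. add_local_env_mod() also takes ownership of newmod->name and newmod->value rather than copying them, which its comment should state, since the caller must not free them afterwards.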
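Review bot: in the oLocalEnvMod case of process_config_line(), the directive is parsed before *activep is tested, so for a non-matching Host block the name and value strings that parse_env_mod() xstrdup()s are leaked on every such line; either check *activep first or add `xfree(mod.name); xfree(mod.value);` in the inactive branch.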
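Review bot: the three in-place reversals at the end of read_config_file() are a rotation that moves this file's directives ahead of those already collected; say so in the comment, and state the assumption it rests on, namely that -o directives are fed through process_config_line() before any read_config_file() call and therefore stay at the end, because the system-then-user-then-command-line order promised in the commit message holds only under that call order.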
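Review bot: in parse_env_mod(), `len = eq - modspec;` subtracts a pointer into the caller's string from a pointer into the xstrdup()ed copy; the difference between two distinct objects is undefined and in practice a huge number, so the `len == 0`, `len > 2` and `len > 3` guards never trigger. It should be `len = eq - cp;`. With that corrected the thresholds are off by one for single-character names: `A+=b` has len 2, so `len > 2` must become `len > 1` and `len > 3` must become `len > 2` for the operator to be recognised. The four early `return 0` paths leak p. isspace() should be called on a (u_char) cast as elsewhere in readconf.c, the comment "'+' and '%' shouldn't be used as separator" should become a check that rejects them because `X +%= v` otherwise parses as a prepend, and the comment `/* Allow to unset when */` is cut off.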
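Review bot: the EnvMod.operation comment in readconf.h says "\0 for set, other chars for append with this separator", but ssh.c also stores a negated separator to mean prepend; document the sign convention here (or use a separate flag), and fix "envirionment" in the Options comment.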
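Review bot: the inputs visible in regress/localenvmod.sh exercise only the name FOO, whitespace and quoting variations, and the default separator; add cases for a single-character name with "+=", explicit separators ("+:=", "%:="), and names whose last character is '+' or '%', since those are exactly the paths where the operator-detection length checks in parse_env_mod() can go wrong. The heredoc delimiters in this hunk did not survive transit, so the remaining inputs cannot be reviewed from this copy.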
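Review bot: the ssh.c hunk applies the modifications with setenv()/unsetenv() to ssh's own process before the connection is made, so they reach everything ssh later consults or executes (SSH_AUTH_SOCK, SSH_ASKPASS, DISPLAY, ProxyCommand, LocalCommand, any helper ssh execs), not only the two commands named in the commit message; the blacklist question raised there needs an answer before this merges, and the documentation should state that scope. On style: build newval with `xasprintf(&newval, "%s%s%s", ...)` instead of a hand-sized xmalloc() plus strcpy()/strcat(), write `op < 0` rather than `0 > op`, and share the gethostname()/thishost and port-buffer setup with the LocalCommand expansion further down instead of duplicating it.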
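The grammar and ordering rule described in the commit message (plain set, "+=", "+X=", "%X=", an empty value unsets, no separator when the variable is empty, and directives run system config first, then ~/.ssh/config, then -o options), as an added example that is not the patch's code and not part of this thread: a standalone C reimplementation of the directive parser and of resolving one variable across a list of directives. The names envmod, envmod_parse, envmod_resolve and resolves_to are this example's own, the directives are constructed, and it deliberately rejects '+' and '%' as separators and non-identifier names, which the posted parser only mentions in a comment. It takes the directives already in execution order rather than rotating them per file as the patch does.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAMECHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

/* One LocalEnvMod directive, NAME [{+|%}[sep]]= [value].  Example code, not the patch's. */
struct envmod {
    char name[64], value[256];
    char sep;     /* 0: plain set/unset; else append/prepend with this separator */
    int prepend;  /* 1 for the "%" form, 0 for the "+" form */
};

/* Parse one directive into *m.  Returns 1 on success, 0 if malformed. */
int envmod_parse(const char *spec, struct envmod *m)
{
    const char *eq, *ne, *val;
    size_t nlen, vlen;

    memset(m, 0, sizeof(*m));
    while (isspace((unsigned char)*spec))
        spec++;
    if ((eq = strchr(spec, '=')) == NULL)
        return 0;
    ne = eq;                                        /* end of "name[op]" */
    if (ne > spec && (ne[-1] == '+' || ne[-1] == '%')) {             /* "+=", "%=" */
        m->prepend = (ne[-1] == '%');
        m->sep = ',';
        ne--;
    } else if (ne - spec >= 2 && (ne[-2] == '+' || ne[-2] == '%')) { /* "+X=", "%X=" */
        m->prepend = (ne[-2] == '%');
        m->sep = ne[-1];
        ne -= 2;
    }
    while (ne > spec && isspace((unsigned char)ne[-1]))
        ne--;
    nlen = ne - spec;
    /* Name must be [A-Za-z_][A-Za-z0-9_]*.  That also rejects "+%=", "%+=" and "++=",
     * whose leftover operator character lands inside the name; blank separators too. */
    if (nlen == 0 || nlen >= sizeof(m->name) || isdigit((unsigned char)*spec) ||
        strspn(spec, NAMECHARS) < nlen || isspace((unsigned char)m->sep))
        return 0;
    memcpy(m->name, spec, nlen);
    for (val = eq + 1; isspace((unsigned char)*val); val++)
        ;
    vlen = strlen(val);
    if (vlen > 1 && val[0] == '"' && val[vlen - 1] == '"') {         /* strip quotes */
        val++;
        vlen -= 2;
    }
    if (vlen >= sizeof(m->value) || (m->sep && vlen == 0))           /* +=/%= need an operand */
        return 0;
    memcpy(m->value, val, vlen);
    return 1;
}

/* Apply specs[] in execution order (system config, then ~/.ssh/config, then -o options,
 * each top to bottom) to `name`, starting from `initial` (NULL = unset).
 * Returns 1 with the final value in out, 0 if unset, -1 if a spec did not parse. */
int envmod_resolve(const char *name, const char *initial, const char *const specs[],
                   size_t nspecs, char *out, size_t outsz)
{
    char cur[256], next[256];
    struct envmod m;
    size_t i;
    int set = initial != NULL;

    if (set)
        snprintf(cur, sizeof(cur), "%s", initial);
    for (i = 0; i < nspecs; i++) {
        if (!envmod_parse(specs[i], &m))
            return -1;
        if (strcmp(m.name, name) != 0)
            continue;                               /* directive is for another variable */
        if (m.sep && set && cur[0] != '\0')         /* append/prepend to a non-empty value */
            snprintf(next, sizeof(next), "%s%c%s", m.prepend ? m.value : cur,
                     m.sep, m.prepend ? cur : m.value);
        else                                        /* set; +=/%= on empty; "" unsets */
            snprintf(next, sizeof(next), "%s", m.value);
        set = next[0] != '\0';
        memcpy(cur, next, sizeof(cur));
    }
    if (set)
        snprintf(out, outsz, "%s", cur);
    return set;
}

/* Check helper: -1 if a spec fails to parse, else 1 when name ends up as expect (NULL = unset). */
int resolves_to(const char *name, const char *initial, const char *const specs[],
                size_t nspecs, const char *expect)
{
    char out[256];
    int r = envmod_resolve(name, initial, specs, nspecs, out, sizeof(out));
    if (r < 0)
        return -1;
    return expect == NULL ? r == 0 : (r == 1 && strcmp(out, expect) == 0);
}
```

envmod_resolve() returns the same three-way outcome the ssh.c hunk produces with setenv() versus unsetenv(), plus -1 for a directive that would have hit fatal() in readconf.c; a constructed sequence such as `SOME_PATH %:= /some/bin` from ~/.ssh/config followed by `-oLocalEnvMod=SOME_PATH += /some/other/bin` applied to an initial "/usr/bin" yields "/some/bin:/usr/bin,/some/other/bin".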
From: jchadima at redhat.com (Jan F Chadima)
Date: Fri, 7 Jan 2011 15:20:29 +0100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <886142099.271576.1294319286726.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
References: <886142099.271576.1294319286726.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
Message-ID: <7133715F-D0D4-4DAE-BFDC-44413AEFA4DA@redhat.com>

> Hello,
> snapshot from Jan 6 2011 failed on rhel6:
>
> cd ./regress || exit $?; \
> make \
> .OBJDIR="${BUILDDIR}/regress" \
> .CURDIR="`pwd`" \
> BUILDDIR="${BUILDDIR}" \
> OBJ="${BUILDDIR}/regress/" \
> PATH="${BUILDDIR}:${PATH}" \
> TEST_SHELL="${TEST_SHELL}" \
> TEST_SSH_SSH="${TEST_SSH_SSH}" \
> TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
> TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
> TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
> TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
> TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
> TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
> TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
> TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
> TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
> TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
> TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
> TEST_SSH_IPV6="yes" \
> EXEEXT="" \
> tests && echo all tests passed
> make[1]: Entering directory `/home/jfch/test/openssh/regress'
> ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
> tr '\n' '\r' /home/jfch/test/openssh/regress/rsa_ssh2_cr.prv
> ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2_cr.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
> awk '{print $0 "\r"}' /home/jfch/test/openssh/regress/rsa_ssh2.prv > /home/jfch/test/openssh/regress/rsa_ssh2_crnl.prv
> ssh-keygen -if /home/jfch/test/openssh/regress/rsa_ssh2_crnl.prv | diff - /home/jfch/test/openssh/regress/rsa_openssh.prv
> cat /home/jfch/test/openssh/regress/rsa_openssh.prv > /home/jfch/test/openssh/regress//t2.out
> chmod 600 /home/jfch/test/openssh/regress//t2.out
> ssh-keygen -yf /home/jfch/test/openssh/regress//t2.out | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
> ssh-keygen -ef /home/jfch/test/openssh/regress/rsa_openssh.pub >/home/jfch/test/openssh/regress//rsa_secsh.pub
> ssh-keygen -if /home/jfch/test/openssh/regress//rsa_secsh.pub | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
> rm -f /home/jfch/test/openssh/regress/rsa_secsh.pub
> ssh-keygen -lf /home/jfch/test/openssh/regress/rsa_openssh.pub |\
> awk '{print $2}' | diff - /home/jfch/test/openssh/regress/t4.ok
> 0a1
>> 3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
> make[1]: *** [t4] Error 1
> make[1]: Leaving directory `/home/jfch/test/openssh/regress'
> make: *** [tests] Error 2
>

Hi, the problem with RHEL6 was caused by the FIPS mode switched on. This caused the MD5 routine in openssl to be disabled. Maybe this should be solved by replacing MD5 hash by some more reliable one in FIPS mode ... or generally.

> --
> JFCh

From dkg at fifthhorseman.net Sat Jan 8 03:42:08 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 07 Jan 2011 11:42:08 -0500
Subject: [RFC/PATCH v2] ssh: config directive to modify the local environment
In-Reply-To: <1294401655-11210-1-git-send-email-bert.wesarg@googlemail.com>
References: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com> <1294401655-11210-1-git-send-email-bert.wesarg@googlemail.com>
Message-ID: <4D274260.9070304@fifthhorseman.net>

On 01/07/2011 07:00 AM, Bert Wesarg wrote:
> This provides a mechanism to attach arbitrary configure options into the
> ssh_config file and use them from the LocalCommand and ProxyCommand.

The user can already do this by just exporting a given environment before invoking ssh, right, or by embedding the environment variables in the LocalCommand or ProxyCommand itself:

  ssh -oProxyCommand='env FOO=bar BAZ=qux othercommand' foo@bar.example

However, I'd be interested in seeing this kind of work done to export the ssh config itself to the child processes:

  https://bugzilla.mindrot.org/show_bug.cgi?id=1766

That way, it would be possible for options like TCPKeepAlive to be respected by compliant ProxyCommands. This would require standardizing on a form -- maybe all-downcased, prefixed with openssh_ ? So the client process would get an environment that says:

  openssh_tcpkeepalive=yes
  openssh_user=foo
  openssh_addressfamily=inet6
  ...
  openssh_hostname=bar.example

This would let people make significantly better proxycommands and localcommands, I think.

--dkg

From imorgan at nas.nasa.gov Sat Jan 8 06:51:19 2011
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Fri, 7 Jan 2011 11:51:19 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <20110107195119.GG6057@linux124.nas.nasa.gov>

On Thu, Jan 06, 2011 at 06:31:24 -0600, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.
>

Hi,

The 20110110 snapshot builds on RHEL 5 (x86_64), Solaris 9 (SPARC), and Mac OS X (Intel). It passes the regression tests on the RHEL 5 system, but fails on the other two.

Initially, the OS X case failed with:

ok banner
run test rekey.sh ...
no rekeying occured
failed rekey during transfer data
make[1]: *** [t-exec] Error 1

However, after editing my PATH, it now fails in keytype.sh. The Solaris system likewise fails in keytype.sh.

In both cases, I suspect that the version of OpenSSL may be an issue, although previous OpenSSH releases (5.6 for example) have tested correctly on these systems.

--
Iain Morgan

From djm at mindrot.org Sat Jan 8 08:12:54 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2011 08:12:54 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <20110107195119.GG6057@linux124.nas.nasa.gov>
References: <20110107195119.GG6057@linux124.nas.nasa.gov>
Message-ID:

On Fri, 7 Jan 2011, Iain Morgan wrote:

> Hi,
>
> The 20110110 snapshot builds on RHEL 5 (x86_64), Solaris 9 (SPARC), and
> Mac OS X (Intel). It passes the regression tests on the RHEL 5 system,
> but fails on the other two.
>
> Initially, the OS X case failed with:
>
> ok banner
> run test rekey.sh ...
> no rekeying occured
> failed rekey during transfer data
> make[1]: *** [t-exec] Error 1
>
> However, after editing my PATH, it now fails in keytype.sh. The Solaris
> system likewise fails in keytype.sh.

Do you have an error message from this failure? Also, what $PATH change did you have to make?

> In both cases, I suspect that the version of OpenSSL may be an issue,
> although previous OpenSSH releases (5.6 for example) have tested
> correctly on these systems.

Which version of OSX are you using?

-d

From bert.wesarg at googlemail.com Sat Jan 8 06:50:34 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Fri, 7 Jan 2011 20:50:34 +0100
Subject: [RFC/PATCH v2] ssh: config directive to modify the local environment
In-Reply-To: <4D274260.9070304@fifthhorseman.net>
References: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com>
 <1294401655-11210-1-git-send-email-bert.wesarg@googlemail.com>
 <4D274260.9070304@fifthhorseman.net>
Message-ID:

On Fri, Jan 7, 2011 at 17:42, Daniel Kahn Gillmor wrote:
> On 01/07/2011 07:00 AM, Bert Wesarg wrote:
>> This provides a mechanism to attach arbitrary configure options into the
>> ssh_config file and use them from the LocalCommand and ProxyCommand.
>
> The user can already do this by just exporting a given environment
> before invoking ssh, right, or by embedding the environment variables in
> the LocalCommand or ProxyCommand itself:
>
>   ssh -oProxyCommand='env FOO=bar BAZ=qux othercommand' foo at bar.example

Sure. But honestly I think that will become quite cumbersome if you have
more than 2 variables which depend on the connecting host.

>
> However, I'd be interested in seeing this kind of work done to export
> the ssh config itself to the child processes:
>
>   https://bugzilla.mindrot.org/show_bug.cgi?id=1766

I know about this. I would suggest extending the expand code to handle this.

>
> That way, it would be possible for options like TCPKeepAlive to be
> respected by compliant ProxyCommands.

That would be:

ProxyCommand command %{TCPKeepAlive}

This way we could handle the case internally. I also think that my
proposed LocalEnvMod would benefit from this.

I can provide a patch the next week. The old % syntax would be
deprecated over time.

Bert

>
>         --dkg
>
>

From imorgan at nas.nasa.gov Sat Jan 8 09:33:50 2011
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Fri, 7 Jan 2011 14:33:50 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <20110107195119.GG6057@linux124.nas.nasa.gov>
Message-ID: <20110107223350.GA17093@linux124.nas.nasa.gov>

On Fri, Jan 07, 2011 at 15:12:54 -0600, Damien Miller wrote:
> On Fri, 7 Jan 2011, Iain Morgan wrote:
>
> > Hi,
> >
> > The 20110110 snapshot builds on RHEL 5 (x86_64), Solaris 9 (SPARC), and
> > Mac OS X (Intel). It passes the regression tests on the RHEL 5 system,
> > but fails on the other two.
> >
> > Initially, the OS X case failed with:
> >
> > ok banner
> > run test rekey.sh ...
> > no rekeying occured
> > failed rekey during transfer data
> > make[1]: *** [t-exec] Error 1
> >
> > However, after editing my PATH, it now fails in keytype.sh. The Solaris
> > system likewise fails in keytype.sh.
>
> Do you have an error message from this failure? Also, what $PATH change did
> you have to make?

Sorry about that, I meant to include the error. I had my own build of
OpenSSL at the head of the PATH during the first build attempt. I removed
it from my PATH to avoid confusion when I was checking the system-provided
version. After that, the error in the regression tests changed. I would
not have expected the PATH change to be relevant, but it was the only
thing that I had changed.

The error is as follows:

ok port number parsing
run test keytype.sh ...
keygen dsa, 1024 bits:        0.21 real        0.21 user        0.00 sys
keygen rsa, 2048 bits:        0.74 real        0.74 user        0.00 sys
keygen rsa, 3072 bits:        3.01 real        2.99 user        0.00 sys
userkey dsa-1024, hostkey dsa-1024: No DSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.01 real        0.00 user        0.00 sys
ssh userkey dsa-1024, hostkey dsa-1024 failed
userkey dsa-1024, hostkey dsa-1024: No DSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.01 real        0.00 user        0.00 sys
ssh userkey dsa-1024, hostkey dsa-1024 failed
userkey dsa-1024, hostkey dsa-1024: No DSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.01 real        0.00 user        0.00 sys
ssh userkey dsa-1024, hostkey dsa-1024 failed
userkey rsa-2048, hostkey rsa-2048: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.02 real        0.00 user        0.00 sys
ssh userkey rsa-2048, hostkey rsa-2048 failed
userkey rsa-2048, hostkey rsa-2048: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.02 real        0.00 user        0.00 sys
ssh userkey rsa-2048, hostkey rsa-2048 failed
userkey rsa-2048, hostkey rsa-2048: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.02 real        0.00 user        0.00 sys
ssh userkey rsa-2048, hostkey rsa-2048 failed
userkey rsa-3072, hostkey rsa-3072: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.04 real        0.00 user        0.00 sys
ssh userkey rsa-3072, hostkey rsa-3072 failed
userkey rsa-3072, hostkey rsa-3072: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.04 real        0.00 user        0.00 sys
ssh userkey rsa-3072, hostkey rsa-3072 failed
userkey rsa-3072, hostkey rsa-3072: No RSA host key is known for localhost-with-alias and you have requested strict checking.
Host key verification failed.
        0.04 real        0.00 user        0.00 sys
ssh userkey rsa-3072, hostkey rsa-3072 failed
failed login with different key types
make[1]: *** [t-exec] Error 1

>
> > In both cases, I suspect that the version of OpenSSL may be an issue,
> > although previous OpenSSH releases (5.6 for example) have tested
> > correctly on these systems.
>
> Which version of OSX are you using?
>
> -d

--
Iain Morgan

From openssh at roumenpetrov.info Sat Jan 8 09:46:48 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 08 Jan 2011 00:46:48 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info>
Message-ID: <4D2797D8.6010104@roumenpetrov.info>

Damien Miller wrote:
> On Thu, 6 Jan 2011, Roumen Petrov wrote:
>
>> Damien Miller wrote:
>>
>>> Hi,
>>>
>>> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
>>>
>> [SNIP]
>> Now make target "distprep" is broken. So either remove dependency from
>> catman-do or provide bootstrap shell script, please.
>>
> Works for me. Can you please provide the output of a failing make?
>
> -d
>

On user request in the past for bootstrap script the suggestion was to run
make -f Makefile.in distprep. Now this don't work. As this is documented I
guess that ordinary users will just follow the guides found in internet.
As an example I found this documentation
http://dev.globus.org/wiki/GSI-OpenSSH/CVS_Procedures .

Roumen

From dkg at fifthhorseman.net Sat Jan 8 09:51:25 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 07 Jan 2011 17:51:25 -0500
Subject: [RFC/PATCH v2] ssh: config directive to modify the local environment
In-Reply-To:
References: <1294401021-10682-1-git-send-email-bert.wesarg@googlemail.com>
 <1294401655-11210-1-git-send-email-bert.wesarg@googlemail.com>
 <4D274260.9070304@fifthhorseman.net>
Message-ID: <4D2798ED.7040709@fifthhorseman.net>

On 01/07/2011 02:50 PM, Bert Wesarg wrote:
> I know about this. I would suggest to extend the expand code to handle this.
>
>> That way, it would be possible for options like TCPKeepAlive to be
>> respected by compliant ProxyCommands.
>
> That would be:
>
> ProxyCommand command %{TCPKeepAlive}

hm. this seems cumbersome to me in the same way that you're suggesting
that env FOO=whatever would be cumbersome. It's also not transparently
extensible -- that is, if a new option is introduced, or an update to a
tool that provides a {proxy|local}command enables it to handle an
existing option, all users would have to manually tweak their config
files to add the relevant option.

I'd much rather see something like ExportEnvironmentToCommands all be
able to handle it without further fiddling by the user as the tools
evolve.

> This way we could handle the case internally. I also think that my
> proposed LocalEnvMod would benefit from this.
> I can provide a patch the next week. The old % syntax would be
> deprecated over time.

Meaning %p and %h would no longer work? i don't see why we'd need to
deprecate that any more than we'd want to get rid of ssh's -6 argument
in favor of -oAddressFamily=inet6 -- why would we need to deprecate them?

Thanks for your work on this, Bert!

        --dkg

From djm at mindrot.org Sat Jan 8 20:48:01 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2011 20:48:01 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <4D2797D8.6010104@roumenpetrov.info>
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
Message-ID:

On Sat, 8 Jan 2011, Roumen Petrov wrote:

> Damien Miller wrote:
> > On Thu, 6 Jan 2011, Roumen Petrov wrote:
> >
> > > Damien Miller wrote:
> > >
> > > > Hi,
> > > >
> > > > OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> > > >
> > > [SNIP]
> > > Now make target "distprep" is broken. So either remove dependency from
> > > catman-do or provide bootstrap shell script, please.
> > >
> > Works for me. Can you please provide the output of a failing make?
> >
> > -d
> >
> On user request in the past for bootstrap script the suggestion was to run
> make -f Makefile.in distprep. Now this don't work. As this is documented I
> guess that ordinary users will just follow the guides found in internet.

Sure, but what is the error message?

From djm at mindrot.org Sat Jan 8 22:01:43 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2011 22:01:43 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <20110107223350.GA17093@linux124.nas.nasa.gov>
References: <20110107195119.GG6057@linux124.nas.nasa.gov>
 <20110107223350.GA17093@linux124.nas.nasa.gov>
Message-ID:

On Fri, 7 Jan 2011, Iain Morgan wrote:

> userkey dsa-1024, hostkey dsa-1024: No DSA host key is known for localhost-with-alias and you have requested strict checking.

These should be fixed in the next (20110108) snapshot. It was a bug in the
regress script.

-d

From djm at mindrot.org Sat Jan 8 22:24:22 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2011 22:24:22 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <886142099.271576.1294319286726.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
References: <886142099.271576.1294319286726.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
Message-ID:

On Thu, 6 Jan 2011, Jan Chadima wrote:

> Hello,
> snapshot from Jan 6 2011 failed on rhel6:

Thanks for testing. Unfortunately, I don't have ready access to rhel6 so
I'll have to ask for your help in debugging this.

> cat /home/jfch/test/openssh/regress/rsa_openssh.prv > /home/jfch/test/openssh/regress//t2.out
> chmod 600 /home/jfch/test/openssh/regress//t2.out
> ssh-keygen -yf /home/jfch/test/openssh/regress//t2.out | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
> ssh-keygen -ef /home/jfch/test/openssh/regress/rsa_openssh.pub >/home/jfch/test/openssh/regress//rsa_secsh.pub
> ssh-keygen -if /home/jfch/test/openssh/regress//rsa_secsh.pub | diff - /home/jfch/test/openssh/regress/rsa_openssh.pub
> rm -f /home/jfch/test/openssh/regress/rsa_secsh.pub
> ssh-keygen -lf /home/jfch/test/openssh/regress/rsa_openssh.pub |\
> awk '{print $2}' | diff - /home/jfch/test/openssh/regress/t4.ok
> 0a1
> > 3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36

What are the contents of /home/jfch/test/openssh/regress/rsa_openssh.pub
and the output of "ssh-keygen -lf /home/jfch/test/openssh/regress/rsa_openssh.pub" ?

Thanks,
Damien

From djm at mindrot.org Sat Jan 8 22:26:16 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2011 22:26:16 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
Message-ID:

On Sat, 8 Jan 2011, Damien Miller wrote:

> Sure, but what is the error message?

ok, I see it now. I'd recommend "make -f Makefile.in distprep MANFMT=nroff"
(or MANFMT=mandoc if you have it).

-d

From openssh at roumenpetrov.info Sun Jan 9 02:50:57 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 08 Jan 2011 17:50:57 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
Message-ID: <4D2887E1.9020306@roumenpetrov.info>

Damien Miller wrote:
> On Sat, 8 Jan 2011, Roumen Petrov wrote:
>
>> Damien Miller wrote:
>>
>>> On Thu, 6 Jan 2011, Roumen Petrov wrote:
>>>
>>>> Damien Miller wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
>>>>>
>>>> [SNIP]
>>>> Now make target "distprep" is broken. So either remove dependency from
>>>> catman-do or provide bootstrap shell script, please.
>>>>
>>> Works for me. Can you please provide the output of a failing make?
>>>
>>> -d
>>>
>> On user request in the past for bootstrap script the suggestion was to run
>> make -f Makefile.in distprep. Now this don't work. As this is documented I
>> guess that ordinary users will just follow the guides found in internet.
>>
> Sure, but what is the error message?
>

@MANFMT@: command not found and zero size for catman files ( *.0 files ).

Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

From openssh at roumenpetrov.info Sun Jan 9 02:57:17 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 08 Jan 2011 17:57:17 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
Message-ID: <4D28895D.4070507@roumenpetrov.info>

Damien Miller wrote:
[SNIP]
> ok, I see it now. I'd recommend "make -f Makefile.in distprep
> MANFMT=nroff"
> (or MANFMT=mandoc if you have it).
>
>
It is not for me. It is for the manuals that users could find on the
internet, and in the next decade ordinary users will complain.

> -d
>

Roumen

From openssh at roumenpetrov.info Sun Jan 9 04:59:28 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 08 Jan 2011 19:59:28 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <4D28A600.5050909@roumenpetrov.info>

Damien Miller wrote:
> Hi,
>
> OpenSSH 5.7 is almost ready for release [SNIP]
>

One minor issue: /etc/ssh/ssh_host_ecdsa_key is not listed in the PATHSUBS
command in Makefile.in like the other host key paths.

Roumen

From djm at mindrot.org Sun Jan 9 09:15:37 2011
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Jan 2011 09:15:37 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <4D28895D.4070507@roumenpetrov.info>
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
 <4D28895D.4070507@roumenpetrov.info>
Message-ID:

On Sat, 8 Jan 2011, Roumen Petrov wrote:

> Damien Miller wrote:
> [SNIP]
>
> > ok, I see it now. I'd recommend "make -f Makefile.in distprep
> > MANFMT=nroff" (or MANFMT=mandoc if you have it).
>
> It is not for me. It is for the manuals that users could find on the
> internet, and in the next decade ordinary users will complain.

Ordinary users don't need this step if they are building from a snapshot
or distribution tarball since I do this step as part of the release
process. It is only necessary for builds from CVS. If the users are
building from CVS, then they must be able to figure out how to adapt to
changes in the build process.

-d

From djm at mindrot.org Sun Jan 9 09:20:16 2011
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Jan 2011 09:20:16 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <4D28A600.5050909@roumenpetrov.info>
References: <4D28A600.5050909@roumenpetrov.info>
Message-ID:

On Sat, 8 Jan 2011, Roumen Petrov wrote:

> Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 5.7 is almost ready for release [SNIP]
> >
> One minor issue: /etc/ssh/ssh_host_ecdsa_key is not listed in the PATHSUBS
> command in Makefile.in like the other host key paths.

Fixed - thanks.

-d

From cristian.ionescu-idbohrn at axis.com Sun Jan 9 09:49:58 2011
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Sat, 8 Jan 2011 23:49:58 +0100 (CET)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info>
 <4D28895D.4070507@roumenpetrov.info>
Message-ID: <1101082343140.7745@somehost>

On Sun, 9 Jan 2011, Damien Miller wrote:

> On Sat, 8 Jan 2011, Roumen Petrov wrote:
>
> > Damien Miller wrote:
> > [SNIP]
> >
> > > ok, I see it now. I'd recommend "make -f Makefile.in distprep
> > > MANFMT=nroff" (or MANFMT=mandoc if you have it).
> >
> > It is not for me. It is for the manuals that users could find on the
> > internet, and in the next decade ordinary users will complain.
>
> Ordinary users don't need this step if they are building from a snapshot
> or distribution tarball since I do this step as part of the release
> process. It is only necessary for builds from CVS. If the users are
> building from CVS, then they must be able to figure out how to adapt to
> changes in the build process.

That approach will not make the project more attractive to the masses, I
fear. OTOH, this project might not aim for mass attraction. Rather the
opposite? But I may be totally wrong in that assumption. Am I not?

Cheers,

--
Cristian

From jmpoure at gooze.eu Sun Jan 9 19:09:23 2011
From: jmpoure at gooze.eu (Jean-Michel Pouré - GOOZE)
Date: Sun, 09 Jan 2011 09:09:23 +0100
Subject: Asking PIN on usb dongle insert
Message-ID: <1294560563.3298.2.camel@acer>

Dear Friends,

This question is about smartcard/usb token support in OpenSSH.

pcsc-lite now supports udev rules.

It should be possible to trigger ssh-add -s /usr/lib/openssh-pkcs11.so
when inserting a USB token.
At the same time there should be a way to trigger ssh-add
-e /usr/lib/openssh-pkcs11.so on USB token removal.

Did some of you test this scenario?

Kind regards,

--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

From peter at stuge.se Mon Jan 10 05:29:18 2011
From: peter at stuge.se (Peter Stuge)
Date: Sun, 9 Jan 2011 19:29:18 +0100
Subject: Asking PIN on usb dongle insert
In-Reply-To: <1294560563.3298.2.camel@acer>
References: <1294560563.3298.2.camel@acer>
Message-ID: <20110109182918.26204.qmail@stuge.se>

Hi,

Jean-Michel Pouré - GOOZE wrote:
> This question is about smartcard/usb token support in OpenSSH.
>
> pcsc-lite now supports udev rules.
>
> It should be possible to trigger ssh-add -s /usr/lib/openssh-pkcs11.so
> when inserting a USB token.
> At the same time there should be a way to trigger ssh-add
> -e /usr/lib/openssh-pkcs11.so on USB token removal.
>
> Did some of you test this scenario?

As you may know, ssh-add communicates with ssh-agent, which as you may
also know is not available from udev. But you could probably hack
something up with dbus.


//Peter

From vinschen at redhat.com Mon Jan 10 21:03:11 2011
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 10 Jan 2011 11:03:11 +0100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <20110110100311.GA30309@calimero.vinschen.de>

On Jan 6 23:31, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests

Builds OOTB on Cygwin 1.7.7. All tests pass (except, as usual, sftp-glob).


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From scott_n at xypro.com Sat Jan 8 07:06:44 2011
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 7 Jan 2011 12:06:44 -0800
Subject: Call for testing: OpenSSH-5.7
References:
Message-ID: <78DD71C304F38B41885A242996B96F7302874009@xyservd.XYPRO-23.LOCAL>

> -----Original Message-----
> From: Scott Neugroschl
> Sent: Friday, January 07, 2011 11:18 AM
> To: openssh-unix-dev at mindrot.org
> Subject: RE: Call for testing: OpenSSH-5.7
>
> > OpenSSH 5.7 is almost ready for release, so we would appreciate
> testing
> > on as many platforms and systems as possible. This release contains a
> > couple of large and intrusive features and changes and quite a number
> > of
> > bug fixes.
> >
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
> >
>
> openssh-SNAP-20110108.tar.gz passes all tests on Mandriva 2010.2
>

Follow-up -- that's the 32-bit version.

From scott_n at xypro.com Sat Jan 8 06:18:28 2011
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 7 Jan 2011 11:18:28 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <78DD71C304F38B41885A242996B96F7302873FCE@xyservd.XYPRO-23.LOCAL>

> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number
> of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>

openssh-SNAP-20110108.tar.gz passes all tests on Mandriva 2010.2

From thesource at ldb-jab.org Tue Jan 11 01:02:13 2011
From: thesource at ldb-jab.org (LDB)
Date: Mon, 10 Jan 2011 09:02:13 -0500
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <4D2B1165.10702@master.ldb-jab.org>

On 01/06/2011 07:31 AM, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 5.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of large and intrusive features and changes and quite a number of
> bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------

openssh-SNAP-20110111 passed ALL tests on openSUSE 11.3 (x86_64)

From imorgan at nas.nasa.gov Wed Jan 12 06:54:22 2011
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 11 Jan 2011 11:54:22 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <20110107195119.GG6057@linux124.nas.nasa.gov>
 <20110107223350.GA17093@linux124.nas.nasa.gov>
Message-ID: <20110111195422.GO13155@linux124.nas.nasa.gov>

On Sat, Jan 08, 2011 at 05:01:43 -0600, Damien Miller wrote:
> On Fri, 7 Jan 2011, Iain Morgan wrote:
>
> > userkey dsa-1024, hostkey dsa-1024: No DSA host key is known for localhost-with-alias and you have requested strict checking.
>
> These should be fixed in the next (20110108) snapshot. It was a bug in the
> regress script.
>
> -d

Confirmed. The 20110112 snapshot builds and tests correctly on RHEL 5
(x86_64), Solaris 9 (SPARC), and Mac OS X (Intel).

--
Iain Morgan

From djm at mindrot.org Wed Jan 12 13:37:49 2011
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Jan 2011 13:37:49 +1100 (EST)
Subject: [openssh-commits] CVS: fuyu.mindrot.org: openssh
In-Reply-To: <201101120234.p0C2Y4c7014467@fuyu.mindrot.org>
References: <201101120234.p0C2Y4c7014467@fuyu.mindrot.org>
Message-ID:

This commit message was supposed to be:

 - (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoid
   silly warnings on write() calls we don't care succeed or not.

I fixed the CVS log retrospectively

On Wed, 12 Jan 2011, Damien Miller wrote:

> CVSROOT:	/var/cvs
> Module name:	openssh
> Changes by:	djm at fuyu.mindrot.org	11/01/12 13:34:04
>
> Modified files:
> 	.              : ChangeLog configure.ac
>
> Log message:
>
> Diff commands:
> cvs -nQq rdiff -u -r1.5786 -r1.5787 openssh/ChangeLog
> cvs -nQq rdiff -u -r1.461 -r1.462 openssh/configure.ac
>
> ViewVC:
> http://anoncvs.mindrot.org/index.cgi/openssh/ChangeLog?r1=1.5786;r2=1.5787&view=patch
> http://anoncvs.mindrot.org/index.cgi/openssh/configure.ac?r1=1.461;r2=1.462&view=patch
>
> Please note that there may be a delay before commits are available
> on the public ViewVC site.
> _______________________________________________
> openssh-commits mailing list
> openssh-commits at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-commits
>

From bert.wesarg at googlemail.com Fri Jan 14 08:37:46 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Thu, 13 Jan 2011 22:37:46 +0100
Subject: experimental mercurial repository available
In-Reply-To:
References:
Message-ID:

Hi,

On Mon, Jan 3, 2011 at 05:23, Damien Miller wrote:
> Hi,
>
> Quite a few people have asked to be able to access OpenSSH sources using a
> DVCS, so I have made a Mercurial repository available at
> http://hg.mindrot.org/openssh

I can't access the repo anymore. Any reason for this?

Thanks.

Bert

From bert.wesarg at googlemail.com Fri Jan 14 08:40:14 2011
From: bert.wesarg at googlemail.com (Bert Wesarg) Date: Thu, 13 Jan 2011 22:40:14 +0100 Subject: [PATCH] mux: update PROTOCOL.mux and fix error messages on client side Message-ID: <2d22f98f1d0f1b51597f9ceebc1e50fb74c72d66.1294954439.git.bert.wesarg@googlemail.com> --- PROTOCOL.mux | 24 ++++++++++++------------ mux.c | 10 +++++----- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 1d8c463..958e0d5 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -28,7 +28,7 @@ defined. To open a new multiplexed session, a client may send the following request: - uint32 MUX_C_MSG_NEW_SESSION + uint32 MUX_C_NEW_SESSION uint32 request id string reserved bool want tty flag @@ -99,7 +99,7 @@ The server will reply with one of MUX_S_OK or MUX_S_PERMISSION_DENIED. A client may request the master to establish a port forward: - uint32 MUX_C_OPEN_FORWARD + uint32 MUX_C_OPEN_FWD uint32 request id uint32 forwarding type string listen host @@ -118,24 +118,23 @@ For dynamically allocated listen port the server replies with uint32 client request id uint32 allocated remote listen port -5. Requesting closure of port forwards +6. Requesting closure of port forwards + +Note: currently unimplemented (server will always reply with MUX_S_FAILURE). A client may request the master to establish a port forward: - uint32 MUX_C_OPEN_FORWARD + uint32 MUX_C_CLOSE_FWD uint32 request id - uint32 forwarding type string listen host string listen port string connect host string connect port -forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC. - A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE. -6. Requesting stdio forwarding +7. Requesting stdio forwarding A client may request the master to establish a stdio forwarding: 
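Review bot: in the PROTOCOL.mux @@ -118 hunk the renumbered section 6 still opens with "A client may request the master to establish a port forward:", copied from the MUX_C_OPEN_FWD section above it; since the message is now MUX_C_CLOSE_FWD, that sentence should read "A client may request the master to close a port forward:". The added note that the server currently always replies with MUX_S_FAILURE is useful, but it contradicts the unchanged sentence at the end of the same section, which still lists MUX_S_OK and MUX_S_PERMISSION_DENIED as possible replies; qualify that sentence too (for example "once implemented, a server may reply with ...").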
@@ -153,7 +152,7 @@ The contents of "reserved" are currently ignored. A server may reply with a MUX_S_SESSION_OPEED, a MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE. -7. Status messages +8. Status messages The MUX_S_OK message is empty: @@ -170,14 +169,15 @@ The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason: uint32 client request id string reason -7. Protocol numbers +9. Protocol numbers #define MUX_MSG_HELLO 0x00000001 #define MUX_C_NEW_SESSION 0x10000002 #define MUX_C_ALIVE_CHECK 0x10000004 #define MUX_C_TERMINATE 0x10000005 -#define MUX_C_OPEN_FORWARD 0x10000006 -#define MUX_C_CLOSE_FORWARD 0x10000007 +#define MUX_C_OPEN_FWD 0x10000006 +#define MUX_C_CLOSE_FWD 0x10000007 +#define MUX_C_NEW_STDIO_FWD 0x10000008 #define MUX_S_OK 0x80000001 #define MUX_S_PERMISSION_DENIED 0x80000002 #define MUX_S_FAILURE 0x80000003 diff --git a/mux.c b/mux.c index f1f7e6b..9b3633b 100644 --- a/mux.c +++ b/mux.c @@ -1530,7 +1530,7 @@ mux_client_request_forward(int fd, u_int ftype, Forward *fwd) case MUX_S_FAILURE: e = buffer_get_string(&m, NULL); buffer_free(&m); - error("%s: session request failed: %s", __func__, e); + error("%s: forwarding request failed: %s", __func__, e); return -1; default: fatal("%s: unexpected response from master 0x%08x", @@ -1649,12 +1649,12 @@ mux_client_request_session(int fd) case MUX_S_PERMISSION_DENIED: e = buffer_get_string(&m, NULL); buffer_free(&m); - error("Master refused forwarding request: %s", e); + error("Master refused session request: %s", e); return -1; case MUX_S_FAILURE: e = buffer_get_string(&m, NULL); buffer_free(&m); - error("%s: forwarding request failed: %s", __func__, e); + error("%s: session request failed: %s", __func__, e); return -1; default: buffer_free(&m); 
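Review bot: the PROTOCOL.mux @@ -153 hunk only renumbers the heading and leaves the context line "A server may reply with a MUX_S_SESSION_OPEED" untouched; the constant is MUX_S_SESSION_OPENED, and since this patch is already correcting constant names elsewhere in the file (MUX_C_NEW_SESSION, MUX_C_OPEN_FWD, MUX_C_CLOSE_FWD), fix this one in the same pass so the document does not keep a name that does not exist in the protocol numbers table.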
@@ -1781,11 +1781,11 @@ mux_client_request_stdio_fwd(int fd) case MUX_S_PERMISSION_DENIED: e = buffer_get_string(&m, NULL); buffer_free(&m); - fatal("Master refused forwarding request: %s", e); + fatal("Master refused stdio forwarding request: %s", e); case MUX_S_FAILURE: e = buffer_get_string(&m, NULL); buffer_free(&m); - fatal("%s: stdio forwarding request failed: %s", __func__, e); + fatal("%s: stdio stdio forwarding request failed: %s", __func__, e); default: buffer_free(&m); error("%s: unexpected response from master 0x%08x", -- 1.7.3.3.1603.g7f137 From djm at mindrot.org Fri Jan 14 08:50:57 2011 From: djm at mindrot.org (Damien Miller) Date: Fri, 14 Jan 2011 08:50:57 +1100 (EST) Subject: experimental mercurial repository available In-Reply-To: References: Message-ID: On Thu, 13 Jan 2011, Bert Wesarg wrote: > Hi, > > On Mon, Jan 3, 2011 at 05:23, Damien Miller wrote: > > Hi, > > > > Quite a few people have asked to be able to access OpenSSH sources using a > > DVCS, so I have made a Mercurial repository available at > > http://hg.mindrot.org/openssh > > I can't access the repo anymore. Any reason for this? Fixed, sorry about that. -d From djm at mindrot.org Fri Jan 14 08:55:56 2011 From: djm at mindrot.org (Damien Miller) Date: Fri, 14 Jan 2011 08:55:56 +1100 (EST) Subject: [PATCH] mux: update PROTOCOL.mux and fix error messages on client side In-Reply-To: <2d22f98f1d0f1b51597f9ceebc1e50fb74c72d66.1294954439.git.bert.wesarg@googlemail.com> References: <2d22f98f1d0f1b51597f9ceebc1e50fb74c72d66.1294954439.git.bert.wesarg@googlemail.com> Message-ID: applied, except: > - fatal("%s: stdio forwarding request failed: %s", __func__, e); > + fatal("%s: stdio stdio forwarding request failed: %s", __func__, e); thanks From djm at mindrot.org Fri Jan 14 15:08:29 2011 
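Review bot: in the mux.c @@ -1781 hunk the second change turns a correct message into a wrong one: the replaced line already read fatal("%s: stdio forwarding request failed: %s", __func__, e); and the new line says "stdio stdio forwarding request failed", a duplicated word. Drop that -/+ pair and keep only the first change in the hunk ("Master refused forwarding request" to "Master refused stdio forwarding request"), which is the one that actually disambiguates the message from the port-forwarding path.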
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Jan 2011 15:08:29 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

Hi,

Thanks everyone for their test reports. Last night Tim Rice and I fixed
some makefile and regress test problems that were causing some tests
not to run completely.

If you have the opportunity, we'd appreciate if you could rerun your tests
with the latest snapshot (20110114).

Thanks,
Damien

From andyb1 at andy-t.org Fri Jan 14 15:25:27 2011
From: andyb1 at andy-t.org (Andy Tsouladze)
Date: Thu, 13 Jan 2011 22:25:27 -0600 (CST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

> If you have the opportunity, we'd appreciate if you could rerun your tests
> with the latest snapshot (20110114).

Compiles and passes all tests on slackware-12.0 and slackware-13.0.

Regards,

Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

From bert.wesarg at googlemail.com Fri Jan 14 19:42:50 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Fri, 14 Jan 2011 09:42:50 +0100
Subject: [PATCH] mux: update PROTOCOL.mux and fix error messages on client side
In-Reply-To:
References: <2d22f98f1d0f1b51597f9ceebc1e50fb74c72d66.1294954439.git.bert.wesarg@googlemail.com>
Message-ID:

On Thu, Jan 13, 2011 at 22:55, Damien Miller wrote:
> applied, except:
>
>> -             fatal("%s: stdio forwarding request failed: %s", __func__, e);
>> +             fatal("%s: stdio stdio forwarding request failed: %s", __func__, e);
>

Yeah, sorry, and thanks for spotting.

> thanks
>

From vinschen at redhat.com Sat Jan 15 00:08:45 2011
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 14 Jan 2011 14:08:45 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <20110114130844.GA30229@calimero.vinschen.de> On Jan 14 15:08, Damien Miller wrote: > Hi, > > Thanks everyone for their test reports. Last night Tim Rice and I fixed > some makefile and regress test problems that were causing some tests > not to run completely. > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). All tests still pass on Cygwin, except for sftp-glob. However, I'm a bit tired of having to change regress/Makefile all the time to run the tests. Therefore, would you mind applying the below patch? It disables the sftp globbing tests testing backslashes in filenames. These can't work due to backslashes being directory separators on Windows(*). Thanks, Corinna (*) It occurred to me that Cygwin could enable some sort of "strict POSIX" mode, which disallows entering DOS paths, and which in turn would convert backslashes to simple characters allowed in filenames. There's already code in Cygwin which handles other characters not allowed in Windows filenames (<, >, ?, *, |) by transposing them into the UNICODE private use area U+f0XX. However, this "strict POSIX" mode isn't implemented yet, and even *if* it gets implemented it would be the user's choice to use it, so I'd rather disable the affected tests in sftp-glob.sh. Index: regress/sftp-glob.sh =================================================================== RCS file: /cvs/openssh/regress/sftp-glob.sh,v retrieving revision 1.5 diff -u -p -r1.5 sftp-glob.sh --- regress/sftp-glob.sh 6 Oct 2009 23:43:57 -0000 1.5 +++ regress/sftp-glob.sh 14 Jan 2011 13:02:29 -0000 
@@ -45,7 +45,14 @@ SPACE="${DIR}/g-q space" rm -rf ${BASE} mkdir -p ${DIR} touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" -touch "${QSLASH}" "${ESLASH}" "${SLASH}" "${SPACE}" +case `uname -s` in +CYGWIN*) + ;; +*) + touch "${QSLASH}" "${ESLASH}" "${SLASH}" + ;; +esac +touch "${SPACE}" # target message expected unexpected sftp_ls "${DIR}/fil*" "file glob" "${DATA}" "" @@ -55,12 +62,18 @@ sftp_ls "${DIR}/g-wild\*" "escape sftp_ls "${DIR}/g-quote\\\"" "escaped quote" "g-quote\"" "" sftp_ls "\"${DIR}/g-quote\\\"\"" "quoted quote" "g-quote\"" "" sftp_ls "'${DIR}/g-quote\"'" "single-quoted quote" "g-quote\"" "" -sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" -sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" -sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" -sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" -sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" -sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" +case `uname -s` in +CYGWIN*) + ;; +*) + sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" + sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" + sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" + sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" + sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" + sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" + ;; +esac sftp_ls "${DIR}/g-q\\ space" "escaped space" "g-q space" "" sftp_ls "'${DIR}/g-q space'" "quoted space" "g-q space" "" -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From kevin.brott at gmail.com Fri Jan 14 18:44:38 2011 
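Review bot: both hunks run `uname -s` and repeat the same three-line `case`, once around the `touch` of the backslash files and once around the six `sftp_ls` calls, so the two gates can drift apart; evaluate it once at the top of the script into a variable and test that in both places. On Cygwin the six tests also vanish silently, leaving nothing in the output to show that sftp-glob ran short; a `verbose` "skipped on Cygwin" line in the CYGWIN branch (the script's own helper) keeps the run honest.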
From: kevin.brott at gmail.com (Kevin Brott) Date: Thu, 13 Jan 2011 23:44:38 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <4D2FFEE6.7090809@gmail.com> On 01/13/11 20:08, Damien Miller wrote: > Hi, > > Thanks everyone for their test reports. Last night Tim Rice and I fixed > some makefile and regress test problems that were causing some tests > not to run completely. > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). > Work's been slamming - but I'll have our usual suite of test systems compiling it first thing in the morning PST. From cristian.ionescu-idbohrn at axis.com Sat Jan 15 05:05:35 2011 From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn) Date: Fri, 14 Jan 2011 19:05:35 +0100 (CET) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <1101141851530.11541@somehost> On Fri, 14 Jan 2011, Damien Miller wrote: > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). Debian unstable (aka sid): "all tests passed" but, you might consider filtering out stderr in these tests: ... scp: detect non-directory target .../openssh/regress/copy2: Not a directory ok scp ... run test sftp-cmds.sh ... rm: cannot remove directory: `.' rm: cannot remove directory: `..' ... sftp commands: rmdir sftp commands: lmkdir sftp commands: lchdir rm: cannot remove directory: `.' rm: cannot remove directory: `..' ok sftp commands Cheers, -- Cristian From scott_n at xypro.com Sat Jan 15 05:27:48 2011 From: scott_n at xypro.com (Scott Neugroschl) Date: Fri, 14 Jan 2011 10:27:48 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <78DD71C304F38B41885A242996B96F730287478D@xyservd.XYPRO-23.LOCAL> 
> From: Damien Miller > > If you have the opportunity, we'd appreciate if you could rerun your > tests > with the latest snapshot (20110114). > Mandriva 2010.2 -- all tests passed From scottmc2 at gmail.com Sat Jan 15 06:06:11 2011 From: scottmc2 at gmail.com (scott mc) Date: Fri, 14 Jan 2011 11:06:11 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <78DD71C304F38B41885A242996B96F730287478D@xyservd.XYPRO-23.LOCAL> References: <78DD71C304F38B41885A242996B96F730287478D@xyservd.XYPRO-23.LOCAL> Message-ID: The tests stall on Haiku at "test basic sftp put/get: buffer_size 5 num_requests 1", and I had to ctrl-c out of it after over 30 minutes of waiting. This was with the snapshot from the 14th. Here's a pastebin of the run up to that point: http://haiku.pastebin.com/q3gbAsDn Keep in mind that Haiku is still Alpha, so there's a good chance this is due to something wrong in Haiku. -scottmc From fredports at mufley.com Sat Jan 15 06:30:38 2011 
From: fredports at mufley.com (Frederico Costa (Ports)) Date: Fri, 14 Jan 2011 19:30:38 +0000 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <78DD71C304F38B41885A242996B96F730287478D@xyservd.XYPRO-23.LOCAL> Message-ID: Hi there... Just new to the list, and learning my way around, but I can say that I have run the tests on the following systems: FreeBSD 7.3-RELEASE-p1 FreeBSD 8.2-RC1 And all tests passed on both for the openssh-SNAP-20110114.tar.gz Have a good weekend.. Fred --- Frederico Costa fredports at mufley.com On Fri, 14 Jan 2011 11:06:11 -0800, scott mc wrote: > The tests stall on Haiku at "test basic sftp put/get: buffer_size 5 > num_requests 1", and I had to ctrl-c out of it after over 30 minutes of > waiting. > This was with the snapshot from the 14th. > Here's a pastebin of the run up to that point: > http://haiku.pastebin.com/q3gbAsDn > Keep in mind that Haiku is still Alpha, so there's a good chance this > is due to something wrong in Haiku. > > -scottmc > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From fredports at mufley.com Sat Jan 15 04:48:47 2011 
From: fredports at mufley.com (Frederico Costa (ports)) Date: Fri, 14 Jan 2011 17:48:47 +0000 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D2FFEE6.7090809@gmail.com> References: <4D2FFEE6.7090809@gmail.com> Message-ID: <4D308C7F.3060702@mufley.com> Hi there... Just new to the list, and learning my way around, but I can say that I have run the tests on the following systems: FreeBSD 7.3-RELEASE-p1 FreeBSD 8.2-RC1 And all tests passed on both for the openssh-SNAP-20110114.tar.gz Have a good weekend.. Fred --- Frederico Costa fredports at mufley.com On 14/01/2011 07:44, Kevin Brott wrote: > On 01/13/11 20:08, Damien Miller wrote: >> Hi, >> >> Thanks everyone for their test reports. Last night Tim Rice and I fixed >> some makefile and regress test problems that were causing some tests >> not to run completely. >> >> If you have the opportunity, we'd appreciate if you could rerun your tests >> with the latest snapshot (20110114). >> > > Work's been slamming - but I'll have our usual suite of test systems compiling it first thing in the morning PST. > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From keisial at gmail.com Sat Jan 15 07:52:57 2011 
From: keisial at gmail.com (Ángel González) Date: Fri, 14 Jan 2011 21:52:57 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> Message-ID: <4D30B7A9.3080306@gmail.com> Damien Miller wrote: > On Sat, 8 Jan 2011, Damien Miller wrote: > >> Sure, but what is the error message? > ok, I see it now. I'd recommend "make -f Makefile.in distprep MANFMT=nroff" > (or MANFMT=mandoc if you have it). > > -d Is that the preferred way for creating the configure? I get a lot of "AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in body" warnings with autoconf 2.68 $ autoreconf --version autoreconf (GNU Autoconf) 2.68 That warning was added in autoconf 2.68, because failing to provide AC_LANG_SOURCE could result in a "broken configure" [1]. [1] http://www.mail-archive.com/bug-autoconf at gnu.org/msg03052.html From djm at mindrot.org Sat Jan 15 08:24:35 2011 
From: djm at mindrot.org (Damien Miller) Date: Sat, 15 Jan 2011 08:24:35 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <20110114130844.GA30229@calimero.vinschen.de> References: <20110114130844.GA30229@calimero.vinschen.de> Message-ID: On Fri, 14 Jan 2011, Corinna Vinschen wrote: > On Jan 14 15:08, Damien Miller wrote: > > Hi, > > > > Thanks everyone for their test reports. Last night Tim Rice and I fixed > > some makefile and regress test problems that were causing some tests > > not to run completely. > > > > If you have the opportunity, we'd appreciate if you could rerun your tests > > with the latest snapshot (20110114). > > All tests still pass on Cygwin, except for sftp-glob. > > However, I'm a bit tired of having to change regress/Makefile all the time > to run the tests. Therefore, would you mind applying the below patch? > > It disables the sftp globbing tests testing backslashes in filenames. > These can't work due to backslashes being directory separators on > Windows(*). I think we should propagate the host type into the regress environment, since there are a couple of other platform quirks that we can use it for (e.g. Darwin/OSX's failure of the agent-ptrace test). Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.318 diff -u -p -r1.318 Makefile.in --- Makefile.in 14 Jan 2011 03:47:40 -0000 1.318 +++ Makefile.in 14 Jan 2011 21:23:04 -0000 @@ -30,6 +30,7 @@ RAND_HELPER=$(libexecdir)/ssh-rand-helpe PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ +HOSTTYPE=@HOSTTYPE@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ @@ -416,6 +417,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ + HOSTTYPE="@HOSTTYPE@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ .OBJDIR="$${BUILDDIR}/regress" \ 
@@ -438,6 +440,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ TEST_SSH_ECC="$${TEST_SSH_ECC}" \ + HOSTTYPE="$${HOSTTYPE}" \ EXEEXT="$(EXEEXT)" \ $@ && echo all tests passed Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.464 diff -u -p -r1.464 configure.ac --- configure.ac 13 Jan 2011 06:35:46 -0000 1.464 +++ configure.ac 14 Jan 2011 21:23:04 -0000 @@ -371,6 +371,8 @@ SPC_MSG="no" SP_MSG="no" # Check for some target-specific stuff +HOSTTYPE=$host +AC_SUBST(HOSTTYPE) case "$host" in *-*-aix*) # Some versions of VAC won't allow macro redefinitions at Index: regress/sftp-glob.sh =================================================================== RCS file: /var/cvs/openssh/regress/sftp-glob.sh,v retrieving revision 1.5 diff -u -p -r1.5 sftp-glob.sh --- regress/sftp-glob.sh 6 Oct 2009 23:43:57 -0000 1.5 +++ regress/sftp-glob.sh 14 Jan 2011 21:23:04 -0000 @@ -3,11 +3,25 @@ tid="sftp glob" +case "$HOSTTYPE" in +*-*-cygwin*) + CYGWIN=1 + ;; +*) + CYGWIN= + ;; +esac + sftp_ls() { target=$1 errtag=$2 expected=$3 unexpected=$4 + skip=$5 + if test "x$skip" != "x" ; then + verbose "$tid: $errtag skipped for $HOSTTYPE" + return + fi verbose "$tid: $errtag" printf "ls -l %s" "${target}" | \ ${SFTP} -b - -D ${SFTPSERVER} 2>/dev/null | \ @@ -44,8 +58,8 @@ SPACE="${DIR}/g-q space" rm -rf ${BASE} mkdir -p ${DIR} -touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" -touch "${QSLASH}" "${ESLASH}" "${SLASH}" "${SPACE}" +touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" "${SPACE}" +test "x$CYGWIN" = "x" && touch "${QSLASH}" "${ESLASH}" "${SLASH}" # target message expected unexpected sftp_ls "${DIR}/fil*" "file glob" "${DATA}" "" 
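Review bot: `HOSTTYPE` is a variable bash sets on its own at startup (to a short machine string such as x86_64), so `case "$HOSTTYPE" in *-*-cygwin*)` in the sftp-glob.sh hunk only sees the configure-time triple while the Makefile.in hunks are exporting it; run the script by hand under bash and the pattern never matches, the Cygwin skip is lost, and the backslash tests fail with no hint why. A name that cannot collide, following the TEST_SSH_IPV6/TEST_SSH_ECC variables passed on the neighbouring lines (TEST_SSH_HOSTTYPE, say), removes the ambiguity. The `skip=$5` mechanism itself is sound: an empty, unquoted `$CYGWIN` drops out of the argument list and `test "x$skip" != "x"` sees nothing, while the `verbose "$tid: $errtag skipped for $HOSTTYPE"` line records the skip in the output.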
@@ -55,14 +69,15 @@ sftp_ls "${DIR}/g-wild\*" "escape sftp_ls "${DIR}/g-quote\\\"" "escaped quote" "g-quote\"" "" sftp_ls "\"${DIR}/g-quote\\\"\"" "quoted quote" "g-quote\"" "" sftp_ls "'${DIR}/g-quote\"'" "single-quoted quote" "g-quote\"" "" -sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" -sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" -sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" -sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" -sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" -sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" sftp_ls "${DIR}/g-q\\ space" "escaped space" "g-q space" "" sftp_ls "'${DIR}/g-q space'" "quoted space" "g-q space" "" + +sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" $CYGWIN +sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" $CYGWIN +sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" $CYGWIN +sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" $CYGWIN +sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" $CYGWIN +sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" $CYGWIN rm -rf ${BASE} From djm at mindrot.org Sat Jan 15 08:26:53 2011 
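Review bot: besides gaining the `$CYGWIN` fifth argument, the six backslash tests are moved below the two space tests, so the hunk reads as a rewrite of the block rather than the one-token-per-line change it is, and the test order changes on every platform; appending `$CYGWIN` to the lines in place keeps the diff minimal and the order as before.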
From: djm at mindrot.org (Damien Miller) Date: Sat, 15 Jan 2011 08:26:53 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D30B7A9.3080306@gmail.com> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> Message-ID: I wouldn't recommend the use of 2.68 yet; new autoconf versions have almost always caused breakage on at least one platform. We still use 2.61. Could you please file a bug at https://bugzilla.mindrot.org/ about the problem? We might as well get ready for newer autoconf for when we do switch. -d On Fri, 14 Jan 2011, Ángel González wrote: > Damien Miller wrote: > > On Sat, 8 Jan 2011, Damien Miller wrote: > > > >> Sure, but what is the error message? > > ok, I see it now. I'd recommend "make -f Makefile.in distprep MANFMT=nroff" > > (or MANFMT=mandoc if you have it). > > > > -d > Is that the preferred way for creating the configure? > I get a lot of "AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in > body" warnings with autoconf 2.68 > > $ autoreconf --version > autoreconf (GNU Autoconf) 2.68 > > That warning was added in autoconf 2.68, because failing to provide > AC_LANG_SOURCE > could result in a "broken configure" [1]. > > [1] http://www.mail-archive.com/bug-autoconf at gnu.org/msg03052.html > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From tim at multitalents.net Sat Jan 15 08:44:38 2011 
From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Jan 2011 13:44:38 -0800 (PST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D30B7A9.3080306@gmail.com> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> Message-ID: On Fri, 14 Jan 2011, Ángel González wrote: > Is that the preferred way for creating the configure? > I get a lot of "AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in > body" warnings with autoconf 2.68 > > $ autoreconf --version > autoreconf (GNU Autoconf) 2.68 > > That warning was added in autoconf 2.68, because failing to provide > AC_LANG_SOURCE > could result in a "broken configure" [1]. > > [1] http://www.mail-archive.com/bug-autoconf at gnu.org/msg03052.html As Damien mentioned in another post, we use autoconf 2.61. That said, we could be consistent on the use of AC_LANG_SOURCE. Does this patch make your 2.68 happy? ---------- --- configure.ac.old 2011-01-11 21:17:45.210746003 -0800 +++ configure.ac 2011-01-14 13:33:54.295871066 -0800 @@ -23,7 +23,7 @@ AC_MSG_CHECKING([if $CC supports $1]) saved_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $1" - AC_COMPILE_IFELSE([void main(void) { return 0; }], + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void main(void) { return 0; }]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) CFLAGS="$saved_CFLAGS" ] @@ -1953,11 +1953,11 @@ if test "x$check_for_conflicting_getspnam" = "x1"; then AC_MSG_CHECKING(for conflicting getspnam in shadow.h) - AC_COMPILE_IFELSE( + AC_COMPILE_IFELSE([AC_LANG_SOURCE([ [ #include int main(void) {exit(0);} - ], + ]])], [ AC_MSG_RESULT(no) ], @@ -3214,7 +3217,7 @@ dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ - AC_COMPILE_IFELSE( + AC_COMPILE_IFELSE([AC_LANG_SOURCE([ [ #include #include 
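Review bot: the probe in the first hunk still compiles `void main(void) { return 0; }`, which is not valid C (main declared void, and a value returned from a void function); clang rejects it outright and gcc does under -Werror, and since this macro is what decides whether $CC accepts a CFLAGS option, a rejecting compiler answers "no" for every option passed through it, regardless of the option. As the line is being touched anyway, make it `int main(void) { return 0; }`.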
@@ -3228,7 +3231,7 @@ m.msg_accrights = 0; exit(0); } - ], + ]])], [ ac_cv_have_accrights_in_msghdr="yes" ], [ ac_cv_have_accrights_in_msghdr="no" ] ) @@ -3277,7 +3280,7 @@ AC_CACHE_CHECK([for msg_control field in struct msghdr], ac_cv_have_control_in_msghdr, [ - AC_COMPILE_IFELSE( + AC_COMPILE_IFELSE([AC_LANG_SOURCE([ [ #include #include @@ -3291,7 +3294,7 @@ m.msg_control = 0; exit(0); } - ], + ]])], [ ac_cv_have_control_in_msghdr="yes" ], [ ac_cv_have_control_in_msghdr="no" ] ) ---------- -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From raubvogel at gmail.com Sat Jan 15 08:49:36 2011 From: raubvogel at gmail.com (Mauricio Tavares) Date: Fri, 14 Jan 2011 16:49:36 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> Message-ID: <4D30C4F0.8060800@gmail.com> Besides the expected user error (quickly solved after I bitchslapped myself), I had no problem compiling openssh-SNAP-20110115.tar.gz in Solaris 10 sparc (using sunfreeware's gcc) and on OSX 10.5.8 PPC. If nobody has done it yet, I can do in 10.6.something/intel and maybe AIX 5.something/Solaris8/whatever else I find here doing nothing. From kevin.brott at gmail.com Sat Jan 15 08:28:01 2011 
From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 14 Jan 2011 13:28:01 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Thu, Jan 13, 2011 at 20:08, Damien Miller wrote: > Hi, > > Thanks everyone for their test reports. Last night Tim Rice and I fixed > some makefile and regress test problems that were causing some tests > not to run completely. > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). > > Thanks, > Damien > > Using openssh-SNAP-20110115.tar.gz

OS               Build_Target              CC                 OpenSSL  BUILDS  TESTS
===============  ========================  =================  =======  ======  ======================
RHEL 2.1         i686-pc-linux-gnu         gcc 2.9.6          0.9.8o   *1*2*   FAILS *3* (5.6 passed)
RHEL 3.0 tu6     i686-pc-linux-gnu         gcc 3.2.3          0.9.7a   *2*     FAILS *3* (5.6 passed)
RHEL 4.0 nu5     i686-pc-linux-gnu         gcc 3.4.6          0.9.7a   *2*     FAILS *3* (5.6 passed)
RH 8.0           i686-pc-linux-gnu         gcc 3.2.2          0.9.7a   YES     FAILS *4* (5.6 passed)
FedoraCore r2    i686-pc-linux-gnu         gcc 3.3.3          0.9.7a   *2*     all tests passed
Ubuntu 6.06.2    i686-pc-linux-gnu         gcc 4.0.3          0.9.8a   YES     all tests passed
Ubuntu 7.10      i686-pc-linux-gnu         gcc 4.1.3          0.9.8o   YES     all tests passed
Ubuntu 10.10     x86_64-unknown-linux-gnu  gcc 4.4.5          0.9.8o   YES     all tests passed
RH 6.2           i686-pc-linux-gnu         egcs 2.91.66       0.9.8j   YES     all tests passed
RHEL 5.4         x86_64-redhat-linux       gcc 4.1.2          0.9.8e   YES     all tests passed
AIX 5.2 tl10sp4  powerpc-ibm-aix5.2.0.0    gcc 3.3.2          0.9.8f   YES     all tests passed
AIX 5.3 tl7sp2   powerpc-ibm-aix5.3.0.0    gcc 4.2.0          0.9.8k   YES     all tests passed
AIX 6.1 tl4sp6   powerpc-ibm-aix6.1.0.0    gcc 4.2.0          0.9.8k   YES     all tests passed
HP-UX 11.11      hppa2.0w-hp-hpux11.11     gcc 3.4.3          0.9.7m   YES     all tests passed
HP-UX 11.23      ia64-hp-hpux11.23         gcc 4.1.1          0.9.7m   *5*     all tests passed
HP-UX 11.31      ia64-hp-hpux11.31         gcc 4.3.3          0.9.8n   YES     all tests passed
HP-UX 11.31      ia64-hp-hpux11.31         HP C/aC++ A.06.20  0.9.8n   YES     all tests passed

*1* OS shipped with openssl 0.9.6b & openssh 5.6 will not configure/build; however, building against 0.9.8o installed in local/tmp directory works
*2* OS shipped with an old version of zlib - openssh will build/compile against 1.2.5 installed in local/tmp directory or using the --without-zlib-version-check configure flag
*3* run test yes-head.sh ...
    Write failed flushing stdout buffer.
    yes|head returns 1024 lines instead of 2000
    failed yes pipe head
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
*4* run test agent-ptrace.sh ...
    ptrace succeeded?: exit code 1
    failed disallow agent ptrace attach
    gmake[1]: *** [t-exec] Error 1
    gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
    gmake: *** [tests] Error 2
*5* HP-UX 11.23 on ia64 required --disable-utmpx to build

-- # include /* Kevin Brott */ From tim at multitalents.net Sat Jan 15 09:01:03 2011 From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Jan 2011 14:01:03 -0800 (PST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D30C4F0.8060800@gmail.com> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30C4F0.8060800@gmail.com> Message-ID: On Fri, 14 Jan 2011, Mauricio Tavares wrote: > Besides the expected user error (quickly solved after I bitchslapped > myself), I had no problem compiling openssh-SNAP-20110115.tar.gz in Solaris 10 > sparc (using sunfreeware's gcc) and on OSX 10.5.8 PPC. If nobody has done it > yet, I can do in 10.6.something/intel and maybe AIX > 5.something/Solaris8/whatever else I find here doing nothing. Even if someone has, it is worth doing, you may use a different compiler or configure options. Thanks. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From raubvogel at gmail.com Sat Jan 15 09:04:12 2011 
From: raubvogel at gmail.com (Mauricio Tavares) Date: Fri, 14 Jan 2011 17:04:12 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30C4F0.8060800@gmail.com> Message-ID: <4D30C85C.40900@gmail.com> On 01/14/2011 05:01 PM, Tim Rice wrote: > On Fri, 14 Jan 2011, Mauricio Tavares wrote: > >> Besides the expected user error (quickly solved after I bitchslapped >> myself), I had no problem compiling openssh-SNAP-20110115.tar.gz in Solaris 10 >> sparc (using sunfreeware's gcc) and on OSX 10.5.8 PPC. If nobody has done it >> yet, I can do in 10.6.something/intel and maybe AIX >> 5.something/Solaris8/whatever else I find here doing nothing. > > Even if someone has, it is worth doing, you may use a different compiler > or configure options. > > Thanks. > Will do. BTW, the only thing I noticed was that ./configure in Solaris would not check for ar and ranlib in /usr/ccs/bin/, which is where Solaris likes to hide 'em. So, all I did was PATH=$PATH:/usr/ccs/bin/ ./configure PATH=$PATH:/usr/ccs/bin/ make tests and it was happy as the proverbial clam. From tim at multitalents.net Sat Jan 15 09:21:31 2011 
From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Jan 2011 14:21:31 -0800 (PST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D30C85C.40900@gmail.com> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30C4F0.8060800@gmail.com> <4D30C85C.40900@gmail.com> Message-ID: On Fri, 14 Jan 2011, Mauricio Tavares wrote: > Will do. BTW, the only thing I noticed was that ./configure in Solaris > would not check for ar and ranlib in /usr/ccs/bin/, which is where Solaris > likes to hide 'em. So, all I did was > > PATH=$PATH:/usr/ccs/bin/ ./configure > PATH=$PATH:/usr/ccs/bin/ make tests > > and it was happy as the proverbial clam. We make no attempt to guess a user's build environment in configure. We expect the user to have the compiler/linker tools in his/her PATH. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From thesource at ldb-jab.org Sat Jan 15 09:43:43 2011 From: thesource at ldb-jab.org (LDB) Date: Fri, 14 Jan 2011 17:43:43 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <4D30D19F.7030507@master.ldb-jab.org> On 01/13/2011 11:08 PM, Damien Miller wrote: > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). > > Thanks, > Damien > openssh-SNAP-20110114 passed ALL tests on openSUSE 11.3 (x86_64) openssh-SNAP-20110115 passed ALL tests on openSUSE 11.3 (x86_64) From imorgan at nas.nasa.gov Sat Jan 15 10:00:41 2011 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Fri, 14 Jan 2011 15:00:41 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <20110114230041.GA4614@linux124.nas.nasa.gov> On Thu, Jan 13, 2011 at 22:08:29 -0600, Damien Miller wrote: > Hi, > > Thanks everyone for their test reports. Last night Tim Rice and I fixed > some makefile and regress test problems that were causing some tests > not to run completely. > > If you have the opportunity, we'd appreciate if you could rerun your tests > with the latest snapshot (20110114). > The 20110115 snapshot built and tested successfully on the following platforms: RHEL 5 (x86_64) Solaris 9 (SPARC) Mac OS X (Intel) SLES 10 (x86_64) SLES 10 (IA64) SLES 11 (x86_64) By the way, I had occasion to try the -3 support in scp. It works well, but it's a little unfortunate that the progress meter does not seem to work with this option. -- Iain Morgan From openssh at roumenpetrov.info Sat Jan 15 10:04:34 2011 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Sat, 15 Jan 2011 01:04:34 +0200 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> Message-ID: <4D30D682.7020705@roumenpetrov.info> Tim Rice wrote: > On Fri, 14 Jan 2011, Ángel González wrote: > > >> Is that the preferred way for creating the configure? >> I get a lot of "AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in >> body" warnings with autoconf 2.68 >> >> $ autoreconf --version >> autoreconf (GNU Autoconf) 2.68 >> >> That warning was added in autoconf 2.68, because failing to provide >> AC_LANG_SOURCE >> could result in a "broken configure" [1]. >> >> [1] http://www.mail-archive.com/bug-autoconf at gnu.org/msg03052.html >> > As Damien mentioned in another post, we use autoconf 2.61. > That said, we could be consistent on the use of AC_LANG_SOURCE. > Does this patch make your 2.68 happy? > ---------- > --- configure.ac.old 2011-01-11 21:17:45.210746003 -0800 > +++ configure.ac 2011-01-14 13:33:54.295871066 -0800 > @@ -23,7 +23,7 @@ > AC_MSG_CHECKING([if $CC supports $1]) > saved_CFLAGS="$CFLAGS" > CFLAGS="$CFLAGS $1" > - AC_COMPILE_IFELSE([void main(void) { return 0; }], > + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void main(void) { return 0; }]])], > [ AC_MSG_RESULT(yes) ], > [ AC_MSG_RESULT(no) > CFLAGS="$saved_CFLAGS" ] > @@ -1953,11 +1953,11 @@ > > if test "x$check_for_conflicting_getspnam" = "x1"; then > AC_MSG_CHECKING(for conflicting getspnam in shadow.h) > - AC_COMPILE_IFELSE( > + AC_COMPILE_IFELSE([AC_LANG_SOURCE([ > [ > #include > int main(void) {exit(0);} > - ], > + ]])], > [ > .... You may consider using *AC_LANG_PROGRAM* instead. Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From keisial at gmail.com Sat Jan 15 11:21:29 2011 
From: keisial at gmail.com (Ángel González) Date: Sat, 15 Jan 2011 01:21:29 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> Message-ID: <4D30E889.3070107@gmail.com> Tim Rice wrote: > On Fri, 14 Jan 2011, Ángel González wrote: >> Is that the preferred way for creating the configure? >> I get a lot of "AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in >> body" warnings with autoconf 2.68 >> >> $ autoreconf --version >> autoreconf (GNU Autoconf) 2.68 >> >> That warning was added in autoconf 2.68, because failing to provide >> AC_LANG_SOURCE >> could result in a "broken configure" [1]. >> >> [1] http://www.mail-archive.com/bug-autoconf at gnu.org/msg03052.html > As Damien mentioned in another post, we use autoconf 2.61. You wanted testing. The new autoconf warns about what autoconf guys consider wrong syntax, thus I report. :) Note that it's a warning, not an error. It still creates a configure and the resulting file passes the tests. > That said, we could be consistent on the use of AC_LANG_SOURCE. > Does this patch make your 2.68 happy? It does seem to make it happier. 81 error lines instead of 288. The errors may be coming from some included file, though. Here are the errors after applying your patch http://pastebin.com/hywKkavP From tim at multitalents.net Sat Jan 15 12:20:16 2011 
From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Jan 2011 17:20:16 -0800 (PST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D30D682.7020705@roumenpetrov.info> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30D682.7020705@roumenpetrov.info> Message-ID: On Sat, 15 Jan 2011, Roumen Petrov wrote: > You may consider to use *AC_LANG_PROGRAM* instead. > > Roumen I'll look at that post 5.7 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From Laatsch at uni-koeln.de Sat Jan 15 13:11:25 2011 From: Laatsch at uni-koeln.de (Rainer Laatsch) Date: Sat, 15 Jan 2011 03:11:25 +0100 (CET) Subject: OPENSSH 5.7: openssh-SNAP-20110115 SUCCESS on Scientific Linux SL release 5.4 (Boron) Message-ID: make[1]: Leaving directory `/Data/openssh-SNAP-20110115/regress' all tests passed root at host103# uname -a Linux host103.localdomain 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:56:26 EST 2010 i686 athlon i386 GNU/Linux root at host103# cat /etc/*release* Scientific Linux SL release 5.4 (Boron) root at host103# cat /proc/version Linux version 2.6.18-194.26.1.el5 (brewbuilder at norob.fnal.gov) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Nov 9 12:56:26 EST 2010 From tim at multitalents.net Sat Jan 15 17:16:36 2011 
From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Jan 2011 22:16:36 -0800 (PST) Subject: autoconf.ac [was Re: Call for testing: OpenSSH-5.7] In-Reply-To: <4D30E889.3070107@gmail.com> References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30E889.3070107@gmail.com> Message-ID: On Sat, 15 Jan 2011, Ángel González wrote: > Tim Rice wrote: > > On Fri, 14 Jan 2011, Ángel González wrote: > >> $ autoreconf --version > >> autoreconf (GNU Autoconf) 2.68 > > That said, we could be consistent on the use of AC_LANG_SOURCE. > > Does this patch make your 2.68 happy? > It does seem to make it happier. 81 error lines instead of 288. > The errors may be coming from some included file, though. OK, I couldn't resist. Here is a patch (attached so mailers don't mangle it) that adds some additional M4 quoting, and uses AC_LANG_PROGRAM as suggested by Roumen. Autoconf 2.68 is happy with it and autoconf 2.61 still likes it. Using it with autoconf 2.61, there are no regressions on the 8 machines I tested on (config.h identical). It may be too late to get this in for 5.7. I'll let Damien decide. > Here are the errors after applying your patch http://pastebin.com/hywKkavP Best to post the output to the list. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- openssh/configure.ac 2011-01-14 21:19:32.677494041 -0800 +++ tst/configure.ac 2011-01-14 21:10:30.201542002 -0800 @@ -23,7 +23,7 @@ AC_MSG_CHECKING([if $CC supports $1]) saved_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $1" - AC_COMPILE_IFELSE([void main(void) { return 0; }], + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void main(void) { return 0; }]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) CFLAGS="$saved_CFLAGS" ] 
@@ -92,20 +92,20 @@ # Use LOGIN_PROGRAM from environment if possible if test ! -z "$LOGIN_PROGRAM" ; then - AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM", + AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM"], [If your header files don't define LOGIN_PROGRAM, then use this (detected) from environment and PATH]) else # Search for login AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login) if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then - AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM_FALLBACK") + AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM_FALLBACK"]) fi fi AC_PATH_PROG(PATH_PASSWD_PROG, passwd) if test ! -z "$PATH_PASSWD_PROG" ; then - AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG", + AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"], [Full path of your "passwd" program]) fi @@ -150,14 +150,12 @@ AC_MSG_CHECKING(if $CC accepts -fno-builtin-memset) saved_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -fno-builtin-memset" - AC_LINK_IFELSE( [AC_LANG_SOURCE([[ -#include -int main(void){char b[10]; memset(b, 0, sizeof(b));} - ]])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[char b[10]; memset(b, 0, sizeof(b));]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) CFLAGS="$saved_CFLAGS" ] -) + ) # -fstack-protector-all doesn't always work for some GCC versions # and/or platforms, so we test if we can. If it's not supported 
@@ -170,19 +168,19 @@ CFLAGS="$CFLAGS $t -Werror" LDFLAGS="$LDFLAGS $t -Werror" AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0;} - ])], + [AC_LANG_PROGRAM([[#include ]], + [[ + char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0; + ]])], [ AC_MSG_RESULT(yes) CFLAGS="$saved_CFLAGS $t" LDFLAGS="$saved_LDFLAGS $t" AC_MSG_CHECKING(if $t works) AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0;} - ])], + [AC_LANG_PROGRAM([[#include ]], + [[ + char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0; + ]])], [ AC_MSG_RESULT(yes) break ], [ AC_MSG_RESULT(no) ], @@ -211,7 +209,7 @@ fi if test "x$no_attrib_nonnull" != "x1" ; then - AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull]) + AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) fi AC_ARG_WITH(rpath, @@ -380,11 +378,10 @@ # not fatal. AC_MSG_CHECKING(if compiler allows macro redefinitions) AC_COMPILE_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #define testmacro foo -#define testmacro bar -int main(void) { exit(0); } - ]])], +#define testmacro bar]], + [[exit(0);]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" @@ -418,10 +415,10 @@ fi LDFLAGS="$saved_LDFLAGS" dnl Check for authenticate. Might be in libs.a on older AIXes - AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1, + AC_CHECK_FUNC(authenticate, [AC_DEFINE([WITH_AIXAUTHENTICATE], [1], [Define if you want to enable AIX4's authenticate function])], [AC_CHECK_LIB(s,authenticate, - [ AC_DEFINE(WITH_AIXAUTHENTICATE) + [ AC_DEFINE([WITH_AIXAUTHENTICATE]) LIBS="$LIBS -ls" ]) ]) 
@@ -435,7 +432,7 @@ [#include ], [(void)loginfailed("user","host","tty",0);], [AC_MSG_RESULT(yes) - AC_DEFINE(AIX_LOGINFAILED_4ARG, 1, + AC_DEFINE([AIX_LOGINFAILED_4ARG], [1], [Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT(no)] 
@@ -445,51 +442,51 @@ ) AC_CHECK_FUNCS(getgrset setauthdb) AC_CHECK_DECL(F_CLOSEM, - AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]), + AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]), [], [ #include #include ] ) check_for_aix_broken_getaddrinfo=1 - AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.]) - AC_DEFINE(SETEUID_BREAKS_SETUID, 1, + AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.]) + AC_DEFINE([SETEUID_BREAKS_SETUID], [1], [Define if your platform breaks doing a seteuid before a setuid]) - AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken]) - AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken]) + AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken]) + AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken]) dnl AIX handles lastlog as part of its login message - AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog]) - AC_DEFINE(LOGIN_NEEDS_UTMPX, 1, + AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog]) + AC_DEFINE([LOGIN_NEEDS_UTMPX], [1], [Some systems need a utmpx entry for /bin/login to work]) - AC_DEFINE(SPT_TYPE,SPT_REUSEARGV, + AC_DEFINE([SPT_TYPE],[SPT_REUSEARGV], [Define to a Set Process Title type if your system is supported by bsd-setproctitle.c]) - AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1, + AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], [AIX 5.2 and 5.3 (and presumably newer) require this]) - AC_DEFINE(PTY_ZEROREAD, 1, [read(1) can return 0 for a non-closed fd]) + AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) ;; *-*-cygwin*) check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textreadmode.o" - AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin]) - AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()]) - AC_DEFINE(DISABLE_SHADOW, 1, + AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin]) + 
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()]) + AC_DEFINE([DISABLE_SHADOW], [1], [Define if you want to disable shadow passwords]) - AC_DEFINE(NO_X11_UNIX_SOCKETS, 1, + AC_DEFINE([NO_X11_UNIX_SOCKETS], [1], [Define if X11 doesn't support AF_UNIX sockets on that system]) - AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1, + AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1], [Define if the concept of ports only accessible to superusers isn't known]) - AC_DEFINE(DISABLE_FD_PASSING, 1, + AC_DEFINE([DISABLE_FD_PASSING], [1], [Define if your platform needs to skip post auth file descriptor passing]) - AC_DEFINE(SSH_IOBUFSZ, 65535, [Windows is sensitive to read buffer size]) + AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) ;; *-*-dgux*) - AC_DEFINE(IP_TOS_IS_BROKEN, 1, + AC_DEFINE([IP_TOS_IS_BROKEN], [1], [Define if your system choked on IP TOS setting]) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) ;; *-*-darwin*) AC_MSG_CHECKING(if we have working getaddrinfo) 
@@ -500,24 +497,24 @@ exit(1); }], [AC_MSG_RESULT(working)], [AC_MSG_RESULT(buggy) - AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])], + AC_DEFINE([BROKEN_GETADDRINFO], [1], [getaddrinfo is broken (if present)])], [AC_MSG_RESULT(assume it is working)]) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(BROKEN_GLOB, 1, [OS X glob does not do what we expect]) - AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1, + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) + AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], [Define if your resolver libs need this for getrrsetbyname]) - AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) - AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) + AC_DEFINE([SSH_TUN_COMPAT_AF], [1], [Use tunnel device compatibility to OpenBSD]) - AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) m4_pattern_allow(AU_IPv) AC_CHECK_DECL(AU_IPv4, [], - AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) + AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) [#include ] - AC_DEFINE(LASTLOG_WRITE_PUTUTXLINE, 1, + AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1], [Define if pututxline updates lastlog too]) ) ;; 
@@ -527,20 +524,20 @@ *-*-haiku*) LIBS="$LIBS -lbsd " AC_CHECK_LIB(network, socket) - AC_DEFINE(HAVE_U_INT64_T) + AC_DEFINE([HAVE_U_INT64_T]) MANTYPE=man ;; *-*-hpux*) # first we define all of the options common to all HP-UX releases CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" IPADDR_IN_DISPLAY=yes - AC_DEFINE(USE_PIPES) - AC_DEFINE(LOGIN_NO_ENDOPT, 1, + AC_DEFINE([USE_PIPES]) + AC_DEFINE([LOGIN_NO_ENDOPT], [1], [Define if your login program cannot handle end of options ("--")]) - AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(LOCKED_PASSWD_STRING, "*", + AC_DEFINE([LOGIN_NEEDS_UTMPX]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], [String used in /etc/passwd to denote locked account]) - AC_DEFINE(SPT_TYPE,SPT_PSTAT) + AC_DEFINE([SPT_TYPE],SPT_PSTAT) MAIL="/var/mail/username" LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, , @@ -554,13 +551,13 @@ fi ;; *-*-hpux11*) - AC_DEFINE(PAM_SUN_CODEBASE, 1, + AC_DEFINE([PAM_SUN_CODEBASE], [1], [Define if you are using Solaris-derived PAM which passes pam_messages to the conversation function with an extra level of indirection]) - AC_DEFINE(DISABLE_UTMP, 1, + AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp]) - AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) check_for_hpux_broken_getaddrinfo=1 check_for_conflicting_getspnam=1 ;; @@ -569,7 +566,7 @@ # lastly, we define options specific to minor releases case "$host" in *-*-hpux10.26) - AC_DEFINE(HAVE_SECUREWARE, 1, + AC_DEFINE([HAVE_SECUREWARE], [1], [Define if you have SecureWare-based protected password database]) disable_ptmx_check=yes 
@@ -579,79 +576,79 @@ ;; *-*-irix5*) PATH="$PATH:/usr/etc" - AC_DEFINE(BROKEN_INET_NTOA, 1, + AC_DEFINE([BROKEN_INET_NTOA], [1], [Define if you system's inet_ntoa is busted (e.g. Irix gcc issue)]) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(WITH_ABBREV_NO_TTY, 1, + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY], [1], [Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp]) - AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) ;; *-*-irix6*) PATH="$PATH:/usr/etc" - AC_DEFINE(WITH_IRIX_ARRAY, 1, + AC_DEFINE([WITH_IRIX_ARRAY], [1], [Define if you have/want arrays (cluster-wide session managment, not C arrays)]) - AC_DEFINE(WITH_IRIX_PROJECT, 1, + AC_DEFINE([WITH_IRIX_PROJECT], [1], [Define if you want IRIX project management]) - AC_DEFINE(WITH_IRIX_AUDIT, 1, + AC_DEFINE([WITH_IRIX_AUDIT], [1], [Define if you want IRIX audit trails]) - AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1, + AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE([WITH_IRIX_JOBS], [1], [Define if you want IRIX kernel jobs])]) - AC_DEFINE(BROKEN_INET_NTOA) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)]) - AC_DEFINE(WITH_ABBREV_NO_TTY) - AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + AC_DEFINE([BROKEN_INET_NTOA]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) ;; *-*-k*bsd*-gnu | *-*-kopensolaris*-gnu) check_for_libcrypt_later=1 - AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") - AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) - AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) - 
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + AC_DEFINE([PAM_TTY_KLUDGE]) + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"]) + AC_DEFINE([SPT_TYPE],[SPT_REUSEARGV]) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) ;; *-*-linux*) no_dev_ptmx=1 check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 - AC_DEFINE(PAM_TTY_KLUDGE, 1, + AC_DEFINE([PAM_TTY_KLUDGE], [1], [Work around problematic Linux PAM modules handling of PAM_TTY]) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!", + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"], [String used in /etc/passwd to denote locked account]) - AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) - AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM, + AC_DEFINE([SPT_TYPE],[SPT_REUSEARGV]) + AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM], [Define to whatever link() returns for "not supported" if it doesn't return EOPNOTSUPP.]) - AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) - AC_DEFINE(USE_BTMP) - AC_DEFINE(LINUX_OOM_ADJUST, 1, [Adjust Linux out-of-memory killer]) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) inet6_default_4in6=yes case `uname -r` in 1.*|2.0.*) - AC_DEFINE(BROKEN_CMSG_TYPE, 1, + AC_DEFINE([BROKEN_CMSG_TYPE], [1], [Define if cmsg_type is not passed correctly]) ;; esac # tun(4) forwarding compat code AC_CHECK_HEADERS(linux/if_tun.h) if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then - AC_DEFINE(SSH_TUN_LINUX, 1, + AC_DEFINE([SSH_TUN_LINUX], [1], [Open tunnel devices the Linux tun/tap way]) - AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + AC_DEFINE([SSH_TUN_COMPAT_AF], [1], [Use tunnel device compatibility to OpenBSD]) - AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) fi ;; mips-sony-bsd|mips-sony-newsos4) - AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling 
tty]) + AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) SONY=1 ;; *-*-netbsd*) 
@@ -659,63 +656,63 @@ if test "x$withval" != "xno" ; then need_dash_r=1 fi - AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) AC_CHECK_HEADER([net/if_tap.h], , - AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) - AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) ;; *-*-freebsd*) check_for_libcrypt_later=1 - AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)]) - AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)]) + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) AC_CHECK_HEADER([net/if_tap.h], , - AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) - AC_DEFINE(BROKEN_GLOB, 1, [FreeBSD glob does not do what we need]) + AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) + AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) ;; *-*-bsdi*) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) ;; *-next-*) conf_lastlog_location="/usr/adm/lastlog" conf_utmp_location=/etc/utmp conf_wtmp_location=/usr/adm/wtmp MAIL=/usr/spool/mail - AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT]) - AC_DEFINE(BROKEN_REALPATH) - AC_DEFINE(USE_PIPES) - AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT]) + AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT]) + AC_DEFINE([BROKEN_REALPATH]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) ;; *-*-openbsd*) - AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) - AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded]) - 
AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way]) - AC_DEFINE(SYSLOG_R_SAFE_IN_SIGHAND, 1, + AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) + AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) + AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) + AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], [syslog_r function is safe to use in in a signal handler]) ;; *-*-solaris*) if test "x$withval" != "xno" ; then need_dash_r=1 fi - AC_DEFINE(PAM_SUN_CODEBASE) - AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(LOGIN_NEEDS_TERM, 1, + AC_DEFINE([PAM_SUN_CODEBASE]) + AC_DEFINE([LOGIN_NEEDS_UTMPX]) + AC_DEFINE([LOGIN_NEEDS_TERM], [1], [Some versions of /bin/login need the TERM supplied on the commandline]) - AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1, + AC_DEFINE([PAM_TTY_KLUDGE]) + AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], [Define if pam_chauthtok wants real uid set to the unpriv'ed user]) - AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) # Pushing STREAMS modules will cause sshd to acquire a controlling tty. - AC_DEFINE(SSHD_ACQUIRES_CTTY, 1, + AC_DEFINE([SSHD_ACQUIRES_CTTY], [1], [Define if sshd somehow reacquires a controlling TTY after setsid()]) - AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd + AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd in case the name is longer than 8 chars]) - AC_DEFINE(BROKEN_TCGETATTR_ICANON, 1, [tcgetattr with ICANON may hang]) + AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang]) external_path_file=/etc/default/login # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" 
@@ -723,8 +720,8 @@ sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` if test "$sol2ver" -ge 8; then AC_MSG_RESULT(yes) - AC_DEFINE(DISABLE_UTMP) - AC_DEFINE(DISABLE_WTMP, 1, + AC_DEFINE([DISABLE_UTMP]) + AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp]) else AC_MSG_RESULT(no) @@ -733,7 +730,7 @@ [ --with-solaris-contracts Enable Solaris process contracts (experimental)], [ AC_CHECK_LIB(contract, ct_tmpl_activate, - [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1, + [ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1], [Define if you have Solaris process contracts]) SSHDLIBS="$SSHDLIBS -lcontract" AC_SUBST(SSHDLIBS) @@ -744,7 +741,7 @@ [ --with-solaris-projects Enable Solaris projects (experimental)], [ AC_CHECK_LIB(project, setproject, - [ AC_DEFINE(USE_SOLARIS_PROJECTS, 1, + [ AC_DEFINE([USE_SOLARIS_PROJECTS], [1], [Define if you have Solaris projects]) SSHDLIBS="$SSHDLIBS -lproject" AC_SUBST(SSHDLIBS) @@ -755,19 +752,19 @@ *-*-sunos4*) CPPFLAGS="$CPPFLAGS -DSUNOS4" AC_CHECK_FUNCS(getpwanam) - AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE([PAM_SUN_CODEBASE]) conf_utmp_location=/etc/utmp conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog - AC_DEFINE(USE_PIPES) + AC_DEFINE([USE_PIPES]) ;; *-ncr-sysv*) LIBS="$LIBS -lc89" - AC_DEFINE(USE_PIPES) - AC_DEFINE(SSHD_ACQUIRES_CTTY) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) ;; *-sni-sysv*) # /usr/ucblib MUST NOT be searched on ReliantUNIX 
@@ -775,12 +772,12 @@ # -lresolv needs to be at the end of LIBS or DNS lookups break AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ]) IPADDR_IN_DISPLAY=yes - AC_DEFINE(USE_PIPES) - AC_DEFINE(IP_TOS_IS_BROKEN) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([IP_TOS_IS_BROKEN]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) external_path_file=/etc/default/login # /usr/ucblib/libucb.a no longer needed on ReliantUNIX # Attention: always take care to bind libsocket and libnsl before libc, 
@@ -788,36 +785,36 @@ ;; # UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. *-*-sysv4.2*) - AC_DEFINE(USE_PIPES) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) - AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf" - AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars]) - AC_DEFINE(USE_PIPES) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_GETADDRINFO) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(PASSWD_NEEDS_USERNAME) + AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([PASSWD_NEEDS_USERNAME]) case "$host" in *-*-sysv5SCO_SV*) # SCO OpenServer 6.x TEST_SHELL=/u95/bin/sh - AC_DEFINE(BROKEN_LIBIAF, 1, + AC_DEFINE([BROKEN_LIBIAF], [1], [ia_uinfo routines not supported by OS yet]) - AC_DEFINE(BROKEN_UPDWTMPX) + AC_DEFINE([BROKEN_UPDWTMPX]) AC_CHECK_LIB(prot, getluid,[ LIBS="$LIBS -lprot" AC_CHECK_FUNCS(getluid setluid,,,-lprot) - AC_DEFINE(HAVE_SECUREWARE) - AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE([HAVE_SECUREWARE]) + AC_DEFINE([DISABLE_SHADOW]) ],,) ;; - *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + *) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) check_for_libcrypt_later=1 ;; esac 
@@ -835,51 +832,51 @@ fi LIBS="$LIBS -lprot -lx -ltinfo -lm" no_dev_ptmx=1 - AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SECUREWARE) - AC_DEFINE(DISABLE_SHADOW) - AC_DEFINE(DISABLE_FD_PASSING) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_GETADDRINFO) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(WITH_ABBREV_NO_TTY) - AC_DEFINE(BROKEN_UPDWTMPX) - AC_DEFINE(PASSWD_NEEDS_USERNAME) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([HAVE_SECUREWARE]) + AC_DEFINE([DISABLE_SHADOW]) + AC_DEFINE([DISABLE_FD_PASSING]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([BROKEN_UPDWTMPX]) + AC_DEFINE([PASSWD_NEEDS_USERNAME]) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man TEST_SHELL=ksh ;; *-*-unicosmk*) - AC_DEFINE(NO_SSH_LASTLOG, 1, + AC_DEFINE([NO_SSH_LASTLOG], [1], [Define if you don't want to use lastlog in session.c]) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(USE_PIPES) - AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) LDFLAGS="$LDFLAGS" LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" MANTYPE=cat ;; *-*-unicosmp*) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(WITH_ABBREV_NO_TTY) - AC_DEFINE(USE_PIPES) - AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) LDFLAGS="$LDFLAGS" LIBS="$LIBS -lgen -lacid -ldb" MANTYPE=cat ;; *-*-unicos*) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(USE_PIPES) - AC_DEFINE(DISABLE_FD_PASSING) - AC_DEFINE(NO_SSH_LASTLOG) + 
AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) + AC_DEFINE([NO_SSH_LASTLOG]) LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" MANTYPE=cat 
@@ -899,65 +896,61 @@ if test -z "$no_osfsia" ; then if test -f /etc/sia/matrix.conf; then AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_OSF_SIA, 1, + AC_DEFINE([HAVE_OSF_SIA], [1], [Define if you have Digital Unix Security Integration Architecture]) - AC_DEFINE(DISABLE_LOGIN, 1, + AC_DEFINE([DISABLE_LOGIN], [1], [Define if you don't want to use your system's login() call]) - AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE([DISABLE_FD_PASSING]) LIBS="$LIBS -lsecurity -ldb -lm -laud" SIA_MSG="yes" else AC_MSG_RESULT(no) - AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin", + AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"], [String used in /etc/passwd to denote locked account]) fi fi - AC_DEFINE(BROKEN_GETADDRINFO) - AC_DEFINE(SETEUID_BREAKS_SETUID) - AC_DEFINE(BROKEN_SETREUID) - AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(BROKEN_READV_COMPARISON, 1, [Can't do comparisons on readv]) + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv]) ;; *-*-nto-qnx*) - AC_DEFINE(USE_PIPES) - AC_DEFINE(NO_X11_UNIX_SOCKETS) - AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems]) - AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems]) - AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems]) - AC_DEFINE(DISABLE_LASTLOG) - AC_DEFINE(SSHD_ACQUIRES_CTTY) - AC_DEFINE(BROKEN_SHADOW_EXPIRE, 1, [QNX shadow support is broken]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([NO_X11_UNIX_SOCKETS]) + AC_DEFINE([MISSING_NFDBITS], [1], [Define on *nto-qnx systems]) + AC_DEFINE([MISSING_HOWMANY], [1], [Define on *nto-qnx systems]) + AC_DEFINE([MISSING_FD_MASK], [1], [Define on *nto-qnx systems]) + AC_DEFINE([DISABLE_LASTLOG]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken]) enable_etc_default_login=no # has incompatible /etc/default/login case "$host" in *-*-nto-qnx6*) - AC_DEFINE(DISABLE_FD_PASSING) + 
AC_DEFINE([DISABLE_FD_PASSING]) ;; esac ;; *-*-ultrix*) - AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1]) - AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files]) - AC_DEFINE(NEED_SETPGRP) - AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix]) + AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1]) + AC_DEFINE([BROKEN_MMAP], [1], [Ultrix mmap can't map files]) + AC_DEFINE([NEED_SETPGRP]) + AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix]) ;; *-*-lynxos) CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" - AC_DEFINE(MISSING_HOWMANY) - AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation]) + AC_DEFINE([MISSING_HOWMANY]) + AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) ;; esac AC_MSG_CHECKING(compiler and flags for sanity) -AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(){exit(0);} - ])], +AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include ]], [[exit(0);]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) @@ -1003,7 +996,7 @@ ]) if test "x$ac_cv_have_broken_dirname" = "xno" ; then LIBS="$LIBS -lgen" - AC_DEFINE(HAVE_DIRNAME) + AC_DEFINE([HAVE_DIRNAME]) AC_CHECK_HEADERS(libgen.h) fi ]) @@ -1011,7 +1004,7 @@ AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) -AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1, +AC_SEARCH_LIBS(basename, gen, AC_DEFINE([HAVE_BASENAME], [1], [Define if you have the basename function.])) dnl zlib is required @@ -1055,7 +1048,7 @@ fi CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" LIBS="$LIBS -lz" - AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ), + AC_TRY_LINK_FUNC(deflate, AC_DEFINE([HAVE_LIBZ]), [ AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) ] 
@@ -1072,11 +1065,10 @@ ) AC_MSG_CHECKING(for possibly buggy zlib) -AC_RUN_IFELSE([AC_LANG_SOURCE([[ +AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include -#include -int main() -{ +#include ]], + [[ int a=0, b=0, c=0, d=0, n, v; n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); if (n != 3 && n != 4) @@ -1093,7 +1085,6 @@ exit(0); exit(2); -} ]])], AC_MSG_RESULT(no), [ AC_MSG_RESULT(yes) @@ -1117,13 +1108,13 @@ [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] ) AC_CHECK_FUNCS(utimes, - [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) + [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE([HAVE_UTIMES]) LIBS="$LIBS -lc89"]) ] ) dnl Checks for libutil functions AC_CHECK_HEADERS(libutil.h) -AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1, +AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE([HAVE_LOGIN], [1], [Define if your libraries define login()])]) AC_CHECK_FUNCS(fmt_scaled logout updwtmp logwtmp) @@ -1139,7 +1130,7 @@ #endif ], [ - AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1, + AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1], [Define if your system glob() function has the GLOB_ALTDIRFUNC extension]) AC_MSG_RESULT(yes) @@ -1155,7 +1146,7 @@ [ #include ], [glob_t g; g.gl_matchc = 1;], [ - AC_DEFINE(GLOB_HAS_GL_MATCHC, 1, + AC_DEFINE([GLOB_HAS_GL_MATCHC], [1], [Define if your system glob() function has gl_matchc options in glob_t]) AC_MSG_RESULT(yes) @@ -1177,7 +1168,7 @@ g.gl_statv = NULL; ], [ - AC_DEFINE(GLOB_HAS_GL_STATV, 1, + AC_DEFINE([GLOB_HAS_GL_STATV], [1], [Define if your system glob() function has gl_statv options in glob_t]) AC_MSG_RESULT(yes) 
@@ -1191,27 +1182,27 @@ AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} +#include ]], + [[struct dirent d;exit(sizeof(d.d_name)<=sizeof(char)); ]])], [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1, + AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1], [Define if your struct dirent expects you to allocate extra space for d_name]) ], [ AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) - AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME]) ] ) AC_MSG_CHECKING([for /proc/pid/fd directory]) if test -d "/proc/$$/fd" ; then - AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd]) + AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd]) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -1229,16 +1220,17 @@ LDFLAGS="$LDFLAGS -L${withval}/lib" fi - AC_DEFINE(SKEY, 1, [Define if you want S/Key support]) + AC_DEFINE([SKEY], [1], [Define if you want S/Key support]) LIBS="-lskey $LIBS" SKEY_MSG="yes" AC_MSG_CHECKING([for s/key support]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include -int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } + ]], + [[char *ff = skey_keyinfo(""); ff=""; exit(0); ]])], [AC_MSG_RESULT(yes)], [ @@ -1251,7 +1243,7 @@ #include ], [(void)skeychallenge(NULL,"name","",0);], [AC_MSG_RESULT(yes) - AC_DEFINE(SKEYCHALLENGE_4ARG, 1, + AC_DEFINE([SKEYCHALLENGE_4ARG], [1], [Define if your skeychallenge() function takes 4 arguments (NetBSD)])], [AC_MSG_RESULT(no)] @@ -1303,7 +1295,7 @@ [hosts_access(0);], [ AC_MSG_RESULT(yes) - AC_DEFINE(LIBWRAP, 1, + AC_DEFINE([LIBWRAP], [1], [Define if you want TCP Wrappers support]) SSHDLIBS="$SSHDLIBS -lwrap" 
@@ -1350,7 +1342,7 @@ fi OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'` AC_CHECK_LIB(edit, el_init, - [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp]) + [ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp]) LIBEDIT_MSG="yes" AC_SUBST(LIBEDIT) ], @@ -1359,14 +1351,11 @@ ) AC_MSG_CHECKING(if libedit version is compatible) AC_COMPILE_IFELSE( - [AC_LANG_SOURCE([[ -#include -int main(void) -{ - int i = H_SETSIZE; - el_init("", NULL, NULL, NULL); - exit(0); -} + [AC_LANG_PROGRAM([[#include ]], + [[ + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); + exit(0); ]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) @@ -1399,12 +1388,12 @@ [AC_MSG_ERROR(BSM enabled and required function not found)]) # These are optional AC_CHECK_FUNCS(getaudit_addr aug_get_machine) - AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) + AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) ;; debug) AUDIT_MODULE=debug AC_MSG_RESULT(debug) - AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module) + AC_DEFINE([SSH_AUDIT_EVENTS], [1], Use audit debugging module) ;; no) AC_MSG_RESULT(no) @@ -1515,14 +1504,10 @@ ) AC_LINK_IFELSE( -[ -#include -int main(void) -{ - return (isblank('a')); -} -], - [AC_DEFINE(HAVE_ISBLANK, 1, [Define if you have isblank(3C).]) + [AC_LANG_PROGRAM( + [[#include ]], + [[return (isblank('a'));]])], + [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) ]) # PKCS#11 support requires dlopen() and co @@ -1532,7 +1517,7 @@ # IRIX has a const char return value for gai_strerror() AC_CHECK_FUNCS(gai_strerror,[ - AC_DEFINE(HAVE_GAI_STRERROR) + AC_DEFINE([HAVE_GAI_STRERROR]) AC_TRY_COMPILE([ #include #include 
@@ -1542,10 +1527,10 @@ char *str; str = gai_strerror(0);],[ - AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1], [Define if gai_strerror() returns const char *])])]) -AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1, +AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE([HAVE_NANOSLEEP], [1], [Some systems put nanosleep outside of libc])) dnl Make sure prototypes are defined for these before using them. @@ -1561,7 +1546,7 @@ dnl tcsendbreak might be a macro AC_CHECK_DECL(tcsendbreak, - [AC_DEFINE(HAVE_TCSENDBREAK)], + [AC_DEFINE([HAVE_TCSENDBREAK])], [AC_CHECK_FUNCS(tcsendbreak)], [#include ] ) @@ -1603,13 +1588,14 @@ dnl Some platorms have setresuid that isn't implemented, test for this AC_MSG_CHECKING(if setresuid seems to work) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} +#include ]], + [[ + errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0); ]])], [AC_MSG_RESULT(yes)], - [AC_DEFINE(BROKEN_SETRESUID, 1, + [AC_DEFINE([BROKEN_SETRESUID], [1], [Define if your setresuid() is broken]) AC_MSG_RESULT(not implemented)], [AC_MSG_WARN([cross compiling: not checking setresuid])] @@ -1620,13 +1606,14 @@ dnl Some platorms have setresgid that isn't implemented, test for this AC_MSG_CHECKING(if setresgid seems to work) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} +#include ]], + [[ + errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0); ]])], [AC_MSG_RESULT(yes)], - [AC_DEFINE(BROKEN_SETRESGID, 1, + [AC_DEFINE([BROKEN_SETRESGID], [1], [Define if your setresgid() is broken]) AC_MSG_RESULT(not implemented)], [AC_MSG_WARN([cross compiling: not checking setresuid])] 
@@ -1645,30 +1632,28 @@ AC_CHECK_FUNCS(getlastlogxbyname) AC_CHECK_FUNC(daemon, - [AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])], + [AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])], [AC_CHECK_LIB(bsd, daemon, - [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] + [LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])] ) AC_CHECK_FUNC(getpagesize, - [AC_DEFINE(HAVE_GETPAGESIZE, 1, + [AC_DEFINE([HAVE_GETPAGESIZE], [1], [Define if your libraries define getpagesize()])], [AC_CHECK_LIB(ucb, getpagesize, - [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] + [LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])] ) # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -#include -int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} - ]])], + [AC_LANG_PROGRAM([[#include ]], + [[char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');]])], [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_SNPRINTF, 1, + AC_DEFINE([BROKEN_SNPRINTF], [1], [Define if your snprintf is busted]) AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) ], @@ -1683,7 +1668,7 @@ test "x$ac_cv_func_vsnprintf" = "xyes" ; then AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include @@ -1693,16 +1678,15 @@ size_t ret; va_list ap; va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap); return ret; -} -int main(void) -{ +}]], + [[ char x[1]; exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); -} ]])], + ]])], [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_SNPRINTF, 1, + AC_DEFINE([BROKEN_SNPRINTF], [1], [Define if your snprintf is busted]) AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor]) ], 
@@ -1714,15 +1698,14 @@ # check that the fmt argument is const char * or just char *. # This is only useful for when BROKEN_SNPRINTF AC_MSG_CHECKING([whether snprintf can declare const char *fmt]) -AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include - int snprintf(char *a, size_t b, const char *c, ...) { return 0; } - int main(void) { snprintf(0, 0, 0); } - ]])], +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include + int snprintf(char *a, size_t b, const char *c, ...) { return 0; }]], + [[snprintf(0, 0, 0);]])], [AC_MSG_RESULT(yes) - AC_DEFINE(SNPRINTF_CONST, [const], + AC_DEFINE([SNPRINTF_CONST], [const], [Define as const if snprintf() can declare const char *fmt])], [AC_MSG_RESULT(no) - AC_DEFINE(SNPRINTF_CONST, [/* not const */])]) + AC_DEFINE([SNPRINTF_CONST], [/* not const */])]) # Check for missing getpeereid (or equiv) support NO_PEERCHECK="" @@ -1733,7 +1716,7 @@ #include ], [int i = SO_PEERCRED;], [ AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option]) + AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option]) ], [AC_MSG_RESULT(no) NO_PEERCHECK=1] @@ -1744,24 +1727,24 @@ if test "x$ac_cv_func_mkdtemp" = "xyes" ; then AC_MSG_CHECKING([for (overly) strict mkstemp]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -#include -main() { char template[]="conftest.mkstemp-test"; + [AC_LANG_PROGRAM([[ +#include ]], + [[ +char template[]="conftest.mkstemp-test"; if (mkstemp(template) == -1) exit(1); unlink(template); exit(0); -} ]])], [ AC_MSG_RESULT(no) ], [ AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()]) + AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()]) ], [ AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_STRICT_MKSTEMP) + AC_DEFINE([HAVE_STRICT_MKSTEMP]) ] ) fi 
@@ -1770,15 +1753,12 @@ if test ! -z "$check_for_openpty_ctty_bug"; then AC_MSG_CHECKING(if openpty correctly handles controlling tty) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include -#include - -int -main() -{ +#include ]], + [[ pid_t pid; int fd, ptyfd, ttyfd, status; @@ -1801,14 +1781,13 @@ else exit(0); /* Did not acquire ctty: OK */ } -} ]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) - AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) ], [ AC_MSG_RESULT(cross-compiling, assuming yes) @@ -1820,7 +1799,7 @@ test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then AC_MSG_CHECKING(if getaddrinfo seems to work) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include @@ -1828,10 +1807,8 @@ #include #define TEST_PORT "2222" - -int -main(void) -{ + ]], + [[ int err, sock; struct addrinfo *gai_ai, *ai, hints; char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; @@ -1873,14 +1850,13 @@ } } exit(0); -} ]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_GETADDRINFO) + AC_DEFINE([BROKEN_GETADDRINFO]) ], [ AC_MSG_RESULT(cross-compiling, assuming yes) @@ -1892,7 +1868,7 @@ test "x$check_for_aix_broken_getaddrinfo" = "x1"; then AC_MSG_CHECKING(if getaddrinfo seems to work) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include @@ -1900,10 +1876,8 @@ #include #define TEST_PORT "2222" - -int -main(void) -{ + ]], + [[ int err, sock; struct addrinfo *gai_ai, *ai, hints; char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; @@ -1933,17 +1907,16 @@ } } exit(0); -} ]])], [ AC_MSG_RESULT(yes) - AC_DEFINE(AIX_GETNAMEINFO_HACK, 1, + AC_DEFINE([AIX_GETNAMEINFO_HACK], [1], [Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) ], [ AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_GETADDRINFO) + AC_DEFINE([BROKEN_GETADDRINFO]) ], [ AC_MSG_RESULT(cross-compiling, assuming no) 
@@ -1953,17 +1926,14 @@ if test "x$check_for_conflicting_getspnam" = "x1"; then AC_MSG_CHECKING(for conflicting getspnam in shadow.h) - AC_COMPILE_IFELSE( - [ -#include -int main(void) {exit(0);} - ], + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[exit(0);]])], [ AC_MSG_RESULT(no) ], [ AC_MSG_RESULT(yes) - AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1, + AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1], [Conflicting defs for getspnam]) ] ) @@ -2010,7 +1980,7 @@ ] ) LIBS="-lcrypto $LIBS" -AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1, +AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE([HAVE_OPENSSL], [1], [Define if your ssl headers are included with #include ]), [ @@ -2023,7 +1993,7 @@ CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" AC_CHECK_HEADER([openssl/opensslv.h], , AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])) - AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), + AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE([HAVE_OPENSSL]), [ AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) ] @@ -2034,12 +2004,13 @@ # Determine OpenSSL header version AC_MSG_CHECKING([OpenSSL header version]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include #define DATA "conftest.sslincver" -int main(void) { + ]], + [[ FILE *fd; int rc; @@ -2051,7 +2022,6 @@ exit(1); exit(0); -} ]])], [ ssl_header_ver=`cat conftest.sslincver` @@ -2069,13 +2039,14 @@ # Determine OpenSSL library version AC_MSG_CHECKING([OpenSSL library version]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include #include #include #define DATA "conftest.ssllibver" -int main(void) { + ]], + [[ FILE *fd; int rc; @@ -2087,7 +2058,6 @@ exit(1); exit(0); -} ]])], [ ssl_library_ver=`cat conftest.ssllibver` 
@@ -2113,11 +2083,10 @@ # Sanity check OpenSSL headers AC_MSG_CHECKING([whether OpenSSL's headers match the library]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } - ]])], +#include ]], + [[exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);]])], [ AC_MSG_RESULT(yes) ], @@ -2143,10 +2112,8 @@ AC_MSG_CHECKING([if programs using OpenSSL functions will link]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ -#include -int main(void) { SSLeay_add_all_algorithms(); } - ]])], + [AC_LANG_PROGRAM([[#include ]], + [[SSLeay_add_all_algorithms();]])], [ AC_MSG_RESULT(yes) ], @@ -2156,10 +2123,8 @@ LIBS="$LIBS -ldl" AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ -#include -int main(void) { SSLeay_add_all_algorithms(); } - ]])], + [AC_LANG_PROGRAM([[#include ]], + [[SSLeay_add_all_algorithms();]])], [ AC_MSG_RESULT(yes) ], @@ -2183,7 +2148,7 @@ ENGINE_load_builtin_engines();ENGINE_register_all_complete(); ], [ AC_MSG_RESULT(yes) - AC_DEFINE(USE_OPENSSL_ENGINE, 1, + AC_DEFINE([USE_OPENSSL_ENGINE], [1], [Enable OpenSSL engine support]) ], [ AC_MSG_ERROR(OpenSSL ENGINE support not found)] 
@@ -2194,34 +2159,32 @@ # Check for OpenSSL without EVP_aes_{192,256}_cbc AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);} - ]])], +#include ]], + [[exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);]])], [ AC_MSG_RESULT(no) ], [ AC_MSG_RESULT(yes) - AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1, + AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], [libcrypto is missing AES 192 and 256 bit functions]) ] ) AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(void) { if(EVP_DigestUpdate(NULL, NULL,0)) exit(0); } - ]])], +#include ]], + [[if(EVP_DigestUpdate(NULL, NULL,0)) exit(0);]])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) - AC_DEFINE(OPENSSL_EVP_DIGESTUPDATE_VOID, 1, + AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], [Define if EVP_DigestUpdate returns void]) ] ) @@ -2244,18 +2207,17 @@ # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include #include -#include -int main(void) { +#include ]], + [[ EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); const EVP_MD *m = EVP_sha512(); /* We need this too */ -} ]])], [ AC_MSG_RESULT(yes) - AC_DEFINE(OPENSSL_HAS_ECC, 1, + AC_DEFINE([OPENSSL_HAS_ECC], [1], [libcrypto includes complete ECC support]) TEST_SSH_ECC=yes COMMENT_OUT_ECC="" @@ -2273,7 +2235,7 @@ AC_CHECK_LIB(iaf, ia_openinfo, [ LIBS="$LIBS -liaf" AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf" - AC_DEFINE(HAVE_LIBIAF, 1, + AC_DEFINE([HAVE_LIBIAF], [1], [Define if system has libiaf that supports set_id]) ]) ]) 
@@ -2284,11 +2246,10 @@ # Check wheter OpenSSL seeds itself AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include -#include -int main(void) { exit(RAND_status() == 1 ? 0 : 1); } - ]])], +#include ]], + [[exit(RAND_status() == 1 ? 0 : 1);]])], [ OPENSSL_SEEDS_ITSELF=yes AC_MSG_RESULT(yes) @@ -2328,7 +2289,7 @@ PAM_MSG="yes" SSHDLIBS="$SSHDLIBS -lpam" - AC_DEFINE(USE_PAM, 1, + AC_DEFINE([USE_PAM], [1], [Define if you want to enable PAM support]) if test $ac_cv_lib_dl_dlopen = yes; then @@ -2361,7 +2322,7 @@ [(void)pam_strerror((pam_handle_t *)NULL, -1);], [AC_MSG_RESULT(no)], [ - AC_DEFINE(HAVE_OLD_PAM, 1, + AC_DEFINE([HAVE_OLD_PAM], [1], [Define if you have an old version of PAM which takes only one argument to pam_strerror]) AC_MSG_RESULT(yes) @@ -2391,7 +2352,7 @@ # Which randomness source do we use? if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then # OpenSSL only - AC_DEFINE(OPENSSL_PRNG_ONLY, 1, + AC_DEFINE([OPENSSL_PRNG_ONLY], [1], [Define if you want OpenSSL's internally seeded PRNG only]) RAND_MSG="OpenSSL internal ONLY" INSTALL_SSH_RAND_HELPER="" @@ -2420,7 +2381,7 @@ esac if test ! -z "$withval" ; then PRNGD_PORT="$withval" - AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT, + AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT], [Port number of PRNGD/EGD random number socket]) fi ] @@ -2452,7 +2413,7 @@ AC_MSG_WARN(Entropy socket is not readable) fi PRNGD_SOCKET="$withval" - AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET", + AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"], [Location of PRNGD/EGD random number socket]) fi ], @@ -2464,7 +2425,7 @@ for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then PRNGD_SOCKET="$sock" - AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") + AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"]) break; fi done 
@@ -2488,7 +2449,7 @@ fi ] ) -AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout, +AC_DEFINE_UNQUOTED([ENTROPY_TIMEOUT_MSEC], [$entropy_timeout], [Builtin PRNG command timeout]) SSH_PRIVSEP_USER=sshd @@ -2501,7 +2462,7 @@ fi ] ) -AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER", +AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], [non-privileged user for privilege separation]) AC_SUBST(SSH_PRIVSEP_USER) @@ -2579,7 +2540,7 @@ if test -z "$have_llong_max"; then AC_MSG_CHECKING([for max value of long long]) AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ #include /* Why is this so damn hard? */ #ifdef __GNUC__ @@ -2615,8 +2576,8 @@ return -1; return 0; } - -int main(void) { + ]], + [[ FILE *f; long long i, llmin, llmax = 0; @@ -2650,18 +2611,17 @@ if (fclose(f) < 0) exit(5); exit(0); -} ]])], [ llong_min=`$AWK '{print $1}' conftest.llminmax` llong_max=`$AWK '{print $2}' conftest.llminmax` AC_MSG_RESULT($llong_max) - AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL], + AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL], [max value of long long calculated by configure]) AC_MSG_CHECKING([for min value of long long]) AC_MSG_RESULT($llong_min) - AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL], + AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL], [min value of long long calculated by configure]) ], [ @@ -2684,7 +2644,7 @@ ) ]) if test "x$ac_cv_have_u_int" = "xyes" ; then - AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type]) + AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type]) have_u_int=1 fi @@ -2697,7 +2657,7 @@ ) ]) if test "x$ac_cv_have_intxx_t" = "xyes" ; then - AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type]) + AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type]) have_intxx_t=1 fi @@ -2709,7 +2669,7 @@ [ #include ], [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], [ - AC_DEFINE(HAVE_INTXX_T) + AC_DEFINE([HAVE_INTXX_T]) AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) ] 
@@ -2734,7 +2694,7 @@ ) ]) if test "x$ac_cv_have_int64_t" = "xyes" ; then - AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type]) + AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type]) fi AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ @@ -2746,7 +2706,7 @@ ) ]) if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then - AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type]) + AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type]) have_u_intxx_t=1 fi @@ -2756,7 +2716,7 @@ [ #include ], [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], [ - AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE([HAVE_U_INTXX_T]) AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) ] @@ -2772,7 +2732,7 @@ ) ]) if test "x$ac_cv_have_u_int64_t" = "xyes" ; then - AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type]) + AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type]) have_u_int64_t=1 fi @@ -2782,7 +2742,7 @@ [ #include ], [ u_int64_t a; a = 1], [ - AC_DEFINE(HAVE_U_INT64_T) + AC_DEFINE([HAVE_U_INT64_T]) AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) ] @@ -2801,7 +2761,7 @@ ) ]) if test "x$ac_cv_have_uintxx_t" = "xyes" ; then - AC_DEFINE(HAVE_UINTXX_T, 1, + AC_DEFINE([HAVE_UINTXX_T], [1], [define if you have uintxx_t data type]) fi fi @@ -2812,7 +2772,7 @@ [ #include ], [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], [ - AC_DEFINE(HAVE_UINTXX_T) + AC_DEFINE([HAVE_UINTXX_T]) AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) ] @@ -2833,8 +2793,8 @@ a = b = c = e = f = g = 1; ], [ - AC_DEFINE(HAVE_U_INTXX_T) - AC_DEFINE(HAVE_INTXX_T) + AC_DEFINE([HAVE_U_INTXX_T]) + AC_DEFINE([HAVE_INTXX_T]) AC_MSG_RESULT(yes) ], [AC_MSG_RESULT(no)] @@ -2853,7 +2813,7 @@ ) ]) if test "x$ac_cv_have_u_char" = "xyes" ; then - AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type]) + AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) fi TYPE_SOCKLEN_T 
@@ -2887,7 +2847,7 @@ ) ]) if test "x$ac_cv_have_size_t" = "xyes" ; then - AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type]) + AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type]) fi AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ @@ -2901,7 +2861,7 @@ ) ]) if test "x$ac_cv_have_ssize_t" = "xyes" ; then - AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type]) + AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type]) fi AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ @@ -2915,7 +2875,7 @@ ) ]) if test "x$ac_cv_have_clock_t" = "xyes" ; then - AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type]) + AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type]) fi AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ @@ -2940,7 +2900,7 @@ ) ]) if test "x$ac_cv_have_sa_family_t" = "xyes" ; then - AC_DEFINE(HAVE_SA_FAMILY_T, 1, + AC_DEFINE([HAVE_SA_FAMILY_T], [1], [define if you have sa_family_t data type]) fi @@ -2955,7 +2915,7 @@ ) ]) if test "x$ac_cv_have_pid_t" = "xyes" ; then - AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type]) + AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type]) fi AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ @@ -2969,7 +2929,7 @@ ) ]) if test "x$ac_cv_have_mode_t" = "xyes" ; then - AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type]) + AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type]) fi @@ -2985,7 +2945,7 @@ ) ]) if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1, + AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1], [define if you have struct sockaddr_storage data type]) fi @@ -3001,7 +2961,7 @@ ) ]) if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1, + AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1], [define if you have struct sockaddr_in6 data type]) fi 
@@ -3017,7 +2977,7 @@ ) ]) if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1, + AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1], [define if you have struct in6_addr data type]) dnl Now check for sin6_scope_id @@ -3043,7 +3003,7 @@ ) ]) if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1, + AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1], [define if you have struct addrinfo data type]) fi @@ -3056,7 +3016,7 @@ ) ]) if test "x$ac_cv_have_struct_timeval" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval]) + AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval]) have_struct_timeval=1 fi @@ -3096,7 +3056,7 @@ #else main() { exit(0); } #endif - ]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], + ]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ], AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ) fi @@ -3121,7 +3081,7 @@ OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) AC_CHECK_MEMBERS([struct stat.st_blksize]) -AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state, +AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state], [Define if we don't have struct __res_state in resolv.h])], [ #include @@ -3146,7 +3106,7 @@ ) ]) if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then - AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage]) + AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage]) fi AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], @@ -3162,7 +3122,7 @@ ) ]) if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then - AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1, + AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage]) fi 
@@ -3178,7 +3138,7 @@ ) ]) if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then - AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1, + AC_DEFINE([HAVE_PW_CLASS_IN_PASSWD], [1], [Define if your password has a pw_class field]) fi @@ -3194,7 +3154,7 @@ ) ]) if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then - AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1, + AC_DEFINE([HAVE_PW_EXPIRE_IN_PASSWD], [1], [Define if your password has a pw_expire field]) fi @@ -3210,19 +3170,20 @@ ) ]) if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then - AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1, + AC_DEFINE([HAVE_PW_CHANGE_IN_PASSWD], [1], [Define if your password has a pw_change field]) fi dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ - AC_COMPILE_IFELSE( + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ [ #include #include #include -int main() { + ]], + [[ #ifdef msg_accrights #error "msg_accrights is a macro" exit(1); @@ -3230,14 +3191,13 @@ struct msghdr m; m.msg_accrights = 0; exit(0); -} - ], + ]])], [ ac_cv_have_accrights_in_msghdr="yes" ], [ ac_cv_have_accrights_in_msghdr="no" ] ) ]) if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then - AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1, + AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1], [Define if your system uses access rights style file descriptor passing]) fi @@ -3265,7 +3225,7 @@ #include ], [fsid_t t; t.val[0] = 0;], [ AC_MSG_RESULT(yes) - AC_DEFINE(FSID_HAS_VAL, 1, fsid_t has member val) ], + AC_DEFINE([FSID_HAS_VAL], [1], fsid_t has member val) ], [ AC_MSG_RESULT(no) ]) AC_MSG_CHECKING(if f_fsid has member __val) 
@@ -3274,18 +3234,19 @@ #include ], [fsid_t t; t.__val[0] = 0;], [ AC_MSG_RESULT(yes) - AC_DEFINE(FSID_HAS___VAL, 1, fsid_t has member __val) ], + AC_DEFINE([FSID_HAS___VAL], [1], fsid_t has member __val) ], [ AC_MSG_RESULT(no) ]) ]) AC_CACHE_CHECK([for msg_control field in struct msghdr], ac_cv_have_control_in_msghdr, [ - AC_COMPILE_IFELSE( + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ [ #include #include #include -int main() { + ]], + [[ #ifdef msg_control #error "msg_control is a macro" exit(1); @@ -3293,14 +3254,13 @@ struct msghdr m; m.msg_control = 0; exit(0); -} - ], + ]])], [ ac_cv_have_control_in_msghdr="yes" ], [ ac_cv_have_control_in_msghdr="no" ] ) ]) if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then - AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1, + AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1], [Define if your system uses ancillary data style file descriptor passing]) fi @@ -3313,7 +3273,7 @@ ) ]) if test "x$ac_cv_libc_defines___progname" = "xyes" ; then - AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname]) + AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname]) fi AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ @@ -3326,7 +3286,7 @@ ) ]) if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then - AC_DEFINE(HAVE___FUNCTION__, 1, + AC_DEFINE([HAVE___FUNCTION__], [1], [Define if compiler implements __FUNCTION__]) fi @@ -3340,7 +3300,7 @@ ) ]) if test "x$ac_cv_cc_implements___func__" = "xyes" ; then - AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__]) + AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__]) fi AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [ @@ -3353,7 +3313,7 @@ ) ]) if test "x$ac_cv_have_va_copy" = "xyes" ; then - AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists]) + AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists]) fi AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [ 
@@ -3366,7 +3326,7 @@ ) ]) if test "x$ac_cv_have___va_copy" = "xyes" ; then - AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists]) + AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists]) fi AC_CACHE_CHECK([whether getopt has optreset support], @@ -3381,7 +3341,7 @@ ) ]) if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then - AC_DEFINE(HAVE_GETOPT_OPTRESET, 1, + AC_DEFINE([HAVE_GETOPT_OPTRESET], [1], [Define if your getopt(3) defines and uses optreset]) fi @@ -3393,7 +3353,7 @@ ) ]) if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then - AC_DEFINE(HAVE_SYS_ERRLIST, 1, + AC_DEFINE([HAVE_SYS_ERRLIST], [1], [Define if your system defines sys_errlist[]]) fi 
@@ -3406,49 +3366,39 @@ ) ]) if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then - AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr]) + AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr]) fi # Check libraries needed by DNS fingerprint support -AC_SEARCH_LIBS(getrrsetbyname, resolv, - [AC_DEFINE(HAVE_GETRRSETBYNAME, 1, +AC_SEARCH_LIBS([getrrsetbyname], [resolv], + [AC_DEFINE([HAVE_GETRRSETBYNAME], [1], [Define if getrrsetbyname() exists])], [ # Needed by our getrrsetbyname() - AC_SEARCH_LIBS(res_query, resolv) - AC_SEARCH_LIBS(dn_expand, resolv) + AC_SEARCH_LIBS([res_query], [resolv]) + AC_SEARCH_LIBS([dn_expand], [resolv]) AC_MSG_CHECKING(if res_query will link) - AC_LINK_IFELSE([ -#include "confdefs.h" -#include -#include -#include -#include -#include -int main() -{ - res_query (0, 0, 0, 0, 0); - return 0; -} - ], + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[#include + #include + #include + #include + #include ]], + [[ res_query (0, 0, 0, 0, 0); + return 0;]])], AC_MSG_RESULT(yes), [AC_MSG_RESULT(no) saved_LIBS="$LIBS" LIBS="$LIBS -lresolv" AC_MSG_CHECKING(for res_query in -lresolv) - AC_LINK_IFELSE([ -#include "confdefs.h" -#include -#include -#include -#include -#include -int main() -{ - res_query (0, 0, 0, 0, 0); - return 0; -} - ], + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[#include + #include + #include + #include + #include ]], + [[ res_query (0, 0, 0, 0, 0); + return 0;]])], [AC_MSG_RESULT(yes)], [LIBS="$saved_LIBS" AC_MSG_RESULT(no)]) 
@@ -3458,25 +3408,24 @@ [#include #include ]) AC_CHECK_MEMBER(HEADER.ad, - [AC_DEFINE(HAVE_HEADER_AD, 1, + [AC_DEFINE([HAVE_HEADER_AD], [1], [Define if HEADER.ad exists in arpa/nameser.h])],, [#include ]) ]) AC_MSG_CHECKING(if struct __res_state _res is an extern) -AC_LINK_IFELSE([ -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#include -#include -#include -extern struct __res_state _res; -int main() { return 0; } - ], +AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[#include + #if HAVE_SYS_TYPES_H + # include + #endif + #include + #include + #include + extern struct __res_state _res;]], + [[return 0;]])], [AC_MSG_RESULT(yes) - AC_DEFINE(HAVE__RES_EXTERN, 1, + AC_DEFINE([HAVE__RES_EXTERN], [1], [Define if you have struct __res_state _res as an extern]) ], [ AC_MSG_RESULT(no) ] @@ -3489,7 +3438,7 @@ [ --with-selinux Enable SELinux support], [ if test "x$withval" != "xno" ; then save_LIBS="$LIBS" - AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + AC_DEFINE([WITH_SELINUX],[1],[Define if you want SELinux support.]) SELINUX_MSG="yes" AC_CHECK_HEADER([selinux/selinux.h], , AC_MSG_ERROR(SELinux support requires selinux.h header)) @@ -3515,7 +3464,7 @@ KRB5ROOT=${withval} fi - AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support]) + AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support]) KRB5_MSG="yes" AC_PATH_PROG([KRB5CONF],[krb5-config], @@ -3526,7 +3475,7 @@ AC_MSG_CHECKING(for gssapi support) if $KRB5CONF | grep gssapi >/dev/null ; then AC_MSG_RESULT(yes) - AC_DEFINE(GSSAPI, 1, + AC_DEFINE([GSSAPI], [1], [Define this if you want GSSAPI support in the version 2 protocol]) k5confopts=gssapi @@ -3541,7 +3490,7 @@ AC_TRY_COMPILE([ #include ], [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) - AC_DEFINE(HEIMDAL, 1, + AC_DEFINE([HEIMDAL], [1], [Define this if you are using the Heimdal version of Kerberos V5]) ], AC_MSG_RESULT(no) 
@@ -3553,7 +3502,7 @@ AC_TRY_COMPILE([ #include ], [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) - AC_DEFINE(HEIMDAL) + AC_DEFINE([HEIMDAL]) K5LIBS="-lkrb5" K5LIBS="$K5LIBS -lcom_err -lasn1" AC_CHECK_LIB(roken, net_write, @@ -3568,10 +3517,10 @@ AC_SEARCH_LIBS(dn_expand, resolv) AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context, - [ AC_DEFINE(GSSAPI) + [ AC_DEFINE([GSSAPI]) K5LIBS="-lgssapi_krb5 $K5LIBS" ], [ AC_CHECK_LIB(gssapi, gss_init_sec_context, - [ AC_DEFINE(GSSAPI) + [ AC_DEFINE([GSSAPI]) K5LIBS="-lgssapi $K5LIBS" ], AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), $K5LIBS) @@ -3605,7 +3554,7 @@ AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) LIBS="$LIBS $K5LIBS" - AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1, + AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE([USE_AFS], [1], [Define this if you want to use libkafs' AFS support])) fi ] @@ -3661,7 +3610,7 @@ XAUTH_PATH="undefined" AC_SUBST(XAUTH_PATH) else - AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path", + AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"], [Define if xauth is found in your path]) XAUTH_PATH=$xauth_path AC_SUBST(XAUTH_PATH) @@ -3670,7 +3619,7 @@ # Check for mail directory (last resort if we cannot get it from headers) if test ! -z "$MAIL" ; then maildir=`dirname $MAIL` - AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir", + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"], [Set this to your mail directory if you don't have maillock.h]) fi @@ -3682,7 +3631,7 @@ if test "x$disable_ptmx_check" != "xyes" ; then AC_CHECK_FILE("/dev/ptmx", [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1, + AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1], [Define if you have /dev/ptmx]) have_dev_ptmx=1 ] @@ -3693,7 +3642,7 @@ if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then AC_CHECK_FILE("/dev/ptc", [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1, + AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1], [Define if you have /dev/ptc]) have_dev_ptc=1 ] 
@@ -3741,7 +3690,7 @@ [ --with-md5-passwords Enable use of MD5 passwords], [ if test "x$withval" != "xno" ; then - AC_DEFINE(HAVE_MD5_PASSWORDS, 1, + AC_DEFINE([HAVE_MD5_PASSWORDS], [1], [Define if you want to allow MD5 passwords]) MD5_MSG="yes" fi @@ -3753,7 +3702,7 @@ [ --without-shadow Disable shadow password support], [ if test "x$withval" = "xno" ; then - AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE([DISABLE_SHADOW]) disable_shadow=yes fi ] @@ -3772,7 +3721,7 @@ if test "x$sp_expire_available" = "xyes" ; then AC_MSG_RESULT(yes) - AC_DEFINE(HAS_SHADOW_EXPIRE, 1, + AC_DEFINE([HAS_SHADOW_EXPIRE], [1], [Define if you want to use shadow password expire field]) else AC_MSG_RESULT(no) @@ -3782,7 +3731,7 @@ # Use ip address instead of hostname in $DISPLAY if test ! -z "$IPADDR_IN_DISPLAY" ; then DISPLAY_HACK_MSG="yes" - AC_DEFINE(IPADDR_IN_DISPLAY, 1, + AC_DEFINE([IPADDR_IN_DISPLAY], [1], [Define if you need to use IP address instead of hostname in $DISPLAY]) else @@ -3791,7 +3740,7 @@ [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], [ if test "x$withval" != "xno" ; then - AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE([IPADDR_IN_DISPLAY]) DISPLAY_HACK_MSG="yes" fi ] @@ -3820,7 +3769,7 @@ AC_CHECK_FILE("/etc/default/login", [ external_path_file=/etc/default/login ]) if test "x$external_path_file" = "x/etc/default/login"; then - AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1, + AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1], [Define if your system has /etc/default/login]) fi fi @@ -3859,7 +3808,7 @@ otherwise scp will not work.]) fi AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ + [AC_LANG_PROGRAM([[ /* find out what STDPATH is */ #include #ifdef HAVE_PATHS_H @@ -3876,9 +3825,8 @@ #include #include #define DATA "conftest.stdpath" - -main() -{ + ]], + [[ FILE *fd; int rc; @@ -3890,7 +3838,6 @@ exit(1); exit(0); -} ]])], [ user_path=`cat conftest.stdpath` ], [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], 
@@ -3915,7 +3862,7 @@ fi ] ) if test "x$external_path_file" != "x/etc/login.conf" ; then - AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH]) + AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH]) AC_SUBST(user_path) fi @@ -3925,7 +3872,7 @@ [ if test -n "$withval" && test "x$withval" != "xno" && \ test "x${withval}" != "xyes"; then - AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval", + AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"], [Define if you want a different $PATH for the superuser]) superuser_path=$withval @@ -3941,7 +3888,7 @@ [ if test "x$withval" != "xno" ; then AC_MSG_RESULT(yes) - AC_DEFINE(IPV4_IN_IPV6, 1, + AC_DEFINE([IPV4_IN_IPV6], [1], [Detect IPv4 in IPv6 mapped addresses and treat as IPv4]) IPV4_IN6_HACK_MSG="yes" @@ -3951,7 +3898,7 @@ ],[ if test "x$inet6_default_4in6" = "xyes"; then AC_MSG_RESULT([yes (default)]) - AC_DEFINE(IPV4_IN_IPV6) + AC_DEFINE([IPV4_IN_IPV6]) IPV4_IN6_HACK_MSG="yes" else AC_MSG_RESULT([no (default)]) @@ -3965,7 +3912,7 @@ [ --with-bsd-auth Enable BSD auth support], [ if test "x$withval" != "xno" ; then - AC_DEFINE(BSD_AUTH, 1, + AC_DEFINE([BSD_AUTH], [1], [Define if you have BSD auth support]) BSD_AUTH_MSG=yes fi @@ -3995,7 +3942,7 @@ ] ) -AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid]) +AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"], [Specify location of ssh.pid]) AC_SUBST(piddir) dnl allow user to disable some login recording features @@ -4003,7 +3950,7 @@ [ --disable-lastlog disable use of lastlog even if detected [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_LASTLOG) + AC_DEFINE([DISABLE_LASTLOG]) fi ] ) @@ -4011,7 +3958,7 @@ [ --disable-utmp disable use of utmp even if detected [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_UTMP) + AC_DEFINE([DISABLE_UTMP]) fi ] ) 
@@ -4019,7 +3966,7 @@ [ --disable-utmpx disable use of utmpx even if detected [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_UTMPX, 1, + AC_DEFINE([DISABLE_UTMPX], [1], [Define if you don't want to use utmpx]) fi ] @@ -4028,7 +3975,7 @@ [ --disable-wtmp disable use of wtmp even if detected [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_WTMP) + AC_DEFINE([DISABLE_WTMP]) fi ] ) @@ -4036,7 +3983,7 @@ [ --disable-wtmpx disable use of wtmpx even if detected [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_WTMPX, 1, + AC_DEFINE([DISABLE_WTMPX], [1], [Define if you don't want to use wtmpx]) fi ] @@ -4045,7 +3992,7 @@ [ --disable-libutil disable use of libutil (login() etc.) [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_LOGIN) + AC_DEFINE([DISABLE_LOGIN]) fi ] ) @@ -4053,7 +4000,7 @@ [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_PUTUTLINE, 1, + AC_DEFINE([DISABLE_PUTUTLINE], [1], [Define if you don't want to use pututline() etc. to write [uw]tmp]) fi @@ -4063,7 +4010,7 @@ [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_PUTUTXLINE, 1, + AC_DEFINE([DISABLE_PUTUTXLINE], [1], [Define if you don't want to use pututxline() etc. to write [uw]tmpx]) fi @@ -4073,7 +4020,7 @@ [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ if test "x$withval" = "xno" ; then - AC_DEFINE(DISABLE_LASTLOG) + AC_DEFINE([DISABLE_LASTLOG]) elif test -n "$withval" && test "x${withval}" != "xyes"; then conf_lastlog_location=$withval fi @@ -4140,7 +4087,7 @@ fi if test -n "$conf_lastlog_location"; then - AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", + AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"], [Define if you want to specify the path to your lastlog file]) fi 
@@ -4166,12 +4113,12 @@ fi done if test -z "$conf_utmp_location"; then - AC_DEFINE(DISABLE_UTMP) + AC_DEFINE([DISABLE_UTMP]) fi fi fi if test -n "$conf_utmp_location"; then - AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", + AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"], [Define if you want to specify the path to your utmp file]) fi @@ -4197,12 +4144,12 @@ fi done if test -z "$conf_wtmp_location"; then - AC_DEFINE(DISABLE_WTMP) + AC_DEFINE([DISABLE_WTMP]) fi fi fi if test -n "$conf_wtmp_location"; then - AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", + AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"], [Define if you want to specify the path to your wtmp file]) fi @@ -4226,10 +4173,10 @@ ) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then - AC_DEFINE(DISABLE_WTMPX) + AC_DEFINE([DISABLE_WTMPX]) fi else - AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", + AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], [Define if you want to specify the path to your wtmpx file]) fi From djm at mindrot.org Sat Jan 15 18:25:40 2011 
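Review bot: the single-argument defines in these hunks (AC_DEFINE([HEIMDAL]), AC_DEFINE([GSSAPI]), AC_DEFINE([DISABLE_SHADOW]), AC_DEFINE([IPADDR_IN_DISPLAY]) at -3791, AC_DEFINE([IPV4_IN_IPV6]) at -3951, and the DISABLE_LASTLOG/DISABLE_UTMP/DISABLE_WTMP/DISABLE_LOGIN/DISABLE_WTMPX ones) still pass no value and no description, while the neighbouring hunks use the three-argument form, e.g. `AC_DEFINE([HAVE_MD5_PASSWORDS], [1], [Define if you want to allow MD5 passwords])`. Three symbols are now defined both ways in the same file (IPADDR_IN_DISPLAY at -3782 vs -3791, IPV4_IN_IPV6 at -3941 vs -3951, DISABLE_WTMPX at -4036 vs -4226); since autoheader needs one template per symbol anyway, giving each of these a value and description while the lines are being touched would remove the inconsistency.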
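Review bot: in the conftest.stdpath hunks (-3859, -3876, -3890) the switch from AC_LANG_SOURCE to AC_LANG_PROGRAM drops the hand-written `main()` and its closing brace, so `FILE *fd; int rc;` now sits at the top of the body that Autoconf wraps in its own main(); that is fine for C89 declarations, and the body still ends in exit(1)/exit(0), which AC_RUN_IFELSE relies on for its result, so nothing is lost. Worth stating in the commit message that the implicit-int `main()` rejected by newer compilers is the actual thing being fixed here, because the rest of the patch is pure quoting and a reader will otherwise miss that this hunk changes generated code.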
From: djm at mindrot.org (Damien Miller) Date: Sat, 15 Jan 2011 18:25:40 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Fri, 14 Jan 2011, Kevin Brott wrote: > Using openssh-SNAP-20110115.tar.gz Thanks for the comprehensive testing. > OS Build_Target CC OpenSSL BUILDS > TESTS > ============== ======================== ================ ======= ====== > ====================== > RHEL 2.1 i686-pc-linux-gnu gcc 2.9.6 0.9.8o *1*2* > FAILS *3* (5.6 passed) > RHEL 3.0 tu6 i686-pc-linux-gnu gcc 3.2.3 0.9.7a *2* > FAILS *3* (5.6 passed) > RHEL 4.0 nu5 i686-pc-linux-gnu gcc 3.4.6 0.9.7a *2* > FAILS *3* (5.6 passed) These ones are surprising; I can't see any changes in the channels code that could explain the output truncation. I'm downloading various CentOS versions that should approximate these systems to try to recreate the failure. -d From vinschen at redhat.com Sat Jan 15 20:35:18 2011 
From: vinschen at redhat.com (Corinna Vinschen)
Date: Sat, 15 Jan 2011 10:35:18 +0100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <20110114130844.GA30229@calimero.vinschen.de>
Message-ID: <20110115093518.GA16201@calimero.vinschen.de>

On Jan 15 08:24, Damien Miller wrote:
> On Fri, 14 Jan 2011, Corinna Vinschen wrote:
>
> > On Jan 14 15:08, Damien Miller wrote:
> > > Hi,
> > >
> > > Thanks everyone for their test reports. Last night Tim Rice and I fixed
> > > some makefile and regress test problems that were causing some tests
> > > not to run completely.
> > >
> > > If you have the opportunity, we'd appreciate if you could rerun your tests
> > > with the latest snapshot (20110114).
> >
> > All tests still pass on Cygwin, except for sftp-glob.
> >
> > However, I'm a bit tired of having to change regress/Makefile all the time
> > to run the tests. Therefore, would you mind applying the below patch?
> >
> > It disables the sftp globbing tests testing backslashes in filenames.
> > These can't work due to backslashes being directory separators on
> > Windows(*).
>
> I think we should propagate the host type into the regress environment,
> since there are a couple of other platform quirks that we can use it for
> (e.g. Darwin/OSX's failure of the agent-ptrace test).

That's a good idea. I just don't think you should use "CYGWIN" as the
name of the variable. It should rather reflect the affected restriction
so you can abstract from the name of the host system. I think that would
be clearer:

  case $HOSTNAME in
  host1) restriction1=yes ;;
  host2) restriction2=yes ;;
  host3) restriction1=yes restriction2=yes

  test1 args $restriction1
  test2 args $restriction2

So, in this case, what about changing $CYGWIN to something along the
lines of $no_bs_in_fname?

Other than that your patch works fine on Cygwin.

Thanks,
Corinna

--
Corinna Vinschen Cygwin Project Co-Leader Red Hat

From jchadima at redhat.com Sat Jan 15 20:47:33 2011
From: jchadima at redhat.com (Jan Chadima)
Date: Sat, 15 Jan 2011 04:47:33 -0500 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
Message-ID: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>

The build in FIPS enabled RHEL6 still does not work.

--
JFCh

From openssh at roumenpetrov.info Sat Jan 15 22:54:05 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 15 Jan 2011 13:54:05 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <4D318ADD.4080308@roumenpetrov.info>

Damien Miller wrote:
> Hi,
>
> OpenSSH 5.7 is almost ready for release,
[SNIP]

As this version adds a new key type, the test cases expose what was not fixed
by previous releases.

The make tXXX targets in the file regress/Makefile use the command ssh-keygen
instead of the macro TEST_SSH_SSHKEYGEN; as a result the tests use the program
from the host system, and t9 cannot pass on a system with ECC support.

CLEANFILES in the same makefile lacks the new keys key.ecdsa-*

The target t3 uses its own output file rsa_secsh.pub, with a name not
consistent with the other tXXX tests; t3.out would be more expected. The file
created by this test is not removed properly and is not listed in CLEANFILES.

What about adding t3.out to CLEANFILES and rewriting this particular test to:

t3:
	$(TEST_SSH_SSHKEYGEN) -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
	$(TEST_SSH_SSHKEYGEN) -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub

Regards,
Roumen

From openssh at roumenpetrov.info Sat Jan 15 23:09:36 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 15 Jan 2011 14:09:36 +0200
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30D682.7020705@roumenpetrov.info>
Message-ID: <4D318E80.40808@roumenpetrov.info>

Tim Rice wrote:
> On Sat, 15 Jan 2011, Roumen Petrov wrote:
>
>> You may consider using *AC_LANG_PROGRAM* instead.
>>
>> Roumen
>>
> I'll look at that post 5.7
>
Yes, as this macro may require always adding exit(0) in the body (for some
old compilers).

Regards,
Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

From fishcustard at gmail.com Sun Jan 16 07:57:43 2011
From: fishcustard at gmail.com (Danny Mitchell)
Date: Sun, 16 Jan 2011 07:57:43 +1100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

20110116 builds cleanly and passes all tests on debian 5.0.7 64-bit (stable)
with openssl-1.0.0c.

--
-----------------------------------------------------------------------------------------
Wocky | A poem for the lonely: hello.
fishcustard at gmail.com | -- Spike Milligan
-----------------------------------------------------------------------------------------

From djm at mindrot.org Sun Jan 16 14:19:43 2011
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2011 14:19:43 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Sat, 15 Jan 2011, Damien Miller wrote: > On Fri, 14 Jan 2011, Kevin Brott wrote: > > > Using openssh-SNAP-20110115.tar.gz > > Thanks for the comprehensive testing. > > > OS Build_Target CC OpenSSL BUILDS > > TESTS > > ============== ======================== ================ ======= ====== > > ====================== > > RHEL 2.1 i686-pc-linux-gnu gcc 2.9.6 0.9.8o *1*2* > > FAILS *3* (5.6 passed) > > RHEL 3.0 tu6 i686-pc-linux-gnu gcc 3.2.3 0.9.7a *2* > > FAILS *3* (5.6 passed) > > RHEL 4.0 nu5 i686-pc-linux-gnu gcc 3.4.6 0.9.7a *2* > > FAILS *3* (5.6 passed) > > These ones are surprising; I can't see any changes in the channels code > that could explain the output truncation. I'm downloading various > CentOS versions that should approximate these systems to try to recreate > the failure. I have replicated the problem on CentOS 3.9 and found the commit that triggers it (http://hg.mindrot.org/openssh/rev/10166). It only seems to affect SSH1, but I still don't understand why it fails though. -d From peter at stuge.se Sun Jan 16 15:15:50 2011 
From: peter at stuge.se (Peter Stuge)
Date: Sun, 16 Jan 2011 05:15:50 +0100
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID: <20110116041550.6295.qmail@stuge.se>

Damien Miller wrote:
> > > RHEL 2.1 i686-pc-linux-gnu gcc 2.9.6 0.9.8o *1*2* FAILS *3* (5.6 passed)
> > > RHEL 3.0 tu6 i686-pc-linux-gnu gcc 3.2.3 0.9.7a *2* FAILS *3* (5.6 passed)
> > > RHEL 4.0 nu5 i686-pc-linux-gnu gcc 3.4.6 0.9.7a *2* FAILS *3* (5.6 passed)
> >
> > These ones are surprising;
>
> I have replicated the problem on CentOS 3.9 and found the commit that
> triggers it (http://hg.mindrot.org/openssh/rev/10166). It only seems
> to affect SSH1, but I still don't understand why it fails though.

Is SIGCHLD being sent and received? I.e. is the new code actually involved?

//Peter

From dtucker at zip.com.au Sun Jan 16 16:47:34 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 16 Jan 2011 16:47:34 +1100
Subject: [openssh-commits] CVS: fuyu.mindrot.org: openssh
In-Reply-To: <201101131105.p0DB5FZ5004985@fuyu.mindrot.org>
References: <201101131105.p0DB5FZ5004985@fuyu.mindrot.org>
Message-ID: <20110116054733.GA29435@gate.dtucker.net>

On Thu, Jan 13, 2011 at 10:05:15PM +1100, Damien Miller wrote:
> Log message:
> - (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256
> should not depend on ECC support

... but it should depend on actually having SHA256. Fixed regress test
failures on old (<=0.9.6, I think) openssls.

Longer term (i.e. after release) I think we should cook up a function in
test-exec.sh that looks in config.h and use that in the tests.

Index: Makefile.in =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v retrieving revision 1.318 diff -u -p -r1.318 Makefile.in --- Makefile.in 14 Jan 2011 03:47:40 -0000 1.318 +++ Makefile.in 16 Jan 2011 05:29:19 -0000
@@ -416,6 +416,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ + TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ .OBJDIR="$${BUILDDIR}/regress" \ @@ -438,6 +439,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ TEST_SSH_ECC="$${TEST_SSH_ECC}" \ + TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \ EXEEXT="$(EXEEXT)" \ $@ && echo all tests passed Index: configure.ac =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v retrieving revision 1.464 diff -u -p -r1.464 configure.ac --- configure.ac 13 Jan 2011 06:35:46 -0000 1.464 +++ configure.ac 16 Jan 2011 05:28:26 -0000 @@ -2239,7 +2239,9 @@ if test "x$check_for_libcrypt_later" = " fi # Search for SHA256 support in libc and/or OpenSSL -AC_CHECK_FUNCS(SHA256_Update EVP_sha256) +AC_CHECK_FUNCS(SHA256_Update EVP_sha256, [TEST_SSH_SHA256=yes], + [TEST_SSH_SHA256=no]) +AC_SUBST(TEST_SSH_SHA256) # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) Index: regress/kextype.sh =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/regress/kextype.sh,v retrieving revision 1.5 diff -u -p -r1.5 kextype.sh --- regress/kextype.sh 13 Jan 2011 11:05:15 -0000 1.5 +++ regress/kextype.sh 16 Jan 2011 05:19:27 -0000 
@@ -10,7 +10,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak if test "$TEST_SSH_ECC" = "yes"; then kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521" fi -kextypes="$kextypes diffie-hellman-group-exchange-sha256" +if test "$TEST_SSH_SHA256" = "yes"; then + kextypes="$kextypes diffie-hellman-group-exchange-sha256" +fi kextypes="$kextypes diffie-hellman-group-exchange-sha1" kextypes="$kextypes diffie-hellman-group14-sha1" kextypes="$kextypes diffie-hellman-group1-sha1" -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Sun Jan 16 20:01:58 2011 From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2011 20:01:58 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Sun, 16 Jan 2011, Damien Miller wrote: > I have replicated the problem on CentOS 3.9 and found the commit that > triggers it (http://hg.mindrot.org/openssh/rev/10166). It only seems to > affect SSH1, but I still don't understand why it fails though. Here's a fix. The SIGCHLD handler just exposed a latent bug. Index: clientloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.229 diff -u -p -r1.229 clientloop.c --- clientloop.c 11 Jan 2011 06:13:10 -0000 1.229 +++ clientloop.c 16 Jan 2011 09:00:02 -0000 @@ -1579,9 +1579,9 @@ client_loop(int have_pty, int escape_cha /* Output any buffered data for stdout. */ while (buffer_len(&stdout_buffer) > 0) { - len = write(fileno(stdout), buffer_ptr(&stdout_buffer), - buffer_len(&stdout_buffer)); - if (len <= 0) { + len = atomicio(vwrite, fileno(stdout), + buffer_ptr(&stdout_buffer), buffer_len(&stdout_buffer)); + if (len != buffer_len(&stdout_buffer)) { error("Write failed flushing stdout buffer."); break; } 
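Review bot: in Darren's configure.ac hunk, AC_CHECK_FUNCS runs its action-if-found/action-if-not-found once per function in the list, so after `AC_CHECK_FUNCS(SHA256_Update EVP_sha256, [TEST_SSH_SHA256=yes], [TEST_SSH_SHA256=no])` the variable only reflects the last probe (EVP_sha256): a libcrypto with EVP_sha256 but no SHA256_Update still yields yes, and the reverse combination yields no. If either function is enough for diffie-hellman-group-exchange-sha256, initialise `TEST_SSH_SHA256=no` before the call and pass only `[TEST_SSH_SHA256=yes]` as the action-if-found; if both are required, probe them in two calls. A one-line comment naming which function the kex code actually depends on would save the next reader of kextype.sh the same question.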
@@ -1590,9 +1590,9 @@ client_loop(int have_pty, int escape_cha /* Output any buffered data for stderr. */ while (buffer_len(&stderr_buffer) > 0) { - len = write(fileno(stderr), buffer_ptr(&stderr_buffer), - buffer_len(&stderr_buffer)); - if (len <= 0) { + len = atomicio(vwrite, fileno(stderr), + buffer_ptr(&stderr_buffer), buffer_len(&stderr_buffer)); + if (len != buffer_len(&stderr_buffer)) { error("Write failed flushing stderr buffer."); break; }
From djm at mindrot.org Sun Jan 16 20:10:24 2011
From: djm at mindrot.org (Damien Miller)
Date: Sun, 16 Jan 2011 20:10:24 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
Message-ID:

On Sat, 15 Jan 2011, Jan Chadima wrote:

> The build in FIPS enabled RHEL6 still does not work.

We don't (yet) support building against FIPS enabled OpenSSL.

From djm at mindrot.org Sun Jan 16 23:34:18 2011
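Review bot: in both client_loop() hunks (stdout at -1579, stderr at -1590) the error() message still drops the cause; atomicio(vwrite, ...) leaves errno set when it returns short, so `error("Write failed flushing stdout buffer: %s", strerror(errno))` and its stderr twin would have shown the EINTR that the SIGCHLD handler exposed right in the RHEL test output, instead of a bare "Write failed". Also worth checking outside the hunk: `len` used to receive write()'s ssize_t and is now assigned a size_t from atomicio and compared with buffer_len(); if its declaration is still a signed type, `len != buffer_len(&stdout_buffer)` mixes signedness and `len` should become size_t.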
From: djm at mindrot.org (Damien Miller)
Date: Sun, 16 Jan 2011 23:34:18 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <4D318ADD.4080308@roumenpetrov.info>
References: <4D318ADD.4080308@roumenpetrov.info>
Message-ID:

On Sat, 15 Jan 2011, Roumen Petrov wrote:

> Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 5.7 is almost ready for release,
> [SNIP]
> As this version adds a new key type, the test cases expose what was not
> fixed by previous releases.
>
> The make tXXX targets in the file regress/Makefile use the command ssh-keygen
> instead of the macro TEST_SSH_SSHKEYGEN; as a result the tests use the
> program from the host system, and t9 cannot pass on a system with ECC
> support.
>
> CLEANFILES in the same makefile lacks the new keys key.ecdsa-*
>
> The target t3 uses its own output file rsa_secsh.pub, with a name not
> consistent with the other tXXX tests; t3.out would be more expected. The
> file created by this test is not removed properly and is not listed in
> CLEANFILES.
>
> What about adding t3.out to CLEANFILES and rewriting this particular test
> to:
> t3:
> $(TEST_SSH_SSHKEYGEN) -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
> $(TEST_SSH_SSHKEYGEN) -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub

Thanks for the report. Here's a diff:

Index: Makefile =================================================================== RCS file: /var/cvs/openssh/regress/Makefile,v retrieving revision 1.46 diff -u -p -r1.46 Makefile --- Makefile 13 Jan 2011 10:08:30 -0000 1.46 +++ Makefile 16 Jan 2011 12:33:43 -0000 @@ -65,7 +65,7 @@ INTEROP_TESTS= putty-transfer putty-ciph #LTESTS= cipher-speed USER!= id -un -CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ +CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ t8.out t8.out.pub t9.out t9.out.pub \ authorized_keys_${USER} known_hosts pidfile \ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
@@ -75,66 +75,68 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.ou scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ known_hosts-cert host_ca_key* cert_host_key* \ - putty.rsa2 sshd_proxy_orig ssh_proxy_bak key.[rd]sa-* \ + putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ + key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_SSH_SSHKEYGEN?=ssh-keygen + t1: - ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv - ssh-keygen -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv - ssh-keygen -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv t2: cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out chmod 600 $(OBJ)/t2.out - ssh-keygen -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub + ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub t3: - ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub - ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub - rm -f ${.CURDIR}/rsa_secsh.pub + ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out + ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub t4: - ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\ + ${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | diff - ${.CURDIR}/t4.ok t5: - ssh-keygen -Bf ${.CURDIR}/rsa_openssh.pub |\ + ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | 
diff - ${.CURDIR}/t5.ok t6: - ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 - ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 chmod 600 $(OBJ)/t6.out1 - ssh-keygen -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 + ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 $(OBJ)/t7.out: - ssh-keygen -q -t rsa -N '' -f $@ + ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ t7: $(OBJ)/t7.out - ssh-keygen -lf $(OBJ)/t7.out > /dev/null - ssh-keygen -Bf $(OBJ)/t7.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null $(OBJ)/t8.out: - ssh-keygen -q -t dsa -N '' -f $@ + ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ t8: $(OBJ)/t8.out - ssh-keygen -lf $(OBJ)/t8.out > /dev/null - ssh-keygen -Bf $(OBJ)/t8.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null $(OBJ)/t9.out: test "${TEST_SSH_ECC}" != yes || \ - ssh-keygen -q -t ecdsa -N '' -f $@ + ${TEST_SSH_SSHKEYGEN} -q -t ecdsa -N '' -f $@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ - ssh-keygen -lf $(OBJ)/t9.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t9.out > /dev/null test "${TEST_SSH_ECC}" != yes || \ - ssh-keygen -Bf $(OBJ)/t9.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ From djm at mindrot.org Sun Jan 16 23:34:59 2011 
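Review bot: the t3 hunk drops `rm -f ${.CURDIR}/rsa_secsh.pub`, which was trying to remove from the source directory a file the previous line had written to $(OBJ), so the old cleanup never hit anything; sending the output to $(OBJ)/t3.out and adding t3.out to CLEANFILES in the first hunk is the right fix. Two small follow-ups: the new `TEST_SSH_SSHKEYGEN?=ssh-keygen` default is placed after the CLEANFILES block rather than next to TEST_ENV where the other test settings live, and the split of `key.[rd]sa-*` into `key.rsa-* key.dsa-* key.ecdsa-*` is correct but means every future key type needs another CLEANFILES edit; a comment saying so (or `key.*-*` if nothing else in $(OBJ) matches) would stop the next one being forgotten the way key.ecdsa-* was.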
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2011 23:34:59 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Sun, 16 Jan 2011, Damien Miller wrote: > On Sun, 16 Jan 2011, Damien Miller wrote: > > > I have replicated the problem on CentOS 3.9 and found the commit that > > triggers it (http://hg.mindrot.org/openssh/rev/10166). It only seems to > > affect SSH1, but I still don't understand why it fails though. > > Here's a fix. The SIGCHLD handler just exposed a latent bug. Committed. This will be in tonight's snapshot (20110117) due in an hour or so. -d From keisial at gmail.com Mon Jan 17 04:52:53 2011 
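The latent bug behind the clientloop.c fix above (a signal such as SIGCHLD landing during the final stdout flush makes write(2) return -1 with EINTR, which the old `if (len <= 0) break;` treated as a hard failure) as an added C example that is not OpenSSH code: `fake_write` is a constructed stand-in for write(2) that injects one EINTR and then short writes, and `write_all` is an atomicio-style retry loop under an assumed name, not OpenSSH's own atomicio():

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Writer callback with write(2) semantics, so the same flush logic can be
 * driven by the real syscall (pass `write`) or by the fault model below. */
typedef ssize_t (*write_fn)(int fd, const void *buf, size_t n);

/* Constructed fault model (not a real fd): the first call fails with EINTR,
 * as happens when a signal handler runs before any byte went out; later
 * calls accept at most 8 bytes each (short writes). Output lands in sink[]. */
static char sink[256];
static size_t sink_len;
static int calls;

static ssize_t fake_write(int fd, const void *buf, size_t n)
{
    (void)fd;
    if (calls++ == 0) {
        errno = EINTR;
        return -1;
    }
    if (n > 8)
        n = 8;
    memcpy(sink + sink_len, buf, n);
    sink_len += n;
    return (ssize_t)n;
}

static void reset_fake(void)
{
    sink_len = 0;
    calls = 0;
    memset(sink, 0, sizeof(sink));
}

/* atomicio-style helper (assumed name): keep writing until every byte is
 * out, retrying on EINTR/EAGAIN. Returns the number of bytes written; a
 * value below len means a hard error, with errno left as the writer set it. */
size_t write_all(write_fn w, int fd, const void *buf, size_t len)
{
    const char *p = buf;
    size_t done = 0;

    while (done < len) {
        ssize_t n = w(fd, p + done, len - done);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;       /* interrupted or would block: try again */
            return done;        /* real failure: report what got out */
        }
        done += (size_t)n;
    }
    return done;
}

/* The pre-fix pattern from the hunk: one write() per loop iteration, and any
 * non-positive return (including EINTR) aborts the flush. Returns bytes flushed. */
size_t flush_old(write_fn w, int fd, const char *buf, size_t len)
{
    size_t off = 0;

    while (off < len) {
        ssize_t n = w(fd, buf + off, len - off);
        if (n <= 0)
            break;              /* EINTR is mistaken for a fatal write error */
        off += (size_t)n;
    }
    return off;
}

/* The post-fix pattern: hand the whole buffer to the all-or-error writer. */
size_t flush_new(write_fn w, int fd, const char *buf, size_t len)
{
    return write_all(w, fd, buf, len);
}

/* Run one flush strategy against the fault model on a constructed 20-byte
 * message and return how many bytes it managed to get out. */
size_t demo(int use_fix)
{
    static const char msg[] = "hello from ssh1 exit";   /* 20 bytes */
    size_t len = sizeof(msg) - 1;

    reset_fake();
    return use_fix ? flush_new(fake_write, 1, msg, len)
                   : flush_old(fake_write, 1, msg, len);
}

int main(void)
{
    printf("old flush logic: %zu of 20 bytes\n", demo(0));  /* 0: EINTR ended it */
    printf("new flush logic: %zu of 20 bytes\n", demo(1));  /* 20 */
    return 0;
}
```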
From: keisial at gmail.com (Ángel González)
Date: Sun, 16 Jan 2011 18:52:53 +0100
Subject: autoconf.ac [was Re: Call for testing: OpenSSH-5.7]
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30E889.3070107@gmail.com>
Message-ID: <4D333075.1080700@gmail.com>

Tim Rice wrote:
> On Sat, 15 Jan 2011, Ángel González wrote:
>>> That said, we could be consistent on the use of AC_LANG_SOURCE.
>>> Does this patch make your 2.68 happy?
>> It does seem to make it happier. 81 error lines instead of 288.
>> The errors may be coming from some included file, though.
> OK, I couldn't resist. Here is a patch (attached so mailers don't mangle it)
> that adds some additional M4 quoting, and uses AC_LANG_PROGRAM as suggested
> by Roumen. Autoconf 2.68 is happy with it and autoconf 2.61 still likes it.
> Using it with autoconf 2.61, there are no regressions on the 8 machines I
> tested on (config.h identical). It may be too late to get this in for 5.7.
> I'll let Damien decide.

Confirmed that it removes the warnings.

>> Here are the errors after applying your patch http://pastebin.com/hywKkavP
> Best to post the output to the list.

That list of warnings is mostly noise, and quite large, so I wanted to spare
most readers of this thread, which was already going off topic. Noted for the
future.

From tim at multitalents.net Mon Jan 17 07:00:05 2011
From: tim at multitalents.net (Tim Rice)
Date: Sun, 16 Jan 2011 12:00:05 -0800 (PST)
Subject: autoconf.ac [was Re: Call for testing: OpenSSH-5.7]
In-Reply-To:
References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30E889.3070107@gmail.com>
Message-ID:

On Fri, 14 Jan 2011, Tim Rice wrote:

> OK, I couldn't resist. Here is a patch (attached so mailers don't mangle it)
> that adds some additional M4 quoting, and uses AC_LANG_PROGRAM as suggested
> by Roumen. Autoconf 2.68 is happy with it and autoconf 2.61 still likes it.
> Using it with autoconf 2.61, there are no regressions on the 8 machines I
> tested on (config.h identical). It may be too late to get this in for 5.7.
> I'll let Damien decide.

Now the diff is larger than the file. (configure.ac.gz attached)

Consistent M4 quoting throughout,
updated obsolete AC_TRY_COMPILE with AC_COMPILE_IFELSE,
updated obsolete AC_TRY_LINK with AC_LINK_IFELSE,
updated obsolete AC_TRY_RUN with AC_RUN_IFELSE,
misc white space changes for consistency/readability.
I left the obsolete AC_TRY_LINK_FUNC for now.

There is probably more that could be done but I only did things
that I had a high comfort level putting into 5.7.

Rather than reviewing 4000+ lines of diff, it is simpler to see if config.h
comes out the same. The steps are something like this:

configure a current snapshot
save the config.h
run make distclean
save a copy of configure & configure.ac
If you have autoconf 2.61 installed
  move the attached copy of configure.ac.gz into place and gunzip it.
  run autoconf
if not, grab my prebuilt one at
  http://www.multitalents.net/openssh/configure-1.464-test
Now rename it to configure and run configure with the same options as before.
Now do a diff on the 2 config.h files.

I fully expect there will be no difference. If there is, I'd like to know.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From djm at mindrot.org Mon Jan 17 12:07:22 2011
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Jan 2011 12:07:22 +1100 (EST)
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <20110115093518.GA16201@calimero.vinschen.de>
References: <20110114130844.GA30229@calimero.vinschen.de> <20110115093518.GA16201@calimero.vinschen.de>
Message-ID:

On Sat, 15 Jan 2011, Corinna Vinschen wrote:

> > I think we should propagate the host type into the regress environment,
> > since there are a couple of other platform quirks that we can use it for
> > (e.g. Darwin/OSX's failure of the agent-ptrace test).
>
> That's a good idea. I just don't think you should use "CYGWIN" as the
> name of the variable. It should rather reflect the affected restriction
> so you can abstract from the name of the host system. I think that would
> be clearer

Darren suggested a better way that avoids passing umpteen variables
through the recursive make invocation; grep for specific defines in
config.h.

This diff implements this approach and tidies up a few existing cases:

Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.465 diff -u -p -r1.465 configure.ac --- configure.ac 16 Jan 2011 07:28:12 -0000 1.465 +++ configure.ac 17 Jan 2011 01:03:03 -0000 @@ -483,6 +483,7 @@ int main(void) { exit(0); } [Define if your platform needs to skip post auth file descriptor passing]) AC_DEFINE(SSH_IOBUFSZ, 65535, [Windows is sensitive to read buffer size]) + AC_DEFINE(FILESYSTEM_NO_BACKSLASH, 1, [File names may not contain backslash characters]) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN, 1, Index: regress/agent-getpeereid.sh =================================================================== RCS file: /var/cvs/openssh/regress/agent-getpeereid.sh,v retrieving revision 1.8 diff -u -p -r1.8 agent-getpeereid.sh --- regress/agent-getpeereid.sh 17 Jan 2011 00:52:42 -0000 1.8 +++ regress/agent-getpeereid.sh 17 Jan 2011 01:03:03 -0000
@@ -7,10 +7,7 @@ UNPRIV=nobody ASOCK=${OBJ}/agent SSH_AUTH_SOCK=/nonexistent -if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 && \ - grep "#undef.*HAVE_GETPEERUCRED" ${BUILDDIR}/config.h >/dev/null && \ - grep "#undef.*HAVE_SO_PEERCRED" ${BUILDDIR}/config.h >/dev/null -then +if ! config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then echo "skipped (not supported on this platform)" exit 0 fi Index: regress/multiplex.sh =================================================================== RCS file: /var/cvs/openssh/regress/multiplex.sh,v retrieving revision 1.18 diff -u -p -r1.18 multiplex.sh --- regress/multiplex.sh 6 Oct 2009 23:30:57 -0000 1.18 +++ regress/multiplex.sh 17 Jan 2011 01:03:03 -0000 @@ -5,8 +5,7 @@ CTL=/tmp/openssh.regress.ctl-sock.$$ tid="connection multiplexing" -if grep "#define.*DISABLE_FD_PASSING" ${BUILDDIR}/config.h >/dev/null 2>&1 -then +if config_defined DISABLE_FD_PASSING ; then echo "skipped (not supported on this platform)" exit 0 fi Index: regress/sftp-glob.sh =================================================================== RCS file: /var/cvs/openssh/regress/sftp-glob.sh,v retrieving revision 1.5 diff -u -p -r1.5 sftp-glob.sh --- regress/sftp-glob.sh 6 Oct 2009 23:43:57 -0000 1.5 +++ regress/sftp-glob.sh 17 Jan 2011 01:03:03 -0000 @@ -3,11 +3,18 @@ tid="sftp glob" +config_defined FILESYSTEM_NO_BACKSLASH && nobs="not supported on this platform" + sftp_ls() { target=$1 errtag=$2 expected=$3 unexpected=$4 + skip=$5 + if test "x$skip" != "x" ; then + verbose "$tid: $errtag (skipped: $skip)" + return + fi verbose "$tid: $errtag" printf "ls -l %s" "${target}" | \ ${SFTP} -b - -D ${SFTPSERVER} 2>/dev/null | \ 
@@ -44,8 +51,8 @@ SPACE="${DIR}/g-q space" rm -rf ${BASE} mkdir -p ${DIR} -touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" -touch "${QSLASH}" "${ESLASH}" "${SLASH}" "${SPACE}" +touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" "${SPACE}" +test "x$nobs" = "x" && touch "${QSLASH}" "${ESLASH}" "${SLASH}" # target message expected unexpected sftp_ls "${DIR}/fil*" "file glob" "${DATA}" "" @@ -55,14 +62,14 @@ sftp_ls "${DIR}/g-wild\*" "escape sftp_ls "${DIR}/g-quote\\\"" "escaped quote" "g-quote\"" "" sftp_ls "\"${DIR}/g-quote\\\"\"" "quoted quote" "g-quote\"" "" sftp_ls "'${DIR}/g-quote\"'" "single-quoted quote" "g-quote\"" "" -sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" -sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" -sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" -sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" -sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" -sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" sftp_ls "${DIR}/g-q\\ space" "escaped space" "g-q space" "" sftp_ls "'${DIR}/g-q space'" "quoted space" "g-q space" "" +sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" "$nobs" +sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" "$nobs" +sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" "$nobs" +sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" "$nobs" +sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" "$nobs" +sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" "$nobs" rm -rf ${BASE} Index: regress/test-exec.sh =================================================================== RCS file: /var/cvs/openssh/regress/test-exec.sh,v retrieving revision 1.41 diff -u -p -r1.41 test-exec.sh --- regress/test-exec.sh 12 Aug 2010 16:43:13 -0000 1.41 +++ regress/test-exec.sh 17 Jan 2011 01:03:03 -0000 
@@ -221,6 +221,17 @@ fatal () exit $RESULT } +# Check whether preprocessor symbols are defined in config.h. +config_defined () +{ + str=$1 + while test "x$2" != "x" ; do + str="$str|$2" + shift + done + egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 +} + RESULT=0 PIDFILE=$OBJ/pidfile From tim at multitalents.net Mon Jan 17 16:43:37 2011 From: tim at multitalents.net (Tim Rice) Date: Sun, 16 Jan 2011 21:43:37 -0800 (PST) Subject: autoconf.ac [was Re: Call for testing: OpenSSH-5.7] In-Reply-To: References: <4D262D70.90103@roumenpetrov.info> <4D2797D8.6010104@roumenpetrov.info> <4D30B7A9.3080306@gmail.com> <4D30E889.3070107@gmail.com> Message-ID: On Sun, 16 Jan 2011, Tim Rice wrote: > On Fri, 14 Jan 2011, Tim Rice wrote: > > > I'll let Damien decide. > > Now the diff is larger than the file. (configure.ac.gz attached) > > Consistent M4 quoting throughout, > updated obsolete AC_TRY_COMPILE with AC_COMPILE_IFELSE, > updated obsolete AC_TRY_LINK with AC_LINK_IFELSE, > updated obsolete AC_TRY_RUN with AC_RUN_IFELSE, > misc white space changes for consistency/readability. > I left the obsolete AC_TRY_LINK_FUNC for now. > > There is probably more that could be done but I only did things > that I had a high comfort level putting into 5.7. > > Rather than reviewing 4000+ lines of diff, it is simpler to see if config.h > comes out the same. The steps are something like this Did anyone spot the mistakes? After a break, I realized the thing to do is diff the 2 generated configure files. It made it easy to spot these. ......... --- ../openssh/configure.ac.new 2011-01-16 20:36:34.995637068 -0800 +++ configure.ac.corrected 2011-01-16 21:35:30.576837070 -0800 @@ -171,7 +171,7 @@ AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ #include ]], [[ - char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0; + char x[256]; snprintf(x, sizeof(x), "XXX"); return 0; ]])], [ AC_MSG_RESULT([yes]) CFLAGS="$saved_CFLAGS $t" 
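Review bot: the pattern `^#define.*($str)` in the config_defined() hunk is unanchored on the right and allows anything between `#define` and the symbol, so `config_defined HAVE_FOO` also succeeds for a line like `#define HAVE_FOO_BAR 1`, or for a `#define` whose trailing comment merely mentions the name; since this helper now decides which regress tests run, match the symbol as a whole word, e.g. `egrep "^#define[[:space:]]+($str)([[:space:]]|$)"`. It also returns success when called with no arguments, because `($str)` becomes the empty group `()` and matches every `#define`; a check that `$1` is non-empty at the top of the function would catch that.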
@@ -180,7 +180,7 @@ AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ #include ]], [[ - char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0; + char x[256]; snprintf(x, sizeof(x), "XXX"); return 0; ]])], [ AC_MSG_RESULT([yes]) break ], @@ -1243,7 +1245,7 @@ #include ]], [[ (void)skeychallenge(NULL,"name","",0); -i ]])], + ]])], [ AC_MSG_RESULT([yes]) AC_DEFINE([SKEYCHALLENGE_4ARG], [1], ......... -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From vinschen at redhat.com Tue Jan 18 02:27:24 2011 From: vinschen at redhat.com (Corinna Vinschen) Date: Mon, 17 Jan 2011 16:27:24 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <20110114130844.GA30229@calimero.vinschen.de> <20110115093518.GA16201@calimero.vinschen.de> Message-ID: <20110117152724.GA2292@calimero.vinschen.de> On Jan 17 12:07, Damien Miller wrote: > On Sat, 15 Jan 2011, Corinna Vinschen wrote: > > > > I think we should propagate the host type into the regress environment, > > > since there are a couple of other platform quirks that we can use it for > > > (e.g. Darwin/OSX's failure of the agent-ptrace test). > > > > That's a good idea. I just don't think you should use "CYGWIN" as the > > name of the variable. It should rather reflect the affected restriction > > so you can abstract from the name of the host system. I think that would > > be clearer. > > Darren suggested a better way that avoids passing umpteen variables > through the recursive make invocation; grep for specific defines in > config.h. > > This diff implements this approach and tidies up a few existing cases: Works fine on Cygwin. Thanks, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From marquess at opensslfoundation.com Tue Jan 18 00:47:07 2011 
From: marquess at opensslfoundation.com (Steve Marquess) Date: Mon, 17 Jan 2011 08:47:07 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> Message-ID: <4D34485B.8080902@opensslfoundation.com> Damien Miller wrote: > On Sat, 15 Jan 2011, Jan Chadima wrote: > > >> The build in FIPS enabled RHEL6 does not still work. >> > > We don't (yet) support building against FIPS enabled OpenSSL. > Out of curiosity, what is needed to make that happen? That's a semi-rhetorical question; a well crafted patch would surely go a long way. I've had that on my rainy day to-do list for a long time. I have been building FIPS enabled versions of OpenSSH for my DoD clients for some time, and I know others have done the same. My feeble excuses for not doing a better job of sharing with the community vary over time; at the moment I'm more than fully committed with a day job and a newly launched OpenSSL FIPS Object Module validation. Anyone interested in taking working code that FIPS enables OpenSSH and transforming it into something suitable for direct inclusion? The result will be very much noticed in the U.S. DoD where OpenSSH is widely used in violation of the FIPS 140-2 validation mandate. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marquess at opensslfoundation.com From mike at pair.com Tue Jan 18 02:40:58 2011 
From: mike at pair.com (Mike Kelly) Date: Mon, 17 Jan 2011 10:40:58 -0500 Subject: Questions about ChrootDirectory Message-ID: <20110117104058.3eb9dde4@pit84.pair.com> Hello, I'm aware of the fact that ChrootDirectory requires that the target directory is root-owned, and I think I've mostly understood why that is necessary, at least within the context of someone who has full shell access. However, I am wondering if that possibility for privilege escalation still exists with a configuration like this: Match Group sftp ForceCommand internal-sftp ChrootDirectory %h Assuming some patch were applied to openssh to allow ChrootDirectory to work here on a non-root-owned home directory, wouldn't this mean that any user in the sftp group would only be able to manipulate files within their home directory, and nothing else? Is there some potential for privilege escalation or execution of commands that I've missed? And, just to confirm, am I correct in understanding that scp will not work with this configuration, since scp wants a shell? Thanks. -- Mike Kelly From cmadams at hiwaay.net Tue Jan 18 04:22:04 2011 
From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 17 Jan 2011 11:22:04 -0600 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D34485B.8080902@opensslfoundation.com> References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D34485B.8080902@opensslfoundation.com> Message-ID: <20110117172204.GC31160@hiwaay.net> Once upon a time, Steve Marquess said: > Anyone interested in taking working code that FIPS enables OpenSSH and > transforming it into something suitable for direct inclusion? The > result will be very much noticed in the U.S. DoD where OpenSSH is widely > used in violation of the FIPS 140-2 validation mandate. Red Hat uses a FIPS patch for OpenSSH in RHEL and Fedora; has anybody looked at that? -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From jchadima at redhat.com Tue Jan 18 05:31:16 2011 
From: jchadima at redhat.com (Jan Chadima) Date: Mon, 17 Jan 2011 13:31:16 -0500 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <20110117172204.GC31160@hiwaay.net> Message-ID: <358425298.37814.1295289076838.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > Once upon a time, Steve Marquess > said: > > Anyone interested in taking working code that FIPS enables OpenSSH > > and > > transforming it into something suitable for direct inclusion? The > > result will be very much noticed in the U.S. DoD where OpenSSH is > > widely > > used in violation of the FIPS 140-2 validation mandate. > > Red Hat uses a FIPS patch for OpenSSH in RHEL and Fedora; has anybody > looked at that? > The Red Hat maintainers ..... :) -- > Chris Adams > Systems and Network Administrator - HiWAAY Internet Services > I don't speak for anybody but myself - that's enough trouble. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- JFCh From tgc at jupiterrise.com Tue Jan 18 08:04:27 2011 
From: tgc at jupiterrise.com (Tom Christensen) Date: Mon, 17 Jan 2011 22:04:27 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <4D34AEDB.7060904@jupiterrise.com> Damien Miller wrote: > Hi, > > OpenSSH 5.7 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains a > couple of large and intrusive features and changes and quite a number of > bug fixes. > Building the 20110118 snapshot on IRIX 5.3 dies with: gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl -I/usr/tgcware/include -DHAVE_CONFIG_H -c port-tun.c In file included from port-tun.c:24: /usr/include/netinet/ip.h:34: error: redefinition of `struct ip' /usr/include/netinet/ip.h:112: error: redefinition of `struct ip_timestamp' /usr/include/netinet/ip.h:124: error: redefinition of `union ipt_timestamp' /usr/include/netinet/ip.h:126: error: redefinition of `struct ipt_ta' make[1]: *** [port-tun.o] Error 1 I had to remove #include and #include from defines.h and #include from includes.h to make the build complete. I haven't looked closely at the testsuite results but it looks like it's no worse off than with 5.6p1. -tgc From jean-yves.faye at c-s.fr Tue Jan 18 20:27:41 2011 
From: jean-yves.faye at c-s.fr (Jean-Yves FAYE) Date: Tue, 18 Jan 2011 10:27:41 +0100 Subject: ssh-add with stdin and read_passphrase Message-ID: <4D355D0D.8090806@c-s.fr> I would like to use ssh-add to unlock a key with a password provided through a web interface. It seems that even though ssh-add calls read_passphrase with RP_ALLOW_STDIN at ssh-add.c:173, stdin is not used as a last resort without a valid terminal or display. Is it intended behaviour? And if so, what are the security implications of using popen() to write the password to ssh-add (not using echo password|ssh-add of course). I used this patch, which solves the issue: diff -Nru openssh-5.6p1/readpass.c openssh-5.6p1-b/readpass.c --- openssh-5.6p1/readpass.c 2006-08-05 04:39:40.000000000 +0200 +++ openssh-5.6p1-b/readpass.c 2011-01-18 09:52:34.000000000 +0100 @@ -123,6 +123,7 @@ if (!isatty(STDIN_FILENO)) { debug("read_passphrase: stdin is not a tty"); use_askpass = 1; + rppflags |= RPP_STDIN; } } else { rppflags |= RPP_REQUIRE_TTY; Thanks Jean-Yves Faye From peter at stuge.se Tue Jan 18 20:35:23 2011 From: peter at stuge.se (Peter Stuge) Date: Tue, 18 Jan 2011 10:35:23 +0100 Subject: ssh-add with stdin and read_passphrase In-Reply-To: <4D355D0D.8090806@c-s.fr> References: <4D355D0D.8090806@c-s.fr> Message-ID: <20110118093524.32488.qmail@stuge.se> Jean-Yves FAYE wrote: > I would like to use ssh-add to unlock a key with a password provided > through a web interface. > > It seems that even though ssh-add calls read_passphrase with RP_ALLOW_STDIN > at ssh-add.c:173, stdin is not used as a last resort without a valid > terminal or display. Is it intended behaviour? And if so, what are > the security implications of using popen() to write the password to > ssh-add (not using echo password|ssh-add of course). > > > I used this patch, which solves the issue: Maybe you could provide an SSH_ASKPASS instead, and avoid patching. //Peter From jean-yves.faye at c-s.fr Tue Jan 18 21:40:17 2011 
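Review bot: the readpass.c hunk adds `rppflags |= RPP_STDIN;` but leaves `use_askpass = 1;` set in the same branch, so the patch should state which path wins when a DISPLAY/askpass helper and a non-tty stdin are both available; a one-line comment next to the new line, saying that RPP_STDIN makes readpassphrase(3) read from stdin instead of opening /dev/tty, would document the intent. The case the poster describes (a web process with a controlling terminal but a pipe on stdin) is the one this flag changes, so that is the scenario the patch description should name.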
From: jean-yves.faye at c-s.fr (Jean-Yves FAYE) Date: Tue, 18 Jan 2011 11:40:17 +0100 Subject: ssh-add with stdin and read_passphrase In-Reply-To: <20110118093524.32488.qmail@stuge.se> References: <4D355D0D.8090806@c-s.fr> <20110118093524.32488.qmail@stuge.se> Message-ID: <4D356E11.7000408@c-s.fr> On 18/01/2011 10:35, Peter Stuge wrote: > Jean-Yves FAYE wrote: >> I would like to use ssh-add to unlock a key with a password provided >> through a web interface. >> >> It seems that even though ssh-add calls read_passphrase with RP_ALLOW_STDIN >> at ssh-add.c:173, stdin is not used as a last resort without a valid >> terminal or display. Is it intended behaviour? And if so, what are >> the security implications of using popen() to write the password to >> ssh-add (not using echo password|ssh-add of course). >> >> >> I used this patch, which solves the issue: > > Maybe you could provide an SSH_ASKPASS instead, and avoid patching. > > That was one of my alternatives, with some twists and a less straightforward way than piping to stdin, without using disk. Another alternative I thought of was to decipher the key within the PHP script and provide it to ssh-agent, but it may be difficult to implement. I was mostly wondering if it was the intended behaviour, given the RP_ALLOW_STDIN flag. Jean-Yves Faye From imorgan at nas.nasa.gov Wed Jan 19 08:40:12 2011 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Tue, 18 Jan 2011 13:40:12 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D34485B.8080902@opensslfoundation.com> References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D34485B.8080902@opensslfoundation.com> Message-ID: <20110118214012.GB4614@linux124.nas.nasa.gov> On Mon, Jan 17, 2011 at 07:47:07 -0600, Steve Marquess wrote: > Damien Miller wrote: > > On Sat, 15 Jan 2011, Jan Chadima wrote: > > > > > >> The build in FIPS enabled RHEL6 does not still work. > >> > > > > We don't (yet) support building against FIPS enabled OpenSSL. > > > > Out of curiosity, what is needed to make that happen? > > That's a semi-rhetorical question; a well crafted patch would surely go > a long way. I've had that on my rainy day to-do list for a long time. > I have been building FIPS enabled versions of OpenSSH for my DoD clients > for some time, and I know others have done the same. My feeble excuses > for not doing a better job of sharing with the community vary over time; > at the moment I'm more than fully committed with a day job and a newly > launched OpenSSL FIPS Object Module validation. > > Anyone interested in taking working code that FIPS enables OpenSSH and > transforming it into something suitable for direct inclusion? The > result will be very much noticed in the U.S. DoD where OpenSSH is widely > used in violation of the FIPS 140-2 validation mandate. > > -Steve M. > Hi Steve, I'm interested in seeing that happen, but alas can't commit any time to it. I would, however, like to take this opportunity to make a few comments. I have never taken a close look at the various patches that have been posted on this mailing list to enable FIPS support, but as I understand it they are fairly invasive. As we all know, the more invasive the changes are, the longer it will take for them to be included. 
Also, there may be some reluctance to include changes required for FIPS-mode support in the OpenBSD version of OpenSSH, since the FIPS Object Module is not validated for that platform. Is there any realistic way to take an incremental approach to adding FIPS support? For example, replacing arc4random() with an acceptable CSPRNG. Doing that would bring us a step closer to compliance. -- Iain Morgan From kirkland at ubuntu.com Wed Jan 19 08:50:19 2011 From: kirkland at ubuntu.com (Dustin Kirkland) Date: Tue, 18 Jan 2011 15:50:19 -0600 Subject: ssh-import-id In-Reply-To: References: Message-ID: Thanks, everyone, for your insightful comments, discussion, and pointers to other utilities! In my reading of this thread, I do not see any concentrated interest in the ssh-import-id utility by the upstream openssh project itself. No worries by us -- we just thought we'd offer it, in case it were interesting to other Unixes and Linuxes besides Ubuntu. At this point, we are shipping the utility in a package of its own, and available in a bzr repository. You can find all of these linked from this project page: * https://launchpad.net/ssh-import-id The source code is available by branching with 'bzr branch lp:ssh-import-id', or browsing: * http://bazaar.launchpad.net/~ssh-import-id/ssh-import-id/trunk/files The current code there is licensed under the GPLv3, but we would gladly re-license it in the future to a compatible license, should openssh ever grow an interest in this tool. Thanks again for your consideration! Cheers, -- :-Dustin Dustin Kirkland Ubuntu Core Developer From marquess at opensslfoundation.com Wed Jan 19 09:05:17 2011 
From: marquess at opensslfoundation.com (Steve Marquess) Date: Tue, 18 Jan 2011 17:05:17 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <20110118214012.GB4614@linux124.nas.nasa.gov> References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D34485B.8080902@opensslfoundation.com> <20110118214012.GB4614@linux124.nas.nasa.gov> Message-ID: <4D360E9D.905@opensslfoundation.com> Iain Morgan wrote: > ... >> Anyone interested in taking working code that FIPS enables OpenSSH and >> transforming it into something suitable for direct inclusion? The >> result will be very much noticed in the U.S. DoD where OpenSSH is widely >> used in violation of the FIPS 140-2 validation mandate. >> >> -Steve M. >> >> > > Hi Steve, > > I'm interested in seeing that happen, but alas can't commit any time to > it. I would, however, like to take this opportunity to make a few > comments. > > I have never taken a close look at the various patches that have been > posted on this mailing list to enable FIPS support, but as I understand > it they are fairly invasive. As we all know, the more invasive the > changes are, the longer it will take for them to be included. Yes, the modifications in total are ugly because FIPS 140-2 imposes a number of restrictions. For one thing many types of cryptography are disallowed in the FIPS mode of operation. The "FIPS capable" OpenSSL library (OpenSSL built with the FIPS module to present one seamless external API) will automagically fail on attempts to use disallowed crypto, but not gracefully. Much of the complexity of the patches comes from graceful exception handling. > Also, > there may be some reluctance to include changes required for FIPS-mode > support in the OpenBSD version of OpenSSH, since the FIPS Object Module > is not validated for that platform. 
> Actually, the OpenSSL FIPS Object Module v1.2.2 *is* usable on the OpenBSD platform, by virtue of what is called "vendor affirmation" (CMVP Implementation Guidance document, section G.5). In brief, if the same source code validated for one or more test platforms is "merely recompiled" for another platform (no source code hacks), then the resulting module may be "vendor affirmed" as validated. This is discussed in more detail in section 5 of the User Guide (http://www.openssl.org/docs/fips/UserGuide.pdf). The OpenBSD platform is sufficiently similar to other tested platforms to allow vendor affirmation. Incidentally, a new validation effort has just been launched and should an OpenBSD benefactor desire it, the OpenBSD platform could be added as a formal test platform for only a few thousand dollars. > Is there any realistic way to take an incremental approach to adding > FIPS support? For example, replacing arc4random() with an acceptable > CSPRNG. Doing that would bring us a step closer to compliance. > Certainly, there are a number of tweaks required for FIPS mode that would not be inappropriate to apply unconditionally. That would at least make life easier for those of us who hack OpenSSH to add FIPS support. At the moment I'm in the same situation of not having spare time to invest in that effort, though. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marquess at opensslfoundation.com From scott_n at xypro.com Wed Jan 19 10:24:54 2011 
From: scott_n at xypro.com (Scott Neugroschl) Date: Tue, 18 Jan 2011 15:24:54 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D360E9D.905@opensslfoundation.com> References: <1483466478.309.1295084853285.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com><4D34485B.8080902@opensslfoundation.com><20110118214012.GB4614@linux124.nas.nasa.gov> <4D360E9D.905@opensslfoundation.com> Message-ID: <78DD71C304F38B41885A242996B96F7302874B44@xyservd.XYPRO-23.LOCAL> > -----Original Message----- > From: Steve Marquess > > Yes, the modifications in total are ugly because FIPS 140-2 imposes a > number of restrictions. For one thing many types of cryptography are > disallowed in the FIPS mode of operation. The "FIPS capable" OpenSSL > library (OpenSSL built with the FIPS module to present one seamless > external API) will automagically fail on attempts to use disallowed > crypto, but not gracefully. Much of the complexity of the patches > comes > from graceful exception handling. > One way to deal with this is to modify the list of allowed algorithms when reading the ssh/sshd config file. From jchadima at redhat.com Wed Jan 19 21:06:11 2011 From: jchadima at redhat.com (Jan Chadima) Date: Wed, 19 Jan 2011 05:06:11 -0500 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <78DD71C304F38B41885A242996B96F7302874B44@xyservd.XYPRO-23.LOCAL> Message-ID: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > > -----Original Message----- 
> > From: Steve Marquess > > > > Yes, the modifications in total are ugly because FIPS 140-2 imposes > > a > > number of restrictions. For one thing many types of cryptography are > > disallowed in the FIPS mode of operation. The "FIPS capable" OpenSSL > > library (OpenSSL built with the FIPS module to present one seamless > > external API) will automagically fail on attempts to use disallowed > > crypto, but not gracefully. Much of the complexity of the patches > > comes > > from graceful exception handling. > > > > One way to deal with this is to modify the list of allowed algorithms > when reading the ssh/sshd config file. > I'm attaching the Red Hat solution. It is not 100% nice code, but 100% functional. There are 2 main areas where OpenSSH has to be changed to be FIPS compatible: 1) ciphers must be reduced in FIPS mode; 2) MD5, generally used in fingerprints, has to be replaced. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- JFCh -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-5.6p1-fips.patch Type: text/x-patch Size: 25113 bytes Desc: not available URL: From kevin.brott at gmail.com Thu Jan 20 09:32:56 2011 
From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 19 Jan 2011 14:32:56 -0800 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: Using openssh-SNAP-20110120.tar.gz ./configure && make tests

OS               Build_Target             CC              OpenSSL           BUILD TEST
================ ======================== =============== ================= ===== =================
RH 6.2           i686-pc-linux-gnu        egcs 2.91.66    0.9.8j            YES   all tests passed
RH 8.0           i686-pc-linux-gnu        gcc 3.2.2       0.9.7a            YES   all tests passed
RHEL 2.1         i686-pc-linux-gnu        gcc 2.9.6       0.9.8o            *1*2* all tests passed
RHEL 3.0 tu6     i686-pc-linux-gnu        gcc 3.2.3       0.9.7a            *2*   all tests passed
RHEL 4.0 nu5     i686-pc-linux-gnu        gcc 3.4.6       0.9.7a            *2*   all tests passed
RHEL 5.1         x86_64-redhat-linux      gcc 4.1.2       0.9.8b            YES   all tests passed
RHEL 5.3         x86_64-redhat-linux      gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
RHEL 5.4         i686-pc-linux-gnu        gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
RHEL 5.4         x86_64-redhat-linux      gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
RHEL 5.5         i686-pc-linux-gnu        gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
RHEL 5.5         x86_64-redhat-linux      gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
RHEL 5.6         i686-pc-linux-gnu        gcc 4.1.2       0.9.8e-fips-rhel5 YES   all tests passed
FedoraCore r2    i686-pc-linux-gnu        gcc 3.3.3       0.9.7a            *2*   all tests passed
Ubuntu 6.06.2    i686-pc-linux-gnu        gcc 4.0.3       0.9.8a            YES   all tests passed
Ubuntu 7.10      i686-pc-linux-gnu        gcc 4.1.3       0.9.8o            YES   all tests passed
Ubuntu 10.10     x86_64-linux-gnu         gcc 4.4.5       0.9.8o            YES   all tests passed
AIX 5.2 tl10sp4  powerpc-ibm-aix5.2.0.0   gcc 3.3.2       0.9.8f            YES   all tests passed
AIX 5.3 tl7sp2   powerpc-ibm-aix5.3.0.0   gcc 4.2.0       0.9.8k            YES   all tests passed
AIX 6.1 tl4sp6   powerpc-ibm-aix6.1.0.0   gcc 4.2.0       0.9.8k            YES   all tests passed
HP-UX 11.11      hppa2.0w-hp-hpux11.11    gcc 3.4.3       0.9.7m            *2*   all tests passed
HP-UX 11.23      ia64-hp-hpux11.23        gcc 4.1.1       0.9.8o            *3*   all tests passed
HP-UX 11.31      ia64-hp-hpux11.31        gcc 4.3.3       0.9.8n            YES   all tests passed
HP-UX 11.31      ia64-hp-hpux11.31        C/aC++ A.06.20  0.9.8n            YES   all tests passed

*1* OS shipped with openssl 0.9.6b & openssh 5.6 will not configure/build \
    however, building against 0.9.8o temp installed under /var/tmp/ssh works
*2* OS shipped with an old version of zlib - openssh will build/compile \
    against 1.2.5 installed under /var/tmp/ssh directory or using the \
    --without-zlib-version-check configure flag
*3* HP-UX 11.23 on ia64 requires --disable-utmpx to build

On Sun, Jan 16, 2011 at 04:34, Damien Miller wrote: > On Sun, 16 Jan 2011, Damien Miller wrote: > > > On Sun, 16 Jan 2011, Damien Miller wrote: > > > > > I have replicated the problem on CentOS 3.9 and found the commit that > > > triggers it (http://hg.mindrot.org/openssh/rev/10166). It only seems > to > > > affect SSH1, but I still don't understand why it fails though. > > > > Here's a fix. The SIGCHLD handler just exposed a latent bug. > > Committed. This will be in tonight's snapshot (20110117) due in an hour or > so. > > -d > -- # include /* Kevin Brott */ From djm at mindrot.org Thu Jan 20 09:39:02 2011 
From: djm at mindrot.org (Damien Miller) Date: Thu, 20 Jan 2011 09:39:02 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Wed, 19 Jan 2011, Kevin Brott wrote: > > Using openssh-SNAP-20110120.tar.gz > > ./configure && make tests [snip extensive list of platform tests - thanks!] > *1* OS shipped with openssl 0.9.6b & openssh 5.6 will not configure/build \ > however, building against 0.9.8o temp installed under /var/tmp/ssh > works Could you post the error message here? > *2* OS shipped with an old version of zlib - openssh will build/compile \ > against 1.2.5 installed under /var/tmp/ssh directory or using the \ > --without-zlib-version-check configure flag > > *3* HP-UX 11.23 on ia64 requires --disable-utmpx to build Could you post the error here as well as the ./configure-detected host type? (e.g. x86_64-unknown-linux-gnu) Thanks, Damien > > On Sun, Jan 16, 2011 at 04:34, Damien Miller wrote: > On Sun, 16 Jan 2011, Damien Miller wrote: > > > On Sun, 16 Jan 2011, Damien Miller wrote: > > > > > I have replicated the problem on CentOS 3.9 and found the > commit that > > > triggers it (http://hg.mindrot.org/openssh/rev/10166). It > only seems to > > > affect SSH1, but I still don't understand why it fails > though. > > > > Here's a fix. The SIGCHLD handler just exposed a latent bug. > > Committed. This will be in tonight's snapshot (20110117) due in an > hour or > so. > > -d > > > > > -- > # include > /* Kevin Brott */ > > > > From tim at multitalents.net Thu Jan 20 14:27:17 2011 
From: tim at multitalents.net (Tim Rice) Date: Wed, 19 Jan 2011 19:27:17 -0800 (PST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: On Wed, 19 Jan 2011, Kevin Brott wrote: > Using openssh-SNAP-20110120.tar.gz > RHEL 2.1 i686-pc-linux-gnu gcc 2.9.6 0.9.8o > *1*2* all tests passed > > *1* OS shipped with openssl 0.9.6b & openssh 5.6 will not configure/build \ > however, building against 0.9.8o temp installed under /var/tmp/ssh > works I have a 0.9.6e OpenLinux 3.1.1 machine working here, so either it's some change between b and e or how OpenSSL was built on RHEL 2.1. What is the output of "openssl version -a" on that machine? -- Tim Rice Multitalents tim at multitalents.net From dtucker at zip.com.au Thu Jan 20 17:44:44 2011 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 20 Jan 2011 17:44:44 +1100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: Message-ID: <4D37D9DC.3050502@zip.com.au> On 20/01/11 9:39 AM, Damien Miller wrote: > On Wed, 19 Jan 2011, Kevin Brott wrote: [...] >> *1* OS shipped with openssl 0.9.6b& openssh 5.6 will not configure/build \ >> however, building against 0.9.8o temp installed under /var/tmp/ssh >> works > > Could you post the error message here? I think that vintage of Redhat shipped with the -engine variant of OpenSSL. I can see an error if I try to compile against openssl-engine-0.9.6b, but I'm not sure if there's anything we can do about it: ssh-pkcs11.c:309: undefined reference to `RSA_get_default_method' -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Jan 20 18:29:40 2011 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 20 Jan 2011 18:29:40 +1100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D37D9DC.3050502@zip.com.au> References: <4D37D9DC.3050502@zip.com.au> Message-ID: <20110120072940.GA9265@gate.dtucker.net> On Thu, Jan 20, 2011 at 05:44:44PM +1100, Darren Tucker wrote: > On 20/01/11 9:39 AM, Damien Miller wrote: > >On Wed, 19 Jan 2011, Kevin Brott wrote: > [...] > >>*1* OS shipped with openssl 0.9.6b& openssh 5.6 will not configure/build \ > >>however, building against 0.9.8o temp installed under /var/tmp/ssh > >>works > > > >Could you post the error message here? > > I think that vintage of Redhat shipped with the -engine variant of > OpenSSL. I can see an error if I try to compile against > openssl-engine-0.9.6b, but I'm not sure if there's anything we can > do about it: > > ssh-pkcs11.c:309: undefined reference to `RSA_get_default_method' OK, so the problem seems to be that openssl-engine-0.9.6b does not implement that function (it does document it, however). openssl-0.9.6b *does* implement it, though, and it seems to be a wrapper to support optionally building with the RSA reference implementation. I think the following patch should make it work. By rights you should rerun "autoreconf" to rebuild configure after applying this patch, then rerun configure; however, in this particular case just rerunning "make" would probably also work. Index: configure.ac =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v retrieving revision 1.468 diff -u -p -r1.468 configure.ac --- configure.ac 19 Jan 2011 12:12:30 -0000 1.468 +++ configure.ac 20 Jan 2011 07:04:06 -0000 
@@ -2180,7 +2180,7 @@ int main(void) { SSLeay_add_all_algorith ] ) -AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex) +AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method) AC_ARG_WITH(ssl-engine, [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], Index: openbsd-compat/openssl-compat.c =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.c,v retrieving revision 1.12 diff -u -p -r1.12 openssl-compat.c --- openbsd-compat/openssl-compat.c 4 Dec 2010 21:46:05 -0000 1.12 +++ openbsd-compat/openssl-compat.c 20 Jan 2011 07:14:43 -0000 @@ -120,6 +120,14 @@ DSA_generate_parameters_ex(DSA *dsa, int } #endif +#ifndef RSA_GET_DEFAULT_METHOD +RSA_METHOD * +RSA_get_default_method(void) +{ + return RSA_PKCS1_SSLeay(); +} +#endif + #ifdef USE_OPENSSL_ENGINE void ssh_SSLeay_add_all_algorithms(void) Index: openbsd-compat/openssl-compat.h =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.h,v retrieving revision 1.17 diff -u -p -r1.17 openssl-compat.h --- openbsd-compat/openssl-compat.h 4 Dec 2010 12:20:50 -0000 1.17 +++ openbsd-compat/openssl-compat.h 20 Jan 2011 07:06:22 -0000 @@ -121,6 +121,10 @@ int DSA_generate_parameters_ex(DSA *, in int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); # endif +# ifndef RSA_GET_DEFAULT_METHOD +RSA_METHOD *RSA_get_default_method(void); +# endif + int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, unsigned char *, int); int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From marquess at opensslfoundation.com Fri Jan 21 00:30:05 2011 
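Review bot: the guard `#ifndef RSA_GET_DEFAULT_METHOD` in the openssl-compat.c and openssl-compat.h hunks does not match what the configure.ac hunk produces: `AC_CHECK_FUNCS(... RSA_get_default_method)` defines `HAVE_RSA_GET_DEFAULT_METHOD`, not `RSA_GET_DEFAULT_METHOD`. As written the compat wrapper is compiled unconditionally, which would provide a second definition of RSA_get_default_method() on every OpenSSL that already exports it (including the plain openssl-0.9.6b the message says does implement it); both guards should read `#ifndef HAVE_RSA_GET_DEFAULT_METHOD`, matching the `HAVE_` convention of the surrounding `RSA_generate_key_ex` / `DSA_generate_parameters_ex` blocks.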
From: marquess at opensslfoundation.com (Steve Marquess)
Date: Thu, 20 Jan 2011 08:30:05 -0500
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
References: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3838DD.3010409@opensslfoundation.com>

Jan Chadima wrote:
> ...
> I'm attaching the red hat solution. It is not 100% nice code, but
> 100% functional. There are 2 main areas where the openssh have to be
> changed to be fips compatible 1) ciphers .... must be reduced in fips
> mode 2) md5 used generally in fingerprints have to be replaced....

This is pretty close to what I've been using in collaboration with Steve Henson and Tim Hudson. Several comments:

1) We should really avoid CTR mode entirely, it's not FIPS approved and the validated CBC can be used instead.

2) A visual indication of the FIPS mode of operation is very helpful in surviving risk assessments in DoD, which vary from sloppily casual to pointlessly anal but never involve deep technical proficiency on the part of the reviewer. An indication on the sshd banner is an easy way to quickly conclude the yes-we-really-are discussions; I append "FIPS" to the banner.

3) Steve Henson suggested to me some time ago a technique of policing cipher and mac selection. Instead of a hard coded list of supported algorithms, check for FIPS mode compatibility on the fly. For instance, in mac_setup:

#ifdef OPENSSL_FIPS
	if (FIPS_mode() && (macs[i].type != SSH_EVP ||
	    !(macs[i].mdfunc()->flags & EVP_MD_FLAG_FIPS))) {
		debug2("mac_setup: %s disabled for FIPS", name);
		continue;
	}
#endif

...which automatically handles any new ciphers added to the list and/or new algorithms from a future validation.

-Steve M.

-- 
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marquess at opensslfoundation.com From jan.pechanec at oracle.com Fri Jan 21 02:32:40 2011 
From: jan.pechanec at oracle.com (Jan Pechanec) Date: Thu, 20 Jan 2011 16:32:40 +0100 (CET) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D3838DD.3010409@opensslfoundation.com> References: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D3838DD.3010409@opensslfoundation.com> Message-ID: On Thu, 20 Jan 2011, Steve Marquess wrote: > Jan Chadima wrote: >> >> ... >> >> I'm attaching the red hat solution. It is not 100% nice code, but >> 100% functional. There are 2 main areas where the openssh have to be >> changed to be fips compatible 1) ciphers .... must be reduced in fips >> mode 2) md5 used generally in fingerprints have to be replaced.... > > This is pretty close to what I've been using in collaboration with Steve Henson > and Tim Hudson. Several comments: > > 1) We should really avoid CTR mode entirely, it's not FIPS approved and the > validated CBC can be used instead. hi Steve, are you talking about FIPS certified OpenSSL or about the mode as such? I know that OpenSSL does not support AES CTR in EVP (not until 1.0.1, I saw a commit there) but FIPS-140-2 Annex A references 800-38A which lists CTR mode as one of the allowed modes. So, I assumed AES CTR was allowed in FIPS-140-2 and that it just can't be used in FIPS-140-2 mode in OpenSSH since OpenSSH partially implements the mode by itself. thanks, Jan. http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf > > 2) A visual indication of the FIPS mode of operation is very helpful in > surviving risk assessments in DoD, which vary from sloppily casual to > pointlessly anal but never involve deep technical proficiency on the part of > the reviewer. An indication on the sshd banner is an easy way to quickly > conclude the yes-we-really-are discussions; I append "FIPS" to the banner. > > 3) Steve Henson suggested to me some time ago a technique of policing cipher > and mac selection. 
Instead of a hard coded list of supported algorithms, check > for FIPS mode compatibility on the fly. For instance, in mac_setup: > > #ifdef OPENSSL_FIPS > if (FIPS_mode() && (macs[i].type != SSH_EVP || > !(macs[i].mdfunc()->flags & EVP_MD_FLAG_FIPS))) { > debug2("mac_setup: %s disabled for FIPS", name); > continue; > } > #endif > > ...which automatically handles any new ciphers added to the list and/or new > algorithms from a future validation. > > -Steve M. > > -- Jan Pechanec http://blogs.sun.com/janp From marquess at opensslfoundation.com Fri Jan 21 04:09:21 2011 From: marquess at opensslfoundation.com (Steve Marquess) Date: Thu, 20 Jan 2011 12:09:21 -0500 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D3838DD.3010409@opensslfoundation.com> Message-ID: <4D386C41.30608@opensslfoundation.com> Jan Pechanec wrote: > ... >> >> 1) We should really avoid CTR mode entirely, it's not FIPS approved and the >> validated CBC can be used instead. >> > > hi Steve, are you talking about FIPS certified OpenSSL or about > the mode as such? I know that OpenSSL does not support AES CTR in EVP > (not until 1.0.1, I saw a commit there) but FIPS-140-2 Annex A > references 800-38A which lists CTR mode as one of the allowed modes. So, > I assumed AES CTR was allowed in FIPS-140-2 and that it just can't be > used in FIPS-140-2 mode in OpenSSH since OpenSSH partially implements > the mode by itself. > Well, use of CTR is arguably legal but IMHO questionable. AES-CTR is not included in the #1051 validation (see http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#695), and there is no compelling reason to use it (with or without FIPS 140-2). -Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marquess at opensslfoundation.com From djm at mindrot.org Fri Jan 21 07:34:26 2011 
From: djm at mindrot.org (Damien Miller) Date: Fri, 21 Jan 2011 07:34:26 +1100 (EST) Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <4D386C41.30608@opensslfoundation.com> References: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D3838DD.3010409@opensslfoundation.com> <4D386C41.30608@opensslfoundation.com> Message-ID: On Thu, 20 Jan 2011, Steve Marquess wrote: > Well, use of CTR is arguably legal but IMHO questionable. AES-CTR is not > included in the #1051 validation (see > http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#695), and there > is no compelling reason to use it (with or without FIPS 140-2). Actually, http://www.openssh.com/txt/cbc.adv Removing CTR and RC4 leaves only vulnerable CBC mode ciphers. -d From kevin.brott at gmail.com Fri Jan 21 13:10:58 2011 
From: kevin.brott at gmail.com (Kevin Brott)
Date: Thu, 20 Jan 2011 18:10:58 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References:
Message-ID:

On Wed, Jan 19, 2011 at 14:39, Damien Miller wrote:
> On Wed, 19 Jan 2011, Kevin Brott wrote:
> > Using openssh-SNAP-20110120.tar.gz
> >
> > ./configure && make tests
>
> [snip extensive list of platform tests - thanks!]
>
> > *1* OS shipped with openssl 0.9.6b & openssh 5.6 will not configure/build \
> > however, building against 0.9.8o temp installed under /var/tmp/ssh
> > works
>
> Could you post the error message here?

# openssl version
OpenSSL 0.9.6b [engine] 9 Jul 2001
# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.2 2.96-116.7.2)

./configure --without-zlib-version-check && make tests
....SNIP...
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt
./libssh.a(ssh-pkcs11.o): In function `pkcs11_rsa_wrap':
/var/tmp/ssh/openssh/ssh-pkcs11.c:309: undefined reference to `RSA_get_default_method'
collect2: ld returned 1 exit status
gmake: *** [ssh] Error 1

> > *2* OS shipped with an old version of zlib - openssh will build/compile \
> > against 1.2.5 installed under /var/tmp/ssh directory or using the \
> > --without-zlib-version-check configure flag
> >
> > *3* HP-UX 11.23 on ia64 requires --disable-utmpx to build
>
> Could you post the error here as well as the ./configure-detected host
> type? (e.g. x86_64-unknown-linux-gnu)

Oh *bugger* - ignore this note/issue. I'd forgotten this build host was one where we'd temporarily renamed /usr/include/utmpx.h to dodge configure issues with an obstinate piece of gnu-ware. Once I set it back to its right name - everything works perfectly with ./configure && gmake tests BUILD=YES,"all tests passed".
> Thanks, > Damien > NP ...enjoy. :) > > > On Sun, Jan 16, 2011 at 04:34, Damien Miller wrote: > > On Sun, 16 Jan 2011, Damien Miller wrote: > > > > > On Sun, 16 Jan 2011, Damien Miller wrote: > > > > > > > I have replicated the problem on CentOS 3.9 and found the > > commit that > > > > triggers it (http://hg.mindrot.org/openssh/rev/10166). It > > only seems to > > > > affect SSH1, but I still don't understand why it fails > > though. > > > > > > Here's a fix. The SIGCHLD handler just exposed a latent bug. > > > > Committed. This will be in tonight's snapshot (20110117) due in an > > hour or > > so. > > > -- # include /* Kevin Brott */ From kevin.brott at gmail.com Fri Jan 21 13:20:14 2011 
From: kevin.brott at gmail.com (Kevin Brott)
Date: Thu, 20 Jan 2011 18:20:14 -0800
Subject: Call for testing: OpenSSH-5.7
In-Reply-To: <20110120072940.GA9265@gate.dtucker.net>
References: <4D37D9DC.3050502@zip.com.au> <20110120072940.GA9265@gate.dtucker.net>
Message-ID:

Hrm - that doesn't quite seem to work ...

# patch -p0 -i ./patch
patching file configure.ac
Hunk #1 succeeded at 2180 with fuzz 1.
patching file openbsd-compat/openssl-compat.c
Hunk #1 succeeded at 21 with fuzz 2 (offset -99 lines).
patching file openbsd-compat/openssl-compat.h
Hunk #1 succeeded at 121 with fuzz 2.
# autoreconf
# ./configure --without-zlib-version-check && make tests
...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
openssl-compat.c:25: parse error before `*'
openssl-compat.c:27: warning: return type defaults to `int'
openssl-compat.c: In function `RSA_get_default_method':
openssl-compat.c:28: warning: implicit declaration of function `RSA_PKCS1_SSLeay'
openssl-compat.c:28: warning: return makes pointer from integer without a cast
In file included from /usr/include/openssl/evp.h:118,
                 from openssl-compat.h:21,
                 from openssl-compat.c:40:
/usr/include/openssl/rsa.h: At top level:
/usr/include/openssl/rsa.h:213: warning: type mismatch with previous implicit declaration
openssl-compat.c:28: warning: previous implicit declaration of `RSA_PKCS1_SSLeay'
/usr/include/openssl/rsa.h:213: warning: `RSA_PKCS1_SSLeay' was previously implicitly declared to return `int'
make[1]: *** [openssl-compat.o] Error 1
make[1]: Leaving directory `/var/tmp/ssh/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
...
=====

On Wed, Jan 19, 2011 at 23:29, Darren Tucker wrote:
> On Thu, Jan 20, 2011 at 05:44:44PM +1100, Darren Tucker wrote:
> > On 20/01/11 9:39 AM, Damien Miller wrote:
> > >On Wed, 19 Jan 2011, Kevin Brott wrote:
> > [...]
> > >>*1* OS shipped with openssl 0.9.6b& openssh 5.6 will not > configure/build \ > > >>however, building against 0.9.8o temp installed under /var/tmp/ssh > > >>works > > > > > >Could you post the error message here? > > > > I think that vintage of Redhat shipped with the -engine variant of > > OpenSSL. I can see an error if I try to compile against > > openssl-engine-0.9.6b, but I'm not sure if there's anything we can > > do about it: > > > > ssh-pkcs11.c:309: undefined reference to `RSA_get_default_method' > > OK so the problem seems to be that openssl-engine-.0.96b does not > implement that function (it does document it, however). openssl-0.9.6b > *does* implement it, though, and it seems to be a wrapper to support > optionally building with the RSA reference implementation. > > I think the following patch should make it work. By rights you should > rerun "autoreconf" to rebuild configure after applying this patch then > rerun configure, however in this particular case just rerunning "make" > would probably also work. > > Index: configure.ac > =================================================================== > RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v > retrieving revision 1.468 > diff -u -p -r1.468 configure.ac > --- configure.ac 19 Jan 2011 12:12:30 -0000 1.468 > +++ configure.ac 20 Jan 2011 07:04:06 -0000 
> @@ -2180,7 +2180,7 @@ int main(void) { SSLeay_add_all_algorith > ] > ) > > -AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex > BN_is_prime_ex) > +AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex > BN_is_prime_ex RSA_get_default_method) > > AC_ARG_WITH(ssl-engine, > [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support > ], > Index: openbsd-compat/openssl-compat.c > =================================================================== > RCS file: > /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.c,v > retrieving revision 1.12 > diff -u -p -r1.12 openssl-compat.c > --- openbsd-compat/openssl-compat.c 4 Dec 2010 21:46:05 -0000 > 1.12 > +++ openbsd-compat/openssl-compat.c 20 Jan 2011 07:14:43 -0000 > @@ -120,6 +120,14 @@ DSA_generate_parameters_ex(DSA *dsa, int > } > #endif > > +#ifndef RSA_GET_DEFAULT_METHOD > +RSA_METHOD * > +RSA_get_default_method(void) > +{ > + return RSA_PKCS1_SSLeay(); > +} > +#endif > + > #ifdef USE_OPENSSL_ENGINE > void > ssh_SSLeay_add_all_algorithms(void) > Index: openbsd-compat/openssl-compat.h > =================================================================== > RCS file: > /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.h,v > retrieving revision 1.17 > diff -u -p -r1.17 openssl-compat.h > --- openbsd-compat/openssl-compat.h 4 Dec 2010 12:20:50 -0000 > 1.17 > +++ openbsd-compat/openssl-compat.h 20 Jan 2011 07:06:22 -0000 
> @@ -121,6 +121,10 @@ int DSA_generate_parameters_ex(DSA *, in > int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); > # endif > > +# ifndef RSA_GET_DEFAULT_METHOD > +RSA_METHOD *RSA_get_default_method(void); > +# endif > + > int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char > *, > unsigned char *, int); > int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > -- # include /* Kevin Brott */ From dtucker at zip.com.au Fri Jan 21 19:29:36 2011 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Jan 2011 19:29:36 +1100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: References: <4D37D9DC.3050502@zip.com.au> <20110120072940.GA9265@gate.dtucker.net> Message-ID: <20110121082936.GA24000@gate.dtucker.net> On Thu, Jan 20, 2011 at 06:20:14PM -0800, Kevin Brott wrote: > Hrm - that doesn't quite seem to work ... OK, I found I forgot to add the "HAVE_" in front of the symbol and I'm guessing that I need to include the rsa header (although I didn't need it on my test installation). Please try this patch. Index: configure.ac =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v retrieving revision 1.468 diff -u -p -r1.468 configure.ac --- configure.ac 19 Jan 2011 12:12:30 -0000 1.468 +++ configure.ac 20 Jan 2011 07:04:06 -0000 
@@ -2180,7 +2180,7 @@ int main(void) { SSLeay_add_all_algorith ] ) -AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex) +AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method) AC_ARG_WITH(ssl-engine, [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], Index: openbsd-compat/openssl-compat.c =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.c,v retrieving revision 1.12 diff -u -p -r1.12 openssl-compat.c --- openbsd-compat/openssl-compat.c 4 Dec 2010 21:46:05 -0000 1.12 +++ openbsd-compat/openssl-compat.c 21 Jan 2011 07:53:40 -0000 @@ -26,6 +26,10 @@ # include #endif +#ifndef HAVE_RSA_GET_DEFAULT_METHOD +# include +#endif + #include "log.h" #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS @@ -120,6 +124,14 @@ DSA_generate_parameters_ex(DSA *dsa, int } #endif +#ifndef HAVE_RSA_GET_DEFAULT_METHOD +RSA_METHOD * +RSA_get_default_method(void) +{ + return RSA_PKCS1_SSLeay(); +} +#endif + #ifdef USE_OPENSSL_ENGINE void ssh_SSLeay_add_all_algorithms(void) Index: openbsd-compat/openssl-compat.h =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.h,v retrieving revision 1.17 diff -u -p -r1.17 openssl-compat.h --- openbsd-compat/openssl-compat.h 4 Dec 2010 12:20:50 -0000 1.17 +++ openbsd-compat/openssl-compat.h 21 Jan 2011 08:02:14 -0000 
@@ -78,6 +78,10 @@ extern const EVP_CIPHER *evp_acss(void); # define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) #endif +#ifndef HAVE_RSA_GET_DEFAULT_METHOD +RSA_METHOD *RSA_get_default_method(void); +#endif + /* * We overload some of the OpenSSL crypto functions with ssh_* equivalents * which cater for older and/or less featureful OpenSSL version. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From marquess at opensslfoundation.com Fri Jan 21 23:47:20 2011 
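Review bot: the second openssl-compat.c hunk (the one adding the RSA_get_default_method() fallback after DSA_generate_parameters_ex) still carries the same generic context as the first attempt, `}` / `#endif` / blank on the way in and `#ifdef USE_OPENSSL_ENGINE` on the way out, and the earlier report in this thread shows `patch` placing that hunk "at 21 with fuzz 2 (offset -99 lines)", i.e. into the top-of-file include block, which is how the definition ended up at openssl-compat.c:25 before the headers were included. Testers applying this by hand should apply with `patch -F0` or confirm the definition landed after the `#include`s; adding the new <openssl/rsa.h> include in the first hunk helps only if the definition lands after it.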
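Review bot: moving the openssl-compat.h declaration to top level next to the EVP_CIPHER_CTX_key_length compat define, and guarding it with HAVE_RSA_GET_DEFAULT_METHOD, fixes both issues in the first version; the one remaining dependency is that RSA_METHOD must already be a known type at that line, which holds because the header pulls in <openssl/evp.h> (the compiler output earlier in the thread shows evp.h:118 including rsa.h from openssl-compat.h:21), so no extra include is needed in the header.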
From: marquess at opensslfoundation.com (Steve Marquess)
Date: Fri, 21 Jan 2011 07:47:20 -0500
Subject: Call for testing: OpenSSH-5.7
In-Reply-To:
References: <318479606.77648.1295431571576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> <4D3838DD.3010409@opensslfoundation.com> <4D386C41.30608@opensslfoundation.com>
Message-ID: <4D398058.3080305@opensslfoundation.com>

Damien Miller wrote:
> On Thu, 20 Jan 2011, Steve Marquess wrote:
>> Well, use of CTR is arguably legal but IMHO questionable. AES-CTR is not
>> included in the #1051 validation (see
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#695), and there
>> is no compelling reason to use it (with or without FIPS 140-2).
>
> Actually, http://www.openssh.com/txt/cbc.adv
>
> Removing CTR and RC4 leaves only vulnerable CBC mode ciphers.

Good point. The standard FIPS-centric response to this situation is to do what policy requires. It's a sad fact that, all other things being equal, FIPS 140-2 validated crypto implementations are less secure (in the real-world sense of resistance to evil attack) than non-validated equivalents. When you spend too much time working in that arena it's easy to forget that's not a good thing.

The long term solution is to include CTR mode in the currently ongoing validation, which we plan to do. In any event we have to be sure not to just make up an EVP_CIPHER because that results in using the low-level APIs which don't utilize the approved interface for the FIPS module. Instead we would want to build up a CTR mode in terms of EVP ECB mode.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marquess at opensslfoundation.com

From albert.strasheim at gmail.com Sat Jan 22 17:29:12 2011
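Steve's closing remark, that a FIPS-friendly CTR should be built from the module's EVP ECB operation rather than from a home-made EVP_CIPHER, and Jan's earlier note that OpenSSH implements CTR itself on top of the block cipher, both come down to the same layering, which the following added example shows in code. It is written for this page and is not OpenSSH or OpenSSL source. The CTR layer (`ctr_crypt`) only ever hands counter blocks to a 16-byte block primitive, so key material never leaves whatever implements that primitive; to keep the example runnable offline the primitive is a small pure-Python AES-128 encrypt (my own code, standing in for a validated module's single-block ECB call, and not something to use in production). The counter is advanced as a 128-bit big-endian integer as in SP 800-38A, and the values checked in `self_test` are the published FIPS-197 Appendix C.1 and SP 800-38A F.5.1 vectors rather than constructed data.

```python
def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF

def _gmul(a, b):
    """GF(2^8) multiplication by repeated xtime (clarity, not constant time)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the FIPS-197 affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def aes128_round_keys(key):
    """FIPS-197 key expansion: 11 round keys of 16 bytes from a 16-byte key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt_block(round_keys, block):
    """Encrypt one 16-byte block: the 'ECB primitive'. State is column-major."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd != 10:                                                        # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                          _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def ctr_crypt(block_encrypt, counter, data):
    """SP 800-38A CTR over any 16-byte block primitive; one call both encrypts and decrypts."""
    # Only counter blocks ever reach block_encrypt, so the key stays behind that
    # function (in OpenSSL terms: behind the module's EVP ECB call).
    ctr = int.from_bytes(counter, "big")
    out = bytearray()
    for off in range(0, len(data), 16):
        keystream = block_encrypt(ctr.to_bytes(16, "big"))
        out += bytes(p ^ k for p, k in zip(data[off:off + 16], keystream))
        ctr = (ctr + 1) % (1 << 128)          # 128-bit big-endian increment, wraps
    return bytes(out)

def aes128_ctr(key, counter, data):
    """AES-128-CTR assembled purely from ECB block encryptions."""
    rk = aes128_round_keys(key)
    return ctr_crypt(lambda blk: aes128_encrypt_block(rk, blk), counter, data)

# Published vectors: FIPS-197 App. C.1 (ECB) and SP 800-38A F.5.1 (CTR, first two blocks).
FIPS197_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS197_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
SP800_38A_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SP800_38A_CTR = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
SP800_38A_PT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51")
SP800_38A_CT = bytes.fromhex("874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff")

def self_test():
    """True when the ECB primitive and the CTR layer both match the NIST vectors."""
    ecb_ok = aes128_encrypt_block(aes128_round_keys(FIPS197_KEY), FIPS197_PT) == FIPS197_CT
    ct = aes128_ctr(SP800_38A_KEY, SP800_38A_CTR, SP800_38A_PT)
    ctr_ok = ct == SP800_38A_CT and aes128_ctr(SP800_38A_KEY, SP800_38A_CTR, ct) == SP800_38A_PT
    return ecb_ok and ctr_ok

if __name__ == "__main__":
    print("AES-128 ECB/CTR self-test:", "pass" if self_test() else "FAIL")
```

Swapping `aes128_encrypt_block` for a call into a validated module's single-block encrypt is the only change the CTR layer would need; the point of the design is that `ctr_crypt` has no access to the key at all, so it cannot route around the approved interface the way a stand-alone EVP_CIPHER built on the low-level AES calls would.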
From: albert.strasheim at gmail.com (Albert Strasheim) Date: Sat, 22 Jan 2011 08:29:12 +0200 Subject: SRP for OpenSSH Message-ID: Hello all Support for Secure Remote Password (SRP) for OpenSSH was last discussed in 2004: http://marc.info/?l=openssh-unix-dev&w=2&r=1&s=SRP&q=b There's a SRP patch for OpenSSL that's about 2 years in the making: http://rt.openssl.org/Ticket/Display.html?id=1794 Tom Wu from Stanford has been working on that. Has anything changed since 2004 that would make inclusion of SRP in OpenSSH possible now? Regards Albert From djgosselin at gmail.com Sun Jan 23 12:45:42 2011 From: djgosselin at gmail.com (David and Jamie Gosselin) Date: Sat, 22 Jan 2011 20:45:42 -0500 Subject: Contributing Code to OpenSSH Message-ID: Hello everyone, I have found a bug (memory leak) in the OpenSSH code for which I would like to submit a patch; how do contributors go about the submission process? The website does not appear to afford such an opportunity to give back. Thank you, David From peter at stuge.se Sun Jan 23 14:31:05 2011 From: peter at stuge.se (Peter Stuge) Date: Sun, 23 Jan 2011 04:31:05 +0100 Subject: Contributing Code to OpenSSH In-Reply-To: References: Message-ID: <20110123033105.26322.qmail@stuge.se> Hi David, David and Jamie Gosselin wrote: > I have found a bug (memory leak) in the OpenSSH code for which I > would like to submit a patch; how do contributors go about the > submission process? I suggest to use CVS or mercurial to check out the current source code, fix the bug, then use either cvs diff or hg commit + hg export to generate a patch file. Send that patch file to this mailing list for review and inclusion in the codebase. Another approach is to file a bug in the web based bugzilla bug tracker for the project. //Peter From dtucker at zip.com.au Sun Jan 23 16:52:49 2011 
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 23 Jan 2011 16:52:49 +1100 Subject: Contributing Code to OpenSSH In-Reply-To: References: Message-ID: <4D3BC231.70508@zip.com.au> On 01/23/2011 12:45 PM, David and Jamie Gosselin wrote: > Hello everyone, > > I have found a bug (memory leak) in the OpenSSH code for which I > would like to submit a patch; how do contributors go about the > submission process? The website does not appear to afford such an > opportunity to give back. You can either mail the patch to this list (note that it must be sent as either a mime type of text or inline otherwise it will be stripped by the list server) or via http://bugzilla.mindrot.org (both of these are covered at http://www.openssh.com/report.html, along with a couple of other things). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mfriedl at gmail.com Mon Jan 24 05:14:13 2011 From: mfriedl at gmail.com (Markus Friedl) Date: Sun, 23 Jan 2011 19:14:13 +0100 Subject: SRP for OpenSSH In-Reply-To: References: Message-ID: OpenSSH already has jpake support. -m On Saturday, January 22, 2011, Albert Strasheim wrote: > Hello all > > Support for Secure Remote Password (SRP) for OpenSSH was last discussed in 2004: > > http://marc.info/?l=openssh-unix-dev&w=2&r=1&s=SRP&q=b > > There's a SRP patch for OpenSSL that's about 2 years in the making: > > http://rt.openssl.org/Ticket/Display.html?id=1794 > > Tom Wu from Stanford has been working on that. > > Has anything changed since 2004 that would make inclusion of SRP in > OpenSSH possible now? > > Regards > > Albert > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From albert.strasheim at gmail.com Mon Jan 24 06:04:16 2011 
From: albert.strasheim at gmail.com (Albert Strasheim)
Date: Sun, 23 Jan 2011 21:04:16 +0200
Subject: SRP for OpenSSH
In-Reply-To:
References:
Message-ID:

Hello

On Sun, Jan 23, 2011 at 8:14 PM, Markus Friedl wrote:
> OpenSSH already has jpake support.

Have the concerns about JPAKE mentioned in the comments in this blog:

http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/

been resolved? For example: "The JPAKE in OpenSSH is unfinished and I don't recommend enabling it".

Regards

Albert

> On Saturday, January 22, 2011, Albert Strasheim
> wrote:
>> Hello all
>>
>> Support for Secure Remote Password (SRP) for OpenSSH was last discussed in 2004:
>>
>> http://marc.info/?l=openssh-unix-dev&w=2&r=1&s=SRP&q=b
>>
>> There's a SRP patch for OpenSSL that's about 2 years in the making:
>>
>> http://rt.openssl.org/Ticket/Display.html?id=1794
>>
>> Tom Wu from Stanford has been working on that.
>>
>> Has anything changed since 2004 that would make inclusion of SRP in
>> OpenSSH possible now?
>>
>> Regards
>>
>> Albert

From djm at cvs.openbsd.org Mon Jan 24 12:45:12 2011
From: djm at cvs.openbsd.org (Damien Miller)
Date: Sun, 23 Jan 2011 18:45:12 -0700 (MST)
Subject: Announce: OpenSSH 5.7 released
Message-ID: <201101240145.p0O1jCZM024957@cvs.openbsd.org>

OpenSSH 5.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html

Changes since OpenSSH 5.6
=========================

Features:

 * Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported - an ECDSA key may be certified, and an ECDSA key may act as a CA to sign certificates. ECDH in a 256 bit curve field is the preferred key agreement algorithm when both the client and server support it. ECDSA host keys are preferred when learning a host's keys for the first time, or can be learned using ssh-keyscan(1).

 * sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command

 * scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.

 * ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.

 * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733

 * sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.

 * ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed. (also fixes bz#1711)

 * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.

 * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). bz#1147

BugFixes:

 * ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. bz#1809
 * ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel; bz#1842
 * sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode; bz#1719
 * scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837
 * sftp-server(8): umask should be parsed as octal
 * sftp(1): escape '[' in filename tab-completion
 * ssh(1): Typo in confirmation message. bz#1827
 * sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
 * sshd(8): Use default shell /bin/sh if $SHELL is ""
 * ssh(1): kill proxy command on fatal() (we already killed it on clean exit);
 * ssh(1): install a SIGCHLD handler to reap expired child process; bz#1812
 * Support building against openssl-1.0.0a

Portable OpenSSH Bugfixes:

 * Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively.
 * sshd(8): Relax permission requirement on btmp logs to allow group read/write
 * bz#1840: fix warning when configuring --with-ssl-engine
 * sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817
 * sshd(8): bz#1824: Add Solaris Project support.
 * sshd(8): Check is_selinux_enabled for exact return code since it can apparently return -1 under some conditions.

Checksums:
==========

 - SHA1 (openssh-5.7.tar.gz) = 67cb91772a33fb3a004b39bcdb9148218365494c
 - SHA1 (openssh-5.7p1.tar.gz) = 423e27475f06e1055847dfff7f61e1ac632b5372

Reporting Bugs:
===============

 - Please read http://www.openssh.com/report.html
   Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

From phil.pennock at globnix.org Mon Jan 24 22:45:41 2011
From: phil.pennock at globnix.org (Phil Pennock)
Date: Mon, 24 Jan 2011 06:45:41 -0500
Subject: ECDSA and first connection; bug?
Message-ID: <20110124114541.GA69546@redoubt.spodhuis.org>

Folks,

I read the 5.7 release announcement and updated, to try out ECDSA. Most parts worked very smoothly. The inability to create SSHFP records is understandable, since IANA haven't allocated a code yet.

One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.

% ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
22:20:32:f8:fb:65:87:09:33:a9:b6:c9:b0:5e:14:b8.
Please contact your system administrator.
Add correct host key in /home/pdp/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/pdp/.ssh/known_hosts:2
ECDSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.

No difference if I explicitly give { -o StrictHostKeyChecking=ask }.

If I have a host which I've connected to with RSA and then I connect with DSS, then if recollection serves, I'll get a warning that there's no known DSA key, I'll see the fingerprint for the RSA and DSA keys, and get asked if I'm sure I want to continue.

For ECDSA, I can use ssh-keyscan, or manual hacking in of the pubkey (from local disk) and things work. But I shouldn't need to do this, should I?

I saw the "automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts" note; that manages to hide this problem, but if I explicitly ask, I should be able to auth.

Am I missing something, or is this broken, with ssh(1) getting confused about RSA keys vs ECDSA keys?

(fuller details of what I did at http://bridge.grumpy-troll.org/2011/01/openssh.html )

Thanks,
-Phil

From amk at spamfence.net Tue Jan 25 03:08:13 2011
From: amk at spamfence.net (Andreas M. Kirchwitz)
Date: Mon, 24 Jan 2011 16:08:13 +0000 (UTC)
Subject: Announce: OpenSSH 5.7 released
References: <201101240145.p0O1jCZM024957@cvs.openbsd.org>
Message-ID:

Damien Miller wrote:

> OpenSSH 5.7 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

Thanks for the new release!

Updated from OpenSSH 5.6p1 to 5.7p1 on Fedora 14 Linux (32 Bit),
and there seems to be a minor glitch with SELinux support
(if configured with --with-selinux).

ssh.c now contains direct SELinux function calls (matchpathcon,
setfscreatecon), and compilation fails because the C headers
(selinux/selinux.h) are not included.

This can be fixed by adding this to ssh.c:

  #ifdef WITH_SELINUX
  #include <selinux/selinux.h>
  #endif

However, then linking of ssh.o fails, because the SELinux library
(-lselinux) is only used for sshd by default.

This can be fixed by changing the rule for ssh.*:

  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lselinux $(LIBS)

After that, OpenSSH compiles and works fine. ;-)

Previously, all SELinux related stuff was cleanly encapsulated in
openbsd-compat/port-linux.c, so that might explain the new dependencies
that come through the changes in ssh.c.

I think most people who compile OpenSSH from source should be able to
fix this, so it's really not a big thing. But just wanted to let you
know so it might be fixed in the next version.

Keep up the good work ... Andreas

===============================================================================
OpenSSH 5.7p1 SELinux patch
===============================================================================

--- Makefile.orig	2011-01-24 12:12:05.000000000 +0100
+++ Makefile	2011-01-24 12:14:42.000000000 +0100
@@ -142,7 +142,7 @@ $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lselinux $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) --- ssh.c.orig 2011-01-06 23:51:18.000000000 +0100 +++ ssh.c 2011-01-24 12:15:12.000000000 +0100 @@ -109,6 +109,10 @@ #include "ssh-pkcs11.h" #endif +#ifdef WITH_SELINUX +#include +#endif + extern char *__progname; /* Flag indicating whether debug mode is on. May be set on the command line. */ From djm at mindrot.org Tue Jan 25 09:25:02 2011 
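Review bot: the ssh rule in the Makefile hunk hard-codes the library (`$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lselinux $(LIBS)`), so a tree configured without --with-selinux on a system that has no libselinux would now fail to link ssh at all; the sshd rule two lines below already takes its extra libraries from the configure-substituted `$(SSHDLIBS)`, and the ssh rule should do the same through a substituted variable that configure fills in only when SELinux support was requested.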
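Review bot: the ssh.c hunk adds a direct `#include` of the SELinux header (the header name did not survive the archive's formatting; the message above names it as selinux/selinux.h), which makes ssh.c depend on libselinux's API; since the report itself notes that every other SELinux call is encapsulated in openbsd-compat/port-linux.c, the cleaner fix is a small wrapper there next to the existing ssh_selinux_* functions, which keeps both the header and the link dependency out of ssh.c.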
From: djm at mindrot.org (Damien Miller)
Date: Tue, 25 Jan 2011 09:25:02 +1100 (EST)
Subject: ECDSA and first connection; bug?
In-Reply-To: <20110124114541.GA69546@redoubt.spodhuis.org>
References: <20110124114541.GA69546@redoubt.spodhuis.org>
Message-ID:

On Mon, 24 Jan 2011, Phil Pennock wrote:

> Folks,
>
> I read the 5.7 release announcement and updated, to try out ECDSA. Most
> parts worked very smoothly. The inability to create SSHFP records is
> understandable, since IANA haven't allocated a code yet.
>
> One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
>
> % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

This is deliberate.

Previously, a malicious server could arrange for ssh(1) to display a
less-scary message for a changed hostkey if its host key happened to
be a different type to one that has already been learned.

Now there should be no surprises since ssh(1) will automatically request
hostkey type matching keys that are already known, though this does not
occur when you override HostkeyAlgorithms (like you did). We talked about
whether we should retain the old message in this case or not, but thought
the safest thing to do would be consistent with the non-explicit-
HostkeyAlgorithms case.

For learning different hostkey types, we recommend ssh-keyscan. I'd like to
do a protocol message for a server to send all its hostkeys to the client,
but this would require a KEX extension and I'm not sure how compatible
this would be with non-OpenSSH implementations.

-d

From tj at castaglia.org Tue Jan 25 09:40:50 2011
From: tj at castaglia.org (TJ Saunders)
Date: Mon, 24 Jan 2011 14:40:50 -0800 (PST)
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org>
Message-ID:

> I'd like to do a protocol message for a server to send all its hostkeys
> to the client, but this would require a KEX extension and I'm not sure
> how compatible this would be with non-OpenSSH implementations.

What about supporting the publickey subsystem:

  http://tools.ietf.org/html/draft-ietf-secsh-publickey-subsystem-08

and adding a message for requesting the hostkeys using that protocol?
That draft specifically states:

  The public keys added, removed, and listed using this protocol are
  specific and limited to those of the authenticated user.

But the protocol could be extended to allow for polling of the server's
hostkeys.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thus I live in the world rather as a spectator of mankind than as one
of the species. -Joseph Addison
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From djm at mindrot.org Tue Jan 25 11:17:19 2011
From: djm at mindrot.org (Damien Miller) Date: Tue, 25 Jan 2011 11:17:19 +1100 (EST) Subject: Announce: OpenSSH 5.7 released In-Reply-To: References: <201101240145.p0O1jCZM024957@cvs.openbsd.org> Message-ID: On Mon, 24 Jan 2011, Andreas M. Kirchwitz wrote: > Damien Miller wrote: > > > OpenSSH 5.7 has just been released. It will be available from the > > mirrors listed at http://www.openssh.com/ shortly. > > Thanks for the new release! > > Updated from OpenSSH 5.6p1 to 5.7p1 on Fedora 14 Linux (32 Bit), > and there seems to be a minor glitch with SELinux support > (if configured with --with-selinux). > > ssh.c now contains direct SELinux function calls (matchpathcon, > setfscreatecon), and compilation fails because the C headers > (selinux/selinux.h) are not included. [snip] Thanks for the report and sorry for the hassle. I'd like to commit this fix: Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.320 diff -u -p -r1.320 Makefile.in --- Makefile.in 17 Jan 2011 10:15:29 -0000 1.320 +++ Makefile.in 25 Jan 2011 00:16:03 -0000 @@ -46,6 +46,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ @@ -142,7 +143,7 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.467 diff -u -p -r1.467 configure.ac --- configure.ac 17 Jan 2011 10:15:30 -0000 1.467 +++ configure.ac 25 Jan 2011 00:16:03 -0000 
@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4) [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1, [Define if you have Solaris process contracts]) SSHDLIBS="$SSHDLIBS -lcontract" - AC_SUBST(SSHDLIBS) SPC_MSG="yes" ], ) ], ) @@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4) [ AC_DEFINE(USE_SOLARIS_PROJECTS, 1, [Define if you have Solaris projects]) SSHDLIBS="$SSHDLIBS -lproject" - AC_SUBST(SSHDLIBS) SP_MSG="yes" ], ) ], ) @@ -3509,11 +3507,14 @@ AC_ARG_WITH(selinux, LIBS="$LIBS -lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) + SSHLIBS="$SSHLIBS $LIBSELINUX" SSHDLIBS="$SSHDLIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] ) +AC_SUBST(SSHLIBS) +AC_SUBST(SSHDLIBS) # Check whether user wants Kerberos 5 support KRB5_MSG="no" @@ -4334,6 +4335,9 @@ echo " Linker flags: ${LDFLAGS}" echo " Libraries: ${LIBS}" if test ! -z "${SSHDLIBS}"; then echo " +for sshd: ${SSHDLIBS}" +fi +if test ! -z "${SSHLIBS}"; then +echo " +for ssh: ${SSHLIBS}" fi echo "" Index: ssh.c =================================================================== RCS file: /var/cvs/openssh/ssh.c,v retrieving revision 1.350 diff -u -p -r1.350 ssh.c --- ssh.c 6 Jan 2011 22:51:18 -0000 1.350 +++ ssh.c 25 Jan 2011 00:16:03 -0000 
@@ -852,15 +852,12 @@ main(int ac, char **av) strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) { #ifdef WITH_SELINUX - char *scon; - - matchpathcon(buf, 0700, &scon); - setfscreatecon(scon); + ssh_selinux_setfscreatecon(buf); #endif if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); #ifdef WITH_SELINUX - setfscreatecon(NULL); + ssh_selinux_setfscreatecon(NULL); #endif } /* load options.identity_files */ Index: openbsd-compat/port-linux.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-linux.c,v retrieving revision 1.11 diff -u -p -r1.11 port-linux.c --- openbsd-compat/port-linux.c 17 Jan 2011 07:50:24 -0000 1.11 +++ openbsd-compat/port-linux.c 25 Jan 2011 00:16:04 -0000 @@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n xfree(oldctx); xfree(newctx); } + +void +ssh_selinux_setfscreatecon(const char *path) +{ + security_context_t context; + + if (path == NULL) { + setfscreatecon(NULL); + return; + } + matchpathcon(path, 0700, &context); + setfscreatecon(context); +} + #endif /* WITH_SELINUX */ #ifdef LINUX_OOM_ADJUST Index: openbsd-compat/port-linux.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-linux.h,v retrieving revision 1.4 diff -u -p -r1.4 port-linux.h --- openbsd-compat/port-linux.h 8 Dec 2009 02:39:48 -0000 1.4 +++ openbsd-compat/port-linux.h 25 Jan 2011 00:16:04 -0000 @@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_exec_context(char *); void ssh_selinux_change_context(const char *); +void ssh_selinux_setfscreatecon(const char *); #endif #ifdef LINUX_OOM_ADJUST From dtucker at zip.com.au Tue Jan 25 12:03:27 2011 
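Review bot: in the port-linux.c hunk, the return value of `matchpathcon(path, 0700, &context)` is not checked; when no context matches (or the policy files are unreadable) the call fails and the uninitialised `context` is passed straight to `setfscreatecon(context)`. Test the result (`if (matchpathcon(path, 0700, &context) != 0) { error(...); return; }`) and, since matchpathcon allocates the returned context, release it with `freecon(context)` once setfscreatecon() has copied it. The return value of setfscreatecon() is also dropped, as it was in the old ssh.c code, so a failed switch of the creation context goes unreported.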
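Review bot: the new `void ssh_selinux_setfscreatecon(const char *);` prototype in the port-linux.h hunk does not say what the argument means; the only way to learn that NULL resets the file-creation context and a path selects the context matching that path is to read the two call sites in the ssh.c hunk. A one-line comment at the prototype, or at the definition in port-linux.c, would document the convention where the next caller will look for it.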
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 25 Jan 2011 12:03:27 +1100
Subject: Announce: OpenSSH 5.7 released
In-Reply-To:
References: <201101240145.p0O1jCZM024957@cvs.openbsd.org>
Message-ID: <4D3E215F.5000900@zip.com.au>

On 01/25/2011 11:17 AM, Damien Miller wrote:
> On Mon, 24 Jan 2011, Andreas M. Kirchwitz wrote:
[...]
>> ssh.c now contains direct SELinux function calls (matchpathcon,
>> setfscreatecon), and compilation fails because the C headers
>> (selinux/selinux.h) are not included.
>
> [snip]
>
> Thanks for the report and sorry for the hassle. I'd like to commit this
> fix:

Yeah sorry about that, it looks like this one was my fault. The patch is
ok by me, I've also added --with-selinux to the "kitchen sink" test build
which should catch dumb mistakes like this in future.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sxw at inf.ed.ac.uk Tue Jan 25 21:51:53 2011
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Tue, 25 Jan 2011 10:51:53 +0000
Subject: Announce: GSSAPI Key Exchange Patch for OpenSSH 5.7p1
Message-ID:

Hi,

I'm pleased to announce the availability of my GSSAPI Key Exchange patch
for OpenSSH 5.7p1. In addition to adding support for key exchange, vital
for enterprise users of SSH and Kerberos, it also adds a number of other
GSSAPI related features:

*) Cascading Credential Renewal - when enabled, credentials renewed on
   your local workstation are automatically forwarded to hosts which you
   have logged in to.
*) Load balancer support - GSSAPI connections are now supported to hosts
   behind a round-robin DNS load balancer
*) Multi-homed host support - GSSAPI connections can be performed to hosts
   where each interface has a unique name
*) Identity selection - the client and server identity can be selected,
   increasing flexibility in complex authentication scenarios.

The latest version of the code is available from the git repository at
https://github.com/SimonWilkinson/gss-openssh/

Patches can be downloaded from
http://www.sxw.org.uk/computing/patches/openssh.html

The only changes in this release are those necessary for the patch to
apply to the 5.7p1 tree.

Cheers,

Simon.

From bert.wesarg at googlemail.com Thu Jan 27 05:18:38 2011
From: bert.wesarg at googlemail.com (Bert Wesarg) Date: Wed, 26 Jan 2011 19:18:38 +0100 Subject: Call for testing: OpenSSH-5.7 In-Reply-To: <20110121082936.GA24000@gate.dtucker.net> References: <4D37D9DC.3050502@zip.com.au> <20110120072940.GA9265@gate.dtucker.net> <20110121082936.GA24000@gate.dtucker.net> Message-ID: On Fri, Jan 21, 2011 at 09:29, Darren Tucker wrote: > On Thu, Jan 20, 2011 at 06:20:14PM -0800, Kevin Brott wrote: >> Hrm - that doesn't quite seem to work ... > > OK, I found I forgot to add the "HAVE_" in front of the symbol and I'm > guessing that I need to include the rsa header (although I didn't need > it on my test installation). > > Please try this patch. > > Index: configure.ac > =================================================================== > RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v > retrieving revision 1.468 > diff -u -p -r1.468 configure.ac > --- configure.ac ? ? ? ?19 Jan 2011 12:12:30 -0000 ? ? ?1.468 > +++ configure.ac ? ? ? ?20 Jan 2011 07:04:06 -0000 > @@ -2180,7 +2180,7 @@ int main(void) { SSLeay_add_all_algorith > ? ? ? ?] > ?) > > -AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex) > +AC_CHECK_FUNCS(RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method) > > ?AC_ARG_WITH(ssl-engine, > ? ? ? ?[ ?--with-ssl-engine ? ? ? Enable OpenSSL (hardware) ENGINE support ], > Index: openbsd-compat/openssl-compat.c > =================================================================== > RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.c,v > retrieving revision 1.12 > diff -u -p -r1.12 openssl-compat.c > --- openbsd-compat/openssl-compat.c ? ? 4 Dec 2010 21:46:05 -0000 ? ? ? 1.12 > +++ openbsd-compat/openssl-compat.c ? ? 21 Jan 2011 07:53:40 -0000 > @@ -26,6 +26,10 @@ > ?# include > ?#endif > > +#ifndef HAVE_RSA_GET_DEFAULT_METHOD > +# include > +#endif > + > ?#include "log.h" > > ?#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS 
> @@ -120,6 +124,14 @@ DSA_generate_parameters_ex(DSA *dsa, int > ?} > ?#endif > > +#ifndef HAVE_RSA_GET_DEFAULT_METHOD > +RSA_METHOD * > +RSA_get_default_method(void) > +{ > + ? ? ? return RSA_PKCS1_SSLeay(); > +} > +#endif > + > ?#ifdef USE_OPENSSL_ENGINE > ?void > ?ssh_SSLeay_add_all_algorithms(void) > Index: openbsd-compat/openssl-compat.h > =================================================================== > RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/openssl-compat.h,v > retrieving revision 1.17 > diff -u -p -r1.17 openssl-compat.h > --- openbsd-compat/openssl-compat.h ? ? 4 Dec 2010 12:20:50 -0000 ? ? ? 1.17 > +++ openbsd-compat/openssl-compat.h ? ? 21 Jan 2011 08:02:14 -0000 > @@ -78,6 +78,10 @@ extern const EVP_CIPHER *evp_acss(void); > ?# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) > ?#endif > > +#ifndef HAVE_RSA_GET_DEFAULT_METHOD > +RSA_METHOD *RSA_get_default_method(void); > +#endif This function returns a const RSA_METHOD* on my system with libssl-0.9.8k-7ubuntu8.5. Bert From mansourmoufid at gmail.com Thu Jan 27 08:15:22 2011 
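Review bot: the compat definition in the openssl-compat.c hunk, `RSA_METHOD * RSA_get_default_method(void) { return RSA_PKCS1_SSLeay(); }`, and the matching prototype in the openssl-compat.h hunk return a non-const pointer, while Bert reports that his OpenSSL (libssl 0.9.8k) declares the function as returning `const RSA_METHOD *`; if RSA_PKCS1_SSLeay() is declared const there as well, `return RSA_PKCS1_SSLeay();` discards the qualifier, and a non-const prototype in openssl-compat.h will conflict with the system declaration wherever both are visible. Declaring both the compat prototype and the definition as `const RSA_METHOD *` matches the library and removes both problems. Separately, the header name on the new `# include` line of the openssl-compat.c hunk did not survive the archive's formatting; Darren's message says it is the rsa header.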
From: mansourmoufid at gmail.com (Mansour Moufid)
Date: Wed, 26 Jan 2011 16:15:22 -0500
Subject: Packets Sizes and Information Leakage
Message-ID:

This message is a few years old so I cannot reply to the original, but
it is still of current research interest.

> So one of my coworkers is doing a little research on SSH usage in the
> wild using netflow data. One of the things he's trying to do is
> determine a way to differentiate between data transfers and interactive
> sessions. We thought of a couple of ways but we wanted to float them
> here and see if there are methods incorporated to defeat this sort of
> traffic analysis.
>
> The first idea is to look at the average number of packets per second
> over the length of the flow. The idea is that a data transfer would have
> a significantly higher number of PPS than an interactive session. If
> we analyze few thousand ssh flows and build a histogram we expect to see
> two (or maybe 3 peaks) corresponding to various connection types. I
> think this probably has the best chance of statistically significant
> results.

Inter-packet timings is another measure. A useful (and efficient) way
to distinguish between interactive sessions and bulk transfers would
be a power spectral density function (e.g. maximum entropy
periodogram). The psd of a bulk transfer would be significantly skewed
toward the higher frequencies. People can only type so fast so that
provides a convenient upper bound on frequencies to consider
representative of interactive vs bulk transfer sessions.

> The second method would be to look at the packet size. The idea being
> that interactive packets would end up being significantly smaller than
> full size data packets. I know that some padding is used to protect
> against plaintext attacks according to the RFC but I didn't know if
> there was any additional padding on top of that to protect against
> traffic analysis. Are interactive packets coalesced or padded to the
> known MTU? I'm going to run some tcpdumps but I wanted to ask here as well.

If I understand correctly, the padding in SSH packets is not meant for
this type of (flow-based) traffic analysis [1]:

    Arbitrary-length padding, such that the total length of
    (packet_length || padding_length || payload || random padding)
    is a multiple of the cipher block size or 8, whichever is
    larger. There MUST be at least four bytes of padding. The
    padding SHOULD consist of random bytes. The maximum amount of
    padding is 255 bytes.

So the random padding length is always set to its maximum value for
each packet (as opposed to being a random value between minimum and
maximum).

> The other method would be to use packet arrival times but we only have
> flow data and putting a packet sniffer on 10G link is prohibitively
> expensive for work like this.
>
> Please note: If there aren't any countermeasures for this type of
> traffic analysis I'm not saying that is a problem at all. Knowing a flow
> is interactive versus a bulk data transfer really doesn't help out an
> attacker all that much. I'm just curious at this time and my coworker
> needs the data for a presentation to a center director here.

A real problem is that the type of traffic analysis developed for
multi-hop stream encryption protocols (e.g. Tor) becomes trivial and
very efficient when applied to OpenSSH streams.

[1]

From hyc at symas.com Thu Jan 27 09:09:54 2011
From: hyc at symas.com (Howard Chu)
Date: Wed, 26 Jan 2011 14:09:54 -0800
Subject: Packets Sizes and Information Leakage
In-Reply-To:
References:
Message-ID: <4D409BB2.3000904@symas.com>

Mansour Moufid wrote:
> This message is a few years old so I cannot reply to the original, but
> it is still of current research interest.
>
>> So one of my coworkers is doing a little research on SSH usage in the
>> wild using netflow data. One of the things he's trying to do is
>> determine a way to differentiate between data transfers and interactive
>> sessions. We thought of a couple of ways but we wanted to float them
>> here and see if there are methods incorporated to defeat this sort of
>> traffic analysis.
>>
>> The first idea is to look at the average number of packets per second
>> over the length of the flow. The idea is that a data transfer would have
>> a significantly higher number of PPS than an interactive session. If
>> we analyze few thousand ssh flows and build a histogram we expect to see
>> two (or maybe 3 peaks) corresponding to various connection types. I
>> think this probably has the best chance of statistically significant
>> results.
>
> Inter-packet timings is another measure. A useful (and efficient) way
> to distinguish between interactive sessions and bulk transfers would
> be a power spectral density function (e.g. maximum entropy
> periodogram). The psd of a bulk transfer would be significantly skewed
> toward the higher frequencies. People can only type so fast so that
> provides a convenient upper bound on frequencies to consider
> representative of interactive vs bulk transfer sessions.

With my Linemode patch the packet frequencies would drop even lower, since
character echoing and line editing would all be local to the client. But
at that point you would have to decide whether this is an actual
interactive session, or simply an automated session with periodic refresh
updates.

>> The second method would be to look at the packet size. The idea being
>> that interactive packets would end up being significantly smaller than
>> full size data packets. I know that some padding is used to protect
>> against plaintext attacks according to the RFC but I didn't know if
>> there was any additional padding on top of that to protect against
>> traffic analysis. Are interactive packets coalesced or padded to the
>> known MTU? I'm going to run some tcpdumps but I wanted to ask here as well.
>
> If I understand correctly, the padding in SSH packets is not meant for
> this type of (flow-based) traffic analysis [1]:
>
>     Arbitrary-length padding, such that the total length of
>     (packet_length || padding_length || payload || random padding)
>     is a multiple of the cipher block size or 8, whichever is
>     larger. There MUST be at least four bytes of padding. The
>     padding SHOULD consist of random bytes. The maximum amount of
>     padding is 255 bytes.
>
> So the random padding length is always set to its maximum value for
> each packet (as opposed to being a random value between minimum and
> maximum).
>
>> The other method would be to use packet arrival times but we only have
>> flow data and putting a packet sniffer on 10G link is prohibitively
>> expensive for work like this.
>>
>> Please note: If there aren't any countermeasures for this type of
>> traffic analysis I'm not saying that is a problem at all. Knowing a flow
>> is interactive versus a bulk data transfer really doesn't help out an
>> attacker all that much. I'm just curious at this time and my coworker
>> needs the data for a presentation to a center director here.
>
> A real problem is that the type of traffic analysis developed for
> multi-hop stream encryption protocols (e.g. Tor) becomes trivial and
> very efficient when applied to OpenSSH streams.
>
> [1]
> _______________________________________________

-- 
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/

From mansourmoufid at gmail.com Thu Jan 27 09:22:37 2011
From: mansourmoufid at gmail.com (Mansour Moufid)
Date: Wed, 26 Jan 2011 17:22:37 -0500
Subject: Randomness in packet padding length as a feature
Message-ID:

Hello list,

RFC 4253 provides for per-packet random padding, the length of which
depends on the payload and the cipher block size. If I understand
correctly, for OpenSSH (5.7) this is done in packet.c lines 674-684
and 881-911?

Although the padding itself is random, its length is not, and the
final packet size is just a step function of the size of the payload.
This can be a problem to some users worried about traffic analysis.
One approach to address this has been to make the padding per-packet a
random value between 4 and 255 bytes, but is this planned to ever be a
feature?

Thanks for your time.

From hyc at symas.com Thu Jan 27 10:57:33 2011
From: hyc at symas.com (Howard Chu)
Date: Wed, 26 Jan 2011 15:57:33 -0800
Subject: Randomness in packet padding length as a feature
In-Reply-To:
References:
Message-ID: <4D40B4ED.3010408@symas.com>

Mansour Moufid wrote:
> Hello list,
>
> RFC 4253 provides for per-packet random padding, the length of which
> depends on the payload and the cipher block size. If I understand
> correctly, for OpenSSH (5.7) this is done in packet.c lines 674-684
> and 881-911?
>
> Although the padding itself is random, its length is not, and the
> final packet size is just a step function of the size of the payload.
> This can be a problem to some users worried about traffic analysis.
> One approach to address this has been to make the padding per-packet a
> random value between 4 and 255 bytes, but is this planned to ever be a
> feature?

When deciding if/how to implement this, keep in mind that a lot of us use
SSH over cellphone networks where we pay per byte, bandwidth is low, and
latencies are relatively high.

-- 
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/

From markus.r.friedl at arcor.de Thu Jan 27 23:20:22 2011
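The RFC 4253 padding rule quoted in Mansour's earlier message, the step function he describes in this thread, and the per-byte cost Howard raises, worked through in Python as an added example that is not OpenSSH's packet.c: it computes the minimal padding for a payload, lists every padding length the RFC permits for that payload, and gives the average overhead a sender would pay by picking among them at random. The 10-byte keystroke payload and the mac_len parameter are assumptions made for the example.

```python
"""
SSH binary packet padding as specified in RFC 4253 section 6.

Added example for this thread; it reimplements the rule from the RFC text
quoted above and is not OpenSSH's own packet.c.
"""
import secrets

MIN_PADDING = 4      # RFC 4253: "There MUST be at least four bytes of padding."
MAX_PADDING = 255    # RFC 4253: "The maximum amount of padding is 255 bytes."
HEADER_LEN = 4 + 1   # uint32 packet_length + byte padding_length


def padding_length(payload_len, cipher_block_size):
    """
    Minimal padding: the smallest value >= 4 that makes
    packet_length || padding_length || payload || padding a multiple of
    max(cipher_block_size, 8).  The choice is deterministic, which is why the
    encrypted packet size is a step function of the payload size.
    """
    block = max(cipher_block_size, 8)
    pad = block - ((HEADER_LEN + payload_len) % block)
    if pad < MIN_PADDING:
        pad += block
    return pad


def packet_length_on_wire(payload_len, cipher_block_size, mac_len=0, pad=None):
    """Bytes on the wire for one packet; the MAC (if any) follows the encrypted part."""
    if pad is None:
        pad = padding_length(payload_len, cipher_block_size)
    return HEADER_LEN + payload_len + pad + mac_len


def padding_choices(payload_len, cipher_block_size):
    """
    Every padding length the RFC permits for this payload: the minimal value
    plus whole blocks, as long as the total stays <= 255.  A sender that picks
    from this set at random (the proposal in the message above) makes the
    packet size no longer a function of the payload size alone.
    """
    block = max(cipher_block_size, 8)
    base = padding_length(payload_len, cipher_block_size)
    return list(range(base, MAX_PADDING + 1, block))


def random_padding_length(payload_len, cipher_block_size):
    """Pick one of the permitted padding lengths uniformly at random."""
    return secrets.choice(padding_choices(payload_len, cipher_block_size))


def size_step_table(cipher_block_size, max_payload):
    """Map payload size -> on-wire size for payloads 0..max_payload (the steps)."""
    return {p: packet_length_on_wire(p, cipher_block_size)
            for p in range(max_payload + 1)}


def mean_extra_bytes(payload_len, cipher_block_size):
    """
    Average bytes added per packet by random padding over minimal padding,
    i.e. the bandwidth cost Howard Chu raises for per-byte-billed links.
    """
    choices = padding_choices(payload_len, cipher_block_size)
    base = choices[0]
    return sum(c - base for c in choices) / len(choices)


if __name__ == "__main__":
    # Assumed keystroke payload: SSH_MSG_CHANNEL_DATA carrying one byte is
    # 1 (message type) + 4 (recipient channel) + 4 (string length) + 1 = 10.
    keystroke_payload = 10
    for block in (8, 16):
        print("block %2d: payload %d -> padding %d, %d bytes on the wire" % (
            block, keystroke_payload, padding_length(keystroke_payload, block),
            packet_length_on_wire(keystroke_payload, block)))
        print("          permitted paddings:", padding_choices(keystroke_payload, block))
        print("          mean extra bytes if randomised: %.1f"
              % mean_extra_bytes(keystroke_payload, block))
    steps = size_step_table(16, 40)
    print("distinct on-wire sizes for payloads 0..40 with 16-byte blocks:",
          sorted(set(steps.values())))
```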
From: markus.r.friedl at arcor.de (Markus Friedl)
Date: Thu, 27 Jan 2011 13:20:22 +0100
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org>
Message-ID: <20110127122022.GA32456@folly>

I agree with Damien:

The current behaviour reduces the risks of a MITM attack and using
ssh-keyscan to collect the 'new' ECDSA is perfectly reasonable.

-m

On Tue, Jan 25, 2011 at 09:25:02AM +1100, Damien Miller wrote:
> On Mon, 24 Jan 2011, Phil Pennock wrote:
>
> > Folks,
> >
> > I read the 5.7 release announcement and updated, to try out ECDSA. Most
> > parts worked very smoothly. The inability to create SSHFP records is
> > understandable, since IANA haven't allocated a code yet.
> >
> > One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
> >
> > % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> This is deliberate.
>
> Previously, a malicious server could arrange for ssh(1) to display a
> less-scary message for a changed hostkey if its host key happened to
> be a different type to one that has already been learned.
>
> Now there should be no surprises since ssh(1) will automatically request
> hostkey type matching keys that are already known, though this does not
> occur when you override HostkeyAlgorithms (like you did). We talked about
> whether we should retain the old message in this case or not, but thought
> the safest thing to do would be consistent with the non-explicit-
> HostkeyAlgorithms case.
>
> For learning different hostkey types, we recommend ssh-keyscan. I'd like to
> do a protocol message for a server to send all its hostkeys to the client,
> but this would require a KEX extension and I'm not sure how compatible
> this would be with non-OpenSSH implementations.
>
> -d
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From dan at doxpara.com Fri Jan 28 03:38:33 2011
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 27 Jan 2011 09:38:33 -0700
Subject: ECDSA and first connection; bug?
In-Reply-To: <20110127122022.GA32456@folly>
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly>
Message-ID: <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com>

What you'd want is a protocol to upgrade from an old host key to a new
host key, leveraging the existing trust in the old key.

Everything else is just a new leap of faith, including ssh-keyscan.

Sent from my iPhone

On Jan 27, 2011, at 5:20 AM, Markus Friedl wrote:

> I agree with Damien:
>
> The current behaviour reduces the risks of a MITM attack and using
> ssh-keyscan to collect the 'new' ECDSA is perfectly reasonable.
>
> -m
>
> On Tue, Jan 25, 2011 at 09:25:02AM +1100, Damien Miller wrote:
>> On Mon, 24 Jan 2011, Phil Pennock wrote:
>>
>>> Folks,
>>>
>>> I read the 5.7 release announcement and updated, to try out ECDSA. Most
>>> parts worked very smoothly. The inability to create SSHFP records is
>>> understandable, since IANA haven't allocated a code yet.
>>>
>>> One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
>>>
>>> % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>
>> This is deliberate.
>>
>> Previously, a malicious server could arrange for ssh(1) to display a
>> less-scary message for a changed hostkey if its host key happened to
>> be a different type to one that has already been learned.
>>
>> Now there should be no surprises since ssh(1) will automatically request
>> hostkey type matching keys that are already known, though this does not
>> occur when you override HostkeyAlgorithms (like you did). We talked about
>> whether we should retain the old message in this case or not, but thought
>> the safest thing to do would be consistent with the non-explicit-
>> HostkeyAlgorithms case.
>>
>> For learning different hostkey types, we recommend ssh-keyscan. I'd like to
>> do a protocol message for a server to send all its hostkeys to the client,
>> but this would require a KEX extension and I'm not sure how compatible
>> this would be with non-OpenSSH implementations.
>>
>> -d
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From phil.pennock at globnix.org Fri Jan 28 07:04:39 2011
From: phil.pennock at globnix.org (Phil Pennock)
Date: Thu, 27 Jan 2011 15:04:39 -0500
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org>
Message-ID: <20110127200439.GA91295@redoubt.spodhuis.org>

On 2011-01-25 at 09:25 +1100, Damien Miller wrote:
> On Mon, 24 Jan 2011, Phil Pennock wrote:
> > I read the 5.7 release announcement and updated, to try out ECDSA. Most
> > parts worked very smoothly. The inability to create SSHFP records is
> > understandable, since IANA haven't allocated a code yet.
> >
> > One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
> >
> > % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> This is deliberate.
>
> Previously, a malicious server could arrange for ssh(1) to display a
> less-scary message for a changed hostkey if its host key happened to
> be a different type to one that has already been learned.
>
> Now there should be no surprises since ssh(1) will automatically request
> hostkey type matching keys that are already known, though this does not
> occur when you override HostkeyAlgorithms (like you did). We talked about
> whether we should retain the old message in this case or not, but thought
> the safest thing to do would be consistent with the non-explicit-
> HostkeyAlgorithms case.

I accept the argument that this should be done in a more safe manner.

When I was investigating why things were failing, the error messages
given were actively confusing and led to multiple false starts, trying to
figure out what was going wrong. Before, this error message meant that
another host-key of the *same* type had been found and therefore there
was a change which was likely an attack, while a different message was
used when you were connecting with a new key-type.

Clearer diagnostic messages which state the actual problem, rather than
recycling what was the error message for a completely different problem,
would lead to less confusion. Eg:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Your connection negotiated host key algorithm "ecdsa-sha2-nistp256".
You have not previously connected with this algorithm but you have
connected with: "rsa", "dsa"
Please add the new host key to your known_hosts file manually.
See also: ssh-keyscan(1)
[exit]

-Phil

From mfriedl at gmail.com Fri Jan 28 09:03:43 2011
From: mfriedl at gmail.com (Markus Friedl)
Date: Thu, 27 Jan 2011 23:03:43 +0100
Subject: ECDSA and first connection; bug?
In-Reply-To: <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com>
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com>
Message-ID: <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>

Yes, this is what Damien wrote.

On 27.01.2011 at 17:38, Dan Kaminsky wrote:
> What you'd want is a protocol to upgrade from an old host key to a new host key, leveraging the existing trust in the old key.
>
> Everything else is just a new leap of faith, including ssh-keyscan.
>
> Sent from my iPhone
>
> On Jan 27, 2011, at 5:20 AM, Markus Friedl wrote:
>
>> I agree with Damien:
>>
>> The current behaviour reduces the risks of a MITM attack and using ssh-keyscan to collect the 'new' ECDSA is perfectly reasonable.
>>
>> -m
>>
>> On Tue, Jan 25, 2011 at 09:25:02AM +1100, Damien Miller wrote:
>>> On Mon, 24 Jan 2011, Phil Pennock wrote:
>>>
>>>> Folks,
>>>>
>>>> I read the 5.7 release announcement and updated, to try out ECDSA. Most parts worked very smoothly. The inability to create SSHFP records is understandable, since IANA haven't allocated a code yet.
>>>>
>>>> One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
>>>>
>>>> % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>
>>> This is deliberate.
>>>
>>> Previously, a malicious server could arrange for ssh(1) to display a less-scary message for a changed hostkey if its host key happened to be a different type to one that has already been learned.
>>> >>> Now there should be no surprises since ssh(1) will automatically request >>> hostkey type matching keys that are already known, though this does not >>> occur when you override HostkeyAlgorithms (like you did). We talked about >>> whether we should retain the old message in this case or not, but thought >>> the safest thing to do would be consistent with the non-explicit- >>> HostkeyAlgorithms case. >>> >>> For learning different hostkey types, we recommend ssh-keyscan. I'd like to >>> do a protocol message for a server to send all its hostkeys to the client, >>> but this would require a KEX extension and I'm not sure how compatible >>> this would be with non-OpenSSH implementations. >>> >>> -d >>> >>> _______________________________________________ >>> openssh-unix-dev mailing list >>> openssh-unix-dev at mindrot.org >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From openssh at roumenpetrov.info Fri Jan 28 09:10:43 2011 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 28 Jan 2011 00:10:43 +0200 Subject: ECDSA and first connection; bug? In-Reply-To: <20110127122022.GA32456@folly> References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> Message-ID: <4D41ED63.8070109@roumenpetrov.info> Markus Friedl wrote: > I agree with Damien: > > The current behaviour reduces the risks of a MITM attack and using > ssh-keyscan to collect the 'new' ECDSA is perfectly reasonable. > > -m > > On Tue, Jan 25, 2011 at 09:25:02AM +1100, Damien Miller wrote: > >> On Mon, 24 Jan 2011, Phil Pennock wrote: >> >> >>> Folks, >>> >>> I read the 5.7 release announcement and updated, to try out ECDSA. Most >>> parts worked very smoothly. The inability to create SSHFP records is >>> understandable, since IANA haven't allocated a code yet. >>> >>> One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA. >>> >>> % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >>> >> This is deliberate. >> >> Previously, a malicious server could arrange for ssh(1) to display a >> less-scary message for a changed hostkey if its host key happened to >> be a different type to one that has already been learned. >> >> Now there should be no surprises since ssh(1) will automatically request >> hostkey type matching keys that are already known, though this does not >> occur when you override HostkeyAlgorithms (like you did). We talked about >> whether we should retain the old message in this case or not, but thought >> the safest thing to do would be consistent with the non-explicit- >> HostkeyAlgorithms case. >> >> For learning different hostkey types, we recommend ssh-keyscan. 
>> I'd like to do a protocol message for a server to send all its hostkeys to the client, but this would require a KEX extension and I'm not sure how compatible this would be with non-OpenSSH implementations.
>>
>> -d
>>

I disagree with the analysis. The issue doesn't require the user to change default settings.

The test case is simple:
- install versions < 5.7 on both sides;
- perform one connection from the client;
- upgrade both systems => the above message, and the connection is refused.

So after the upgrade, users could either change HostKeyAlgorithms to the old ones or upgrade to the new server key.

Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

From dan at doxpara.com Fri Jan 28 09:48:11 2011
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 27 Jan 2011 14:48:11 -0800
Subject: ECDSA and first connection; bug?
In-Reply-To: <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

Not really. ssh-keyscan is a leap of faith.

It's _technically_ feasible to do this:

1) Detect that there are other host key types
2) After logging in, run new ssh sessions off a port forward to localhost:[original connection port, might not be 22]
3) Collect the new keys

Whether anyone wants to write this code, I don't know. But it's completely possible.

On Thu, Jan 27, 2011 at 2:03 PM, Markus Friedl wrote:
> Yes, this is what Damien wrote.
>
> On 27.01.2011 at 17:38, Dan Kaminsky wrote:
>
>> What you'd want is a protocol to upgrade from an old host key to a new host key, leveraging the existing trust in the old key.
>>
>> Everything else is just a new leap of faith, including ssh-keyscan.
>>
>> Sent from my iPhone
>>
>> On Jan 27, 2011, at 5:20 AM, Markus Friedl wrote:
>>
>>> I agree with Damien:
>>>
>>> The current behaviour reduces the risks of a MITM attack and using ssh-keyscan to collect the 'new' ECDSA is perfectly reasonable.
>>>
>>> -m
>>>
>>> On Tue, Jan 25, 2011 at 09:25:02AM +1100, Damien Miller wrote:
>>>> On Mon, 24 Jan 2011, Phil Pennock wrote:
>>>>
>>>>> Folks,
>>>>>
>>>>> I read the 5.7 release announcement and updated, to try out ECDSA. Most parts worked very smoothly. The inability to create SSHFP records is understandable, since IANA haven't allocated a code yet.
>>>>>
>>>>> One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
>>>>>
>>>>> % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
>>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>>
>>>> This is deliberate.
>>>>
>>>> Previously, a malicious server could arrange for ssh(1) to display a less-scary message for a changed hostkey if its host key happened to be a different type to one that has already been learned.
>>>>
>>>> Now there should be no surprises since ssh(1) will automatically request hostkey type matching keys that are already known, though this does not occur when you override HostkeyAlgorithms (like you did). We talked about whether we should retain the old message in this case or not, but thought the safest thing to do would be consistent with the non-explicit-HostkeyAlgorithms case.
>>>>
>>>> For learning different hostkey types, we recommend ssh-keyscan. I'd like to do a protocol message for a server to send all its hostkeys to the client, but this would require a KEX extension and I'm not sure how compatible this would be with non-OpenSSH implementations.
>>>>
>>>> -d
>

From djm at mindrot.org Fri Jan 28 10:03:15 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 28 Jan 2011 10:03:15 +1100 (EST)
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, 27 Jan 2011, Dan Kaminsky wrote:

> Not really. ssh-keyscan is a leap of faith.

It was mentioned in the context of manually accepting hostkeys, where trust-wise it is strictly equivalent.

> It's _technically_ feasible to do this:
>
> 1) Detect that there are other host key types
> 2) After logging in, run new ssh sessions off a port forward to localhost:[original connection port, might not be 22]
> 3) Collect the new keys
>
> Whether anyone wants to write this code, I don't know. But it's completely possible.

That would let you do it without protocol extensions.

Using a protocol change, it should be more user-friendly. I think it would be possible to do it reliably with a new transport message:

    #define SSH2_MSG_SERVER_HOSTKEYS    7

    byte SSH2_MSG_SERVER_HOSTKEYS
    string public_keys
    string signature

    Where "public keys" consists of:

    string first_hostkey
    string second_hostkey
    ...

And signature is S(session_id || public_keys) and made using the hostkey that was actually used for KEX.

This should be safe to do because RFC4253 says:

> 11.4. Reserved Messages
>
>    An implementation MUST respond to all unrecognized messages with an SSH_MSG_UNIMPLEMENTED message in the order in which the messages were received. Such messages MUST be otherwise ignored. Later protocol versions may define other meanings for these message types.
>
>       byte      SSH_MSG_UNIMPLEMENTED
>       uint32    packet sequence number of rejected message

-d

From dan at doxpara.com Fri Jan 28 10:17:21 2011
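The message layout Damien sketches, worked through as an added example (this is not OpenSSH code and not part of any message in the thread): it frames the packet with RFC 4251 string encoding, signs session_id || public_keys, and shows the client rejecting a message replayed into a different session or carrying a substituted key list under the original signature. The signature primitive, the key names and the session ids are all constructed stand-ins; in particular the HMAC used as S(...) is only there so the example runs with the standard library, where a real server would sign with the host key used for KEX and the client would verify with the public key it already checked during KEX.

```python
"""SSH2_MSG_SERVER_HOSTKEYS: wire encoding, signing and client-side checking.

Added example modelled on the message sketched above; not OpenSSH code.
The signature primitive is a stand-in (HMAC-SHA256 under a constructed
shared secret) so the example runs with the standard library only; a
real implementation signs with the host key used for KEX and the client
verifies with the public key it already checked during KEX.
"""
import hashlib
import hmac
import struct

SSH2_MSG_SERVER_HOSTKEYS = 7  # message number proposed on this page


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, off: int):
    """Decode one 'string' at offset off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_public_keys(hostkeys):
    """public_keys = string first_hostkey, string second_hostkey, ..."""
    return b"".join(ssh_string(k) for k in hostkeys)


def decode_public_keys(blob: bytes):
    keys, off = [], 0
    while off < len(blob):
        key, off = parse_ssh_string(blob, off)
        keys.append(key)
    return keys


def stand_in_sign(kex_key: bytes, data: bytes) -> bytes:
    # Stand-in for S(...) with the KEX host key; symmetric, demo only.
    return hmac.new(kex_key, data, hashlib.sha256).digest()


def stand_in_verify(kex_key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(kex_key, data), sig)


def build_server_hostkeys(kex_key, session_id, hostkeys) -> bytes:
    """Server side: byte msg, string public_keys, string signature,
    where signature = S(session_id || public_keys)."""
    public_keys = encode_public_keys(hostkeys)
    sig = stand_in_sign(kex_key, session_id + public_keys)
    return bytes([SSH2_MSG_SERVER_HOSTKEYS]) + ssh_string(public_keys) + ssh_string(sig)


def parse_server_hostkeys(kex_key, session_id, packet):
    """Client side: return the host key list, or None if the packet is
    malformed or the signature does not bind it to this session."""
    if not packet or packet[0] != SSH2_MSG_SERVER_HOSTKEYS:
        return None
    try:
        public_keys, off = parse_ssh_string(packet, 1)
        sig, off = parse_ssh_string(packet, off)
    except ValueError:
        return None
    if off != len(packet):  # trailing bytes: reject rather than ignore
        return None
    if not stand_in_verify(kex_key, session_id + public_keys, sig):
        return None
    try:
        return decode_public_keys(public_keys)
    except ValueError:
        return None


# Constructed demo values (not real keys, not real session ids).
KEX_KEY = b"constructed-kex-hostkey-secret"
SESSION_A = hashlib.sha256(b"constructed session A").digest()
SESSION_B = hashlib.sha256(b"constructed session B").digest()
HOSTKEYS = [b"ssh-rsa CONSTRUCTED-RSA-BLOB", b"ecdsa-sha2-nistp256 CONSTRUCTED-ECDSA-BLOB"]


def demo():
    """Three client-side checks: honest message, the same message replayed
    into another session, and a substituted key list under the old signature."""
    pkt = build_server_hostkeys(KEX_KEY, SESSION_A, HOSTKEYS)
    _, off = parse_ssh_string(pkt, 1)
    sig, _ = parse_ssh_string(pkt, off)
    forged = (bytes([SSH2_MSG_SERVER_HOSTKEYS])
              + ssh_string(encode_public_keys([b"ssh-dss CONSTRUCTED-OTHER-BLOB"]))
              + ssh_string(sig))
    return {
        "honest": parse_server_hostkeys(KEX_KEY, SESSION_A, pkt),
        "replayed": parse_server_hostkeys(KEX_KEY, SESSION_B, pkt),
        "substituted": parse_server_hostkeys(KEX_KEY, SESSION_A, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Including the session id under the signature is what makes the message useless outside the connection it was sent in, which is the property Dan's port-forward approach gets only indirectly by running inside an already-authenticated session.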
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 27 Jan 2011 15:17:21 -0800
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, Jan 27, 2011 at 3:03 PM, Damien Miller wrote:
> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>
>> Not really. ssh-keyscan is a leap of faith.
>
> It was mentioned in the context of manually accepting hostkeys, where trust-wise it is strictly equivalent.

I'm saying that if you already know the RSA or DSA host key, you should not need to downgrade to another leap of faith to get the ECC key.

>> It's _technically_ feasible to do this:
>>
>> 1) Detect that there are other host key types
>> 2) After logging in, run new ssh sessions off a port forward to localhost:[original connection port, might not be 22]
>> 3) Collect the new keys
>>
>> Whether anyone wants to write this code, I don't know. But it's completely possible.
>
> That would let you do it without protocol extensions.

Which is sort of nice.

> Using a protocol change, it should be more user-friendly. I think it would be possible to do it reliably with a new transport message:
>
>     #define SSH2_MSG_SERVER_HOSTKEYS    7
>
>     byte SSH2_MSG_SERVER_HOSTKEYS
>     string public_keys
>     string signature
>
>     Where "public keys" consists of:
>
>     string first_hostkey
>     string second_hostkey
>     ...
>
> And signature is S(session_id || public_keys) and made using the hostkey that was actually used for KEX.
>
> This should be safe to do because RFC4253 says:
>
>> 11.4. Reserved Messages
>>
>>    An implementation MUST respond to all unrecognized messages with an SSH_MSG_UNIMPLEMENTED message in the order in which the messages were received. Such messages MUST be otherwise ignored. Later protocol versions may define other meanings for these message types.
>>
>>       byte      SSH_MSG_UNIMPLEMENTED
>>       uint32    packet sequence number of rejected message

Would this add a RTT? SSH is a little slow as is.

This is unquestionably a more elegant solution.

> -d

From djm at mindrot.org Fri Jan 28 10:20:50 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 28 Jan 2011 10:20:50 +1100 (EST)
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, 27 Jan 2011, Dan Kaminsky wrote:

> Would this add a RTT? SSH is a little slow as is.

No, it would just be an informational message sent from the server to the client, probably right after the first SSH_MSG_NEWKEYS.

-d

From dan at doxpara.com Fri Jan 28 10:29:38 2011
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 27 Jan 2011 15:29:38 -0800
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, Jan 27, 2011 at 3:20 PM, Damien Miller wrote:
> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>
>> Would this add a RTT? SSH is a little slow as is.
>
> No, it would just be an informational message sent from the server to the client probably right after the first SSH_MSG_NEWKEYS.
>
> -d

A message that said "BTW, here's my other host keys" would be excellent. Question: If we know the ECC key for something, should we no longer respect the RSA/DSA key? My understanding is the ECC key is stronger.

From djm at mindrot.org Fri Jan 28 10:34:59 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 28 Jan 2011 10:34:59 +1100 (EST)
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, 27 Jan 2011, Dan Kaminsky wrote:

> On Thu, Jan 27, 2011 at 3:20 PM, Damien Miller wrote:
>> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>>
>>> Would this add a RTT? SSH is a little slow as is.
>>
>> No, it would just be an informational message sent from the server to the client probably right after the first SSH_MSG_NEWKEYS.
>
> A message that said "BTW, here's my other host keys" would be excellent. Question: If we know the ECC key for something, should we no longer respect the RSA/DSA key? My understanding is the ECC key is stronger.

In OpenSSH 5.7, the preference order is:

#define KEX_DEFAULT_PK_ALG \
        "ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
        "ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
        "ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
        "ssh-rsa-cert-v01 at openssh.com," \
        "ssh-dss-cert-v01 at openssh.com," \
        "ssh-rsa-cert-v00 at openssh.com," \
        "ssh-dss-cert-v00 at openssh.com," \
        "ecdsa-sha2-nistp256," \
        "ecdsa-sha2-nistp384," \
        "ecdsa-sha2-nistp521," \
        "ssh-rsa," \
        "ssh-dss"

-d

From dan at doxpara.com Fri Jan 28 10:36:29 2011
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 27 Jan 2011 15:36:29 -0800
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, Jan 27, 2011 at 3:34 PM, Damien Miller wrote:
> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>
>> On Thu, Jan 27, 2011 at 3:20 PM, Damien Miller wrote:
>>> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>>>
>>>> Would this add a RTT? SSH is a little slow as is.
>>>
>>> No, it would just be an informational message sent from the server to the client probably right after the first SSH_MSG_NEWKEYS.
>>
>> A message that said "BTW, here's my other host keys" would be excellent. Question: If we know the ECC key for something, should we no longer respect the RSA/DSA key? My understanding is the ECC key is stronger.
>
> In OpenSSH 5.7, the preference order is:
>
> #define KEX_DEFAULT_PK_ALG \
>         "ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
>         "ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
>         "ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
>         "ssh-rsa-cert-v01 at openssh.com," \
>         "ssh-dss-cert-v01 at openssh.com," \
>         "ssh-rsa-cert-v00 at openssh.com," \
>         "ssh-dss-cert-v00 at openssh.com," \
>         "ecdsa-sha2-nistp256," \
>         "ecdsa-sha2-nistp384," \
>         "ecdsa-sha2-nistp521," \
>         "ssh-rsa," \
>         "ssh-dss"
>
> -d

True, but suppose I'm a malicious server w/ the valid DSA key, but not the ECC key. I could advertise DSA exclusively, and the question is: Should the client accept the downgrade?

Also, shouldn't we prefer *more* secure keys to less secure keys, client side?

From djm at mindrot.org Fri Jan 28 14:04:19 2011
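Two points from this thread, modelled together as an added example (not OpenSSH code, and not anything a participant posted): Damien's explanation that ssh(1) in 5.7 asks first for the key types it already has in known_hosts for that host unless HostKeyAlgorithms is overridden (which is what Phil hit, and what Roumen's upgrade test exercises with the default settings), and Dan's downgrade question, where the server advertises only a type the client does not prefer. The preference list is the KEX_DEFAULT_PK_ALG quoted above; the known_hosts lines, hostnames and key blobs are constructed; and treating a certificate algorithm as matching its underlying plain key type is an assumption of this model, not something the thread states.

```python
"""Client-side host key algorithm selection as discussed in this thread.

Added example, not OpenSSH code.  Models (1) the 5.7 behaviour of asking
first for key types already in known_hosts for the host, and (2) the
RFC 4253 rule that the negotiated algorithm is the first entry of the
client's list that the server also offers.  Known_hosts content is
constructed; matching cert algorithms by plain key type is an assumption.
"""
import base64
import hashlib
import hmac

# KEX_DEFAULT_PK_ALG as quoted in this thread for OpenSSH 5.7.
KEX_DEFAULT_PK_ALG = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ssh-dss-cert-v01@openssh.com",
    "ssh-rsa-cert-v00@openssh.com",
    "ssh-dss-cert-v00@openssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-rsa",
    "ssh-dss",
]


def hashed_hostname(host: str, salt: bytes) -> str:
    """known_hosts '|1|salt|hash' form: HMAC-SHA1 of the hostname keyed by salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: a comma-separated list or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        return hashed_hostname(host, base64.b64decode(salt_b64)) == pattern
    return host in pattern.split(",")


def known_key_types(known_hosts: str, host: str):
    """Key types recorded for host, in file order; comments and marker lines skipped."""
    types = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host) and fields[1] not in types:
            types.append(fields[1])
    return types


def plain_type(alg: str) -> str:
    """Strip the certificate suffix (model assumption: certs match their plain type)."""
    for suffix in ("-cert-v01@openssh.com", "-cert-v00@openssh.com"):
        if alg.endswith(suffix):
            return alg[:-len(suffix)]
    return alg


def order_hostkeyalgs(default_algs, known_types):
    """Already-known types first, then the rest, each group in default order."""
    known = [a for a in default_algs if plain_type(a) in known_types]
    rest = [a for a in default_algs if plain_type(a) not in known_types]
    return known + rest


def negotiate(client_algs, server_algs):
    """RFC 4253 7.1: the first client-listed algorithm the server also supports."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


SALT = b"constructed-20-byte!"  # constructed salt for the hashed entry
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example",
    "bastion.example.org,192.0.2.10 ssh-rsa AAAAB3CONSTRUCTED-RSA",
    hashed_hostname("db.example.org", SALT) + " ssh-dss AAAAB3CONSTRUCTED-DSS",
    "vpn.example.org ecdsa-sha2-nistp256 AAAAE2CONSTRUCTED-ECDSA",
])


def scenarios():
    """Negotiated algorithm for the cases discussed in the thread."""
    out = {}
    # Default 5.7 behaviour: RSA key on file, upgraded server offers ECDSA too.
    kt = known_key_types(KNOWN_HOSTS, "bastion.example.org")
    out["upgraded_server_default"] = negotiate(order_hostkeyalgs(KEX_DEFAULT_PK_ALG, kt),
                                               ["ecdsa-sha2-nistp256", "ssh-rsa"])
    # Phil's case: HostKeyAlgorithms overridden, the known type is never asked for.
    out["upgraded_server_override"] = negotiate(["ecdsa-sha2-nistp256"],
                                                ["ecdsa-sha2-nistp256", "ssh-rsa"])
    out["override_type_known"] = plain_type(out["upgraded_server_override"]) in kt
    # Hashed entry resolves the same way as a plain one.
    out["hashed_entry_types"] = known_key_types(KNOWN_HOSTS, "db.example.org")
    # Dan's downgrade case: ECDSA known, server advertises only DSA.
    kt = known_key_types(KNOWN_HOSTS, "vpn.example.org")
    out["downgrade"] = negotiate(order_hostkeyalgs(KEX_DEFAULT_PK_ALG, kt), ["ssh-dss"])
    # Unknown host: nothing to prefer, the default order decides.
    kt = known_key_types(KNOWN_HOSTS, "new.example.org")
    out["unknown_host"] = negotiate(order_hostkeyalgs(KEX_DEFAULT_PK_ALG, kt),
                                    ["ssh-rsa", "ecdsa-sha2-nistp256"])
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(name, value)
```

The "downgrade" scenario returns ssh-dss: reordering only changes what the client asks for first, and a server that offers a single type still gets that type negotiated, which is the behaviour Damien describes as unchanged from earlier releases. Detecting that case would need the client to compare the negotiated type against the stronger types it has on file for the host, which is what `override_type_known` exposes for Phil's case.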
From: djm at mindrot.org (Damien Miller)
Date: Fri, 28 Jan 2011 14:04:19 +1100 (EST)
Subject: ECDSA and first connection; bug?
In-Reply-To:
References: <20110124114541.GA69546@redoubt.spodhuis.org> <20110127122022.GA32456@folly> <87A686A1-4D60-489A-BC0F-6621BD47FD1A@doxpara.com> <67E29A57-22DF-47F6-8B85-CC68F5B706EF@arcor.de>
Message-ID:

On Thu, 27 Jan 2011, Dan Kaminsky wrote:

> True, but suppose I'm a malicious server w/ the valid DSA key, but not the ECC key. I could advertise DSA exclusively, and the question is: Should the client accept the downgrade?

The client will accept the downgrade; this behaviour is unchanged from OpenSSH < 5.7. I'm happy with this for now, because if there are problems in the ECC code then users must be able to downgrade.

> Also, shouldn't we prefer *more* secure keys to less secure keys, client side?

Are you referring to the ordering of the key lengths within the ECDSA types? These don't matter so much, since a host will only have at most one ECDSA key.

-d

From bert.wesarg at googlemail.com Mon Jan 31 19:04:44 2011
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Mon, 31 Jan 2011 09:04:44 +0100
Subject: [PATCH] fix copy'n'paste error in PROTOCOL.mux
Message-ID: <3f0bbca1f844d62087c958a2ef84aea6a5bcb752.1296460738.git.bert.wesarg@googlemail.com>

--- PROTOCOL.mux | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 3d6f818..88f95b3 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -122,7 +122,7 @@ For dynamically allocated listen port the server replies with Note: currently unimplemented (server will always reply with MUX_S_FAILURE). -A client may request the master to establish a port forward: +A client may request the master to close a port forward: uint32 MUX_C_CLOSE_FWD uint32 request id -- 1.7.3.3.1603.g7f137

From vinschen at redhat.com Mon Jan 31 21:54:05 2011
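Review bot: the wording change is consistent with the `uint32 MUX_C_CLOSE_FWD` message that follows it in the hunk, but the commit has no message body under the subject; one line naming the message whose introduction was wrong (MUX_C_CLOSE_FWD) would make the change self-explanatory in the log without opening the diff. Worth confirming while here that the unchanged context line "Note: currently unimplemented (server will always reply with MUX_S_FAILURE)" belongs to the dynamically allocated listen port reply above it and not to the close-forward request, since after this change it sits directly before the MUX_C_CLOSE_FWD description.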
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 31 Jan 2011 11:54:05 +0100
Subject: Generate SSH1 host key by default?
Message-ID: <20110131105405.GA6215@calimero.vinschen.de>

Hi,

the OpenSSH installation script for Cygwin still creates an SSH1 host key by default.

My question is, wouldn't it make more sense to drop all auto-generation of SSH1 keys from the default installation procedure? I mean, nobody should use SSH1 anymore, right? Or should the script stick to it for some reason?

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From dtucker at zip.com.au Mon Jan 31 23:05:34 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 31 Jan 2011 23:05:34 +1100
Subject: Generate SSH1 host key by default?
In-Reply-To: <20110131105405.GA6215@calimero.vinschen.de>
References: <20110131105405.GA6215@calimero.vinschen.de>
Message-ID: <4D46A58E.4050800@zip.com.au>

On 31/01/2011 9:54 PM, Corinna Vinschen wrote:
> the OpenSSH installation script for Cygwin still creates an SSH1 host key by default.
>
> My question is, wouldn't it make more sense to drop all auto-generation of SSH1 keys from the default installation procedure? I mean, nobody should use SSH1 anymore, right? Or should the script stick to it for some reason?

Although the server now defaults to not enabling SSH1 for new installs (and has for a couple of releases), the client could conceivably need an SSH1 key, eg for RhostsRSAAuthentication. The admin could also enable Protocol 1 in the server (although it might be reasonable to give them the responsibility of creating the key in that case).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.