Call for testing: OpenSSH-5.7

Damien Miller djm at mindrot.org
Thu Jan 6 23:31:24 EST 2011 

Hi,

OpenSSH 5.7 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains a
couple of large and intrusive features and changes and quite a number of
bug fixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

 * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
   and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
   offer better performance than plain DH and DSA at the same equivalent
   symmetric key length, as well as much shorter keys.
     
   Only the mandatory sections of RFC5656 are implemented, specifically
   the three REQUIRED curves nistp256, nistp384 and nistp521 and only
   ECDH and ECDSA. Point compression (optional in RFC5656) is NOT
   implemented.
     
   Certificate host and user keys using the new ECDSA key types are
   supported - an ECDSA key may be certified, and an ECDSA key may act
   as a CA to sign certificates.

   ECDH in a 256 bit curve field is the preferred key agreement
   algorithm when both the client and server support it. ECDSA host
   keys are preferred when learning a host's keys for the first time.
     
 * sftp(1)/sftp-server(8): add a protocol extension to support a hard
   link operation. It is available through the "ln" command in the
   client. The old "ln" behaviour of creating a symlink is available
   using its "-s" option or through the preexisting "symlink" command

 * scp(1): Add a new -3 option to scp: Copies between two remote hosts
   are transferred through the local host.  Without this option the
   data is copied directly between the two remote hosts. 

 * ssh(1): automatically order the hostkeys requested by the client
   based on which hostkeys are already recorded in known_hosts. This
   avoids hostkey warnings when connecting to servers with new ECDSA
   keys, since these are now preferred when learning hostkeys for the
   first time.

 * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
   TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.

 * sftp(1): the sftp client is now significantly faster, using OpenBSD
   glob(3) extensions to preserve the results of stat(3) operations
   performed in the course of its execution rather than performing
   expensive round trips to fetch them again afterwards.

 * ssh(1): "atomically" create the listening mux socket by binding it on
   a temporary name and then linking it into position after listen() has
   succeeded. this allows the mux clients to determine that the server
   socket is either ready or stale without races. stale server sockets
   are now automatically removed

 * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
   configuration to allow selection of which key exchange methods are
   used by ssh(1) and sshd(8) and their order of preference.

 * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
   a generic bandwidth limiter that can be attached using the atomicio
   callback mechanism and use it to add a bandwidth limit option to
   sftp(1).
 
BugFixes:

 * ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
   temporary directories

 * ssh(1): avoid NULL deref on receiving a channel request on an unknown
   or invalid channel; bz#1842

 * sshd(8): remove a debug() that pollutes stderr on client connecting
   to a server in debug mode; bz#1719, ok dtucker

 * scp(1): pass through ssh command-line flags and options when doing
   remote-remote transfers, e.g. to enable agent forwarding which is
   particularly useful in this case; bz#1837

 * sftp-server(8): umask should be parsed as octal

 * sftp(1): escape '[' in filename tab-completion

 * ssh(1): Typo in confirmation message.  bz#1827

 * sshd(8): prevent free() of string in .rodata when overriding
   AuthorizedKeys in a Match block

 * Support building against openssl-1.0.0a

 * sshd(8): Use default shell /bin/sh if $SHELL is ""

 * ssh(1): kill proxy command on fatal() (we already kill it on clean exit);

 * ssh(1): install a SIGCHLD handler to reap expiried child process

Portable OpenSSH Bugfixes:

 * Use mandoc as preferred manpage formatter if it is present, followed
   by nroff and groff respectively.

 * sshd(8): Relax permission requirement on btmp logs to allow group
   read/writea

 * bz#1840: fix warning when configuring --with-ssl-engine

 * sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817

 * sshd(8): bz#1824: Add Solaris Project support.

 * sshd(8): Check is_selinux_enabled for exact return code since it can
   apparently return -1 under some conditions.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

More information about the openssh-unix-dev mailing list