Call for testing: OpenSSH-6.3

Andy Tsouladze andyb1 at andy-t.org
Fri Jul 26 10:52:09 EST 2013 

openssh-SNAP-20130726.tar.gz compiles and passes all tests on 
slackware64-14.0.

I found it strange that configure script does not try to determine whether 
md5 passwords are supported by the system, and it defaults to no support. 
It only checks if --with-md5-passwords was supplied.  Is this intended? 
What are the consequences of running sshd with no md5 password support on 
a system that does support them?  Is there a way to programmatically 
determine this?  Or maybe default should be to support md5 passwords?

Regards,

Andy

On Thu, 25 Jul 2013, Damien Miller wrote:

> Hi,
>
> OpenSSH 6.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.2
> =========================
>
> This release is predominantly a bugfix release:
>
> Features:
>
> * sshd(8): add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
>   or hostkeys on smartcards.
>
> * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument
>   to the existing RekeyLimit option. RekeyLimit is now supported in
>   sshd_config as well as on the client.
>
> * sshd(8): standardise logging of information during user authentication.
>
>   The presented key/cert and the remote username (if available) is now
>   logged in the authentication success/failure message on the same log
>   line as the local username, remote host/port and protocol in use.
>   Certificates contents and the key fingerprint of the signing CA are
>   logged too.
>
>   Including all relevant information on a single line simplifies log
>   analysis as it is no longer necessary to relate information scattered
>   across multiple log entries.
>
> * ssh(1): add the ability to query supported ciphers, MAC algorithms, key
>   types and key exchange methods.
>
> * ssh(1): support ProxyCommand=- to allow support cases where stdin and
>   stdout already point to the proxy.
>
> * ssh(1): allow IdenityFile=none
>
> * ssh(1)/sshd(8): add -E option to ssh and sshd to append debugging logs
>   to a specified file instead of stderr or syslog.
>
> * sftp(1): add support for resuming partial downloads using the "reget"
>   command and on the sftp commandline or on the "get" commandline using
>   the "-a" (append) option.
>
> * ssh(1): add an "IgnoreUnknown" configuration option to selectively
>   suppress errors arising from unknown configuration directives.
>
> * sshd(8): add support for submethods to be appended to required
>   authentication methods listed via AuthenticationMethods.
>
> Bugfixes:
>
> * sshd(8): fix refusal to accept certificate if a key of a different type
>   to the CA key appeared in authorized_keys before the CA key.
>
> * ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for timers so
>   that things like keepalives and rekeying will work properly over clock
>   steps.
>
> * sftp(1): update progressmeter when data is acknowledged, not when it's
>   sent. bz#2108
>
> * ssh(1)/ssh-keygen(1): improve error messages when the current user does
>   not exist in /etc/passwd; bz#2125
>
> * ssh(1): reset the order in which public keys are tried after partial
>   authentication success.
>
> * ssh-agent(1): clean up socket files after SIGINT when in debug mode;
>   bz#2120
>
> * ssh(1) and others: avoid confusing error messages in the case of broken
>   system resolver configurations; bz#2122
>
> * ssh(1): set TCP nodelay for connections started with -N; bz#2124
>
> * ssh(1): correct manual for permission requirements on ~/.ssh/config;
>   bz#2078
>
> * ssh(1): fix ControlPersist timeout not triggering in cases where TCP
>   connections have hung. bz#1917
>
> * ssh(1): properly deatch a ControlPersist master from its controlling
>   terminal.
>
> * sftp(1): avoid crashes in libedit when it has been compiled with multi-
>   byte character support. bz#1990
>
> * sshd(8): when running sshd -D, close stderr unless we have explicitly
>   requested logging to stderr. bz#1976,
>
> * ssh(1): fix incomplete bzero; bz#2100
>
> * sshd(8): log and error and exit if ChrootDirectory is specified and
>   running without root privileges.
>
> * Many improvements to the regression test suite. In particular log files
>   are now saved from ssh and sshd after failures.
>
> * Fix a number of memory leaks. bz#1967 bz#2096 and others
>
> * sshd(8): fix public key authentication when a :style is appended to
>   the requested username.
>
> * ssh(1): do not fatally exit when attempting to cleanup multiplexing-
>   created channels that are incompletely opened. bz#2079
>
> Portable OpenSSH:
>
> * Major overhaul of contrib/cygwin/README
>
> * Fix unaligned accesses in umac.c for strict-alignment architectures.
>   bz#2101
>
> * Enable -Wsizeof-pointer-memaccess if the compiler supports it. bz#2100
>
> * Fix broken incorrect commandline reporting errors. bz#1448
>
> * Only include SHA256 and ECC-based key exchange methods if libcrypto has
>   the required support.
>
> * A number of portability fixes for Android:
>   * Don't try to use lastlog on Android; bz#2111
>   * Fall back to using openssl's DES_crypt function on platorms that don't
>     have a native crypt() function; bz#2112
>   * Test for fd_mask, howmany and NFDBITS rather than trying to enumerate
>     the plaforms that don't have them. bz#2085
>   * Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is.
>     bz#2085
>   * Add a null implementation of endgrent for platforms that don't have
>     it (eg Android) bz#2087
>   * Support platforms, such as Android, that lack struct passwd.pw_gecos.
>     bz#2086
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>  Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

More information about the openssh-unix-dev mailing list