Call for testing: OpenSSH 6.7
Kevin Brott
kevin.brott at gmail.com
Tue Aug 19 03:00:03 EST 2014
So apparently openssl/ec.h didn't show up earlier than 0.9.8m. Right now
it's looking like any system with earlier versions will configure, but fail
to build off the bat.
On Mon, Aug 18, 2014 at 9:18 AM, Kevin Brott <kevin.brott at gmail.com> wrote:
> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>
> I know these are legacy OS version - but they're still in use here so ...
>
> OS          Build_Target       CC            OpenSSL        BUILD   TEST
> =========== ================== ============= ============== ======= =====
> Centos 2.1  i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
> RHEL 3.4    i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1
>
> make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
> arc4random.c
> In file included from ../buffer.h:24,
> from ../entropy.h:30,
> from ../includes.h:177,
> from arc4random.c:27:
> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
> make[1]: *** [arc4random.o] Error 1
> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
> [root at localhost openssh]# find ec.h
> find: ec.h: No such file or directory
>
>
>
>
> On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <djm at mindrot.org> wrote:
>
>> Hi,
>>
>> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
>> on as many platforms and systems as possible. This is a big release
>> containing a number of features, a lot of internal refactoring and some
>> potentially-incompatible changes.
>>
>> Snapshot releases for portable OpenSSH are available from
>> http://www.mindrot.org/openssh_snap/
>>
>> The OpenBSD version is available in CVS HEAD:
>> http://www.openbsd.org/anoncvs.html
>>
>> Portable OpenSSH is also available via anonymous CVS using the
>> instructions at http://www.openssh.com/portable.html#cvs or
>> via Git at https://anongit.mindrot.org/openssh.git/
>>
>> Running the regression tests supplied with Portable OpenSSH does not
>> require installation and is simply:
>>
>> $ ./configure && make tests
>>
>> Live testing on suitable non-production systems is also
>> appreciated. Please send reports of success or failure to
>> openssh-unix-dev at mindrot.org.
>>
>> Below is a summary of changes. More detail may be found in the ChangeLog
>> in the portable OpenSSH tarballs.
>>
>> Thanks to the many people who contributed to this release.
>>
>> Changes since OpenSSH 6.6
>> =========================
>>
>> Potentially-incompatible changes
>>
>> * sshd(8): The default set of ciphers and MACs has been altered to
>> remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>> are disabled by default.
>>
>> The full set of algorithms remains available if configured
>> explicitly via the Ciphers and MACs sshd_config options.
>>
>> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>>
>> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>> using the curve25519-sha256@libssh.org KEX exchange method to fail
>> when connecting with something that implements the specification
>> correctly. OpenSSH 6.7 disables this KEX method when speaking to
>> one of the affected versions.
>>
>> New Features
>>
>> * Major internal refactoring to begin to make part of OpenSSH usable
>> as a library. So far the wire parsing, key handling and KRL code
>> has been refactored. Please note that we do not consider the API
>> stable yet, nor do we offer the library in separable form.
>>
>> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>> A remote TCP port may be forwarded to a local Unix domain socket
>> and vice versa or both ends may be a Unix domain socket.
>>
>> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>> ED25519 key types.
>>
>> * sftp(1): Allow resumption of interrupted uploads.
>>
>> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>> is the same as the one sent during initial key exchange; bz#2154
>>
>> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>> addresses when GatewayPorts=no; allows client to choose address
>> family; bz#2222
>>
>> * sshd(8): Add a sshd_config PermitUserRC option to control whether
>> ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>> option; bz#2160
>>
>> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>> that expands to a unique identifier based on a hash of the tuple of
>> (local host, remote user, hostname, port). Helps avoid exceeding
>> miserly pathname limits for Unix domain sockets in multiplexing
>> control paths; bz#2220
>>
>> * sshd(8): Make the "Too many authentication failures" message
>> include the user, source address, port and protocol in a format
>> similar to the authentication success / failure messages; bz#2199
>>
>> * Added unit and fuzz tests for refactored code. These are run
>> automatically in portable OpenSSH via the "make tests" target.
>>
>> Bugfixes
>>
>> * sshd(8): Fix remote fwding with same listen port but different
>> listen address.
>>
>> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>> explicitly listed in ssh_config or on the commandline not to be
>> preferred.
>>
>> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>> revoked certificate serial number ranges could be serialised to an
>> invalid format. Readers of a broken KRL caused by this bug will
>> fail closed, so no should-have-been-revoked key will be accepted.
>>
>> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>> exit status. Previously we were always returning 0; bz#2255
>>
>> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>> randomart border; bz#2247
>>
>> * ssh-agent(1): Only cleanup agent socket in the main agent process
>> and not in any subprocesses it may have started (e.g. forked
>> askpass). Fixes agent sockets being zapped when askpass processes
>> fatal(); bz#2236
>>
>> * ssh-add(1): Make stdout line-buffered; saves partial output getting
>> lost when ssh-add fatal()s part-way through (e.g. when listing keys
>> from an agent that supports key types that ssh-add doesn't);
>> bz#2234
>>
>> * ssh-keygen(1): When hashing or removing hosts, don't choke on
>> @revoked markers and don't remove @cert-authority markers; bz#2241
>>
>> * ssh(1): Don't fatal when hostname canonicalisation fails and a
>> ProxyCommand is in use; continue and allow the ProxyCommand to
>> connect anyway (e.g. to a host with a name outside the DNS behind
>> a bastion)
>>
>> * scp(1): When copying local->remote fails during read, don't send
>> uninitialised heap to the remote end.
>>
>> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>> filenames with a single quote char somewhere in the string;
>> bz#2238
>>
>> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>>
>> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
>> convert any certificate keys to plain keys and attempt SSHFP
>> resolution. Prevents a server from skipping SSHFP lookup and
>> forcing a new-hostkey dialog by offering only certificate keys.
>>
>> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>>
>> * Fix some strict-alignment errors.
>>
>> Portable OpenSSH
>>
>> * Portable OpenSSH now supports building against libressl-portable.
>>
>> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>> versions are no longer supported.
>>
>> * In the OpenSSL version check, allow fix version upgrades (but not
>> downgrades). Debian bug #748150.
>>
>> * sshd(8): On Cygwin, determine privilege separation user at runtime,
>> since it may need to be a domain account.
>>
>> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>> non-root users, and for them it just messes up the tty settings.
>>
>> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>> available. It takes into account time spent suspended, thereby
>> ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>> bz#2228
>>
>> * Add support for ed25519 to opensshd.init init script.
>>
>> * sftp-server(8): On platforms that support it, use prctl() to
>> prevent sftp-server from accessing /proc/self/{mem,maps}
>>
>> Reporting Bugs:
>> ===============
>>
>> - Please read http://www.openssh.com/report.html
>> Security bugs should be reported directly to openssh at openssh.com
>>
>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>> Ben Lindstrom.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
>
> --
> # include <stddisclaimer.h>
> /* Kevin Brott <Kevin.Brott at gmail.com> */
>
>
--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at gmail.com> */
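An added example, not code from the thread or from OpenSSH: a pre-flight script for the failure Kevin reports above, where configure succeeds on an old OpenSSL but the build stops in sshbuf.h because openssl/ec.h is missing. It checks for that header and compares the installed version against the 0.9.8f minimum stated in the 6.7 announcement; the default include directory /usr/include and the `openssl version` output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check the OpenSSL toolchain before
# running ./configure for OpenSSH 6.7. The include directory defaults to
# /usr/include (an assumption); pass another one as the first argument.

# openssl_version_num VERSION : print an integer sort key for an OpenSSL
# version string such as 0.9.6b-engine, 0.9.7a, 0.9.8zh or 1.0.1e.
openssl_version_num() {
    v=${1%%-*}                  # drop vendor suffixes like -engine / -fips
    letters=${v##*[0-9]}        # trailing patch letters ("", "b", "zh")
    num=${v%"$letters"}         # dotted numeric part, e.g. 0.9.6
    IFS=. read -r a b c <<EOF
$num
EOF
    # encode letters in base 27 so "" < a < ... < z < za < zb < ...
    l=0
    while [ -n "$letters" ]; do
        ch=${letters%"${letters#?}"}
        letters=${letters#?}
        l=$(( l * 27 + $(printf '%d' "'$ch") - 96 ))
    done
    echo $(( ${a:-0} * 1000000000 + ${b:-0} * 1000000 + ${c:-0} * 1000 + l ))
}

# openssl_ok VERSION : succeed when VERSION is at least 0.9.8f (the
# minimum given in the 6.7 release notes)
openssl_ok() {
    [ "$(openssl_version_num "$1")" -ge "$(openssl_version_num 0.9.8f)" ]
}

# have_ec_header INCLUDEDIR : succeed when <openssl/ec.h> is present
have_ec_header() {
    [ -f "$1/openssl/ec.h" ]
}

# preflight [INCLUDEDIR] : run both checks against the local toolchain
preflight() {
    inc=${1:-/usr/include}
    ver=$(openssl version 2>/dev/null | awk '{ print $2 }')
    rc=0
    openssl_ok "$ver" || { echo "OpenSSL $ver is older than 0.9.8f"; rc=1; }
    have_ec_header "$inc" || { echo "missing $inc/openssl/ec.h"; rc=1; }
    [ $rc -eq 0 ] && echo "ok: OpenSSL $ver with EC headers in $inc"
    return $rc
}

[ $# -eq 0 ] || preflight "$@"   # runs only when an include dir is given
```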