Call for testing: OpenSSH 6.7
Jeff Wieland
wieland at purdue.edu
Wed Aug 20 07:49:33 EST 2014
It fails under SPARC Solaris 10, running a recent patch set, with
our locally built OpenSSL 1.0.0n, and SUN Studio 12. The
test_sshbuf binary dumps core with an error code of 139:
cd ./regress || exit $?; \
make \
.OBJDIR="${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="${BUILDDIR}" \
OBJ="${BUILDDIR}/regress/" \
PATH="${BUILDDIR}:${PATH}" \
TEST_ENV=MALLOC_OPTIONS="" \
TEST_SHELL="${TEST_SHELL}" \
TEST_SSH_SCP="${TEST_SSH_SCP}" \
TEST_SSH_SSH="${TEST_SSH_SSH}" \
TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="${TEST_SSH_IPV6}" \
TEST_SSH_ECC="${TEST_SSH_ECC}" \
EXEEXT="" \
tests && echo all tests passed
set -e ; if test -z "" ; then \
/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshbuf/test_sshbuf ; \
/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshkey/test_sshkey \
-d
/opt/src/sys/openssh/openssh-SNAP-20140820/regress//unittests/sshkey/testdata ; \
fi
*** Error code 139
make: Fatal error: Command failed for target `unit'
Current working directory /opt/src/sys/openssh/openssh-SNAP-20140820/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'
Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.6
> =========================
>
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
> remove unsafe algorithms. In particular, CBC ciphers and arcfour*
> are disabled by default.
>
> The full set of algorithms remains available if configured
> explicitly via the Ciphers and MACs sshd_config options.
>
> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>
> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
> using the curve25519-sha256@libssh.org KEX exchange method to fail
> when connecting with something that implements the specification
> correctly. OpenSSH 6.7 disables this KEX method when speaking to
> one of the affected versions.
>
> New Features
>
> * Major internal refactoring to begin to make part of OpenSSH usable
> as a library. So far the wire parsing, key handling and KRL code
> has been refactored. Please note that we do not consider the API
> stable yet, nor do we offer the library in separable form.
>
> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
> A remote TCP port may be forwarded to a local Unix domain socket
> and vice versa or both ends may be a Unix domain socket.
>
> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
> ED25519 key types.
>
> * sftp(1): Allow resumption of interrupted uploads.
>
> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
> is the same as the one sent during initial key exchange; bz#2154
>
> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
> addresses when GatewayPorts=no; allows client to choose address
> family; bz#2222
>
> * sshd(8): Add a sshd_config PermitUserRC option to control whether
> ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
> option; bz#2160
>
> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
> that expands to a unique identifier based on a hash of the tuple of
> (local host, remote user, hostname, port). Helps avoid exceeding
> miserly pathname limits for Unix domain sockets in multiplexing
> control paths; bz#2220
>
> * sshd(8): Make the "Too many authentication failures" message
> include the user, source address, port and protocol in a format
> similar to the authentication success / failure messages; bz#2199
>
> * Added unit and fuzz tests for refactored code. These are run
> automatically in portable OpenSSH via the "make tests" target.
>
> Bugfixes
>
> * sshd(8): Fix remote fwding with same listen port but different
> listen address.
>
> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
> explicitly listed in ssh_config or on the commandline not to be
> preferred.
>
> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
> revoked certificate serial number ranges could be serialised to an
> invalid format. Readers of a broken KRL caused by this bug will
> fail closed, so no should-have-been-revoked key will be accepted.
>
> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
> exit status. Previously we were always returning 0; bz#2255
>
> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
> randomart border; bz#2247
>
> * ssh-agent(1): Only cleanup agent socket in the main agent process
> and not in any subprocesses it may have started (e.g. forked
> askpass). Fixes agent sockets being zapped when askpass processes
> fatal(); bz#2236
>
> * ssh-add(1): Make stdout line-buffered; saves partial output getting
> lost when ssh-add fatal()s part-way through (e.g. when listing keys
> from an agent that supports key types that ssh-add doesn't);
> bz#2234
>
> * ssh-keygen(1): When hashing or removing hosts, don't choke on
> @revoked markers and don't remove @cert-authority markers; bz#2241
>
> * ssh(1): Don't fatal when hostname canonicalisation fails and a
> ProxyCommand is in use; continue and allow the ProxyCommand to
> connect anyway (e.g. to a host with a name outside the DNS behind
> a bastion)
>
> * scp(1): When copying local->remote fails during read, don't send
> uninitialised heap to the remote end.
>
> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
> filenames with a single quote char somewhere in the string;
> bz#2238
>
> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>
> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
> convert any certificate keys to plain keys and attempt SSHFP
> resolution. Prevents a server from skipping SSHFP lookup and
> forcing a new-hostkey dialog by offering only certificate keys.
>
> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>
> * Fix some strict-alignment errors.
>
> Portable OpenSSH
>
> * Portable OpenSSH now supports building against libressl-portable.
>
> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
> versions are no longer supported.
>
> * In the OpenSSL version check, allow fix version upgrades (but not
> downgrades). Debian bug #748150.
>
> * sshd(8): On Cygwin, determine privilege separation user at runtime,
> since it may need to be a domain account.
>
> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
> non-root users, and for them it just messes up the tty settings.
>
> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
> available. It takes into account time spent suspended, thereby
> ensuring timeouts (e.g. for expiring agent keys) fire correctly.
> bz#2228
>
> * Add support for ed25519 to opensshd.init init script.
>
> * sftp-server(8): On platforms that support it, use prctl() to
> prevent sftp-server from accessing /proc/self/{mem,maps}
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)494-6620 | West Lafayette, IN 47907
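
Added example (not part of the original post, and not OpenSSH project code): the quoted release notes say CBC ciphers and arcfour* leave the sshd(8) defaults in 6.7 but stay available when listed explicitly under Ciphers, so a pre-upgrade check can list which of them an existing sshd_config names. The function names, the name-pattern test for "CBC or arcfour" and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the CBC and arcfour* ciphers that an sshd_config
# enables explicitly via its Ciphers keyword.

# weak_ciphers FILE: print one offending cipher name per line.
weak_ciphers() {
    awk '
        { sub(/=/, " ") }                    # "Keyword=value" is also accepted
        /^[ \t]*#/ { next }                  # skip comment lines
        tolower($1) == "ciphers" && !seen {  # keywords are case-insensitive
            seen = 1                         # first obtained value is the one used
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /-cbc(@|$)/ || c[i] ~ /^arcfour/)
                    print c[i]
        }
    ' "$1"
}

# audit_sshd_config FILE: return 0 if clean, 1 after listing offenders.
audit_sshd_config() {
    found=$(weak_ciphers "$1")
    [ -z "$found" ] && return 0
    # $found is left unquoted on purpose: one output line per cipher name.
    printf 'explicitly enabled weak cipher: %s\n' $found
    return 1
}

# sample_config: constructed sshd_config fragment (not taken from the page).
sample_config() {
    cat <<'EOF'
# legacy client compatibility
Port 22
Ciphers aes128-ctr,aes256-cbc,arcfour256,chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se
Ciphers 3des-cbc
MACs hmac-sha2-256
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "review the Ciphers line before upgrading"
rm -f "$tmp"
```

The second Ciphers line in the sample is ignored because sshd uses the first value obtained for each keyword; MACs are not checked, since the release notes do not name the MACs that were removed.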