Call for testing: OpenSSH-6.5

Mark E. Lee mark at markelee.com
Thu Jan 23 13:01:49 EST 2014


On Fri, 2014-01-17 at 11:26 +1100, Damien Miller wrote:
> Hi,
> 
> OpenSSH 6.5 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Changes since OpenSSH 6.4
> =========================
> 
> This is a feature-focused release.
> 
> New features:
> 
>  * ssh(1), sshd(8): Add support for key exchange using elliptic-curve
>    Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
>    method is the default when both the client and server support it.
> 
>  * ssh(1), sshd(8): Add support for Ed25519 as a public key type.
>    Ed25519 is an elliptic curve signature scheme that offers
>    better security than ECDSA and DSA and good performance. It may be
>    used for both user and host keys.
> 
>  * Add a new private key format that uses a bcrypt KDF to better
>    protect keys at rest. This format is used unconditionally for
>    Ed25519 keys, but may be requested when generating or saving
>    existing keys of other types via the -o ssh-keygen(1) option.
>    We intend to make the new format the default in the near future.
>    Details of the new format are in the PROTOCOL.key file.
> 
>  * ssh(1), sshd(8): Add a new transport cipher
>    "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
>    ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
>    encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
> 
>  * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
>    servers that use the obsolete RSA+MD5 signature scheme. It will
>    still be possible to connect with these clients/servers but only
>    DSA keys will be accepted, and OpenSSH will refuse connection
>    entirely in a future release.
> 
>  * ssh(1), sshd(8): Refuse old proprietary clients and servers that
>    use a weaker key exchange hash calculation.
> 
>  * ssh(1): Increase the size of the Diffie-Hellman groups requested
>    for each symmetric key size. New values from NIST Special
>    Publication 800-57 with the upper limit specified by RFC4419.
> 
>  * ssh(1), ssh-agent(1): Support pkcs#11 tokens that only provide
>    X.509 certs instead of raw public keys (requested as bz#1908).
> 
>  * ssh(1): Add a ssh_config(5) "Match" keyword that allows
>    conditional configuration to be applied by matching on hostname,
>    user and result of arbitrary commands.
> 
>  * ssh(1): Add support for client-side hostname canonicalisation
>    using a set of DNS suffixes and rules in ssh_config(5). This
>    allows unqualified names to be canonicalised to fully-qualified
>    domain names to eliminate ambiguity when looking up keys in
>    known_hosts or checking host certificate names.
> 
>  * sftp-server(8): Add the ability to whitelist and/or blacklist sftp
>    protocol requests by name.
> 
>  * sftp-server(8): Add an sftp "fsync@openssh.com" to support calling
>    fsync(2) on an open file handle.
> 
>  * sshd(8): Add an ssh_config(5) PermitTTY to disallow TTY allocation,
>    mirroring the longstanding no-pty authorized_keys option.
> 
>  * ssh(1): Add an ssh_config ProxyUseFDPass option that supports the
>    use of ProxyCommands that establish a connection and then pass a
>    connected file descriptor back to ssh(1). This allows the
>    ProxyCommand to exit rather than staying around to transfer data.
> 
> Bugfixes:
> 
>  * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
>    certificates.
> 
>  * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
> 
>  * sftp(1): bz#2137: fix the progress meter for resumed transfer.
> 
>  * ssh-add(1): bz#2187: do not request smartcard PIN when removing
>    keys from ssh-agent.
> 
>  * sshd(8): bz#2139: fix re-exec fallback when original sshd binary
>    cannot be executed.
> 
>  * ssh-keygen(1): Make relative-specified certificate expiry times
>    relative to current time and not the validity start time.
> 
>  * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
> 
>  * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
>    the target path.
> 
>  * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
>    helper executable.
> 
>  * sshd(8): Improve logging of sessions to include the user name,
>    remote host and port, the session type (shell, command, etc.) and
>    allocated TTY (if any).
> 
>  * sshd(8): bz#1297: tell the client (via a debug message) when
>    their preferred listen address has been overridden by the
>    server's GatewayPorts setting.
> 
>  * sshd(8): bz#2162: include report port in bad protocol banner
>    message.
> 
>  * sftp(1): bz#2163: fix memory leak in error path in do_readdir().
> 
>  * sftp(1): bz#2171: don't leak file descriptor on error.
> 
>  * sshd(8): Include the local address and port in "Connection from
>    ..." message (only shown at loglevel>=verbose).
> 
> Portable OpenSSH:
> 
>  * Switch to a ChaCha20-based arc4random() PRNG for platforms that do
>    not provide their own.
> 
>  * sshd(8): bz#2156: restore Linux oom_adj setting when handling
>    SIGHUP to maintain behaviour over restart.
> 
>  * sshd(8): bz#2032: use local username in krb5_kuserok check rather
>    than full client name which may be of form user@REALM.
> 
>  * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
>    OpenSSL and that they actually work. Fedora (at least) has
>    NID_secp521r1 that doesn't work.
> 
>  * bz#2173: use pkg-config --libs to include correct -L location for
>    libedit.
> 
> Reporting Bugs:
> ===============
> 
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> 

Salutations,

Tested the 1/23/2014 snapshot on Arch Linux 64-bit with the following configure
options:
./configure \
                --prefix=/usr \
                --sbindir=/usr/bin \
                --libexecdir=/usr/lib/ssh \
                --sysconfdir=/etc/ssh \
                --with-ldns \
                --with-libedit \
                --with-ssl-engine \
                --with-pam \
                --with-privsep-user=nobody \
                --with-kerberos5=/usr \
                --with-xauth=/usr/bin/xauth \
                --with-mantype=man \
                --with-md5-passwords \
                --with-pid-dir=/run \

Passed all tests.

Regards,
Mark
-- 
Mark E. Lee <mark at markelee.com>
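The bcrypt-KDF private key format described in the quoted announcement is easy to check for after a build like the one reported above. The script below is an added example, not code from the announcement or from Mark's report: it classifies private key files by their first line and, when an ssh-keygen of 6.5 or later is on PATH (an assumption), generates keys into a scratch directory to show which ones land in the new format.

```shell
#!/bin/sh
# Added example, not part of the announcement or of Mark's test report.
# Classifies OpenSSH private key files by their first line to tell the new
# bcrypt-KDF format (PROTOCOL.key, "-----BEGIN OPENSSH PRIVATE KEY-----")
# from the legacy PEM formats. Assumes POSIX sh; the live section at the
# bottom additionally assumes an ssh-keygen from 6.5 or later on PATH.

# Prints "new" for the 6.5 format, "legacy" for PEM RSA/DSA/EC keys (whose
# passphrase protection is OpenSSL's single-pass PEM key derivation, not
# bcrypt), and "unknown" for anything else (public keys, unreadable files).
key_format() {
    hdr=$(head -n 1 "$1" 2>/dev/null)
    case "$hdr" in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo new ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            echo legacy ;;
        *) echo unknown ;;
    esac
}

# Counts legacy-format private keys in a directory (.pub files are skipped):
# the check to run over ~/.ssh before and after converting keys with -o.
count_legacy() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if [ "$(key_format "$f")" = legacy ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Live demonstration: generate keys into a scratch directory and classify them.
# With 6.5, Ed25519 is always written in the new format and RSA only with -o;
# later releases made the new format the default for every key type.
if command -v ssh-keygen >/dev/null 2>&1; then
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$d/id_ed25519"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/id_rsa"
    ssh-keygen -q -o -t rsa -b 2048 -N '' -f "$d/id_rsa_o"
    for k in "$d"/id_ed25519 "$d"/id_rsa "$d"/id_rsa_o; do
        echo "$k: $(key_format "$k")"
    done
    echo "legacy-format keys in $d: $(count_legacy "$d")"
    rm -rf "$d"
fi
```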

