Call for testing: OpenSSH-6.5

Damien Miller djm at mindrot.org
Thu Jan 30 10:42:20 EST 2014


On Tue, 28 Jan 2014, Tom G. Christensen wrote:

> On 28/01/14 12:17, Damien Miller wrote:
> > As for altering the test to take longer - you could try increasing
> > the 'sleep 3' statements in rekey.sh to something longer and see
> > if that helps. Unfortunately, this is a more fiddly one to avoid the
> > races on.
> > 
> AFAICT the two tests that fail are run through the ssh_data_rekeying function
> which does not include a sleep.
> 
> The failed tests:
> client rekey chacha20-poly1305@openssh.com diffie-hellman-group-exchange-sha1
> client rekey chacha20-poly1305@openssh.com diffie-hellman-group-exchange-sha256
> 
> See also http://jupiterrise.com/tmp where the failed-* logs are.

Darren and I just talked about this and we have a theory of
what is going wrong. chacha20-poly1305@openssh.com demands the
most key material from the key exchange and thus causes the
diffie-hellman-group-exchange-* methods to select their largest and most
computationally expensive DH groups.

So your poor machine is trying to do these 8kbit modular exponentiations
and they are taking too long for the tests' default LoginGraceTime of
two minutes.

Unfortunately we don't have a good way to report this, as the login
grace stuff runs as a SIGALRM handler and Irix doesn't have a
signal-safe fprintf or syslog_r.

Fortunately, working around this in the test is easy:

Index: regress/test-exec.sh
===================================================================
RCS file: /var/cvs/openssh/regress/test-exec.sh,v
retrieving revision 1.61
diff -u -p -r1.61 test-exec.sh
--- regress/test-exec.sh	9 Nov 2013 05:55:03 -0000	1.61
+++ regress/test-exec.sh	29 Jan 2014 23:37:41 -0000
@@ -328,6 +328,7 @@ cat << EOF > $OBJ/sshd_config
 	StrictModes		no
 	Port			$PORT
 	Protocol		2,1
+	LoginGraceTime		15m
 	AddressFamily		inet
 	ListenAddress		127.0.0.1
 	#ListenAddress		::1
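
Review bot: The new LoginGraceTime 15m line in the generated $OBJ/sshd_config has no comment saying why the value is so large, and it applies to every test that uses this config, not only the rekey cases. A one-line "#" comment above it (the heredoc already carries a commented-out ListenAddress line, so comments are fine there) noting that it covers slow hosts doing large group-exchange DH would keep someone from trimming it later. Also consider taking the value from a variable with 15m as the default, so a fast machine can keep a short grace time and a genuinely hung pre-auth connection is dropped sooner than 15 minutes.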

Please let us know if this works.

-d

