MacOS; Unix sockets & man (Re: Call for testing: OpenSSH 6.7)

Phil Pennock phil.pennock at
Thu Sep 11 16:31:01 EST 2014

On 2014-08-18 at 11:23 +1000, Damien Miller wrote:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
> Snapshot releases for portable OpenSSH are available from

Downloaded openssh-SNAP-20140911.tar.gz onto MacOS 10.8.5, using Clang
(Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)).

Configured with:

  ./configure --with-libedit --with-pam --with-kerberos5 \
    --prefix=/opt/openssh --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/local/Cellar/openssl/1.0.1i \

stolen/derived from the Homebrew configuration: so I think this will
match a common configuration profile on this platform (everything except
the --prefix value chosen).

"all tests passed".

The Unix port forwarding appears to be undocumented.  From reading the
code, presence of a '/' anywhere in the PORT field causes
parse_fwd_field() to mark the item as a path.  When I supply an absolute
path, this works and works great!  :)  If I supply a relative path, then
it's passed to the server as a path but fails, triggering a warning

  Warning: remote port forwarding failed for listen path tmp/FRED

The server-side debug logs:
----------------------------8< cut here >8------------------------------
debug1: server_input_global_request: rtype streamlocal-forward at want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path usr/fred
debug3: channel_setup_fwd_listener_streamlocal: type 19 path usr/fred
bind: Permission denied
unix_listener: cannot bind to path: usr/fred
----------------------------8< cut here >8------------------------------

This is with client and server both on the same MacOS box.

Since I'm not sure if it's only supposed to work if the path _starts_
with a slash, or if it _should_ work for _contains_ a slash, I'm not
offering a documentation patch; I'll note that I'd expect to see this
documented under -L, -R or the ssh_config options, or perhaps in a new
section in ssh(1) "Port Forwarding" and cut down on a bunch of the
duplication by referring to a full spec in that.

(If you want an nroff patch and say what the behaviour should be, I'd be
happy to contribute).

To finish off, compilation warnings until the end of the email, so if
not interested in these, then there's nothing else to read here.


I'll list them all for completeness, despite the lack of visible
replacements for some deprecation-warning items:

 * `getrrsetbyname-ldns.c` had complaints on multiple lines of the form:
----------------------------8< cut here >8------------------------------
getrrsetbyname-ldns.c:92:6: warning: variable 'ldns_res' is used uninitialized whenever 'if' condition is true
----------------------------8< cut here >8------------------------------
    Always for `ldns_res`.
    These were classed as `-Wsometimes-uninitialized` warnings.

 * Lots of ranlib complaints of files having no symbols; which I suspect
   come down to not defining things like USE_BUILTIN_RIJNDAEL so these
   are just noise

 * Two complaints of daemon() deprecation in ssh.c, lines 1288 & 1300;
   also in sshd.c:1892:
----------------------------8< cut here >8------------------------------
ssh.c:1288:2: warning: 'daemon' is deprecated: first deprecated in OS X 10.5 [-Wdeprecated-declarations]
----------------------------8< cut here >8------------------------------
   Man-page daemon(3) says nothing about a deprecation; stdlib.h just
----------------------------8< cut here >8------------------------------
int      daemon(int, int) __DARWIN_1050(daemon) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_5, __IPHONE_2_0, __IPHONE_2_0);
----------------------------8< cut here >8------------------------------
   and I'm not seeing what replaces it, unless the answer is just
   "use launchd".

 * Many of these:
----------------------------8< cut here >8------------------------------
clang: warning: argument unused during compilation: '-pie'
----------------------------8< cut here >8------------------------------

 * loginrec.c : `struct utmp` and the `login()`, `logout()` and
   `logwtmp()` functions are triggering deprecation warnings:
----------------------------8< cut here >8------------------------------
loginrec.c:188:49: warning: 'utmp' is deprecated [-Wdeprecated-declarations]
void set_utmp_time(struct logininfo *li, struct utmp *ut);
----------------------------8< cut here >8------------------------------
   The function at least has a deprecated-since label of 10.5:

 * sandbox-darwin.c warnings and deprecations:
----------------------------8< cut here >8------------------------------
sandbox-darwin.c:43:25: warning: declaration of 'struct monitor' will not be visible outside of this function [-Wvisibility]
ssh_sandbox_init(struct monitor *monitor)
sandbox-darwin.c:65:6: warning: 'sandbox_init' is deprecated: first deprecated in OS X 10.8 [-Wdeprecated-declarations]
        if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
/usr/include/sandbox.h:65:5: note: 'sandbox_init' declared here
int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
sandbox-darwin.c:65:19: warning: 'kSBXProfilePureComputation' is deprecated: first deprecated in OS X 10.8
        if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
/usr/include/sandbox.h:97:19: note: 'kSBXProfilePureComputation' declared here
extern const char kSBXProfilePureComputation[];
3 warnings generated.
----------------------------8< cut here >8------------------------------
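
An added illustration of the forwarding behaviour reported above; it is not part of the original message and is not OpenSSH code, and `classify_fwd_field()` and `listen_streamlocal()` are hypothetical names. It applies the "any '/' means path" rule the message describes, then shows that a relative listen path is resolved against the working directory of the process that binds it:

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum fwd_kind { FWD_PORT, FWD_PATH_ABSOLUTE, FWD_PATH_RELATIVE };

/* Illustrative only, not OpenSSH's parse_fwd_field(): any '/' marks the
 * field as a path (the rule described in the message); paths are then
 * split so a caller can reject or warn on the relative case up front. */
enum fwd_kind classify_fwd_field(const char *field)
{
    if (strchr(field, '/') == NULL)
        return FWD_PORT;
    return field[0] == '/' ? FWD_PATH_ABSOLUTE : FWD_PATH_RELATIVE;
}

/* Create a Unix-domain listener. The kernel resolves a relative path
 * against the calling process's current directory, so the outcome depends
 * on where the listening process runs, which the client cannot see.
 * Returns the listening fd, or -1 with errno set. */
int listen_streamlocal(const char *path)
{
    struct sockaddr_un addr;
    int fd, saved;

    /* sun_path is a small fixed buffer (about 104-108 bytes). */
    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);        /* length checked above */

    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
        listen(fd, 16) == -1) {
        saved = errno;                  /* close() may overwrite errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}
```

For a relative path the error reflects the binding process's working directory: a missing parent directory gives ENOENT, an unwritable one gives EACCES, and an existing socket file gives EADDRINUSE.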
