Call for testing: OpenSSH 6.8

Darren Tucker dtucker at
Tue Feb 24 07:16:39 AEDT 2015

I've found the following problem with really old gccs (definitely
and 2.95.3 but possibly others).  I believe it's due to variadic macros
when given only 1 arg.

channels.c: In function `channel_input_port_forward_request´:
channels.c:3442: parse error before `;´

The line is pretty simple:

        if (fwd.connect_port == 0)
                packet_disconnect("Dynamic forwarding denied.");

As part of the new API, packet_disconnect() became a macro:

#define packet_disconnect(fmt, args...) \
        ssh_packet_disconnect(active_state, (fmt), ##args)

If I do -save-temps, the preprocessed source is (note unbalanced parens):

        if (fwd.connect_port == 0)
                ssh_packet_disconnect(active_state, ( "Dynamic forwarding
denied."  ) ;

If I change the source to:

        if (fwd.connect_port == 0)
                packet_disconnect("%s", "Dynamic forwarding denied.");

then it'll work.

Question is: what to do?
a) nothing.  I'll either retire the affected test platforms or upgrade the
compiler depending on how enthusiastic I get.
b) add the "%s"
c) make packet_disconnect a real function.
d) ???


On Thu, Feb 19, 2015 at 5:21 PM, Damien Miller <djm at> wrote:

> Hi,
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at or
> via Git at
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.
> Changes since OpenSSH 6.7
> =========================
> This is a major release, containing a number of new features as
> well as a large internal re-factoring.
> Potentially-incompatible changes
> --------------------------------
>  * sshd(8): UseDNS now defaults to 'no'. Configurations that match
>    against the client host name (via sshd_config or authorized_keys)
>    may need to re-enable it or convert to matching against addresses.
> New Features
> ------------
>  * Much of OpenSSH's internal code has been re-factored to be more
>    library-like. These changes are mostly not user-visible, but
>    have greatly improved OpenSSH's testability and internal layout.
>  * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
>    command-line flags to the other tools to control algorithm used
>    for key fingerprints. The default changes from MD5 to SHA256 and
>    format from hex to base64.
>    Fingerprints now have the hash algorithm prepended. An example of
>    the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
>    Please note that visual host keys will also be different.
>  * ssh(1), sshd(8): Host key rotation support. Add a protocol
>    extension for a server to inform a client of all its available
>    host keys after authentication has completed. The client may
>    record the keys in known_hosts, allowing it to upgrade to better
>    host key algorithms and a server to gracefully rotate its keys.
>    The client side of this is controlled by a UpdateHostkeys config
>    option (default on).
>  * ssh(1): Add a ssh_config HostbasedKeyType option to control which
>    host public key types are tried during host-based authentication.
>  * ssh(1), sshd(8): fix connection-killing host key mismatch errors
>    when sshd offers multiple ECDSA keys of different lengths.
>  * ssh(1): when host name canonicalisation is enabled, try to
>    parse host names as addresses before looking them up for
>    canonicalisation. fixes bz#2074 and avoiding needless DNS
>    lookups in some cases.
>  * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
>    require OpenSSH to be compiled with OpenSSL support.
>  * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
>    authentication.
>  * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
>    Bleichenbacher Side Channel Attack. Fake up a bignum key before
>    RSA decryption.
>  * sshd(8): Remember which public keys have been used for
>    authentication and refuse to accept previously-used keys.
>    This allows AuthenticationMethods=publickey,publickey to require
>    that users authenticate using two _different_ public keys.
>  * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
>    PubkeyAcceptedKeyTypes options to allow sshd to control what
>    public key types will be accepted. Currently defaults to all.
>  * sshd(8): Don't count partial authentication success as a failure
>    against MaxAuthTries.
>  * ssh(1): Add RevokedHostKeys option for the client to allow
>    text-file or KRL-based revocation of host keys.
>  * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>    serial number or key ID without scoping to a particular CA.
>  * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>    Match blocks to trigger only in the second config pass.
>  * ssh(1): Add a -G option to ssh that causes it to parse its
>    configuration and dump the result to stdout, similar to "sshd -T".
>  * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>  * The regression test suite has been extended to cover more OpenSSH
>    features. The unit tests have been expanded and now cover key
>    exchange.
> Bugfixes
> --------
>  * ssh-keyscan(1): ssh-keyscan has been made much more robust again
>    servers that hang or violate the SSH protocol.
>  * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>    being lost as comment fields.
>  * ssh(1): Allow ssh_config Port options set in the second config
>    parse phase to be applied (they were being ignored). bz#2286
>  * ssh(1): Tweak config re-parsing with host canonicalisation - make
>    the second pass through the config files always run when host name
>    canonicalisation is enabled (and not whenever the host name
>    changes) bz#2267
>  * ssh(1): Fix passing of wildcard forward bind addresses when
>    connection multiplexing is in use; bz#2324;
>  * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>    formats; bz#2345.
>  * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>    use.
>  * Various fixed to manual pages: bz#2288, bz#2316, bz#2273
> Portable OpenSSH
> ----------------
>  * Support --without-openssl at configure time
>    Disables and removes dependency on OpenSSL. Many features,
>    including SSH protocol 1 are not supported and the set of crypto
>    options is greatly restricted. This will only work on system with
>    native arc4random or /dev/urandom.
>    Considered highly experimental for now.
>  * Support --without-ssh1 option at configure time
>    Allows disabling support for SSH protocol 1.
>    Still experimental - not all regression and unit tests have been
>    been adapted for the absence of SSH protocol 1.
>  * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>  * Allow custom service name for sshd on Cygwin. Permits the use of
>    multiple sshd running with different service names.
> Reporting Bugs:
> ===============
> - Please read
>   Security bugs should be reported directly to openssh at
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list