Call for testing: OpenSSH 7.4

The Doctor doctor at
Wed Dec 14 12:09:25 AEDT 2016

On Wed, Dec 14, 2016 at 11:53:32AM +1100, Damien Miller wrote:
> Hi,
> OpenSSH 7.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at or
> via Git at or via a
> mirror at Github:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.

Got you.  Will run make tests.  So far running on FreeBSD 11.0 using openssl 1.0.2 current


Trying Openssl 1.1

> Potentially-incompatible changes
> ================================
> This release includes a number of changes that may affect existing
> configurations:
>  * This release removes server support for the SSH v.1 protocol.
>  * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
>    block ciphers are not safe in 2016 and we don't want to wait until
>    attacks like SWEET32 are extended to SSH. As 3des-cbc was the
>    only mandatory cipher in the SSH RFCs, this may cause problems
>    connecting to older devices using the default configuration,
>    but it's highly likely that such devices already need explicit
>    configuration for key exchange and hostkey algorithms anyway.
>  * sshd(8): Remove support for pre-authentication compression.
>    Doing compression early in the protocol probably seemed reasonable
>    in the 1990s, but today it's clearly a bad idea in terms of both
>    cryptography (cf. multiple compression oracle attacks in TLS) and
>    attack surface. Pre-auth compression support has been disabled by
>    default for >10 years. Support remains in the client.
>  * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
>    of trusted paths by default. The path whitelist may be specified
>    at run-time.
>  * sshd(8): When a forced-command appears in both a certificate and
>    an authorized keys/principals command= restriction, sshd will now
>    refuse to accept the certificate unless they are identical.
>    The previous (documented) behaviour of having the certificate
>    forced-command override the other could be a bit confusing and
>    error-prone.
>  * sshd(8): Remove the UseLogin configuration directive and support
>    for having /bin/login manage login sessions.
> Changes since OpenSSH 7.3
> =========================
> This is primarily a bugfix release.
> New Features
> ------------
>  * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
>    version in PuTTY by Simon Tatham. This allows a multiplexing
>    client to communicate with the master process using a subset of
>    the SSH packet and channels protocol over a Unix-domain socket,
>    with the main process acting as a proxy that translates channel
>    IDs, etc.  This allows multiplexing mode to run on systems that
>    lack file-descriptor passing (used by current multiplexing
>    code) and potentially, in conjunction with Unix-domain socket
>    forwarding, with the client and multiplexing master process on
>    different machines. Multiplexing proxy mode may be invoked using
>    "ssh -O proxy ..."
>  * sshd(8): Add a sshd_config DisableForwarding option that disables
>    X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
>    as anything else we might implement in the future. Like the
>    'restrict' authorized_keys flag, this is intended to be a simple
>    and future-proof way of restricting an account.
>  * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
>    method. This is identical to the currently-supported method named
>    "curve25519-sha256 at".
>  * sshd(8): Improve handling of SIGHUP by checking to see if sshd is
>    already daemonised at startup and skipping the call to daemon(3)
>    if it is. This ensures that a SIGHUP restart of sshd(8) will
>    retain the same process-ID as the initial execution. sshd(8) will
>    also now unlink the PidFile prior to SIGHUP restart and re-create
>    it after a successful restart, rather than leaving a stale file in
>    the case of a configuration error. bz#2641
>  * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
>    directives to appear in sshd_config Match blocks.
>  * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
>    those supported by AuthorizedKeysCommand (key, key type,
>    fingerprint, etc.) and a few more to provide access to the
>    contents of the certificate being offered.
>  * Added regression tests for string matching, address matching and
>    string sanitisation functions.
>  * Improved the key exchange fuzzer harness.
> Bugfixes
> --------
>  * ssh(1): Allow IdentityFile to successfully load and use
>    certificates that have no corresponding bare public key. bz#2617
>    certificate (and no
>  * ssh(1): Fix public key authentication when multiple
>    authentication is in use and publickey is not just the first
>    method attempted. bz#2642
>  * regress: Allow the PuTTY interop tests to run unattended. bz#2639
>  * ssh-agent(1), ssh(1): improve reporting when attempting to load
>    keys from PKCS#11 tokens with fewer useless log messages and more
>    detail in debug messages. bz#2610
>  * ssh(1): When tearing down ControlMaster connections, don't
>    pollute stderr when LogLevel=quiet.
>  * sftp(1): On ^Z wait for underlying ssh(1) to suspend before
>    suspending sftp(1) to ensure that ssh(1) restores the terminal mode
>    correctly if suspended during a password prompt.
>  * ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
>    prompt.
>  * ssh(1), sshd(8): Correctly report errors during sending of ext-
>    info messages.
>  * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
>    sequence NEWKEYS message.
>  * sshd(8): Correct list of supported signature algorithms sent in
>    the server-sig-algs extension. bz#2547
>  * sshd(8): Fix sending ext_info message if privsep is disabled.
>  * sshd(8): more strictly enforce the expected ordering of privilege
>    separation monitor calls used for authentication and allow them
>    only when their respective authentication methods are enabled
>    in the configuration.
>  * sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
>    on Unix/BSD but potentially crashy on Cygwin.
>  * Fix false positive reports caused by explicit_bzero(3) not being
>    recognised as a memory initialiser when compiled with
>    -fsanitize-memory.
>  * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
>    configuration examples.
> Portability
> -----------
>  * On environments configured with Turkish locales, fall back to the
>    C/POSIX locale to avoid errors in configuration parsing caused by
>    that locale's unique handling of the letters 'i' and 'I'. bz#2643
>  * sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
>    ptrace(PT_DENY_ATTACH, ..)
>  * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
>  * Fix compilation for libcrypto compiled without RIPEMD160 support.
>  * contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
>  * sshd(8): Improve PRNG reseeding across privilege separation and
>    force libcrypto to obtain a high-quality seed before chroot or
>    sandboxing.
>  * All: Explicitly test for broken strnvis. NetBSD added an strnvis
>    and unfortunately made it incompatible with the existing one in
>    OpenBSD and Linux's libbsd (the former having existed for over ten
>    years). Try to detect this mess, and assume the only safe option
>    if we're cross compiling.
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.

Member - Liberal International This is Ici
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!  Look at Psalms 14 and 53 on Atheism
Merry Christmas 2016 and Happy New Year 2017
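The potentially-incompatible changes quoted above (SSH v1 removal, UseLogin removal, 3des-cbc leaving the client default, pre-auth compression removal, and the new DisableForwarding option) are what an administrator would check an existing sshd_config against before upgrading to 7.4. The audit below is an added example, not code from OpenSSH or from either poster; the sshd_config it reads is a constructed sample, and it pattern-matches directives rather than implementing the full sshd_config grammar.

```shell
#!/bin/sh
# Added example, not from the OpenSSH release notes or the reply above:
# a pre-upgrade audit of an sshd_config against the potentially-incompatible
# changes listed for 7.4. The config below is a constructed sample.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config for a hypothetical host
Protocol 2,1
UseLogin yes
Ciphers aes256-ctr,aes128-ctr,3des-cbc
Compression yes
Match User backup
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    ClientAliveInterval 30'

# audit_sshd_config: reads an sshd_config on stdin, prints one finding per
# line and exits with the number of findings (0 means nothing to change).
# Keywords are matched case-insensitively, as sshd itself does; this is a
# pattern check, not a full sshd_config parser.
audit_sshd_config() {
    awk '
    BEGIN { n = 0; in_match = 0; fwd_denied = 0 }
    { sub(/#.*/, ""); if (NF == 0) next; key = tolower($1); val = tolower($2) }
    key == "match" { in_match = 1; fwd_denied = 0 }
    key == "protocol" && val ~ /(^|,)1(,|$)/ {
        print "Protocol lists 1: 7.4 removes server support for SSH v1"; n++ }
    key == "uselogin" {
        print "UseLogin is removed in 7.4; /bin/login no longer manages sessions"; n++ }
    key == "ciphers" && val ~ /(^|,)3des-cbc(,|$)/ {
        print "Ciphers includes 3des-cbc: 64-bit block ciphers leave the 7.4 client default (SWEET32)"; n++ }
    key == "compression" && val == "yes" {
        print "Compression yes: sshd 7.4 drops pre-authentication compression"; n++ }
    in_match && val == "no" &&
        key ~ /^(allowtcpforwarding|x11forwarding|allowagentforwarding)$/ {
        fwd_denied++
        if (fwd_denied == 3) {
            print "Match block disables forwarding piecemeal; 7.4 adds DisableForwarding as one future-proof switch"; n++ }
    }
    END { exit n }
    '
}

# Run against the constructed sample when executed directly; the exit status
# is the finding count, so a non-zero status here is the expected result.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config || echo "findings: $?"
```

Feed a real config with `audit_sshd_config < /etc/ssh/sshd_config` and treat a zero exit status as "no known 7.4 incompatibilities found by these patterns", not as proof the file parses under 7.4.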
