Call for testing: OpenSSH 7.4

Zev Weiss zev at
Thu Dec 15 16:22:51 AEDT 2016

On Wed, Dec 14, 2016 at 11:53:32AM +1100, Damien Miller wrote:
>OpenSSH 7.4 is almost ready for release, so we would appreciate testing
>on as many platforms and systems as possible. This release contains some
>substantial new features and a number of bugfixes.


I tested (or tried) git commit b737e4d7 on three systems, with somewhat 
mixed results.

On Mac OSX (macOS?) 10.9, configure failed with:

    checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h  3 May 2016)
    checking OpenSSL library version... 009081df (OpenSSL 0.9.8zg 14 July 2015)
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your
	library. Check config.log for details.

A second attempt with configure's openssl-dir pointed at a macports 
install in /opt/local built successfully and passed all tests, though 
there were some warnings during the build (mostly noticed just because I 
configured with -Werror and then manually papered over them; not sure 
how important these really are):

 - daemon() deprecated (ssh.c, sshd.c)
 - utmp, login, logout, logwtmp deprecated (loginrec.c)
 - sandbox_init() deprecated (sandbox-darwin.c)
 - struct monitor declared in ssh_sandbox_init() parameter list 
 - set-but-unused 'flag' variable in sys_tun_open() (port-tun.c)

On Void Linux (which uses LibreSSL, for what it's worth): unable to 
compile due to undeclared arc4random*() functions.  The symbols exist in 
libcrypto so configure's tests for them pass, but they're not declared 
in any header files.  I'm not sure where exactly these are "supposed" to 
be declared, so I don't know if this is a problem with OpenSSH or 
LibreSSL or some packaging bungle on Void's part.

On Debian testing: discovered a small-but-significant problem in 
auth.c's allowed_user() function.  Commit 010359b3 expanded the body of 
the loop that checks DenyUsers entries, but didn't add the necessary 
braces around it, so it didn't exactly have the intended effect, instead 
resulting in only the last entry in DenyUsers actually being enforced.  
(Credit to gcc's -Wmisleading-indentation warning here.)

The attached patch 0001-Unbreak-DenyUsers-with-1-user-specified.patch 
fixes the bug; the next two patches 
(0002-Add-and-use-stop_sshd-helper-function.patch and 
0003-Add-regression-test-for-AllowUsers-DenyUsers.patch) add a 
regression test that detects it (failing before and passing after patch 

With those patches applied a -Werror build completed successfully and 
passed all tests.

(I also noticed a mis-typed error message in dh.c, addressed in the 
attached 0004-Fix-mis-worded-error-message-in-choose_dh.patch.)



More information about the openssh-unix-dev mailing list
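
The DenyUsers failure described in the message above, modelled as an added example (this is not OpenSSH's auth.c and not part of the original post). The names match_entry, allowed_buggy and allowed_fixed are hypothetical, exact string comparison stands in for OpenSSH's pattern matching, and the deny list is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSH's pattern matching: exact compare,
 * 1 = entry matches the user, 0 = it does not. */
static int match_entry(const char *user, const char *entry)
{
    return strcmp(user, entry) == 0;
}

/* Buggy shape: the loop body has two statements but no braces, so only the
 * assignment repeats. The check runs once, after the loop, on the result
 * for the last entry. gcc -Wall reports -Wmisleading-indentation here.
 * Returns 1 if the login is allowed, 0 if it is denied. */
int allowed_buggy(const char *user, const char *const *deny, size_t n)
{
    int r = 0;
    size_t i;

    for (i = 0; i < n; i++)
        r = match_entry(user, deny[i]);
        if (r == 1)     /* indented like the loop body, but outside it */
            return 0;
    return 1;
}

/* Fixed shape: braces put the check inside the loop, so every entry counts. */
int allowed_fixed(const char *user, const char *const *deny, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (match_entry(user, deny[i]) == 1)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed deny list, standing in for "DenyUsers alice bob". */
    const char *const deny[] = { "alice", "bob" };

    printf("buggy: alice allowed=%d, bob allowed=%d\n",
        allowed_buggy("alice", deny, 2), allowed_buggy("bob", deny, 2));
    printf("fixed: alice allowed=%d, bob allowed=%d\n",
        allowed_fixed("alice", deny, 2), allowed_fixed("bob", deny, 2));
    return 0;
}
```

A regression test for this class of bug needs a deny list with more than one entry and must try a user who is not the last entry, since a single-entry list passes in both versions.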