Call for testing: OpenSSH 7.4

Darren Tucker dtucker at
Fri Dec 16 15:06:25 AEDT 2016

On Thu, Dec 15, 2016 at 4:22 PM, Zev Weiss <zev at> wrote:
> I tested (or tried) git commit b737e4d7 on three systems, with somewhat
> mixed results.

Thanks for the comprehensive testing!

> On Mac OSX (macOS?) 10.9, configure failed with:
>    ...
>    checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h  3 May 2016)
>    checking OpenSSL library version... 009081df (OpenSSL 0.9.8zg 14 July
> 2015)
>    checking whether OpenSSL's headers match the library... no
>    configure: error: Your OpenSSL headers do not match your
>         library. Check config.log for details.

I think that's due to the headers and libraries supplied (or not) by Apple.

> A second attempt with configure's openssl-dir pointed at a macports install
> in /opt/local built successfully and passed all tests, though there were
> some warnings during the build (mostly noticed just because I configured
> with -Werror and then manually papered over them; not sure how important
> these really are):
> - daemon() deprecated (ssh.c, sshd.c)
> - utmp, login, logout, logwtmp deprecated (loginrec.c)
> - sandbox_init() deprecated (sandbox-darwin.c)

I don't think there's much we can do about these without abandoning
earlier OS releases.

> - struct monitor declared in ssh_sandbox_init() parameter list
> (sandbox-darwin.c)

Missing monitor.h include.  Harmless (it's never used), now fixed.

> - set-but-unused 'flag' variable in sys_tun_open() (port-tun.c)

True, the code that uses it is inside an ifdef.  Might look at this later.

> On Void Linux (which uses LibreSSL, for what it's worth): unable to compile
> due to undeclared arc4random*() functions.  The symbols exist in libcrypto
> so configure's tests for them pass, but they're not declared in any header
> files.  I'm not sure where exactly these are "supposed" to be declared, so I
> don't know if this is a problem with OpenSSH or LibreSSL or some packaging
> bungle on Void's part.

Don't know about this one.  Might install a VM to look at this if I
get a chance.

> On Debian testing: discovered a small-but-significant problem in auth.c's
> allowed_user() function.  Commit 010359b3 expanded the body of the loop that
> checks DenyUsers entries, but didn't add the necessary braces around it, so
> it didn't exactly have the intended effect, instead resulting in only the
> last entry in DenyUsers actually being enforced.  (Credit to gcc's
> -Wmisleading-indentation warning here.)

Nice find!  Fixed.

> The attached patch 0001-Unbreak-DenyUsers-with-1-user-specified.patch fixes
> the bug; the next two patches

All patches applied.

Thank you.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list