Call for testing: OpenSSH 7.2

Jeff Wieland wieland at purdue.edu
Tue Feb 16 17:28:42 AEDT 2016


The Solaris privilege code breaks building on Solaris 10.  If
you let configure just do its thing, you get the following error
when compiling:

"sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used 
with the Solaris sandbox"

So, I did add "--with-solaris-privs" to the command line for
configure, but then I got the following error messages:

Undefined                       first referenced
  symbol                             in file
priv_basicset openbsd-compat//libopenbsd-compat.a(port-solaris.o)
ld: fatal: symbol referencing errors. No output written to ssh

The function priv_basicset doesn't appear to exist on Solaris 10.

If I set --with-sandbox=none, the compile and "make tests" succeed
(except for the SUDO test, since sudo isn't in the path, and it
wouldn't work without munging the config anyway).

Damien Miller wrote:
> Hi,
>
> OpenSSH 7.2 is almost ready for release, so we would appreciate
> testing on as many platforms and systems as possible. This release
> contains many bugfixes and several new features.
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is available via Git at
> https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ autoreconf && ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the git
> revision log.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> We plan on retiring more legacy cryptography in a near-future
> release, specifically:
>
>   * Refusing all RSA keys smaller than 1024 bits (the current minimum
>     is 768 bits)
>
> This list reflects our current intentions, but please check the final
> release notes for future releases.
>
> Potentially-incompatible changes
> ================================
>
> This release disables a number of legacy cryptographic algorithms
> by default in ssh:
>
>   * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
>     and the rijndael-cbc aliases for AES.
>
>   * MD5-based and truncated HMAC algorithms.
>
> These algorithms are already disabled by default in sshd.
>
> Changes since OpenSSH 7.1p2
> ===========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
>   * ssh(1), sshd(8): remove unfinished and unused roaming code (was
>     already forcibly disabled in OpenSSH 7.1p2).
>   
>   * ssh(1): eliminate fallback from untrusted X11 forwarding to
>     trusted forwarding when the X server disables the SECURITY
>     extension.
>
>   * ssh(1), sshd(8): increase the minimum modulus size supported for
>     diffie-hellman-group-exchange to 2048 bits.
>
> New Features
> ------------
>
>   * all: add support for RSA signatures using SHA-256/512 hash
>     algorithms based on draft-rsa-dsa-sha2-256-03.txt and
>     draft-ssh-ext-info-04.txt.
>
>   * ssh(1): Add an AddKeysToAgent client option which can be set to
>     'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When
>     enabled, a private key that is used during authentication will be
>     added to ssh-agent if it is running (with confirmation enabled if
>     set to 'confirm').
>   
>   * sshd(8): add a new authorized_keys option "restrict" that includes
>     all current and future key restrictions (no-*-forwarding, etc.).
>     Also add permissive versions of the existing restrictions, e.g.
>     "no-pty" -> "pty". This simplifies the task of setting up
>     restricted keys and ensures they are maximally-restricted,
>     regardless of any permissions we might implement in the future.
>      
>   * ssh(1): add ssh_config CertificateFile option to explicitly list
>     certificates. bz#2436
>   
>   * ssh-keygen(1): allow ssh-keygen to change the key comment for all
>     supported formats.
>
>   * ssh-keygen(1): allow fingerprinting from standard input, e.g.
>     "ssh-keygen -lf -"
>
>   * ssh-keygen(1): allow fingerprinting multiple public keys in a
>     file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
>
>   * sshd(8): support "none" as an argument for sshd_config
>     Foreground and ChrootDirectory. Useful inside Match blocks to
>     override a global default. bz#2486
>
>   * ssh-keygen(1): support multiple certificates (one per line) and
>     reading from standard input (using "-f -") for "ssh-keygen -L"
>      
>   * ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
>     certificates instead of plain keys.
>   
>   * ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
>     hostname canonicalisation - treat them as already canonical and
>     trailing '.' before matching ssh_config.
>
> Bugfixes
> --------
>
>   * sftp(1): existing destination directories should not terminate
>     recursive uploads (regression in openssh 6.8) bz#2528
>
>   * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
>     replies to unexpected messages during key exchange. bz#2949
>
>   * ssh(1): refuse attempts to set ConnectionAttempts=0, which does
>     not make sense and would cause ssh to print an uninitialised stack
>     variable. bz#2500
>
>   * ssh(1): fix errors when attempting to connect to scoped IPv6
>     addresses with hostname canonicalisation enabled.
>
>   * sshd_config(5): list a couple more options usable in Match blocks.
>     bz#2489
>
>   * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
>      
>   * ssh(1): expand tilde characters in filenames passed to -i options
>     before checking whether or not the identity file exists. Avoids
>     confusion for cases where shell doesn't expand (e.g. "-i ~/file"
>     vs. "-i~/file"). bz#2481
>
>   * ssh(1): do not prepend "exec" to the shell command run by "Match
>     exec" in a config file, which could cause some commands to fail
>     in certain environments. bz#2471
>
>   * ssh-keyscan(1): fix output for multiple hosts/addrs on one line
>     when host hashing or a non standard port is in use bz#2479
>   
>   * sshd(8): skip "Could not chdir to home directory" message when
>     ChrootDirectory is active. bz#2485
>
>   * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
>      
>   * sshd(8): avoid changing TunnelForwarding device flags if they are
>     already what is needed; makes it possible to use tun/tap
>     networking as non-root user if device permissions and interface
>     flags are pre-established
>
>   * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
>     bz#2521
>
>   * ssh(1): fix multiplexing master failure to notice client exit.
>
>   * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
>     empty key IDs. bz#1773
>
>   * sshd(8): avoid printf of NULL argument. bz#2535
>
>   * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
>   
>   * ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
>     support.
>
>   * ssh(1), sshd(8): fix connections with peers that use the key
>     exchange guess feature of the protocol. bz#2515
>
>   * sshd(8): include remote port number in log messages. bz#2503
>
>   * ssh(1): don't try to load SSHv1 private key when compiled without
>     SSHv1 support. bz#2505
>
>   * ssh-agent(1), ssh(1): fix incorrect error messages during key
>     loading and signing errors. bz#2507
>
>   * ssh-keygen(1): don't leave empty temporary files when performing
>     known_hosts file edits when known_hosts doesn't exist.
>
>   * sshd(8): correct packet format for tcpip-forward replies for
>     requests that don't allocate a port bz#2509
>
>   * ssh(1), sshd(8): fix possible hang on closed output. bz#2469
>      
>   * ssh(1): expand %i in ControlPath to UID. bz#2449
>
>   * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
>   
>   * ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
>
>   * ssh(1): add a some debug output before DNS resolution; it's a
>     place where ssh could previously silently stall in cases of
>     unresponsive DNS servers. bz#2433
>      
>   * ssh(1): remove spurious newline in visual hostkey. bz#2686
>   
>   * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
>   
>   * ssh(1): fix expansion of HostkeyAlgorithms=+...
>
> Documentation
> -------------
>
>   * ssh_config(5), sshd_config(5): update default algorithm lists to
>     match current reality. bz#2527
>
>   * ssh(1): mention -Q key-plain and -Q key-cert query options.
>     bz#2455
>
>   * sshd_config(8): more clearly describe what AuthorizedKeysFile=none
>     does.
>
>   * ssh_config(5): better document ExitOnForwardFailure. bz#2444
>
>   * sshd(5): mention internal DH-GEX fallback groups in manual.
>     bz#2302
>
>   * sshd_config(5): better description for MaxSessions option.
>     bz#2531
>
> Portability
> -----------
>
>   * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
>     Solaris fine-grained privileges. Including a pre-auth privsep
>     sandbox and several pledge() emulations. bz#2511
>
>   * Renovate redhat/openssh.spec, removing deprecated options and
>     syntax.
>
>   * configure: allow --without-ssl-engine with --without-openssl
>   
>   * sshd(8): fix multiple authentication using S/Key. bz#2502
>
>   * sshd(8): read back from libcrypto RAND_* before dropping
>     privileges.  Avoids sandboxing violations with BoringSSL.
>
>   * Fix name collision with system-provided glob(3) functions.
>     bz#2463
>
>   * Adapt Makefile to use ssh-keygen -A when generating host keys.
>     bz#2459
>   
>   * configure: correct default value for --with-ssh1 bz#2457
>
>   * configure: better detection of _res symbol bz#2259
>
>   * support getrandom() syscall on Linux
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>    Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
           Jeff Wieland            |         Purdue University
    Network Systems Administrator  |        ITIS UNIX Platforms
        Voice: (765)496-8234       |        155 S. Grant Street
         FAX: (765)496-1380        |      West Lafayette, IN 47907



More information about the openssh-unix-dev mailing list