Call for testing: OpenSSH 7.2
Jeff Wieland
wieland at purdue.edu
Tue Feb 16 17:28:42 AEDT 2016
The Solaris privilege code breaks building on Solaris 10. If
you let configure just do its thing, you get the following error
when compiling:
"sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used
with the Solaris sandbox"
So, I did add "--with-solaris-privs" to the command line for
configure, but then I got the following error messages:
Undefined first referenced
symbol in file
priv_basicset openbsd-compat//libopenbsd-compat.a(port-solaris.o)
ld: fatal: symbol referencing errors. No output written to ssh
The function priv_basicset doesn't appear to exist on Solaris 10.
If I set --with-sandbox=none, the compile and "make tests" succeed
(except for the SUDO test, since sudo isn't in the path, and it
wouldn't work without munging the config anyway).
Damien Miller wrote:
> Hi,
>
> OpenSSH 7.2 is almost ready for release, so we would appreciate
> testing on as many platforms and systems as possible. This release
> contains many bugfixes and several new features.
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is available via Git at
> https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ autoreconf && ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the git
> revision log.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> We plan on retiring more legacy cryptography in a near-future
> release, specifically:
>
> * Refusing all RSA keys smaller than 1024 bits (the current minimum
> is 768 bits)
>
> This list reflects our current intentions, but please check the final
> release notes for future releases.
>
> Potentially-incompatible changes
> ================================
>
> This release disables a number of legacy cryptographic algorithms
> by default in ssh:
>
> * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
> and the rijndael-cbc aliases for AES.
>
> * MD5-based and truncated HMAC algorithms.
>
> These algorithms are already disabled by default in sshd.
>
> Changes since OpenSSH 7.1p2
> ===========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
> * ssh(1), sshd(8): remove unfinished and unused roaming code (was
> already forcibly disabled in OpenSSH 7.1p2).
>
> * ssh(1): eliminate fallback from untrusted X11 forwarding to
> trusted forwarding when the X server disables the SECURITY
> extension.
>
> * ssh(1), sshd(8): increase the minimum modulus size supported for
> diffie-hellman-group-exchange to 2048 bits.
>
> New Features
> ------------
>
> * all: add support for RSA signatures using SHA-256/512 hash
> algorithms based on draft-rsa-dsa-sha2-256-03.txt and
> draft-ssh-ext-info-04.txt.
>
> * ssh(1): Add an AddKeysToAgent client option which can be set to
> 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
> enabled, a private key that is used during authentication will be
> added to ssh-agent if it is running (with confirmation enabled if
> set to 'confirm').
>
> * sshd(8): add a new authorized_keys option "restrict" that includes
> all current and future key restrictions (no-*-forwarding, etc.).
> Also add permissive versions of the existing restrictions, e.g.
> "no-pty" -> "pty". This simplifies the task of setting up
> restricted keys and ensures they are maximally-restricted,
> regardless of any permissions we might implement in the future.
>
> * ssh(1): add ssh_config CertificateFile option to explicitly list
> certificates. bz#2436
>
> * ssh-keygen(1): allow ssh-keygen to change the key comment for all
> supported formats.
>
> * ssh-keygen(1): allow fingerprinting from standard input, e.g.
> "ssh-keygen -lf -"
>
> * ssh-keygen(1): allow fingerprinting multiple public keys in a
> file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
>
> * sshd(8): support "none" as an argument for sshd_config
> Foreground and ChrootDirectory. Useful inside Match blocks to
> override a global default. bz#2486
>
> * ssh-keygen(1): support multiple certificates (one per line) and
> reading from standard input (using "-f -") for "ssh-keygen -L"
>
> * ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
> certificates instead of plain keys.
>
> * ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
> hostname canonicalisation - treat them as already canonical and
> trailing '.' before matching ssh_config.
>
> Bugfixes
> --------
>
> * sftp(1): existing destination directories should not terminate
> recursive uploads (regression in openssh 6.8) bz#2528
>
> * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
> replies to unexpected messages during key exchange. bz#2949
>
> * ssh(1): refuse attempts to set ConnectionAttempts=0, which does
> not make sense and would cause ssh to print an uninitialised stack
> variable. bz#2500
>
> * ssh(1): fix errors when attempting to connect to scoped IPv6
> addresses with hostname canonicalisation enabled.
>
> * sshd_config(5): list a couple more options usable in Match blocks.
> bz#2489
>
> * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
>
> * ssh(1): expand tilde characters in filenames passed to -i options
> before checking whether or not the identity file exists. Avoids
> confusion for cases where shell doesn't expand (e.g. "-i ~/file"
> vs. "-i~/file"). bz#2481
>
> * ssh(1): do not prepend "exec" to the shell command run by "Match
> exec" in a config file, which could cause some commands to fail
> in certain environments. bz#2471
>
> * ssh-keyscan(1): fix output for multiple hosts/addrs on one line
> when host hashing or a non standard port is in use bz#2479
>
> * sshd(8): skip "Could not chdir to home directory" message when
> ChrootDirectory is active. bz#2485
>
> * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
>
> * sshd(8): avoid changing TunnelForwarding device flags if they are
> already what is needed; makes it possible to use tun/tap
> networking as non-root user if device permissions and interface
> flags are pre-established
>
> * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
> bz#2521
>
> * ssh(1): fix multiplexing master failure to notice client exit.
>
> * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
> empty key IDs. bz#1773
>
> * sshd(8): avoid printf of NULL argument. bz#2535
>
> * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
>
> * ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
> support.
>
> * ssh(1), sshd(8): fix connections with peers that use the key
> exchange guess feature of the protocol. bz#2515
>
> * sshd(8): include remote port number in log messages. bz#2503
>
> * ssh(1): don't try to load SSHv1 private key when compiled without
> SSHv1 support. bz#2505
>
> * ssh-agent(1), ssh(1): fix incorrect error messages during key
> loading and signing errors. bz#2507
>
> * ssh-keygen(1): don't leave empty temporary files when performing
> known_hosts file edits when known_hosts doesn't exist.
>
> * sshd(8): correct packet format for tcpip-forward replies for
> requests that don't allocate a port bz#2509
>
> * ssh(1), sshd(8): fix possible hang on closed output. bz#2469
>
> * ssh(1): expand %i in ControlPath to UID. bz#2449
>
> * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
>
> * ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
>
> * ssh(1): add a some debug output before DNS resolution; it's a
> place where ssh could previously silently stall in cases of
> unresponsive DNS servers. bz#2433
>
> * ssh(1): remove spurious newline in visual hostkey. bz#2686
>
> * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
>
> * ssh(1): fix expansion of HostkeyAlgorithms=+...
>
> Documentation
> -------------
>
> * ssh_config(5), sshd_config(5): update default algorithm lists to
> match current reality. bz#2527
>
> * ssh(1): mention -Q key-plain and -Q key-cert query options.
> bz#2455
>
> * sshd_config(8): more clearly describe what AuthorizedKeysFile=none
> does.
>
> * ssh_config(5): better document ExitOnForwardFailure. bz#2444
>
> * sshd(5): mention internal DH-GEX fallback groups in manual.
> bz#2302
>
> * sshd_config(5): better description for MaxSessions option.
> bz#2531
>
> Portability
> -----------
>
> * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
> Solaris fine-grained privileges. Including a pre-auth privsep
> sandbox and several pledge() emulations. bz#2511
>
> * Renovate redhat/openssh.spec, removing deprecated options and
> syntax.
>
> * configure: allow --without-ssl-engine with --without-openssl
>
> * sshd(8): fix multiple authentication using S/Key. bz#2502
>
> * sshd(8): read back from libcrypto RAND_* before dropping
> privileges. Avoids sandboxing violations with BoringSSL.
>
> * Fix name collision with system-provided glob(3) functions.
> bz#2463
>
> * Adapt Makefile to use ssh-keygen -A when generating host keys.
> bz#2459
>
> * configure: correct default value for --with-ssh1 bz#2457
>
> * configure: better detection of _res symbol bz#2259
>
> * support getrandom() syscall on Linux
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)496-1380 | West Lafayette, IN 47907
More information about the openssh-unix-dev
mailing list