Call for testing: OpenSSH 7.7

Hisashi T Fujinaka htodd at twofifty.com
Sat Mar 24 04:17:58 AEDT 2018


Not working on NetBSD-current for obvious reasons:

checking OpenSSL header version... 1010007f (OpenSSL 1.1.0g  2 Nov 2017)
checking OpenSSL library version... configure: error: OpenSSL >= 1.1.0 is not yet supported (have "1010007f (OpenSSL 1.1.0g  2 Nov 2017)")

On Thu, 22 Mar 2018, Damien Miller wrote:

> Hi,
>
> OpenSSH 7.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
> * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
>   implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
>   These versions were all released in or before 2001 and predate the
>   final SSH RFCs. The support in question isn't necessary for RFC-
>   compliant SSH implementations.
>
> Changes since OpenSSH 7.6
> =========================
>
> This is primarily a bugfix release.
>
> New Features
> ------------
>
> * All: Add experimental support for PQC XMSS keys (Extended Hash-
>   Based Signatures) based on the algorithm described in
>   https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
>   The XMSS signature code is experimental and not compiled in by
>   default.
>
> * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
>   to allow conditional configuration that depends on which routing
>   domain a connection was received on (currently supported on OpenBSD
>   and Linux).
>
> * sshd_config(5): Add an optional rdomain qualifier to the
>   ListenAddress directive to allow listening on different routing
>   domains. This is supported only on OpenBSD and Linux at present.
>
> * sshd_config(5): Add RDomain directive to allow the authenticated
>   session to be placed in an explicit routing domain. This is only
>   supported on OpenBSD at present.
>
> * sshd(8): Add "expiry-time" option for authorized_keys files to
>   allow for expiring keys.
>
> * ssh(1): Add a BindInterface option to allow binding the outgoing
>   connection to an interface's address (basically a more usable
>   BindAddress)
>
> * ssh(1): Expose device allocated for tun/tap forwarding via a new
>   %T expansion for LocalCommand. This allows LocalCommand to be used
>   to prepare the interface.
>
> * sshd(8): Expose the device allocated for tun/tap forwarding via a
>   new SSH_TUNNEL environment variable. This allows automatic setup of
>   the interface and surrounding network configuration automatically on
>   the server.
>
> * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
>   ssh://user@host or sftp://user@host/path.  Additional connection
>   parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
>   implemented since the ssh fingerprint format in the draft uses the
>   deprecated MD5 hash with no way to specify any other algorithm.
>
> * ssh-keygen(1): Allow certificate validity intervals that specify
>   only a start or stop time (instead of both or neither).
>
> * sftp(1): Allow "cd" and "lcd" commands with no explicit path
>   argument. lcd will change to the local user's home directory as
>   usual. cd will change to the starting directory for session (because
>   the protocol offers no way to obtain the remote user's home
>   directory). bz#2760
>
> * sshd(8): When doing a config test with sshd -T, only require the
>   attributes that are actually used in Match criteria rather than (an
>   incomplete list of) all criteria.
>
> * sshd(8): Fix support for clients that advertise a protocol version
>   of "1.99" (indicating that they are prepared to accept both SSHv1 and
>   SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
>   support. bz#2810
>
> Bugfixes
> --------
>
> * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
>   a rsa-sha2-256/512 signature was requested. This condition is possible
>   when an old or non-OpenSSH agent is in use. bz#2799
>
> * ssh(1)/sshd(8): More strictly check signature types during key
>   exchange against what was negotiated. Prevents downgrade of RSA
>   signatures made with SHA-256/512 to SHA-1.
>
> * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
>   to fatally exit if presented an invalid signature request message.
>
> * sshd_config(5): Accept yes/no flag options case-insensitively, as
>   has been the case in ssh_config(5) for a long time. bz#2664
>
> * ssh(1): Improve error reporting for failures during connection.
>   Under some circumstances misleading errors were being shown. bz#2814
>
> * ssh-keyscan(1): Add -D option to allow printing of results directly
>   in SSHFP format. bz#2821
>
> * regress tests: fix PuTTY interop test broken in last release's SSHv1
>   removal. bz#2823
>
> * ssh(1): Compatibility fix for some servers that erroneously drop the
>   connection when the IUTF8 (RFC8160) option is sent.
>
> * scp(1): Disable RemoteCommand and RequestTTY in the ssh session
>   started by scp (sftp was already doing this.)
>
> * ssh-keygen(1): Refuse to create a certificate with an unusable
>   number of principals.
>
> * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
>   public key during key generation. Previously it would silently
>   ignore errors writing the comment and terminating newline.
>
> * ssh(1): Do not modify hostname arguments that are addresses by
>   automatically forcing them to lower-case. Instead canonicalise them
>   to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
>   against known_hosts. bz#2763
>
> * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
>   prompts. bz#2803
>
> * sftp(1): Have sftp print a warning about shell cleanliness when
>   decoding the first packet fails, which is usually caused by shells
>   polluting stdout of non-interactive startups. bz#2800
>
> * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
>   time to monotonic time, allowing the packet layer to better function
>   over a clock step and avoiding possible integer overflows during
>   steps.
>
> * Numerous manual page fixes and improvements.
>
> Portability
> -----------
>
> * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
>   sandbox violations on some environments.
>
> * sshd(8): Remove UNICOS support. The hardware and software are literal
>   museum pieces and support in sshd is too intrusive to justify
>   maintaining.
>
> * All: Build and link with "retpoline" flags when available to mitigate
>   the "branch target injection" style (variant 2) of the Spectre
>   branch-prediction vulnerability.
>
> * All: Add auto-generated dependency information to Makefile.
>
> * Numerous fixes to the RPM spec files.
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
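
The configure failure quoted at the top reports the OpenSSL header version as the raw hex 1010007f. The following is an added example (not part of this thread or of the OpenSSH configure script) that decodes that pre-3.0 OPENSSL_VERSION_NUMBER layout into the familiar "1.1.0g" form and reproduces the one rule visible in the error output, that portable OpenSSH 7.7 rejects anything at or above 1.1.0; the function names are my own, and the lower bound configure also enforces is not modelled here because the message does not show it.

```c
#include <stdio.h>
#include <string.h>

/* Decode a pre-3.0 OPENSSL_VERSION_NUMBER laid out as 0xMNNFFPPS
 * (major, minor, fix, patch, status) into the usual text form, so that
 * 0x1010007fUL reads as "1.1.0g". Returns the length written, or -1. */
int openssl_version_str(unsigned long v, char *out, size_t cap)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff, status = v & 0xf;
    char letter[2] = { 0, 0 }, suffix[8] = "";

    /* patch 1..26 maps to the release letter a..z; 0 means no letter */
    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);
    /* status 0xf is a release, 0 a development snapshot, 1..0xe a beta */
    if (status == 0)
        strcpy(suffix, "-dev");
    else if (status != 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    int n = snprintf(out, cap, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* The configure rule this thread trips over: portable OpenSSH 7.7 rejects
 * any OpenSSL at or above 1.1.0 (header version 0x10100000). This is an
 * illustrative reimplementation, not the configure script's own check. */
int openssh77_accepts_openssl(unsigned long v)
{
    return v < 0x10100000UL;
}

int main(void)
{
    char buf[32];
    unsigned long v = 0x1010007fUL;   /* the value printed by configure above */
    openssl_version_str(v, buf, sizeof buf);
    printf("OpenSSL %s -> %s\n", buf,
           openssh77_accepts_openssl(v) ? "accepted" : "not yet supported");
    return 0;
}
```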

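Two of the quoted bugfix items concern signature types: ssh(1) now warns when an agent hands back an ssh-rsa (SHA-1) signature after rsa-sha2-256/512 was requested, and both ssh(1) and sshd(8) now check the signature type in key exchange strictly against what was negotiated. The following is an added example, not OpenSSH's own code, of what such a check looks like: it parses the "string sig-type, string sig-bytes" signature blob from RFC 4253 section 6.6 and refuses any blob whose type does not match the negotiated algorithm, so a SHA-1 signature cannot be substituted for a SHA-2 one; the function names and sample blobs are constructed for illustration, and certificate key types are not handled.

```c
#include <stdint.h>
#include <string.h>

/* Result codes for check_sig_type(). */
enum { SIG_OK = 0, SIG_MALFORMED = 1, SIG_TYPE_MISMATCH = 2 };

/* Read one SSH wire string (uint32 big-endian length + bytes); 0 ok, -1 truncated. */
static int get_string(const uint8_t **p, size_t *left,
                      const uint8_t **s, size_t *slen)
{
    if (*left < 4) return -1;
    uint32_t n = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                 ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    if (n > *left) return -1;   /* length claims more bytes than remain */
    *s = *p; *slen = n; *p += n; *left -= n;
    return 0;
}

/* Append one SSH wire string to buf (current length len); returns the new
 * length, or 0 if it does not fit. Used only to build sample blobs here. */
size_t put_string(uint8_t *buf, size_t cap, size_t len, const void *s, size_t slen)
{
    if (len > cap || cap - len < 4 + slen) return 0;
    buf[len] = (uint8_t)(slen >> 24); buf[len + 1] = (uint8_t)(slen >> 16);
    buf[len + 2] = (uint8_t)(slen >> 8); buf[len + 3] = (uint8_t)slen;
    memcpy(buf + len + 4, s, slen);
    return len + 4 + slen;
}

/* A signature blob is "string sig-type, string sig-bytes" (RFC 4253 6.6).
 * Accept it only when sig-type equals the negotiated algorithm exactly, so
 * an "ssh-rsa" (SHA-1) signature cannot stand in for rsa-sha2-256/512. */
int check_sig_type(const uint8_t *blob, size_t len, const char *negotiated)
{
    const uint8_t *p = blob, *type, *sig;
    size_t left = len, tlen, slen;

    if (get_string(&p, &left, &type, &tlen) != 0 ||
        get_string(&p, &left, &sig, &slen) != 0 || left != 0 || slen == 0)
        return SIG_MALFORMED;   /* truncated, trailing junk, or empty signature */
    if (tlen != strlen(negotiated) || memcmp(type, negotiated, tlen) != 0)
        return SIG_TYPE_MISMATCH;
    return SIG_OK;
}
```

The real verification step (checking sig-bytes against the key) would follow only after check_sig_type() returns SIG_OK.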