Call for testing: OpenSSH 7.7

Peter Moody mindrot at hda3.com
Sat Mar 24 09:06:31 AEDT 2018


> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.

I've got one weird case.

doing pubkey auth with certificates, if I have both the key and cert
loaded in my agent, I see:

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519)
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host

pmoody at host:~$

but if I only have the certificate, I see:

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
warning: agent returned different signature type ssh-ed25519 (expected
ssh-ed25519-cert-v01 at openssh.com)

pmoody at host:~$

it still works, but it prints the error about different signature type.

the ssh-agent from the snapshot is listening on /tmp/ssh.sock2

this is from High Sierra:

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.13.3
BuildVersion: 17D47

built like:

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: darwin

              Host: x86_64-apple-darwin17.4.0
          Compiler: gcc
    Compiler flags: -g -O2 -pipe -Qunused-arguments
-Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/opt/openssl/include
      Linker flags: -L/usr/local/opt/openssl/lib -fstack-protector-strong -pie
         Libraries: -lcrypto -lz  -lresolv
         +for sshd:  -lsandbox

with:

$ /usr/local/opt/openssl/bin/openssl version
OpenSSL 1.0.2n  7 Dec 2017

