Please help test recent changes

Corinna Vinschen vinschen at redhat.com
Fri Jan 21 06:30:46 AEDT 2022


On Jan  7 09:52, Damien Miller wrote:
> Hi,
> 
> We've landed some fairly significant changes in OpenSSH recently and
> would appreciate your help in testing them. The biggest of the changes
> are:
> 
> 1. Conversion of the ssh and sshd mainloop from select() to poll()
> 
> This should be entirely invisible to users, so any behaviour change
> is a bug. If you see something and want to help debug it further,
> uncomment the DEBUG_CHANNEL_POLL #define in channels.c for heaps of
> extra debug logging.
> 
> 2. Restricted agent keys.
> 
> This is a large set of changes to add destination- and path-restricted
> keys to ssh-agent. A full writeup is on the website at
> https://www.openssh.com/agent-restrict.html - I'm interested to hear
> feedback on how this works in practice, UI and things that could be
> improved (as well as bug reports).
> 
> 3. Running down the remaining RSA/SHA2 corner-cases
> 
> There has been a fair bit of work to identify and fix the remaining
> cases where various things behaved badly wrt RSA signature algorithms.
> Recent fixes include hostbased authentication and UpdateHostkeys.
> Again, [almost] any change in visible behaviour here is a bug.
> 
> All of these changes are in git and will be in tomorrow's snapshot
> (20220108).

Took me a while but today I tested this on recent Cygwin.  The testsuite
fails at one point:

  run test hostkey-agent.sh ...
  [...]
  cert type sk-ssh-ed25519-cert-v01 at openssh.com
  cert type sk-ssh-ed25519-cert-v01 at openssh.com failed
  bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01 at openssh.com
  [...]
  bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
  failed hostkey agent

Looking into cat failed-sshd.log I notice this message for *all*
agent-key.*.pub files:

  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  Permissions 0644 for '/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub' are too open.
  It is required that your private key files are NOT accessible by others.
  This private key will be ignored.
  Unable to load host key "/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub": bad permissions

Shouldn't the testsuite have generated the files with correct permissions
in the first place?  And then again, these are PUB files.  Shouldn't
a 644 permission suffice?


Corinna
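The permission complaint quoted above comes from the check sshd applies before it loads a private key file. As an added illustration (not part of this thread, and not OpenSSH's own code), the script below reproduces that rule in Python so the files in a regress directory can be audited before a run. The rule it encodes is my understanding of OpenSSH's sshkey_perm_ok, stated here as an assumption: the check applies only to files owned by the calling user, and it rejects any file with a group or other permission bit set. The sample files it creates are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, Tuple

# Any group or other permission bit set on a private key file makes it
# "too open" in the message sshd prints.
GROUP_OTHER_BITS = 0o077


def key_perm_ok(path: str) -> Tuple[bool, str]:
    """Decide whether sshd would accept this file as a private key.

    Assumption (modeled on OpenSSH's sshkey_perm_ok): files owned by another
    user are not checked at all; files owned by the caller must have no
    group/other bits.  Returns (ok, reason).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != os.getuid():
        return True, "owned by another user; permission check skipped"
    if mode & GROUP_OTHER_BITS:
        return False, f"Permissions {mode:04o} for '{path}' are too open"
    return True, f"Permissions {mode:04o} for '{path}' are acceptable"


def audit(paths: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Run key_perm_ok over every candidate key file and collect the verdicts."""
    return {p: key_perm_ok(p) for p in paths}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample: a 0644 .pub file (as in the failing test) and a
    0600 private key file, both placeholders written to a temp directory."""
    workdir = tempfile.mkdtemp(prefix="agent-key-demo-")
    samples = (("agent-key.sample.pub", 0o644), ("agent-key.sample", 0o600))
    results = {}
    for name, mode in samples:
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)  # chmod sets the exact mode regardless of umask
        results[name] = key_perm_ok(path)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'ok ' if ok else 'BAD'} {name}: {reason}")
```

Running it shows the 0644 file rejected and the 0600 file accepted, which matches the log excerpt: the regress harness hands sshd a .pub file as a host key, so the private-key rule is what gets applied to it.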

