OpenSSH 5.1: call for testing
andyb1 at andy-t.org
Tue Jul 8 11:22:17 EST 2008
Compiled and tested successfully on
On Mon, 7 Jul 2008, Damien Miller wrote:
> OpenSSH 5.1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release is one of
> the biggest in recent years, with two hackathons' worth of improvements
> and fixes for some of our most recalcitrant bugs.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.
> New features:
> * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
> and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
> ssh_config(5) option "VisualHostKey". The intent is to render
> SSH host keys in a visual form that is amenable to easy recall and
> rejection of changed host keys. This technique inspired by the
> graphical hash visualisation schemes known as "random art[*]", and
> by Dan Kaminsky's musings at 23C3 in Berlin.
> Fingerprint visualisation in is currently disabled by default, as the
> algorithm used to generate the random art is still subject to change.
> [*] "Hash Visualization: a New Technique to improve Real-World
> Security", Perrig A. and Song D., 1999, International Workshop on
> Cryptographic Techniques and E-Commerce (CrypTEC '99)
> * sshd_config(5) now supports CIDR address/masklen matching in "Match
> address" blocks, with a fallback to classic wildcard matching. For
> Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
> PasswordAuthentication yes
> * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
> from="..." restrictions, also with a fallback to classic wildcard
> * Added an extended test mode (-T) to sshd(8) to request that it write
> its effective configuration to stdout and exit. Extended test mode
> also supports the specification of connection parameters (username,
> source address and hostname) to test the application of
> sshd_config(5) Match rules.
> * sftp-server(8) now supports extension methods statvfs at openssh.com and
> fstatvfs at openssh.com that implement statvfs(2)-like operations.
> * sftp(1) now has a "df" command to the sftp client that uses the
> statvfs at openssh.com to produce a df(1)-like display of filesystem
> space and inode utilisation (requires statvfs at openssh.com support on
> the server)
> * Added a MaxSessions option to sshd_config(5) to allow control of the
> number of multiplexed sessions supported over a single TCP connection.
> This allows increasing the number of allowed sessions above the
> previous default of 10, disabling connection multiplexing
> (MaxSessions=1) or disallowing login/shell/subsystem sessions
> entirely (MaxSessions=0).
> * Added a no-more-sessions at openssh.com global request extension that is
> sent from ssh(1) to sshd(8) when the client knows that it will never
> request another session (i.e. when session multiplexing is disabled).
> This allows a server to disallow further session requests and
> terminate the session in cases where the client has been hijacked.
> * ssh-keygen(1) now supports the use of the -l option in combination
> with -F to search for a host in ~/.ssh/known_hosts and display its
> * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
> * Added an AllowAgentForwarding option to sshd_config(8) to control
> whether authentication agent forwarding is permitted. Note that this
> is a loose control, as a client may install their own unofficial
> * Avoid unnecessary malloc/copy/free when receiving network data,
> resulting in a ~10% speedup
> * ssh(1) and sshd(8) will now try additional addresses when connecting
> to a port forward destination whose DNS name resolves to more than
> one address. The previous behaviour was to try the only first address
> and give up if that failed.
> * ssh(1) and sshd(8) now support signalling that channels are
> half-closed for writing, through a channel protocol extension
> notification "eow at openssh.com". This allows propagation of closed
> file descriptors, so that commands such as:
> "ssh -2 localhost od /bin/ls | true"
> do not send unnecessary data over the wire. (bz#85)
> * sshd(8): increased the default size of ssh protocol 1 ephemeral keys
> from 768 to 1024 bits.
> * When ssh(1) has been requested to fork after authentication
> ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
> after replies for any -R forwards have been seen. Allows for robust
> detection of -R forward failure when using -f.
> * "Match group" blocks in sshd_config(5) now support negation of
> groups. E.g. "Match group staff,!guests"
> * sftp(1) and sftp-server(8) now allow chmod-like operations to set
> set[ug]id/sticky bits.
> * The MaxAuthTries option is now permitted in sshd_config(5) match
> * Multiplexed ssh(1) sessions now support a subset of the ~ escapes
> that are available to a primary connection.
> * ssh(1) connection multiplexing will now fall back to creating a new
> connection in most error cases.
> * Added some basic interoperability tests against Twisted Conch.
> * Documented OpenSSH's extensions to and deviations from the published
> SSH protocols (the PROTOCOL file in the distribution)
> * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
> * Make ssh(1) deal more gracefully with channel requests that fail.
> Previously it would optimistically assume that requests would always
> succeed, which could cause hangs if they did not (e.g. when the
> server runs out of file descriptors).
> * ssh(1) now reports multiplexing errors via the multiplex slave's
> stderr where possible (subject to LogLevel in the mux master).
> * ssh(1) and sshd(8) now send terminate protocol banners with CR+LF for
> protocol 2 to comply with RFC 4253. Previously they were terminated
> with CR alone. Protocol 1 banners remain CR terminated.
> * Merged duplicate authentication file checks in sshd(8) and refuse to
> read authorised_keys and .shosts from non-regular files.
> * Ensure that sshd(8)'s umask disallows at least group and world write,
> even if a more permissive one has been inherited.
> * Suppress the warning message from sshd(8) when changing to a
> non-existent user home directory after chrooting.
> * Mention that scp(1) follows symlinks when performing recursive
> * Prevent sshd(8) from erroneously applying public key restrictions
> leaned from ~/.ssh/authorized_keys to other authentication methods
> when public key authentication subsequently fails.
> * Fix protocol keepalive timeouts - in some cases, keepalive packets
> were being sent, but the connection was not being closed when the
> limit for missing replies was exceeded.
> * Fix ssh(1) sending invalid TTY modes when a TTY was forced (ssh -tt)
> but stdin was not a TTY.
> * ssh(1) will now exit with a non-zero exit status if
> ExitOnForwardFailure was set and forwardings were disabled due to a
> failed host key check.
> * Fix MaxAuthTries tests to disallow a free authentication try to
> clients that skipped the protocol 2 "none" authentication method.
> * bz#1363: Make keepalive timeouts apply while synchronously waiting
> for a packet, particularly during key renegotiation.
> * sshd(8) has been audited to eliminate fd leaks and calls to fatal()
> in conditions of file descriptor exhaustion.
> Portable OpenSSH-specific bugfixes
> * Avoid a sshd(8) hang-on-exit on Solaris caused by depending on the
> success of isatty() on a PTY master (undefined behaviour). Probably
> affected other platforms too.
> * bz#1083: Fixed test for locked accounts on HP/UX with shadowed
> passwords disabled.
> * bz#1386: Disable poll() fallback in atomiciov for Tru64. readv
> doesn't seem to be a comparable object there, which lead to
> compilation errors.
> * bz#1447: Fall back to racy rename if link returns EXDEV.
> * bz#1467: Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
> some platforms (HP nonstop) it is a distinct errno.
> * bz#1240: Avoid NULL dereferences in ancient sigaction replacement
> * bz#1276: Avoid linking against libgssapi, which despite its name
> doesn't seem to implement all of GSSAPI.
> * bz#1112: Use explicit noreturn attribute instead of __dead, fixing
> compilation problems on Interix.
> * bz#1241: Support password expiry on Tru64 SIA systems.
> * bz#1462: Fix an UMAC alignment problem that manifested on Itanium
> Damien Miller
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
More information about the openssh-unix-dev