From djm at mindrot.org Fri Aug 1 10:28:26 2014
From: djm at mindrot.org (Damien Miller)
Date: Fri, 1 Aug 2014 10:28:26 +1000 (EST)
Subject: corrupted copy in regress/multiplex.sh
In-Reply-To: <20140731091935.39219cf1@leda.localdomain>
References: <20140725091450.7a537255@leda.localdomain> <20140731091935.39219cf1@leda.localdomain>
Message-ID:

On Thu, 31 Jul 2014, Christian Hesse wrote:

> Christian Hesse on Fri, 2014/07/25 09:14:
> > Hello everybody,
> >
> > after installing openbsd-netcat some tests in multiplex.sh do still fail for
> > me. Sadly this happens when trying to build a package only, everything works
> > just fine if I try to debug this. Any ideas? Logfile failed-regress.log is
> > attached.
>
> Looks like the copy is truncated for any reason... In some really rare cases
> the tests succeed. (Though I have never seen both to succeed at the same
> time.) Still no clue what really is the culprit.

I'm looking at this at the moment. It happens when the test is run with stdin set to /dev/null - I thought I had it figured out yesterday, but now I'm not so sure...

-d

From djm at mindrot.org Fri Aug 1 10:42:17 2014
From: djm at mindrot.org (Damien Miller)
Date: Fri, 1 Aug 2014 10:42:17 +1000 (EST)
Subject: corrupted copy in regress/multiplex.sh
In-Reply-To:
References: <20140725091450.7a537255@leda.localdomain> <20140731091935.39219cf1@leda.localdomain>
Message-ID:

On Fri, 1 Aug 2014, Damien Miller wrote:

> I'm looking at this at the moment. It happens when the test is run with
> stdin set to /dev/null - I thought I had it figured out yesterday, but now
> I'm not so sure...

I think this fixes it. nc was closing as soon as it saw an EOF on stdin, regardless of data still coming from the socket.

diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 693211b..b33e732 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -89,7 +89,7 @@ trace "forward over TCP/IP and check result" $NC -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} & netcat_pid=$! ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L127.0.0.1:$((${PORT} + 2)):127.0.0.1:$((${PORT} + 1)) otherhost >>$TEST_SSH_LOGFILE 2>&1 -$NC 127.0.0.1 $((${PORT} + 2)) > ${COPY} +$NC -q5 127.0.0.1 $((${PORT} + 2)) > ${COPY} < /dev/null cmp ${DATA} ${COPY} || fail "ssh: corrupted copy of ${DATA}" kill $netcat_pid 2>/dev/null rm -f ${COPY} $OBJ/unix-[123].fwd @@ -99,7 +99,7 @@ $NC -Ul $OBJ/unix-1.fwd < ${DATA} & netcat_pid=$! ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L$OBJ/unix-2.fwd:$OBJ/unix-1.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1 ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R$OBJ/unix-3.fwd:$OBJ/unix-2.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1 -$NC -U $OBJ/unix-3.fwd > ${COPY} +$NC -q5 -U $OBJ/unix-3.fwd > ${COPY} /dev/null rm -f ${COPY} $OBJ/unix-[123].fwd

From djm at mindrot.org Fri Aug 1 14:41:29 2014
From: djm at mindrot.org (Damien Miller)
Date: Fri, 1 Aug 2014 14:41:29 +1000 (EST)
Subject: corrupted copy in regress/multiplex.sh
In-Reply-To:
References: <20140725091450.7a537255@leda.localdomain> <20140731091935.39219cf1@leda.localdomain>
Message-ID:

On Fri, 1 Aug 2014, Damien Miller wrote:

> On Fri, 1 Aug 2014, Damien Miller wrote:
>
> > I'm looking at this at the moment. It happens when the test is run with
> > stdin set to /dev/null - I thought I had it figured out yesterday, but now
> > I'm not so sure...
>
> I think this fixes it. nc was closing as soon as it saw an EOF on stdin,
> regardless of data still coming from the socket.

I committed a better fix and also a hack to disable the whole test for systems with incompatible netcat.

-d

From list at eworm.de Fri Aug 1 15:33:13 2014
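Review bot: the `-q5` added on the `+$NC -q5 127.0.0.1 $((${PORT} + 2)) > ${COPY} < /dev/null` line of the `@@ -89,7 +89,7 @@` hunk is an option that not every netcat implementation accepts, and nothing in the script checks for it, so on a system whose nc lacks `-q` this section now fails outright instead of producing a truncated copy; probe the option before using it or skip the section when it is unavailable (the follow-up in this thread takes the latter route). The `< /dev/null` redirect is the right companion change: it makes the stdin-EOF condition deterministic rather than dependent on how the harness happened to be started.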
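Review bot: the `+$NC -q5 -U $OBJ/unix-3.fwd > ${COPY} /dev/null` line of the `@@ -99,7 +99,7 @@` hunk, as archived, has no `<` before `/dev/null`, and the `cmp ${DATA} ${COPY} || fail ...` and `kill $netcat_pid 2>/dev/null` context lines that the first hunk shows are absent here, so the hunk as shown does not apply cleanly (most likely the archive rendering swallowed the text between that `<` and the next `>`); check the committed version to confirm the Unix-socket path gets the same `< /dev/null` redirect and the same cmp check as the TCP path.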
From: list at eworm.de (Christian Hesse)
Date: Fri, 1 Aug 2014 07:33:13 +0200
Subject: corrupted copy in regress/multiplex.sh
In-Reply-To:
References: <20140725091450.7a537255@leda.localdomain> <20140731091935.39219cf1@leda.localdomain>
Message-ID: <20140801073313.4110ef90@leda.localdomain>

Damien Miller on Fri, 2014/08/01 14:41:
> On Fri, 1 Aug 2014, Damien Miller wrote:
>
> > On Fri, 1 Aug 2014, Damien Miller wrote:
> >
> > > I'm looking at this at the moment. It happens when the test is run with
> > > stdin set to /dev/null - I thought I had it figured out yesterday, but
> > > now I'm not so sure...
> >
> > I think this fixes it. nc was closing as soon as it saw an EOF on stdin,
> > regardless of data still coming from the socket.
>
> I committed a better fix and also a hack to disable the whole test for
> systems with incompatible netcat.

Works perfectly now. Thanks a lot!
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}

From 1.41421 at gmail.com Sat Aug 2 10:25:26 2014
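The failure Damien describes above (nc quitting as soon as stdin hits EOF while the forwarded data is still arriving on the socket) is easy to reproduce without ssh at all. The following is an added example, not code from this thread or from OpenSSH's regress suite: a small Python relay over a socketpair that models the two nc behaviours, with stdin opened on /dev/null exactly as in the failing test run. `relay_to_peer`, `run_copy`, `PAYLOAD` and the chunk delays are constructed for the demonstration.

```python
import os
import select
import socket
import threading
import time

# Constructed payload standing in for ${DATA} in the regress test: five 9-byte lines.
PAYLOAD = b"".join(b"chunk-%02d\n" % i for i in range(5))


def _serve(conn, chunks, delay):
    """Server thread: dribble the payload out with a pause before each chunk,
    then close, like a slow peer on the far side of an ssh port-forward."""
    try:
        for chunk in chunks:
            time.sleep(delay)
            conn.sendall(chunk)
    except OSError:
        pass            # peer went away early (the truncating case below)
    finally:
        conn.close()


def relay_to_peer(sock, stdin_fd, wait_for_remote, quit_timeout=5.0):
    """Minimal nc-like loop: copy stdin to the socket, collect socket data.
    wait_for_remote=False quits as soon as stdin reports EOF (the behaviour
    that truncated the copy when stdin was /dev/null); wait_for_remote=True
    half-closes our sending side on stdin EOF but keeps reading until the
    peer closes or nothing arrives for quit_timeout seconds (the -q idea).
    Returns the bytes received from the socket."""
    received = bytearray()
    stdin_open = True
    while True:
        watch = [sock] + ([stdin_fd] if stdin_open else [])
        ready, _, _ = select.select(watch, [], [], quit_timeout)
        if not ready:
            break                                   # idle timeout: give up
        if stdin_fd in ready:
            data = os.read(stdin_fd, 4096)
            if data:
                sock.sendall(data)
            else:
                stdin_open = False
                if not wait_for_remote:
                    break                           # the bug: stop before draining the socket
                sock.shutdown(socket.SHUT_WR)       # no more to send, still willing to read
        if sock in ready:
            data = sock.recv(4096)
            if not data:
                break                               # peer closed: everything has arrived
            received += data
    return bytes(received)


def run_copy(wait_for_remote, delay=0.2):
    """Drive one copy the way the test does, with stdin redirected from /dev/null."""
    client, server = socket.socketpair()
    chunks = [PAYLOAD[i:i + 9] for i in range(0, len(PAYLOAD), 9)]
    worker = threading.Thread(target=_serve, args=(server, chunks, delay))
    worker.start()
    devnull = os.open(os.devnull, os.O_RDONLY)      # /dev/null: stdin is at EOF immediately
    try:
        return relay_to_peer(client, devnull, wait_for_remote)
    finally:
        os.close(devnull)
        client.close()
        worker.join()


if __name__ == "__main__":
    short = run_copy(wait_for_remote=False)
    full = run_copy(wait_for_remote=True)
    print("quit on stdin EOF: %d of %d bytes" % (len(short), len(PAYLOAD)))
    print("wait for peer EOF: %d of %d bytes" % (len(full), len(PAYLOAD)))
```

The truncating variant returns before the first chunk is even sent, because /dev/null is readable (at EOF) on the very first select; the waiting variant half-closes with `shutdown(SHUT_WR)` and only finishes when the peer's close is seen, which is the property `cmp ${DATA} ${COPY}` in the test depends on.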
From: 1.41421 at gmail.com (JCA)
Date: Fri, 1 Aug 2014 18:25:26 -0600
Subject: Password authentication problem with 6.4p1 (and later) clients
Message-ID:

I have been using OpenSSH clients against a number of embedded SSH servers with no problem up till now. Starting with version 6.4p1 password authentication has stopped working against such servers. What happens is that the client enters an infinite loop during the authentication phase.

I built OpenSSH 5.9p1 and 6.4p1 in a Linux box so that the client prints out to the screen all of the SSH messages sent to, and received from, the server. What follows is a condensed account of my observations based on the output generated by the 5.9p1 and 6.4p1, respectively, displaying only the relevant data. The output is organized in two columns. The left column contains the messages sent by the client, and the right column contains the messages sent by the server. Time is assumed to flow from top to bottom, so the message exchange ordering may be immediately noticed. The output is constrained to the authentication phase, after the session keys have been derived by both parties, and before any channels are opened. The asymmetric keys and user name are exactly the same in both cases.

OpenSSH client 5.9p1                          Embedded SSH server
--------------------                          -------------------
SSH_MSG_USERAUTH_REQUEST
  Method name: none
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: FALSE
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: FALSE
                                              SSH_MSG_USERAUTH_PK_OK
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: TRUE
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: TRUE
SSH_MSG_USERAUTH_REQUEST
  Method name: password
  Boolean: FALSE
                                              SSH_MSG_USERAUTH_SUCCESS

After this the client opens a channel and the interactive session gets established.

OpenSSH client 6.4p1                          Embedded SSH server
--------------------                          -------------------
SSH_MSG_USERAUTH_REQUEST
  Method name: none
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: FALSE
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: FALSE
                                              SSH_MSG_USERAUTH_PK_OK
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: TRUE
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: TRUE
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: FALSE
                                              SSH_MSG_USERAUTH_PK_OK
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: TRUE
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: TRUE
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: FALSE
                                              SSH_MSG_USERAUTH_PK_OK
SSH_MSG_USERAUTH_REQUEST
  Method name: publickey
  Boolean: TRUE
                                              SSH_MSG_USERAUTH_FAILURE
                                                Supported auth. methods: password, publickey
                                                Partial success Boolean: TRUE

The first six messages exchanged are identical in both cases, as far as their payloads are concerned. However, after the sixth message (an SSH_MSG_USERAUTH_FAILURE sent by the server) things change dramatically. The 5.9p1 client at that point gives up attempting public-key-based authentication, falling back on to password authentication. This is as it should be, for there is no public key for this particular user in the server. On the other hand, at the same point in the exchange the 6.4p1 client sends another public key authentication request, this time, like the very first one, with the Boolean field set to FALSE. This is the start of the infinite loop on the client side, which just prints out the 'Authenticated with partial success.' line ad infinitum, without ever prompting the person at the keyboard for a password. The loop is in the last four messages depicted in the traces above. Why is the 6.4p1 client attempting to probe for public key authentication again, when the server has already indicated that the public key received will not authenticate the user?
In every SSH_MSG_USERAUTH_REQUEST that contains a public key (an RSA one, in this case) the client always sends the same public key. As it happens, should there be a matching public key for that user in the server, the authentication phase succeeds and the interactive session gets established without any issues.

I am hoping that this is a bug in the OpenSSH 6.4p1 code (and later - at least, the same seems to be true of 6.6p1) that is tickled by the embedded server (things work fine against OpenSSH servers), for it would be far easier to change the SSH client than to fix the server. However, a reading of RFC 4252 seems to indicate that the 6.4p1 client is not doing the right thing here, but I may be misinterpreting the RFC. Hopefully experts in this forum will be able to clarify this situation one way or the other.

From 1.41421 at gmail.com Sat Aug 2 10:28:40 2014
From: 1.41421 at gmail.com (JCA)
Date: Fri, 1 Aug 2014 18:28:40 -0600
Subject: My apologies
Message-ID:

Google mail did not preserve my two-column arrangement in my previous email. Hopefully it is still possible to understand the data flow.

From 1.41421 at gmail.com Tue Aug 5 00:51:40 2014
From: 1.41421 at gmail.com (JCA)
Date: Mon, 4 Aug 2014 08:51:40 -0600
Subject: Password authentication problem with 6.4p1 (and later) clients: An analysis
Message-ID:

I have been looking into this over the weekend, and what I have found might be of interest to OpenSSH developers. First, the bug that triggers the problem is in the embedded system. Second, as things were changed in 6.4p1, the OpenSSH client seems to be open to a potential DoS attack.

The infinite loop described in my previous post is embodied in the last four messages of the 6.4p1 traces. That is, from that point onward client and server exchange that block of four messages, over and over again.

The first SSH_MSG_USERAUTH_FAILURE message sent by the embedded server as a response to the first SSH_MSG_USERAUTH_REQUEST message received from the client, for public key authentication and with the authentication Boolean set to TRUE, is formatted incorrectly. Indeed, the partial success Boolean should have been FALSE, rather than TRUE, because it was generated as a response to an SSH_MSG_USERAUTH_REQUEST message with an authentication Boolean set to TRUE (i.e. a real public key authentication request, rather than just a probe) and the authentication itself failed.

On the OpenSSH side, when receiving an SSH_MSG_USERAUTH_FAILURE message, the OpenSSH client code will invoke a function called 'input_userauth_failure'. This function will retrieve the value of the partial success Boolean from the incoming message and will store it into a variable called 'partial'. Then, in 6.4p1 and later, 'input_userauth_failure' will do the following:

    if (partial != 0) {
            logit("Authenticated with partial success.");
            /* reset state */
            pubkey_cleanup(authctxt);
            pubkey_prepare(authctxt);
    }
    debug("Authentications that can continue: %s", authlist);

Before 6.4p1 the 'pubkey_cleanup' and 'pubkey_prepare' invocations were missing. The undesirable behavior is introduced by 'pubkey_prepare'. When invoked here, it will modify the OpenSSH authentication context 'authctxt' so that the client code will try public key authentication again - rather than falling back to the next authentication mechanism (password authentication, in this case) as it should. An infinite loop ensues. Before the 'pubkey_*' lines were introduced OpenSSH would still do the right thing, despite the fact that it was getting a misleading message from the embedded server.

Thus, although OpenSSH 6.4p1 and later clients are proceeding correctly according to the standards, because of the way the code is organized a malicious server could potentially cause problems for clients. This would probably be no more than a nuisance for actual interactive sessions, but might be a real issue for batch ones.

From djm at mindrot.org Tue Aug 5 10:25:11 2014
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Aug 2014 10:25:11 +1000 (EST)
Subject: Password authentication problem with 6.4p1 (and later) clients: An analysis
In-Reply-To:
References:
Message-ID:

On Mon, 4 Aug 2014, JCA wrote:

>     if (partial != 0) {
>             logit("Authenticated with partial success.");
>             /* reset state */
>             pubkey_cleanup(authctxt);
>             pubkey_prepare(authctxt);
>     }
>     debug("Authentications that can continue: %s", authlist);
>
> Before 6.4p1 the 'pubkey_cleanup' and 'pubkey_prepare' invocations were
> missing. The undesirable behavior is introduced by 'pubkey_prepare'.
> When invoked here, it will modify the OpenSSH authentication context
> 'authctxt' so that the client code will try public key authentication
> again - rather than falling back to the next authentication mechanism
> (password authentication, in this case) as it should. An infinite loop
> ensues. Before the 'pubkey_*' lines were introduced OpenSSH would
> still do the right thing, despite the fact that it was getting a
> misleading message from the embedded server.

The idea here is that if a server supports multiple authentications, then it should be managing the list of authentications that can continue. In particular, once key based authentication is complete and the server won't accept any more keys then the server should no longer offer publickey in the list of accepted auth methods.

I agree the client should be a bit smarter here about not trying things that have already succeeded or failed.

> Thus, although OpenSSH 6.4p1 and later clients are proceeding
> correctly according to the standards, because of the way the code is
> organized a malicious server could potentially cause problems for
> clients. This would probably be no more than a nuisance for actual
> interactive sessions, but might be a real issue for batch ones.

I don't think there is any new DoS here. A broken/malicious server could just hang after authentication and achieve the same result.

-d

From 1.41421 at gmail.com Wed Aug 6 01:04:26 2014
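The exchange JCA traced and the "smarter client" Damien asks for, as an added example that is not part of this thread or of OpenSSH's own code: a Python model of the client's method selection. `EmbeddedServer` reproduces the server's bug exactly as described (partial success TRUE after a failed real publickey attempt, publickey still listed); `Client` keeps the 6.4p1 "reset state on partial success" branch and, when `remember_outcomes` is set, simply refuses to re-offer a key the server has already rejected in this session. Message names follow the traces; the key name, the message bound and the transcript format are constructed for the demonstration.

```python
from collections import deque

# Message type names as they appear in the traces (RFC 4252 names).
REQUEST = "SSH_MSG_USERAUTH_REQUEST"
FAILURE = "SSH_MSG_USERAUTH_FAILURE"
PK_OK = "SSH_MSG_USERAUTH_PK_OK"
SUCCESS = "SSH_MSG_USERAUTH_SUCCESS"


class EmbeddedServer:
    """Model of the embedded server in the thread: accepts the password, holds
    no authorized key for the user, and (its bug) answers a real publickey
    attempt with partial success = TRUE while still listing publickey."""

    def handle(self, req):
        if req["method"] == "publickey" and not req["signed"]:
            return {"type": PK_OK}                  # probe: "that key type is acceptable"
        if req["method"] == "password":
            return {"type": SUCCESS}
        return {"type": FAILURE, "methods": ["password", "publickey"],
                "partial": req["method"] == "publickey"}   # should be False: nothing succeeded


class Client:
    """Client-side method selection. remember_outcomes=False reproduces the
    6.4p1 behaviour (pubkey_prepare() on every partial success re-queues
    every key); remember_outcomes=True keeps the reset but never re-offers a
    key the server already rejected (a real client would track accepted keys
    the same way)."""

    def __init__(self, keys, remember_outcomes):
        self.keys = list(keys)
        self.remember_outcomes = remember_outcomes
        self.rejected = set()
        self.pubkey_prepare()

    def pubkey_prepare(self):
        usable = [k for k in self.keys
                  if not self.remember_outcomes or k not in self.rejected]
        self.queue = deque(usable)      # keys still to offer
        self.pending = None             # key whose probe got PK_OK, awaiting the signed attempt

    def next_request(self, authlist):
        """Pick the next method: publickey while keys remain, then password."""
        if "publickey" in authlist:
            if self.pending is not None:
                key, self.pending = self.pending, None
                return {"method": "publickey", "signed": True, "key": key}
            if self.queue:
                self.pending = self.queue.popleft()
                return {"method": "publickey", "signed": False, "key": self.pending}
        if "password" in authlist:
            return {"method": "password", "signed": False}
        return None

    def on_failure(self, req, resp):
        if req["method"] == "publickey" and req["signed"]:
            self.rejected.add(req["key"])
        if resp["partial"]:             # the branch quoted above: "reset state"
            self.pubkey_prepare()


def authenticate(client, server, max_messages=40):
    """Run the exchange; return (outcome, transcript). The message bound makes
    the infinite loop observable as the outcome "loop"."""
    transcript = []
    req = {"method": "none", "signed": False}
    while len(transcript) < max_messages:
        transcript.append("C: %s %s%s" % (REQUEST, req["method"],
                                          " (signed)" if req["signed"] else ""))
        resp = server.handle(req)
        if resp["type"] == SUCCESS:
            transcript.append("S: " + SUCCESS)
            return "success", transcript
        if resp["type"] == PK_OK:
            transcript.append("S: " + PK_OK)
            req = client.next_request(["publickey"])
            continue
        transcript.append("S: %s partial=%s" % (FAILURE, resp["partial"]))
        client.on_failure(req, resp)
        req = client.next_request(resp["methods"])
        if req is None:
            return "no more methods", transcript
    return "loop", transcript


def demo(remember_outcomes):
    """One user with a single key (constructed name) against the buggy server."""
    return authenticate(Client(["id_rsa"], remember_outcomes), EmbeddedServer())


if __name__ == "__main__":
    for flag in (False, True):
        outcome, lines = demo(flag)
        print("remember_outcomes=%s -> %s after %d messages" % (flag, outcome, len(lines)))
        for line in lines[:8]:
            print("   ", line)
```

With `remember_outcomes=False` the transcript is the 6.4p1 trace: the four-message block (probe, PK_OK, signed attempt, FAILURE partial=TRUE) repeats until the bound is hit. With it set, the same reset happens, but the rejected key is filtered out of the re-queued list, so the client falls through to password and the exchange matches the eight-message 5.9p1 trace.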
From: 1.41421 at gmail.com (JCA)
Date: Tue, 5 Aug 2014 09:04:26 -0600
Subject: Password authentication problem with 6.4p1 (and later) clients: An analysis
In-Reply-To:
References:
Message-ID:

> I don't think there is any new DoS here. A broken/malicious server
> could just hang after authentication and achieve the same result.

Not quite the same. The client would hang, whereas in this case it enters an infinite loop. Anyhow, like you said, an extra dollop of intelligence in the client's code would be welcome here.

On Mon, Aug 4, 2014 at 6:25 PM, Damien Miller wrote:
> On Mon, 4 Aug 2014, JCA wrote:
>
>>     if (partial != 0) {
>>             logit("Authenticated with partial success.");
>>             /* reset state */
>>             pubkey_cleanup(authctxt);
>>             pubkey_prepare(authctxt);
>>     }
>>     debug("Authentications that can continue: %s", authlist);
>>
>> Before 6.4p1 the 'pubkey_cleanup' and 'pubkey_prepare' invocations were
>> missing. The undesirable behavior is introduced by 'pubkey_prepare'.
>> When invoked here, it will modify the OpenSSH authentication context
>> 'authctxt' so that the client code will try public key authentication
>> again - rather than falling back to the next authentication mechanism
>> (password authentication, in this case) as it should. An infinite loop
>> ensues. Before the 'pubkey_*' lines were introduced OpenSSH would
>> still do the right thing, despite the fact that it was getting a
>> misleading message from the embedded server.
>
> The idea here is that if a server supports multiple authentications,
> then it should be managing the list of authentications that can
> continue. In particular, once key based authentication is complete
> and the server won't accept any more keys then the server should
> no longer offer publickey in the list of accepted auth methods.
>
> I agree the client should be a bit smarter here about not trying
> things that have already succeeded or failed.
>
>> Thus, although OpenSSH 6.4p1 and later clients are proceeding
>> correctly according to the standards, because of the way the code is
>> organized a malicious server could potentially cause problems for
>> clients. This would probably be no more than a nuisance for actual
>> interactive sessions, but might be a real issue for batch ones.
>
> I don't think there is any new DoS here. A broken/malicious server
> could just hang after authentication and achieve the same result.
>
> -d

From bairyvr at gmail.com Wed Aug 13 05:16:51 2014
From: bairyvr at gmail.com (vamshi reddy bairy)
Date: Tue, 12 Aug 2014 12:16:51 -0700
Subject: openssh-6.6p1 link error to openssl
Message-ID:

Hello all,

I am trying to force openssh to link against the openssl in my work area, home/xxx/openssl/lib & home/xxx/openssl/include, instead of the default "/usr/lib/" etc.

    ./configure --with-ssl-dir=/home/xxx/install/open_ssl --with-cppflags="-I/home/xxx/install/open_ssl/include" --with-ldflags="-L/home/xxx/install/open_ssl/lib"

With this I am not able to configure openssh with the version of openssl I built myself. When I run the above command I end up with "OpenSSL header version... not found".

Could you please let me know where I am going wrong?

From scott_n at xypro.com Wed Aug 13 07:15:48 2014
From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 12 Aug 2014 21:15:48 +0000
Subject: openssh-6.6p1 link error to openssl
In-Reply-To:
References:
Message-ID:

I've already filed a bug about this.

https://bugzilla.mindrot.org/show_bug.cgi?id=2261

-----Original Message-----
From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of vamshi reddy bairy
Sent: Tuesday, August 12, 2014 12:17 PM
To: openssh-unix-dev at mindrot.org
Subject: openssh-6.6p1 link error to openssl

Hello all,

I am trying to force openssh to link against the openssl in my work area, home/xxx/openssl/lib & home/xxx/openssl/include, instead of the default "/usr/lib/" etc.

    ./configure --with-ssl-dir=/home/xxx/install/open_ssl --with-cppflags="-I/home/xxx/install/open_ssl/include" --with-ldflags="-L/home/xxx/install/open_ssl/lib"

With this I am not able to configure openssh with the version of openssl I built myself. When I run the above command I end up with "OpenSSL header version... not found".

Could you please let me know where I am going wrong?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From bairyvr at gmail.com Wed Aug 13 08:37:05 2014
From: bairyvr at gmail.com (vamshi reddy bairy)
Date: Tue, 12 Aug 2014 15:37:05 -0700
Subject: openssh-6.6p1 link error to openssl
In-Reply-To:
References:
Message-ID:

Hello Scott,

Thanks for the reply. I see the same kind of behavior with an older version of openssh like openssh5.51p1; is it also observed in this version?

On Tue, Aug 12, 2014 at 2:15 PM, Scott Neugroschl wrote:
> I've already filed a bug about this.
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2261
>
>
> -----Original Message-----
> From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=
> xypro.com at mindrot.org] On Behalf Of vamshi reddy bairy
> Sent: Tuesday, August 12, 2014 12:17 PM
> To: openssh-unix-dev at mindrot.org
> Subject: openssh-6.6p1 link error to openssl
>
> Hello all,
>
> I am trying to force openssh to link against the openssl in my work area,
> home/xxx/openssl/lib & home/xxx/openssl/include, instead of the default
> "/usr/lib/" etc.
>
> ./configure --with-ssl-dir=/home/xxx/install/open_ssl
> --with-cppflags="-I/home/xxx/install/open_ssl/include"
> --with-ldflags="-L/home/xxx/install/open_ssl/lib"
>
> With this I am not able to configure openssh with the version of openssl
> I built myself.
>
> When I run the above command I end up with "OpenSSL header version... not
> found".
>
> Could you please let me know where I am going wrong?

From bhendin at gmail.com Thu Aug 14 11:20:48 2014
From: bhendin at gmail.com (Ben H)
Date: Wed, 13 Aug 2014 20:20:48 -0500
Subject: questions regarding nsswitch and the internal-sftp server and ChrootDirectory options
Message-ID:

What is the intended behavior of the internal-sftp server when looking to resolve identity information for a user via the nsswitch-configured mechanisms? I am seeing different behavior between two packaged versions and am looking to understand what should be expected.

Scenario: Utilizing a developed directory services plugin (dsplug), "ls" access on the sftp session fails with the following on a RHEL 6.5 machine with OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013:

CONSOLE OUTPUT:
---------------
sftp localjoe at localhost
Connecting to localhost...
Password:
sftp> ls
Connection closed

LOG OUTPUT:
-----------
tail /var/log/secure
Aug 13 19:27:17 centos65-01 sshd[6203]: Accepted keyboard-interactive/pam for localjoe from ::1 port 38958 ssh2
Aug 13 19:27:17 centos65-01 sshd[6203]: pam_unix(sshd:session): session opened for user localjoe by (uid=0)
Aug 13 19:27:17 centos65-01 sshd[6208]: subsystem request for sftp
Aug 13 19:27:19 centos65-01 sshd[6209]: error: select: Bad file descriptor
Aug 13 19:27:19 centos65-01 sshd[6208]: Received disconnect from ::1: 11: disconnected by user
Aug 13 19:27:19 centos65-01 sshd[6203]: pam_unix(sshd:session): session closed for user localjoe

STRACE OUTPUT:
-------------
lstat("/sftptest", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/etc/localtime", 0x7fff2c118340) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
close(4) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_FILE, path="/opt/dsplug/sockets/.auth"}, 110) = -1 ENOENT (No such file or directory)
close(4) = 0
open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
...
select(5, [3], [4], NULL, NULL) = -1 EBADF (Bad file descriptor)

I am able to get around these issues with the following in nsswitch.conf:

passwd: files [UNAVAIL=return] nis dsplug
shadow: files nis
group:  files [UNAVAIL=return] nis dsplug

This however has the negative effect of not resolving any UID/GID information within the sftp session.

On a Kubuntu 13.11 machine with OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013, this issue does not occur in a default configuration. An strace on that system shows that no calls past passwd/group files are made and no attempt seems to be made to resolve any naming information (including local passwd/group).

Should internal-sftp make any attempt past local passwd/group files? It appears, at least in the RHEL testing, that if only "files nis" is configured, NIS names will be properly resolved... ?

thank you

From vinschen at redhat.com Thu Aug 14 22:15:54 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 14 Aug 2014 14:15:54 +0200
Subject: Problem with enabling /etc/default(s)/login on Cygwin
Message-ID: <20140814121554.GA23935@calimero.vinschen.de>

Hi,

below is a patch which simply removes a Cygwin-specific piece of code from OpenSSH. Input from a system admin educated me how useful this option could be on Cygwin as well. However, way back when, the call to read_etc_default_login got disabled on Cygwin hardcoded in session.c, rather than just setting --disable-etc-default-login when building the Cygwin version of OpenSSH. So, here's the patch which simply re-enables reading /etc/default/login on Cygwin.

However, even when removing this Cygwin-specific patch, there's still a problem. On Cygwin the path is not /etc/default, but /etc/defaults. Note the trailing "s". The problem is, the path to the default login file is not configurable. Would it be much of a problem to make the path to this file configurable?

I'm also wondering if the configure test for /etc/default/login is really doing the right thing. What happens is:

- If --disable-etc-default-login is set, no support for /etc/default/login
- If nothing is given on the command line, check for /etc/default/login. If it's available support it, otherwise don't.

So far, so good, but this one is a problem IMHO:

- If --enable-etc-default-login is set, configure *still* checks for /etc/default/login.

That's not correct, AFAICS. Even if the package maintainer *explicitly* enabled /etc/default/login support, the configure script makes the sshd code support /etc/default/login only if the file existed on the maintainer's machine at configure time. This is very unreliable and the result is puzzling. Shouldn't configure.ac be changed like this:

    if --disable-etc-default-login is given
      etc_default_login=no
    else if --enable-etc-default-login is given
      etc_default_login=yes
      external_path_file=/etc/default/login
      AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1], ...
    else if cross_compiling
      etc_default_login=no
    else if AC_CHECK_FILE(["/etc/default/login"]
      etc_default_login=yes
    else
      etc_default_login=no

???

Thanks,
Corinna

Index: session.c
===================================================================
RCS file: /cvs/openssh/session.c,v
retrieving revision 1.434
diff -u -p -r1.434 session.c
--- session.c 18 Jul 2014 04:11:26 -0000 1.434
+++ session.c 14 Aug 2014 11:29:58 -0000
@@ -1188,13 +1188,6 @@ do_setup_env(Session *s, const char *she else child_set_env(&env, &envsize, "PATH", getenv("PATH")); #else /* HAVE_LOGIN_CAP */ -# ifndef HAVE_CYGWIN - /* - * There's no standard path on Windows. The path contains - * important components pointing to the system directories, - * needed for loading shared libraries. So the path better - * remains intact here. - */ # ifdef HAVE_ETC_DEFAULT_LOGIN read_etc_default_login(&env, &envsize, pw->pw_uid); path = child_get_env(env, "PATH"); @@ -1204,7 +1197,6 @@ do_setup_env(Session *s, const char *she s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); } -# endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ snprintf(buf, sizeof buf, "%.200s/%.50s",

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

From bairyvr at gmail.com Fri Aug 15 08:08:47 2014
From: bairyvr at gmail.com (vamshi reddy bairy)
Date: Thu, 14 Aug 2014 15:08:47 -0700
Subject: generating libcrypto.so.6
Message-ID:

Hi,

I have compiled openssl-1.0.1i and it generated *.so files, but I cannot find libcrypto.so.6 & libssl.so.6 generated, which my application requires. Can you please let me know how I can generate those .so's, without installing any rpm's?

Thanks

From alex at alex.org.uk Fri Aug 15 14:44:51 2014
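Review bot: dropping the `# ifndef HAVE_CYGWIN` guard in the `@@ -1188,13 +1188,6 @@` hunk also drops the comment that explains why the inherited PATH has to survive on Cygwin (it points at the system directories needed to load shared libraries), and that concern is not addressed by the change: once `read_etc_default_login()` runs on Cygwin, a login file that does not define PATH leaves `path = child_get_env(env, "PATH")` empty and the fallthrough in the next hunk replaces PATH with `SUPERUSER_PATH` or `_PATH_STDPATH`, exactly the outcome the removed comment warned about. Either keep the inherited PATH as the fallback on Cygwin or state in the comment that /etc/defaults/login must set PATH there; at minimum carry the comment's substance over instead of deleting it.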
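Review bot: removing `# endif /* HAVE_CYGWIN */` in the `@@ -1204,7 +1197,6 @@` hunk is the matching half of the first hunk and is fine on its own, but the patch as a whole still leaves the file name hardcoded: as the cover letter says, Cygwin's file is /etc/defaults/login, so with only these two hunks a Cygwin build reads a path that does not exist there. The same patch (or a follow-up) should make the location configurable, for instance through the `external_path_file` variable the cover letter's configure.ac sketch already sets, rather than leaving it to the package maintainer to patch.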
From: alex at alex.org.uk (Alex Bligh)
Date: Fri, 15 Aug 2014 05:44:51 +0100
Subject: generating libcrypto.so.6
In-Reply-To:
References:
Message-ID:

On 14 Aug 2014, at 23:08, vamshi reddy bairy wrote:

> I have compiled openssl-1.0.1i and it generated *.so files.
> but i cannot find libcrypto.so.6 & libssl.so.6 generated which my
> application requires ,
> can you please let me know how i can generate those so's, with out
> installing any rpm's

You would probably be better off on an openssl list than an openssh list.

-- 
Alex Bligh

From loganaden at gmail.com Sat Aug 16 18:12:15 2014
From: loganaden at gmail.com (Loganaden Velvindron)
Date: Sat, 16 Aug 2014 12:12:15 +0400
Subject: .ssh_config forwarding
Message-ID:

Hi guys,

I was wondering about having ssh-agent also forward the ssh_config in addition to the private keys. This would be helpful when you have a lot of host file definitions in your .ssh_config.

Kind regards,
//Logan C-x-C-c

-- 
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.

From djm at mindrot.org Mon Aug 18 11:23:41 2014
From: djm at mindrot.org (Damien Miller)
Date: Mon, 18 Aug 2014 11:23:41 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
Message-ID:

Hi,

OpenSSH 6.7 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a big release containing a number of features, a lot of internal refactoring and some potentially-incompatible changes.

Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs or via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

 * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.

 * sshd(8): Support for tcpwrappers/libwrap has been removed.

 * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256 at libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.

New Features

 * Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.

 * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.

 * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types.

 * sftp(1): Allow resumption of interrupted uploads.

 * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154

 * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222

 * sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160

 * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220

 * sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199

 * Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target.

Bugfixes

 * sshd(8): Fix remote fwding with same listen port but different listen address.

 * ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred.

 * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.

 * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255

 * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247

 * ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236

 * ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234

 * ssh-keygen(1): When hashing or removing hosts, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241

 * ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)

 * scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.

 * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238

 * ssh-keyscan(1): Scan for Ed25519 keys by default.

 * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys.

 * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225

 * Fix some strict-alignment errors.

Portable OpenSSH

 * Portable OpenSSH now supports building against libressl-portable.

 * Portable OpenSSH now requires openssl 0.9.8f or greater. Older versions are no longer supported.

 * In the OpenSSL version check, allow fix version upgrades (but not downgrades). Debian bug #748150.

 * sshd(8): On Cygwin, determine privilege separation user at runtime, since it may need to be a domain account.

 * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for non-root users, and for them it just messes up the tty settings.

 * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It takes into account time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly. bz#2228

 * Add support for ed25519 to opensshd.init init script.

 * sftp-server(8): On platforms that support it, use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

From dirkx at webweaving.org Mon Aug 18 19:27:44 2014
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Mon, 18 Aug 2014 11:27:44 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <759B26D1-2C39-4D21-9440-61B9C5972460@webweaving.org>

On 18 Aug 2014, at 03:23, Damien Miller wrote:

With this fix:

> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
> explicitly listed in ssh_config or on the commandline not to be
> preferred.

A fairly broad range of pin-keypad readers as often used in healthcare have sprung to life.

Would be nice if you could also apply the patch below. The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory.

Thanks,

Dw.

* Allow for PIN/password entry on the keypad of the chipcard reader.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { - free(pin); + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin = NULL; + } else { + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", + si->token.label); + pin = read_passphrase(prompt, RP_ALLOW_EOF); + if (pin == NULL) + return (-1); /* bail out */ + }; + if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)) + != CKR_OK) { + if (pin) free(pin); error("C_Login failed: %lu", rv); return (-1); } - free(pin); + if (pin) free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid; From bisson at archlinux.org Mon Aug 18 20:04:06 2014 
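Review bot: The cast on the PIN argument is lost in the new C_Login call: the removed line passed `(u_char *)pin, strlen(pin)`, the added one passes `pin, pin ? strlen(pin): 0`, so a `char *` now goes to a `CK_UTF8CHAR_PTR` parameter and strict builds will warn on signedness; keep the cast, e.g. `(u_char *)pin, pin ? strlen(pin) : 0`. Passing a NULL pointer with length 0 is the PKCS#11 convention for letting a protected authentication path collect the PIN, so deferring to the reader keypad when CKF_PROTECTED_AUTHENTICATION_PATH is set is the right logic; but with that in place the `!pkcs11_interactive` early return no longer needs to fail for such tokens, since no local prompt is required, and the hunk only changes its message. Two style points: the `};` closing the else branch leaves a stray empty statement, and the two `if (pin) free(pin);` guards are redundant because free(NULL) is a no-op, so the original `free(pin);` lines can stay. The verbose() message could also name `si->token.label`, which the old prompt did and which tells the user which token's keypad is waiting.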
From: bisson at archlinux.org (Gaetan Bisson)
Date: Mon, 18 Aug 2014 19:04:06 +0900
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <20140818100406.GA27927@aji.vesath.org>

Hi,

[2014-08-18 11:23:41 +1000] Damien Miller:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

(Not that this is important, but) running `make tests` I get:

run test connect.sh ...
nologin: invalid option -- 'c'

Usage:
 nologin [options]

Options:
 -h, --help     display this help and exit
 -V, --version  output version information and exit

For more details see nologin(8).
ssh connect with protocol 1 failed

My nologin binary identifies itself as:

$ nologin --version
nologin from util-linux 2.25

I got it straight from my distro (Arch Linux).

Other than that, I have experienced no regression so far with
openssh-SNAP-20140818; but if I do I will report them here...

Cheers.

-- 
Gaetan

From vinschen at redhat.com Mon Aug 18 22:45:40 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 18 Aug 2014 14:45:40 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <20140818124540.GF2280@calimero.vinschen.de>

On Aug 18 11:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

I tested from CVS HEAD and there's a bug in serverloop.c. On systems
not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
error. Here's a patch:

Index: serverloop.c
===================================================================
RCS file: /cvs/openssh/serverloop.c,v
retrieving revision 1.181
diff -u -p -r1.181 serverloop.c
--- serverloop.c 18 Jul 2014 04:11:26 -0000 1.181
+++ serverloop.c 18 Aug 2014 12:33:02 -0000
@@ -1173,9 +1173,9 @@ server_input_global_request(int type, u_ /* check permissions */ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || no_port_forwarding_flag || - (!want_reply && fwd.listen_port == 0) || + (!want_reply && fwd.listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT - (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED && + || (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED && pw->pw_uid != 0) #endif ) { Also, I can't run the testsuite on Cygwin anymore: $ make tests [ -d `pwd`/regress ] || mkdir -p `pwd`/regress [ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests [ -d `pwd`/regress/unittests/test_helper ] || \ mkdir -p `pwd`/regress/unittests/test_helper [ -d `pwd`/regress/unittests/sshbuf ] || \ mkdir -p `pwd`/regress/unittests/sshbuf [ -d `pwd`/regress/unittests/sshkey ] || \ mkdir -p `pwd`/regress/unittests/sshkey [ -f `pwd`/regress/Makefile ] || \ ln -s `cd ../src && pwd`/regress/Makefile `pwd`/regress/Makefile (cd openbsd-compat && make) make[1]: Entering directory '/home/corinna/src/openssh/build/openbsd-compat' make[1]: Nothing to be done for 'all'. make[1]: Leaving directory '/home/corinna/src/openssh/build/openbsd-compat' gcc -g -O2 [...options...] -o regress/modpipe.exe ../src/regress/modpipe.c \ -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt gcc -g -O2 [...options...] -o regress/setuid-allowed.exe ../src/regress/setuid-allowed.c \ -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop. This is using GNU make. I'm not sure what's missing. Is that because I'm not building in the source dir, by any chance? 
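Review bot: The fix is correct, and it is worth recording why: with the `||` left at the end of the `(!want_reply && fwd.listen_port == 0)` line, a build that defines NO_IPPORT_RESERVED_CONCEPT drops the whole `#ifndef` block and the condition degenerates to `... || )`, which is the syntax error; moving the `||` to the head of the guarded `(fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&` line keeps the expression well-formed whether or not the block is compiled in. Note that, read from the hunk, the breakage hits when the macro is defined (Cygwin), not when it is undefined as the covering text says. A leading operator on a continuation line is unusual for this code base, but there is no tidier way to make a trailing disjunct optional inside a preprocessor conditional short of a helper macro, so the form is acceptable as is.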
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

From kevin.brott at gmail.com Tue Aug 19 02:18:38 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 18 Aug 2014 09:18:38 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

Ugh - so, forgot to RT the list ... and another failed buildhost ...

I know these are legacy OS versions - but they're still in use here so ...

OS           Build_Target       CC            OpenSSL        BUILD   TEST
===========  =================  ============  =============  =====   =================
Centos 2.1   i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
RHEL 3.4     i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1

make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
arc4random.c
In file included from ../buffer.h:24,
                 from ../entropy.h:30,
                 from ../includes.h:177,
                 from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
[root at localhost openssh]# find ec.h
find: ec.h: No such file or directory

On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller wrote:

> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
> [...]

-- 
# include
/* Kevin Brott */

From kevin.brott at gmail.com Tue Aug 19 03:00:03 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 18 Aug 2014 10:00:03 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

So apparently openssl/ec.h didn't show up earlier than 0.9.8m; right now
it's looking like any system with earlier versions will configure, but
fail to build off the bat.

On Mon, Aug 18, 2014 at 9:18 AM, Kevin Brott wrote:

> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>
> I know these are legacy OS version - but they're still in use here so ...
>
> [...]
-- 
# include
/* Kevin Brott */

From vinschen at redhat.com Tue Aug 19 03:03:06 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 18 Aug 2014 19:03:06 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140818124540.GF2280@calimero.vinschen.de>
References: <20140818124540.GF2280@calimero.vinschen.de>
Message-ID: <20140818170306.GA14093@calimero.vinschen.de>

On Aug 18 14:45, Corinna Vinschen wrote:
> I tested from CVS HEAD and there's a bug in serverloop.c. On systems
> not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
> error. Here's a patch:
>
> [...]
>
> Also, I can't run the testsuite on Cygwin anymore:
>
> $ make tests
> [...]
> make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop.
>
> This is using GNU make. I'm not sure what's missing. Is that because
> I'm not building in the source dir, by any chance?

No, it's not.
Even when building in the source dir, `make tests' fails as above.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

From imorgan at nas.nasa.gov Tue Aug 19 04:07:21 2014
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Mon, 18 Aug 2014 11:07:21 -0700
Subject: .ssh_config forwarding
In-Reply-To:
References:
Message-ID: <20140818180721.GA10370@linux124.nas.nasa.gov>

On Sat, Aug 16, 2014 at 12:12:15 +0400, Loganaden Velvindron wrote:
> Hi guys,
>
> I was wondering about having ssh-agent also forward the ssh_config in
> addition to the private keys. This would be helpful, when you have a
> lot of host file definitions in your .ssh_config.
>

I must admit to not knowing much about the inner workings of ssh-agent,
but I didn't think it actually forwarded private keys. That would be
really wrong.

But that point isn't really relevant to your main point. Assuming that
doing something like this is compatible with how ssh-agent works, how
would you propose dealing with incompatible OpenSSH versions between the
local and remote host? I can foresee a situation where the local
configuration takes advantage of some newer feature that may not be
supported on the remote host.

I'm rather dubious about the value and viability of such a feature.

-- 
Iain Morgan

From loganaden at gmail.com Tue Aug 19 06:05:22 2014
From: loganaden at gmail.com (Loganaden Velvindron)
Date: Tue, 19 Aug 2014 00:05:22 +0400
Subject: .ssh_config forwarding
In-Reply-To: <20140818180721.GA10370@linux124.nas.nasa.gov>
References: <20140818180721.GA10370@linux124.nas.nasa.gov>
Message-ID:

On Mon, Aug 18, 2014 at 10:07 PM, Iain Morgan wrote:
> On Sat, Aug 16, 2014 at 12:12:15 +0400, Loganaden Velvindron wrote:
>> Hi guys,
>>
>> I was wondering about having ssh-agent also forward the ssh_config in
>> addition to the private keys. This would be helpful, when you have a
>> lot of host file definitions in your .ssh_config.

Sorry, I meant in addition to storing the private keys, what about also
forwarding the .ssh_config.

>>
>
> I must admit to not knowing much about the inner workings of ssh-agent,
> but I didn't think it actually forwarded private keys. That would be
> really wrong.
>
> But that point isn't really relevant to your main point. Assuming that
> doing something like this is compatible with how ssh-agent works, how
> would you propose dealing with incompatible OpenSSH versions between the
> local and remote host? I can foresee a situation where the local
> configuration takes advantage of some newer feature that may not be
> supported on the remote host.
>
> I'm rather dubious about the value and viability of such a feature.
>
> --
> Iain Morgan

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.

From kevin.brott at gmail.com Tue Aug 19 06:33:49 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 18 Aug 2014 13:33:49 -0700
Subject: Call for testing: OpenSSH 6.7

Requirement for ec.h breaks all builds on systems without the EC feature
(*all Red Hat [probably variants as well] below 6.5*). New linking issue
with gcc on AIX before tests run. Same systems built 6.6 release without
issue.

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140819.tar.gz

OS              Build_Target            CC                   OpenSSL        BUILD   TEST
==============  ======================  ===================  =============  ======  =================
Centos 2.1      i386-redhat-linux       gcc 2.9.6            0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47         0.9.7a         FAIL*1
Fedora Core r2  i386-redhat-linux       gcc 3.3.3-7          0.9.7a         FAIL*1
RHEL 4.8        i386-redhat-linux       gcc 3.4.6-11         0.9.7a         FAIL*1
RHEL 4.8        x86_64-redhat-linux     gcc 3.4.6-11         0.9.7a         FAIL*1
RHEL 5.4        i386-redhat-linux       gcc 4.1.2-46         0.9.8e-fips    FAIL*1
RHEL 5.4        x86_64-redhat-linux     gcc 4.1.2-46         0.9.8e-fips    FAIL*1
RHEL 5.5        i386-redhat-linux       gcc 4.1.2-48         0.9.8e-fips    FAIL*1
RHEL 5.5        x86_64-redhat-linux     gcc 4.1.2-48         0.9.8e-fips    FAIL*1
RHEL 5.6        i386-redhat-linux       gcc 4.1.2-50         0.9.8e-fips    FAIL*1
RHEL 5.6        x86_64-redhat-linux     gcc 4.1.2-50         0.9.8e-fips    FAIL*1
RHEL 5.7        i386-redhat-linux       gcc 4.1.2-51         0.9.8e-fips    FAIL*1
RHEL 5.7        x86_64-redhat-linux     gcc 4.1.2-51         0.9.8e-fips    FAIL*1
RHEL 5.8        i386-redhat-linux       gcc 4.1.2-52         0.9.8e-fips    FAIL*1
RHEL 5.8        x86_64-redhat-linux     gcc 4.1.2-52         0.9.8e-fips    FAIL*1
RHEL 5.9        i386-redhat-linux       gcc 4.1.2-54         0.9.8e-fips    FAIL*1
RHEL 5.9        x86_64-redhat-linux     gcc 4.1.2-54         0.9.8e-fips    FAIL*1
RHEL 5.10       i686-redhat-linux       gcc 4.1.2-54         0.9.8e-fips    FAIL*1
RHEL 5.10       x86_64-redhat-linux     gcc 4.1.2-54         0.9.8e-fips    FAIL*1
RHEL 6.0        i686-redhat-linux       gcc 4.4.4-13         1.0.0-fips     FAIL*1
RHEL 6.0        x86_64-redhat-linux     gcc 4.4.4-13         1.0.0-fips     FAIL*1
RHEL 6.1        i686-redhat-linux       gcc 4.4.5-6          1.0.0-fips     FAIL*1
RHEL 6.1        x86_64-redhat-linux     gcc 4.4.5-6          1.0.0-fips     FAIL*1
RHEL 6.2        i686-redhat-linux       gcc 4.4.6-3          1.0.0-fips     FAIL*1
RHEL 6.2        x86_64-redhat-linux     gcc 4.4.6-3          1.0.0-fips     FAIL*1
RHEL 6.3        i686-redhat-linux       gcc 4.4.7-3          1.0.0-fips     FAIL*1
RHEL 6.3        x86_64-redhat-linux     gcc 4.4.7-3          1.0.0-fips     FAIL*1
RHEL 6.4        i686-redhat-linux       gcc 4.4.7-3          1.0.0-fips     FAIL*1
RHEL 6.4        x86_64-redhat-linux     gcc 4.4.7-3          1.0.0-fips     FAIL*1
RHEL 6.5        i686-redhat-linux       gcc 4.4.7-4          1.0.1e-fips    OK      all tests passed
RHEL 6.5        x86_64-redhat-linux     gcc 4.4.7-4          1.0.1e-fips    OK      all tests passed
RHEL 7.0        x86_64-redhat-linux     gcc 4.8.2-16         1.0.1e-fips    OK      all tests passed
Debian 7.6      x86_64-linux-gnu        gcc Debian 4.7.2-5   1.0.1e         OK      all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3          0.9.8k         FAIL*1
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0  xlc 8.0.0.16         0.9.8k         FAIL*1
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  gcc 4.2.0            0.9.8y         FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  xlc 11.1.0.6         0.9.8y         OK      all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  gcc 4.4.7            1.0.1e         FAIL*2
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  xlc 12.1.0.6         1.0.1e         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       gcc 4.3.1            0.9.8w         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       C/aC++ C.11.23.12    0.9.8w         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       gcc 4.6.2            0.9.8t         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       C/aC++ C.11.31.05    0.9.8t         OK      all tests passed

RHL   Red Hat Linux
RHEL  Red Hat Enterprise Linux

F*1 Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
and AIX 5.3+ have in-place upgrades

make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
arc4random.c
In file included from ../buffer.h:24,
                 from ../entropy.h:30,
                 from ../includes.h:177,
                 from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

F*2 gcc on AIX - linking fails just before tests start - i.e.
gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
-Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
regress/unittests/sshbuf/test_sshbuf.o
regress/unittests/sshbuf/test_sshbuf_getput_basic.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_misc.o
regress/unittests/sshbuf/test_sshbuf_fuzz.o
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
regress/unittests/sshbuf/test_sshbuf_fixed.o \
-L regress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshbuf/test_sshbuf] Error 1

On Mon, Aug 18, 2014 at 10:00 AM, Kevin Brott wrote:
>
> So apparently openssl/ec.h didn't show up earlier than 0.9.8m right now
> it's looking like any system with earlier versions will configure, but fail
> to build off the bat.
>
>
> On Mon, Aug 18, 2014 at 9:18 AM, Kevin Brott wrote:
>
>> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>>
>> I know these are legacy OS versions - but they're still in use here so ...
>>
>> OS           Build_Target       CC            OpenSSL        BUILD   TEST
>> ===========  =================  ============  =============  ======  =================
>> Centos 2.1   i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
>> RHEL 3.4     i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1
>>
>> make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
>> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
>> arc4random.c
>> In file included from ../buffer.h:24,
>>                  from ../entropy.h:30,
>>                  from ../includes.h:177,
>>                  from arc4random.c:27:
>> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
>> make[1]: *** [arc4random.o] Error 1
>> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> [root at localhost openssh]# find ec.h
>> find: ec.h: No such file or directory
>>
>>
>>
>>
>> On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller wrote:
>>
>>> Hi,
>>>
>>> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a big release
>>> containing a number of features, a lot of internal refactoring and some
>>> potentially-incompatible changes.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>
>>> The OpenBSD version is available in CVS HEAD:
>>> http://www.openbsd.org/anoncvs.html
>>>
>>> Portable OpenSSH is also available via anonymous CVS using the
>>> instructions at http://www.openssh.com/portable.html#cvs or
>>> via Git at https://anongit.mindrot.org/openssh.git/
>>>
>>> Running the regression tests supplied with Portable OpenSSH does not
>>> require installation and is simply:
>>>
>>> $ ./configure && make tests
>>>
>>> Live testing on suitable non-production systems is also
>>> appreciated. Please send reports of success or failure to
>>> openssh-unix-dev at mindrot.org.
>>>
>>> Below is a summary of changes. More detail may be found in the ChangeLog
>>> in the portable OpenSSH tarballs.
>>>
>>> Thanks to the many people who contributed to this release.
>>>
>>> Changes since OpenSSH 6.6
>>> =========================
>>>
>>> Potentially-incompatible changes
>>>
>>> * sshd(8): The default set of ciphers and MACs has been altered to
>>> remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>>> are disabled by default.
>>>
>>> The full set of algorithms remains available if configured
>>> explicitly via the Ciphers and MACs sshd_config options.
>>>
>>> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>>>
>>> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>>> using the curve25519-sha256 at libssh.org KEX exchange method to fail
>>> when connecting with something that implements the specification
>>> correctly. OpenSSH 6.7 disables this KEX method when speaking to
>>> one of the affected versions.
>>>
>>> New Features
>>>
>>> * Major internal refactoring to begin to make part of OpenSSH usable
>>> as a library. So far the wire parsing, key handling and KRL code
>>> has been refactored. Please note that we do not consider the API
>>> stable yet, nor do we offer the library in separable form.
>>>
>>> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>>> A remote TCP port may be forwarded to a local Unix domain socket
>>> and vice versa or both ends may be a Unix domain socket.
>>>
>>> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>>> ED25519 key types.
>>>
>>> * sftp(1): Allow resumption of interrupted uploads.
>>>
>>> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>>> is the same as the one sent during initial key exchange; bz#2154
>>>
>>> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>>> addresses when GatewayPorts=no; allows client to choose address
>>> family; bz#2222
>>>
>>> * sshd(8): Add a sshd_config PermitUserRC option to control whether
>>> ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>>> option; bz#2160
>>>
>>> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>>> that expands to a unique identifier based on a hash of the tuple of
>>> (local host, remote user, hostname, port). Helps avoid exceeding
>>> miserly pathname limits for Unix domain sockets in multiplexing
>>> control paths; bz#2220
>>>
>>> * sshd(8): Make the "Too many authentication failures" message
>>> include the user, source address, port and protocol in a format
>>> similar to the authentication success / failure messages; bz#2199
>>>
>>> * Added unit and fuzz tests for refactored code. These are run
>>> automatically in portable OpenSSH via the "make tests" target.
>>>
>>> Bugfixes
>>>
>>> * sshd(8): Fix remote fwding with same listen port but different
>>> listen address.
>>>
>>> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>>> explicitly listed in ssh_config or on the commandline not to be
>>> preferred.
>>>
>>> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>>> revoked certificate serial number ranges could be serialised to an
>>> invalid format. Readers of a broken KRL caused by this bug will
>>> fail closed, so no should-have-been-revoked key will be accepted.
>>>
>>> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>>> exit status. Previously we were always returning 0; bz#2255
>>>
>>> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>>> randomart border; bz#2247
>>>
>>> * ssh-agent(1): Only cleanup agent socket in the main agent process
>>> and not in any subprocesses it may have started (e.g. forked
>>> askpass). Fixes agent sockets being zapped when askpass processes
>>> fatal(); bz#2236
>>>
>>> * ssh-add(1): Make stdout line-buffered; saves partial output getting
>>> lost when ssh-add fatal()s part-way through (e.g. when listing keys
>>> from an agent that supports key types that ssh-add doesn't);
>>> bz#2234
>>>
>>> * ssh-keygen(1): When hashing or removing hosts, don't choke on
>>> @revoked markers and don't remove @cert-authority markers; bz#2241
>>>
>>> * ssh(1): Don't fatal when hostname canonicalisation fails and a
>>> ProxyCommand is in use; continue and allow the ProxyCommand to
>>> connect anyway (e.g. to a host with a name outside the DNS behind
>>> a bastion)
>>>
>>> * scp(1): When copying local->remote fails during read, don't send
>>> uninitialised heap to the remote end.
>>>
>>> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>>> filenames with a single quote char somewhere in the string;
>>> bz#2238
>>>
>>> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>>>
>>> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver,
>>> down-convert any certificate keys to plain keys and attempt SSHFP
>>> resolution. Prevents a server from skipping SSHFP lookup and
>>> forcing a new-hostkey dialog by offering only certificate keys.
>>>
>>> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>>>
>>> * Fix some strict-alignment errors.
>>>
>>> Portable OpenSSH
>>>
>>> * Portable OpenSSH now supports building against libressl-portable.
>>>
>>> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>>> versions are no longer supported.
>>>
>>> * In the OpenSSL version check, allow fix version upgrades (but not
>>> downgrades). Debian bug #748150.
>>>
>>> * sshd(8): On Cygwin, determine privilege separation user at runtime,
>>> since it may need to be a domain account.
>>>
>>> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>>> non-root users, and for them it just messes up the tty settings.
>>>
>>> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>>> available. It takes into account time spent suspended, thereby
>>> ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>>> bz#2228
>>>
>>> * Add support for ed25519 to opensshd.init init script.
>>>
>>> * sftp-server(8): On platforms that support it, use prctl() to
>>> prevent sftp-server from accessing /proc/self/{mem,maps}
>>>
>>> Reporting Bugs:
>>> ===============
>>>
>>> - Please read http://www.openssh.com/report.html
>>> Security bugs should be reported directly to openssh at openssh.com
>>>
>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>>> Ben Lindstrom.
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>
>>
>>
>> --
>> # include
>> /* Kevin Brott */
>>
>>
>
>
> --
> # include
> /* Kevin Brott */
>
>

--
# include
/* Kevin Brott */
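The release notes quoted above introduce several knobs an administrator would want to pin down explicitly on a 6.7 host: the narrowed default Ciphers and MACs, the new PermitUserRC option, the %C ControlPath escape and Unix domain socket forwarding. What follows is an added example of such a configuration; it is not part of the original message or of the OpenSSH distribution, and the algorithm list, socket paths, host alias and persist timeout are illustrative choices, not values from the thread.

```text
# /etc/ssh/sshd_config fragment (added example, values illustrative)

# 6.7 removes CBC ciphers and arcfour* from the defaults. Listing the
# algorithms explicitly keeps the policy stable across later default
# changes and makes it visible to an audit; the names here are one
# reasonable choice, not the release's default list.
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

# New in 6.7: stop ~/.ssh/rc from being executed at login, the
# server-wide counterpart of the no-user-rc authorized_keys option.
PermitUserRC no


# ~/.ssh/config fragment (added example)

Host *
    ControlMaster auto
    # %C (new in 6.7) expands to a hash of (local host, remote user,
    # hostname, port), so the control socket path stays inside the Unix
    # domain socket path limit that a spelled-out name can exceed.
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m
```

Check the server fragment with `sshd -t -f <file>` before reloading sshd. For the socket forwarding feature, the socket-to-socket form used by the regression test earlier in this thread is `ssh -L /path/local.sock:/path/remote.sock host` (both paths placeholders), which exposes a remote Unix domain socket as a local one without opening a TCP listener.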
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Mon, 18 Aug 2014 15:50:35 -0500
Subject: .ssh_config forwarding
References: <20140818180721.GA10370@linux124.nas.nasa.gov>
Message-ID: <69749C91-6C07-4F33-84F3-B0393CF3A571@eviladmin.org>

On Aug 18, 2014, at 3:05 PM, Loganaden Velvindron wrote:

> On Mon, Aug 18, 2014 at 10:07 PM, Iain Morgan wrote:
>> On Sat, Aug 16, 2014 at 12:12:15 +0400, Loganaden Velvindron wrote:
>>> Hi guys,
>>>
>>> I was wondering about having ssh-agent also forward the ssh_config in
>>> addition to the private keys. This would be helpful, when you have a
>>> lot of host file definitions in your .ssh_config.
>
> Sorry, I meant in addition to storing the private keys, what about
> also forwarding the .ssh_config.

Not sure why I'd want /etc/ssh/ssh_config or ~/.ssh/config forwarded off
my machine. I tend to have a lot of "host .." directives. Thus I'd leak
almost two-dozen machines which have special User, Identity,
auto-forwarding, etc to a machine which honestly has no business knowing
about each other.

So I'm not sure how this is "helpful." Can you explain more why this
leak of information is of value to me?

- Ben
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Mon, 18 Aug 2014 14:15:57 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7

NetBSD-current amd64

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
-fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c ssh-dss.c -o ssh-dss.o
ssh-dss.c: In function 'ssh_dss_sign':
ssh-dss.c:50:2: error: unknown type name 'DSA_SIG'
  DSA_SIG *sig = NULL;

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Mon, 18 Aug 2014 17:11:09 -0700
Subject: Call for testing: OpenSSH 6.7
Message-ID: <20140819001109.GC10370@linux124.nas.nasa.gov>

On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>

The 20140819 snapshot successfully builds and passes the tests on RHEL
6.5/x86_64 w/OpenSSL 1.0.1i.

Regarding the removal of TCP wrapper support, it would be good to remove
references to it in the contrib/*/openssh.spec files:

% egrep -i 'netkit|wrapper|tcpd' */openssh.spec
caldera/openssh.spec:  --with-tcp-wrappers \
redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
redhat/openssh.spec:  --with-tcp-wrappers \
suse/openssh.spec:# TCP Wrappers (tcpd-devel),
suse/openssh.spec:BuildPrereq: tcpd-devel
suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers support
suse/openssh.spec:  --with-tcp-wrappers \

There are also references to tcpd or libwrap in INSTALL and
contrib/cygwin/README that should probably be removed or revised.

--
Iain Morgan
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 11:19:45 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140818124540.GF2280@calimero.vinschen.de>
References: <20140818124540.GF2280@calimero.vinschen.de>

On Mon, 18 Aug 2014, Corinna Vinschen wrote:

> I tested from CVS HEAD and there's a bug in serverloop.c. On systems
> not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
> error. Here's a patch:
>
> Index: serverloop.c

applied - thanks.

> Also, I can't run the testsuite on Cygwin anymore:
[...]
> -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh
> -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
> make: *** No rule to make target 'regress/unittests/sshbuf/tests.o',
> needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop.
>
> This is using GNU make. I'm not sure what's missing. Is that because
> I'm not building in the source dir, by any chance?

I don't think so - it works on Ubuntu with GNU Make and building outside
the source directory. There is probably some other make trickery that
I've messed up.

-d

From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 11:23:49 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7

On Mon, 18 Aug 2014, Kevin Brott wrote:

> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>
> from ../entropy.h:30,
> from ../includes.h:177,
> from arc4random.c:27:
> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory

This should help:

Index: sshbuf.h
===================================================================
RCS file: /var/cvs/openssh/sshbuf.h,v
retrieving revision 1.4
diff -u -p -r1.4 sshbuf.h
--- sshbuf.h	2 Jul 2014 05:28:04 -0000	1.4
+++ sshbuf.h	19 Aug 2014 01:23:22 -0000
@@ -21,8 +21,12 @@
 #include
 #include
 #include
-#include
-#include
+#ifdef WITH_OPENSSL
+# include
+# ifdef OPENSSL_HAS_ECC
+# include
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */

 #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
 #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
@@ -204,17 +208,19 @@ int sshbuf_peek_string_direct(const stru
  * Functions to extract or store SSH wire encoded bignums and elliptic
  * curve points.
  */
+int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
+#ifdef WITH_OPENSSL
 int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v);
 int sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v);
 int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
 int sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v);
-int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
-#if !defined(WITH_OPENSSL) || defined(OPENSSL_HAS_ECC)
+# ifdef OPENSSL_HAS_ECC
 int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
 int sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
 int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
 int sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
-#endif
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */

 /* Dump the contents of the buffer in a human-readable format */
 void sshbuf_dump(struct sshbuf *buf, FILE *f);
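Review bot: the guard added in the first hunk (@@ -21,8 +21,12 @@) only takes effect if WITH_OPENSSL and OPENSSL_HAS_ECC are already defined when sshbuf.h is read; both come from config.h (the thread later confirms "#define WITH_OPENSSL 1" lives there), and the failing chain reported above is arc4random.c -> includes.h -> entropy.h -> buffer.h -> sshbuf.h, so any translation unit that reaches sshbuf.h or buffer.h without going through includes.h first will silently take the no-OpenSSL branch and lose the OpenSSL types. Worth checking that every file including these headers pulls in config.h first. Note also that the header names in the #include lines are missing from this archive copy, so the hunk cannot be checked here for which OpenSSL headers it wraps.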
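Review bot: in the second hunk (@@ -204,17 +208,19 @@) moving sshbuf_put_bignum2_bytes() above the WITH_OPENSSL guard is correct, since its signature uses only const void * and size_t, and replacing `#if !defined(WITH_OPENSSL) || defined(OPENSSL_HAS_ECC)` with nested guards fixes the old condition, which declared the EC_POINT/EC_KEY prototypes precisely when building without OpenSSL, where those types do not exist. One consequence to watch: the BIGNUM prototypes now vanish whenever WITH_OPENSSL is undefined at the point of inclusion, so a caller such as ssh-ecdsa.c's sshbuf_put_bignum2()/sshbuf_get_bignum2() then compiles with implicit declarations (the warnings the NetBSD report later in this thread shows); such callers need to sit under the same WITH_OPENSSL guard or to see config.h before sshbuf.h.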
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 11:30:51 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7

On Mon, 18 Aug 2014, Kevin Brott wrote:

> Requirement for ec.h breaks all builds on systems without the EC feature (*all
> Red Hat [probably variants as well] below 6.5*). New linking issue with
> gcc on AIX before tests run. Same systems built 6.6 release without issue.

Thanks again Kevin for the exhaustive testing.

> F*1 Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
> and AIX 5.3+ have in-place upgrades

I've committed a fix for this (the one I sent in a patch a few minutes ago).

> F*2 gcc on AIX - linking fails just before tests start - i.e.
> gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
> -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
> regress/unittests/sshbuf/test_sshbuf.o
> regress/unittests/sshbuf/test_sshbuf_getput_basic.o
> regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
> regress/unittests/sshbuf/test_sshbuf_misc.o
> regress/unittests/sshbuf/test_sshbuf_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_fixed.o \
> -L regress/unittests/test_helper -ltest_helper \
> -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
> collect2: library libtest_helper not found

Does libtest_helper.a get created okay? It should be under
regress/unittests/test_helper/libtest_helper.a

-d
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 11:32:56 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7

On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> NetBSD-current amd64
...
> ssh-dss.c: In function 'ssh_dss_sign':
> ssh-dss.c:50:2: error: unknown type name 'DSA_SIG'
>   DSA_SIG *sig = NULL;

Thanks - I think this should fix it (already committed).

Index: ssh-dss.c
===================================================================
RCS file: /var/cvs/openssh/ssh-dss.c,v
retrieving revision 1.33
diff -u -p -r1.33 ssh-dss.c
--- ssh-dss.c	2 Jul 2014 05:28:03 -0000	1.33
+++ ssh-dss.c	19 Aug 2014 01:31:26 -0000
@@ -28,6 +28,7 @@
 #include
 #include
+#include
 #include
 #include

From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 11:36:16 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140819001109.GC10370@linux124.nas.nasa.gov>
References: <20140819001109.GC10370@linux124.nas.nasa.gov>

On Mon, 18 Aug 2014, Iain Morgan wrote:

> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
...
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.

Done - thanks for the reminder.

-d
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 18 Aug 2014 20:06:59 -0700
Subject: Call for testing: OpenSSH 6.7

Will test this out in the morning. Will this be in the 0820 snapshot?

On Mon, Aug 18, 2014 at 6:23 PM, Damien Miller wrote:

> On Mon, 18 Aug 2014, Kevin Brott wrote:
>
> > Ugh - so, forgot to RT the list ... and another failed buildhost ...
> >
> > from ../entropy.h:30,
> > from ../includes.h:177,
> > from arc4random.c:27:
> > ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
>
> This should help:
>
> Index: sshbuf.h
> ===================================================================
> RCS file: /var/cvs/openssh/sshbuf.h,v
> retrieving revision 1.4
> diff -u -p -r1.4 sshbuf.h
> --- sshbuf.h 2 Jul 2014 05:28:04 -0000 1.4
> +++ sshbuf.h 19 Aug 2014 01:23:22 -0000
> @@ -21,8 +21,12 @@
>  #include
>  #include
>  #include
> -#include
> -#include
> +#ifdef WITH_OPENSSL
> +# include
> +# ifdef OPENSSL_HAS_ECC
> +# include
> +# endif /* OPENSSL_HAS_ECC */
> +#endif /* WITH_OPENSSL */
>
>  #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum
> size */
>  #define SSHBUF_REFS_MAX 0x100000 /* Max child
> buffers */
> @@ -204,17 +208,19 @@ int sshbuf_peek_string_direct(const stru
>  * Functions to extract or store SSH wire encoded bignums and elliptic
>  * curve points.
>  */
> +int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t
> len);
> +#ifdef WITH_OPENSSL
>  int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v);
>  int sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v);
>  int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
>  int sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v);
> -int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t
> len);
> -#if !defined(WITH_OPENSSL) || defined(OPENSSL_HAS_ECC)
> +# ifdef OPENSSL_HAS_ECC
>  int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
>  int sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
>  int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const
> EC_GROUP *g);
>  int sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
> -#endif
> +# endif /* OPENSSL_HAS_ECC */
> +#endif /* WITH_OPENSSL */
>
>  /* Dump the contents of the buffer in a human-readable format */
>  void sshbuf_dump(struct sshbuf *buf, FILE *f);
>

--
# include
/* Kevin Brott */
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 18 Aug 2014 20:04:04 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140819001109.GC10370@linux124.nas.nasa.gov>
References: <20140819001109.GC10370@linux124.nas.nasa.gov>

Going to throw in my $.02 here (late) but I really think this is a bad
move. AIX doesn't natively do tcp wrappers (yes there is a *shudder* rpm
for it), but I literally just today stopped a minor syslog DoS caused by
some "monitoring" software slamming at my sshd process every second and
causing auth.log to grow like nobody's business, making it unparseable
and full of useless noise.

How did I stop it quickly? Created a /etc/hosts.deny file and threw this
into it ... knowing that sshd would process it and silently drop the
connections:

sshd : ip.add.re.ss : severity debug : deny

Yes, I could have run genfilt, if the server had ipsec4 filtering already
configured and running (it didn't). But I could write out a one-line
file, bounce sshd, and voila! Silent droppage of unwanted connections
(except into the separate debug log I was using for evidence).

I know it's a moot point at this juncture, but I disagree with the
decision.

On Mon, Aug 18, 2014 at 5:11 PM, Iain Morgan wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
>
> The 20140819 snapshot successfully builds and passes the tests on RHEL
> 6.5/x86_64 w/OpenSSL 1.0.1i.
>
> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
>
> % egrep -i 'netkit|wrapper|tcpd' */openssh.spec
> caldera/openssh.spec:  --with-tcp-wrappers \
> redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
> redhat/openssh.spec:  --with-tcp-wrappers \
> suse/openssh.spec:# TCP Wrappers (tcpd-devel),
> suse/openssh.spec:BuildPrereq: tcpd-devel
> suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers
> support
> suse/openssh.spec:  --with-tcp-wrappers \
>
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.
>
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
# include
/* Kevin Brott */

From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 14:26:06 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7

On Mon, 18 Aug 2014, Kevin Brott wrote:

> Will test this out in the morning. Will this be in the 0820 snapshot?

Yes, it should be.

-d
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Mon, 18 Aug 2014 22:49:27 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7

On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> NetBSD-current amd64
> ...
>
> Thanks - I think this should fix it (already committed).

Next one:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
-fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c ssh-ecdsa.c -o ssh-ecdsa.o
ssh-ecdsa.c: In function 'ssh_ecdsa_sign':
ssh-ecdsa.c:83:2: warning: implicit declaration of function
'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
  if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
  ^
ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
ssh-ecdsa.c:155:2: warning: implicit declaration of function
'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
  if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 16:14:13 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7

On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> Next one:
...
> 'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
>   if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
>   ^
> ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
> ssh-ecdsa.c:155:2: warning: implicit declaration of function
> 'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
>   if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||

That's strange - does your config.h have "#define WITH_OPENSSL 1" in it?

-d

From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Mon, 18 Aug 2014 23:31:27 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7

Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
and it still has the same error.

Perhaps the version of openssl is wrong?

On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> Next one:
> ...
>> 'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
>>   if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
>>   ^
>> ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
>> ssh-ecdsa.c:155:2: warning: implicit declaration of function
>> 'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
>>   if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
>
> That's strange - does your config.h have "#define WITH_OPENSSL 1" in it?
>
> -d
>

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 16:40:41 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> Yes, it does. I did a gmake distclean; git reset --hard; configure; gmake
> and it still has the same error.
>
> Perhaps the version of openssl is wrong?

No, the prototypes the compiler is complaining about are in sshbuf.h.

Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?

-d

From htodd at twofifty.com Tue Aug 19 16:42:34 2014
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Mon, 18 Aug 2014 23:42:34 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> Yes, it does. I did a gmake distclean; git reset --hard; configure; gmake
>> and it still has the same error.
>>
>> Perhaps the version of openssl is wrong?
>
> No, the prototypes the compiler is complaining about are in sshbuf.h.
>
> Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?

Here they are.

-- 
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
-------------- next part --------------
/* $OpenBSD: ssh-ecdsa.c,v 1.11 2014/06/24 01:13:21 djm Exp $ */
/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2010 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef OPENSSL_HAS_ECC

#include <sys/types.h>

#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>

#include <string.h>

#include "sshbuf.h"
#include "ssherr.h"
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"

/* ARGSUSED */
int
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen, u_int compat)
{
	ECDSA_SIG *sig = NULL;
	int hash_alg;
	u_char digest[SSH_DIGEST_MAX_LENGTH];
	size_t len, dlen;
	struct sshbuf *b = NULL, *bb = NULL;
	int ret = SSH_ERR_INTERNAL_ERROR;

	if (lenp != NULL)
		*lenp = 0;
	if (sigp != NULL)
		*sigp = NULL;

	if (key == NULL || key->ecdsa == NULL ||
	    sshkey_type_plain(key->type) != KEY_ECDSA)
		return SSH_ERR_INVALID_ARGUMENT;

	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
	    (dlen = ssh_digest_bytes(hash_alg)) == 0)
		return SSH_ERR_INTERNAL_ERROR;
	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
	    digest, sizeof(digest))) != 0)
		goto out;

	if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
		ret = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}

	if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
		ret = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
	    (ret = sshbuf_put_bignum2(bb, sig->s)) != 0)
		goto out;
	if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
	    (ret = sshbuf_put_stringb(b, bb)) != 0)
		goto out;
	len = sshbuf_len(b);
	if (sigp != NULL) {
		if ((*sigp = malloc(len)) == NULL) {
			ret = SSH_ERR_ALLOC_FAIL;
			goto out;
		}
		memcpy(*sigp, sshbuf_ptr(b), len);
	}
	if (lenp != NULL)
		*lenp = len;
	ret = 0;
 out:
	explicit_bzero(digest, sizeof(digest));
	if (b != NULL)
		sshbuf_free(b);
	if (bb != NULL)
		sshbuf_free(bb);
	if (sig != NULL)
		ECDSA_SIG_free(sig);
	return ret;
}

/* ARGSUSED */
int
ssh_ecdsa_verify(const struct sshkey *key,
    const u_char *signature, size_t signaturelen,
    const u_char *data, size_t datalen, u_int compat)
{
	ECDSA_SIG *sig = NULL;
	int hash_alg;
	u_char digest[SSH_DIGEST_MAX_LENGTH];
	size_t dlen;
	int ret = SSH_ERR_INTERNAL_ERROR;
	struct sshbuf *b = NULL, *sigbuf = NULL;
	char *ktype = NULL;

	if (key == NULL || key->ecdsa == NULL ||
	    sshkey_type_plain(key->type) != KEY_ECDSA)
		return SSH_ERR_INVALID_ARGUMENT;

	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
	    (dlen = ssh_digest_bytes(hash_alg)) == 0)
		return SSH_ERR_INTERNAL_ERROR;

	/* fetch signature */
	if ((b = sshbuf_from(signature, signaturelen)) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
	    sshbuf_froms(b, &sigbuf) != 0) {
		ret = SSH_ERR_INVALID_FORMAT;
		goto out;
	}
	if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
		ret = SSH_ERR_KEY_TYPE_MISMATCH;
		goto out;
	}
	if (sshbuf_len(b) != 0) {
		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
		goto out;
	}

	/* parse signature */
	if ((sig = ECDSA_SIG_new()) == NULL) {
		ret = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
	    sshbuf_get_bignum2(sigbuf, sig->s) != 0) {
		ret = SSH_ERR_INVALID_FORMAT;
		goto out;
	}
	if (sshbuf_len(sigbuf) != 0) {
		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
		goto out;
	}
	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
	    digest, sizeof(digest))) != 0)
		goto out;

	switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
	case 1:
		ret = 0;
		break;
	case 0:
		ret = SSH_ERR_SIGNATURE_INVALID;
		goto out;
	default:
		ret = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}

 out:
	explicit_bzero(digest, sizeof(digest));
	if (sigbuf != NULL)
		sshbuf_free(sigbuf);
	if (b != NULL)
		sshbuf_free(b);
	if (sig != NULL)
		ECDSA_SIG_free(sig);
	free(ktype);
	return ret;
}
#endif /* OPENSSL_HAS_ECC */
-------------- next part --------------
/* $OpenBSD: sshbuf.h,v 1.3 2014/06/24 01:13:21 djm Exp $ */
/*
 * Copyright (c) 2011 Damien Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _SSHBUF_H
#define _SSHBUF_H

#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#ifdef WITH_OPENSSL
# include <openssl/bn.h>
# ifdef OPENSSL_HAS_ECC
#  include <openssl/ec.h>
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */

#define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
#define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
#define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */

/*
 * NB. do not depend on the internals of this. It will be made opaque
 * one day.
 */
struct sshbuf {
	u_char *d;		/* Data */
	const u_char *cd;	/* Const data */
	size_t off;		/* First available byte is buf->d + buf->off */
	size_t size;		/* Last byte is buf->d + buf->size - 1 */
	size_t max_size;	/* Maximum size of buffer */
	size_t alloc;		/* Total bytes allocated to buf->d */
	int readonly;		/* Refers to external, const data */
	int dont_free;		/* Kludge to support sshbuf_init */
	u_int refcount;		/* Tracks self and number of child buffers */
	struct sshbuf *parent;	/* If child, pointer to parent */
};

#ifndef SSHBUF_NO_DEPREACTED
/*
 * NB. Please do not use sshbuf_init() in new code. Please use sshbuf_new()
 * instead. sshbuf_init() is deprecated and will go away soon (it is
 * only included to allow compat with buffer_* in OpenSSH)
 */
void sshbuf_init(struct sshbuf *buf);
#endif

/*
 * Create a new sshbuf buffer.
 * Returns pointer to buffer on success, or NULL on allocation failure.
 */
struct sshbuf *sshbuf_new(void);

/*
 * Create a new, read-only sshbuf buffer from existing data.
 * Returns pointer to buffer on success, or NULL on allocation failure.
 */
struct sshbuf *sshbuf_from(const void *blob, size_t len);

/*
 * Create a new, read-only sshbuf buffer from the contents of an existing
 * buffer. The contents of "buf" must not change in the lifetime of the
 * resultant buffer.
 * Returns pointer to buffer on success, or NULL on allocation failure.
 */
struct sshbuf *sshbuf_fromb(struct sshbuf *buf);

/*
 * Create a new, read-only sshbuf buffer from the contents of a string in
 * an existing buffer (the string is consumed in the process).
 * The contents of "buf" must not change in the lifetime of the resultant
 * buffer.
 * Returns pointer to buffer on success, or NULL on allocation failure.
 */
int sshbuf_froms(struct sshbuf *buf, struct sshbuf **bufp);

/*
 * Clear and free buf
 */
void sshbuf_free(struct sshbuf *buf);

/*
 * Reset buf, clearing its contents. NB. max_size is preserved.
 */
void sshbuf_reset(struct sshbuf *buf);

/*
 * Return the maximum size of buf
 */
size_t sshbuf_max_size(const struct sshbuf *buf);

/*
 * Set the maximum size of buf
 * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
 */
int sshbuf_set_max_size(struct sshbuf *buf, size_t max_size);

/*
 * Returns the length of data in buf
 */
size_t sshbuf_len(const struct sshbuf *buf);

/*
 * Returns number of bytes left in buffer before hitting max_size.
 */
size_t sshbuf_avail(const struct sshbuf *buf);

/*
 * Returns a read-only pointer to the start of the data in buf
 */
const u_char *sshbuf_ptr(const struct sshbuf *buf);

/*
 * Returns a mutable pointer to the start of the data in buf, or
 * NULL if the buffer is read-only.
 */
u_char *sshbuf_mutable_ptr(const struct sshbuf *buf);

/*
 * Check whether a reservation of size len will succeed in buf
 * Safer to use than direct comparisons against sshbuf_avail as it copes
 * with unsigned overflows correctly.
 * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
 */
int sshbuf_check_reserve(const struct sshbuf *buf, size_t len);

/*
 * Reserve len bytes in buf.
 * Returns 0 on success and a pointer to the first reserved byte via the
 * optional dpp parameter or a negative SSH_ERR_* error code on failure.
 */
int sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);

/*
 * Consume len bytes from the start of buf
 * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
 */
int sshbuf_consume(struct sshbuf *buf, size_t len);

/*
 * Consume len bytes from the end of buf
 * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
 */
int sshbuf_consume_end(struct sshbuf *buf, size_t len);

/* Extract or deposit some bytes */
int sshbuf_get(struct sshbuf *buf, void *v, size_t len);
int sshbuf_put(struct sshbuf *buf, const void *v, size_t len);
int sshbuf_putb(struct sshbuf *buf, const struct sshbuf *v);

/* Append using a printf(3) format */
int sshbuf_putf(struct sshbuf *buf, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));
int sshbuf_putfv(struct sshbuf *buf, const char *fmt, va_list ap);

/* Functions to extract or store big-endian words of various sizes */
int sshbuf_get_u64(struct sshbuf *buf, u_int64_t *valp);
int sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp);
int sshbuf_get_u16(struct sshbuf *buf, u_int16_t *valp);
int sshbuf_get_u8(struct sshbuf *buf, u_char *valp);
int sshbuf_put_u64(struct sshbuf *buf, u_int64_t val);
int sshbuf_put_u32(struct sshbuf *buf, u_int32_t val);
int sshbuf_put_u16(struct sshbuf *buf, u_int16_t val);
int sshbuf_put_u8(struct sshbuf *buf, u_char val);

/*
 * Functions to extract or store SSH wire encoded strings (u32 len || data)
 * The "cstring" variants admit no \0 characters in the string contents.
 * Caller must free *valp.
 */
int sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp);
int sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp);
int sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v);
int sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len);
int sshbuf_put_cstring(struct sshbuf *buf, const char *v);
int sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v);

/*
 * "Direct" variant of sshbuf_get_string, returns pointer into the sshbuf to
 * avoid a malloc+memcpy. The pointer is guaranteed to be valid until the
 * next sshbuf-modifying function call. Caller does not free.
 */
int sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp,
    size_t *lenp);

/* Skip past a string */
#define sshbuf_skip_string(buf) sshbuf_get_string_direct(buf, NULL, NULL)

/* Another variant: "peeks" into the buffer without modifying it */
int sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
    size_t *lenp);

/*
 * Functions to extract or store SSH wire encoded bignums and elliptic
 * curve points.
 */
int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
#ifdef WITH_OPENSSL
int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v);
int sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v);
int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
int sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v);
# ifdef OPENSSL_HAS_ECC
int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
int sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
int sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */

/* Dump the contents of the buffer in a human-readable format */
void sshbuf_dump(struct sshbuf *buf, FILE *f);

/* Dump specified memory in a human-readable format */
void sshbuf_dump_data(const void *s, size_t len, FILE *f);

/* Return the hexadecimal representation of the contents of the buffer */
char *sshbuf_dtob16(struct sshbuf *buf);

/* Encode the contents of the buffer as base64 */
char *sshbuf_dtob64(struct sshbuf *buf);

/* Decode base64 data and append it to the buffer */
int sshbuf_b64tod(struct sshbuf *buf, const char *b64);

/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
	(((u_int64_t)(((u_char *)(p))[0]) << 56) | \
	 ((u_int64_t)(((u_char *)(p))[1]) << 48) | \
	 ((u_int64_t)(((u_char *)(p))[2]) << 40) | \
	 ((u_int64_t)(((u_char *)(p))[3]) << 32) | \
	 ((u_int64_t)(((u_char *)(p))[4]) << 24) | \
	 ((u_int64_t)(((u_char *)(p))[5]) << 16) | \
	 ((u_int64_t)(((u_char *)(p))[6]) << 8) | \
	  (u_int64_t)(((u_char *)(p))[7]))
#define PEEK_U32(p) \
	(((u_int32_t)(((u_char *)(p))[0]) << 24) | \
	 ((u_int32_t)(((u_char *)(p))[1]) << 16) | \
	 ((u_int32_t)(((u_char *)(p))[2]) << 8) | \
	  (u_int32_t)(((u_char *)(p))[3]))
#define PEEK_U16(p) \
	(((u_int16_t)(((u_char *)(p))[0]) << 8) | \
	  (u_int16_t)(((u_char *)(p))[1]))

#define POKE_U64(p, v) \
	do { \
		((u_char *)(p))[0] = (((u_int64_t)(v)) >> 56) & 0xff; \
		((u_char *)(p))[1] = (((u_int64_t)(v)) >> 48) & 0xff; \
		((u_char *)(p))[2] = (((u_int64_t)(v)) >> 40) & 0xff; \
		((u_char *)(p))[3] = (((u_int64_t)(v)) >> 32) & 0xff; \
		((u_char *)(p))[4] = (((u_int64_t)(v)) >> 24) & 0xff; \
		((u_char *)(p))[5] = (((u_int64_t)(v)) >> 16) & 0xff; \
		((u_char *)(p))[6] = (((u_int64_t)(v)) >> 8) & 0xff; \
		((u_char *)(p))[7] = ((u_int64_t)(v)) & 0xff; \
	} while (0)
#define POKE_U32(p, v) \
	do { \
		((u_char *)(p))[0] = (((u_int64_t)(v)) >> 24) & 0xff; \
		((u_char *)(p))[1] = (((u_int64_t)(v)) >> 16) & 0xff; \
		((u_char *)(p))[2] = (((u_int64_t)(v)) >> 8) & 0xff; \
		((u_char *)(p))[3] = ((u_int64_t)(v)) & 0xff; \
	} while (0)
#define POKE_U16(p, v) \
	do { \
		((u_char *)(p))[0] = (((u_int64_t)(v)) >> 8) & 0xff; \
		((u_char *)(p))[1] = ((u_int64_t)(v)) & 0xff; \
	} while (0)

/* Internal definitions follow. Exposed for regress tests */
#ifdef SSHBUF_INTERNAL

/*
 * Return the allocation size of buf
 */
size_t sshbuf_alloc(const struct sshbuf *buf);

/*
 * Increment the reference count of buf.
 */
int sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent);

/*
 * Return the parent buffer of buf, or NULL if it has no parent.
 */
const struct sshbuf *sshbuf_parent(const struct sshbuf *buf);

/*
 * Return the reference count of buf
 */
u_int sshbuf_refcount(const struct sshbuf *buf);

# define SSHBUF_SIZE_INIT	256		/* Initial allocation */
# define SSHBUF_SIZE_INC	256		/* Preferred increment length */
# define SSHBUF_PACK_MIN	8192		/* Minimum packable offset */

/* # define SSHBUF_ABORT abort */
/* # define SSHBUF_DEBUG */

# ifndef SSHBUF_ABORT
#  define SSHBUF_ABORT()
# endif

# ifdef SSHBUF_DEBUG
#  define SSHBUF_TELL(what) do { \
		printf("%s:%d %s: %s size %zu alloc %zu off %zu max %zu\n", \
		    __FILE__, __LINE__, __func__, what, \
		    buf->size, buf->alloc, buf->off, buf->max_size); \
		fflush(stdout); \
	} while (0)
#  define SSHBUF_DBG(x) do { \
		printf("%s:%d %s: ", __FILE__, __LINE__, __func__); \
		printf x; \
		printf("\n"); \
		fflush(stdout); \
	} while (0)
# else
#  define SSHBUF_TELL(what)
#  define SSHBUF_DBG(x)
# endif
#endif /* SSHBUF_INTERNAL */

#endif /* _SSHBUF_H */
-------------- next part --------------
/* config.h.  Generated from config.h.in by configure.  */
/* config.h.in.  Generated from configure.ac by autoheader.  */

/* Define if building universal (internal helper macro) */
/* #undef AC_APPLE_UNIVERSAL_BUILD */

/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
   */
/* #undef AIX_GETNAMEINFO_HACK */

/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
/* #undef AIX_LOGINFAILED_4ARG */

/* System only supports IPv4 audit records */
/* #undef AU_IPv4 */

/* Define if your resolver libs need this for getrrsetbyname */
/* #undef BIND_8_COMPAT */

/* The system has incomplete BSM API */
/* #undef BROKEN_BSM_API */

/* Define if cmsg_type is not passed correctly */
/* #undef BROKEN_CMSG_TYPE */

/* getaddrinfo is broken (if present) */
/* #undef BROKEN_GETADDRINFO */

/* getgroups(0,NULL) will return -1 */
/* #undef BROKEN_GETGROUPS */

/* FreeBSD glob does not do what we need */
/* #undef BROKEN_GLOB */

/* Define if you system's inet_ntoa is busted (e.g.
   Irix gcc issue) */
/* #undef BROKEN_INET_NTOA */

/* ia_uinfo routines not supported by OS yet */
/* #undef BROKEN_LIBIAF */

/* Ultrix mmap can't map files */
/* #undef BROKEN_MMAP */

/* Define if your struct dirent expects you to allocate extra space for d_name
   */
/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */

/* Can't do comparisons on readv */
/* #undef BROKEN_READV_COMPARISON */

/* NetBSD read function is sometimes redirected, breaking atomicio comparisons
   against it */
#define BROKEN_READ_COMPARISON 1

/* Define if you have a broken realpath. */
/* #undef BROKEN_REALPATH */

/* Needed for NeXT */
/* #undef BROKEN_SAVED_UIDS */

/* Define if your setregid() is broken */
/* #undef BROKEN_SETREGID */

/* Define if your setresgid() is broken */
/* #undef BROKEN_SETRESGID */

/* Define if your setresuid() is broken */
/* #undef BROKEN_SETRESUID */

/* Define if your setreuid() is broken */
/* #undef BROKEN_SETREUID */

/* LynxOS has broken setvbuf() implementation */
/* #undef BROKEN_SETVBUF */

/* QNX shadow support is broken */
/* #undef BROKEN_SHADOW_EXPIRE */

/* Define if your snprintf is busted */
/* #undef BROKEN_SNPRINTF */

/* FreeBSD strnvis argument order is swapped compared to OpenBSD */
#define BROKEN_STRNVIS 1

/* tcgetattr with ICANON may hang */
/* #undef BROKEN_TCGETATTR_ICANON */

/* updwtmpx is broken (if present) */
/* #undef BROKEN_UPDWTMPX */

/* Define if you have BSD auth support */
/* #undef BSD_AUTH */

/* Define if you want to specify the path to your lastlog file */
/* #undef CONF_LASTLOG_FILE */

/* Define if you want to specify the path to your utmp file */
#define CONF_UTMP_FILE "/var/run/utmp"

/* Define if you want to specify the path to your wtmpx file */
/* #undef CONF_WTMPX_FILE */

/* Define if you want to specify the path to your wtmp file */
#define CONF_WTMP_FILE "/var/log/wtmp"

/* Define if your platform needs to skip post auth file descriptor passing */
/* #undef DISABLE_FD_PASSING */

/* Define if you don't want to use lastlog */
/* #undef DISABLE_LASTLOG */

/* Define if you don't want to use your system's login() call */
/* #undef DISABLE_LOGIN */

/* Define if you don't want to use pututline() etc. to write [uw]tmp */
/* #undef DISABLE_PUTUTLINE */

/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
/* #undef DISABLE_PUTUTXLINE */

/* Define if you want to disable shadow passwords */
/* #undef DISABLE_SHADOW */

/* Define if you don't want to use utmp */
/* #undef DISABLE_UTMP */

/* Define if you don't want to use utmpx */
/* #undef DISABLE_UTMPX */

/* Define if you don't want to use wtmp */
/* #undef DISABLE_WTMP */

/* Define if you don't want to use wtmpx */
#define DISABLE_WTMPX 1

/* Enable for PKCS#11 support */
#define ENABLE_PKCS11 /**/

/* File names may not contain backslash characters */
/* #undef FILESYSTEM_NO_BACKSLASH */

/* fsid_t has member val */
/* #undef FSID_HAS_VAL */

/* fsid_t has member __val */
/* #undef FSID_HAS___VAL */

/* Define to 1 if the `getpgrp' function requires zero arguments. */
#define GETPGRP_VOID 1

/* Conflicting defs for getspnam */
/* #undef GETSPNAM_CONFLICTING_DEFS */

/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
#define GLOB_HAS_ALTDIRFUNC 1

/* Define if your system glob() function has gl_matchc options in glob_t */
#define GLOB_HAS_GL_MATCHC 1

/* Define if your system glob() function has gl_statv options in glob_t */
/* #undef GLOB_HAS_GL_STATV */

/* Define this if you want GSSAPI support in the version 2 protocol */
/* #undef GSSAPI */

/* Define if you want to use shadow password expire field */
/* #undef HAS_SHADOW_EXPIRE */

/* Define if your system uses access rights style file descriptor passing */
/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */

/* Define if you have ut_addr in utmp.h */
/* #undef HAVE_ADDR_IN_UTMP */

/* Define if you have ut_addr in utmpx.h */
/* #undef HAVE_ADDR_IN_UTMPX */

/* Define if you have ut_addr_v6 in utmp.h */
/* #undef HAVE_ADDR_V6_IN_UTMP */

/* Define if you have ut_addr_v6 in utmpx.h */
/* #undef HAVE_ADDR_V6_IN_UTMPX */

/* Define to 1 if you have the `arc4random' function. */
#define HAVE_ARC4RANDOM 1

/* Define to 1 if you have the `arc4random_buf' function. */
#define HAVE_ARC4RANDOM_BUF 1

/* Define to 1 if you have the `arc4random_stir' function. */
#define HAVE_ARC4RANDOM_STIR 1

/* Define to 1 if you have the `arc4random_uniform' function. */
#define HAVE_ARC4RANDOM_UNIFORM 1

/* Define to 1 if you have the `asprintf' function. */
#define HAVE_ASPRINTF 1

/* OpenBSD's gcc has bounded */
/* #undef HAVE_ATTRIBUTE__BOUNDED__ */

/* Have attribute nonnull */
#define HAVE_ATTRIBUTE__NONNULL__ 1

/* OpenBSD's gcc has sentinel */
/* #undef HAVE_ATTRIBUTE__SENTINEL__ */

/* Define to 1 if you have the `aug_get_machine' function. */
/* #undef HAVE_AUG_GET_MACHINE */

/* Define to 1 if you have the `b64_ntop' function. */
/* #undef HAVE_B64_NTOP */

/* Define to 1 if you have the `b64_pton' function. */
/* #undef HAVE_B64_PTON */

/* Define if you have the basename function. */
#define HAVE_BASENAME 1

/* Define to 1 if you have the `bcopy' function. */
#define HAVE_BCOPY 1

/* Define to 1 if you have the `bcrypt_pbkdf' function. */
/* #undef HAVE_BCRYPT_PBKDF */

/* Define to 1 if you have the `bindresvport_sa' function. */
#define HAVE_BINDRESVPORT_SA 1

/* Define to 1 if you have the `blf_enc' function. */
/* #undef HAVE_BLF_ENC */

/* Define to 1 if you have the header file. */
/* #undef HAVE_BLF_H */

/* Define to 1 if you have the `Blowfish_expand0state' function. */
/* #undef HAVE_BLOWFISH_EXPAND0STATE */

/* Define to 1 if you have the `Blowfish_expandstate' function. */
/* #undef HAVE_BLOWFISH_EXPANDSTATE */

/* Define to 1 if you have the `Blowfish_initstate' function. */
/* #undef HAVE_BLOWFISH_INITSTATE */

/* Define to 1 if you have the `Blowfish_stream2word' function. */
/* #undef HAVE_BLOWFISH_STREAM2WORD */

/* Define to 1 if you have the `BN_is_prime_ex' function. */
#define HAVE_BN_IS_PRIME_EX 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_BSD_LIBUTIL_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_BSM_AUDIT_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_BSTRING_H */

/* Define to 1 if you have the `cap_rights_limit' function. */
/* #undef HAVE_CAP_RIGHTS_LIMIT */

/* Define to 1 if you have the `clock' function. */
#define HAVE_CLOCK 1

/* Have clock_gettime */
#define HAVE_CLOCK_GETTIME 1

/* define if you have clock_t data type */
#define HAVE_CLOCK_T 1

/* Define to 1 if you have the `closefrom' function. */
#define HAVE_CLOSEFROM 1

/* Define if gai_strerror() returns const char * */
#define HAVE_CONST_GAI_STRERROR_PROTO 1

/* Define if your system uses ancillary data style file descriptor passing */
#define HAVE_CONTROL_IN_MSGHDR 1

/* Define to 1 if you have the `crypt' function. */
#define HAVE_CRYPT 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_CRYPTO_SHA2_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_CRYPT_H */

/* Define if you are on Cygwin */
/* #undef HAVE_CYGWIN */

/* Define if your libraries define daemon() */
#define HAVE_DAEMON 1

/* Define to 1 if you have the declaration of `authenticate', and to 0 if you
   don't. */
/* #undef HAVE_DECL_AUTHENTICATE */

/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you
   don't. */
#define HAVE_DECL_GLOB_NOMATCH 1

/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
   and to 0 if you don't. */
/* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */

/* Define to 1 if you have the declaration of `howmany', and to 0 if you
   don't. */
#define HAVE_DECL_HOWMANY 1

/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
   don't. */
#define HAVE_DECL_H_ERRNO 1

/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you
   don't. */
/* #undef HAVE_DECL_LOGINFAILED */

/* Define to 1 if you have the declaration of `loginrestrictions', and to 0 if
   you don't. */
/* #undef HAVE_DECL_LOGINRESTRICTIONS */

/* Define to 1 if you have the declaration of `loginsuccess', and to 0 if you
   don't. */
/* #undef HAVE_DECL_LOGINSUCCESS */

/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
   don't. */
#define HAVE_DECL_MAXSYMLINKS 1

/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
   don't. */
#define HAVE_DECL_NFDBITS 1

/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
   don't. */
#define HAVE_DECL_OFFSETOF 1

/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
   don't. */
#define HAVE_DECL_O_NONBLOCK 1

/* Define to 1 if you have the declaration of `passwdexpired', and to 0 if
   you don't. */
/* #undef HAVE_DECL_PASSWDEXPIRED */

/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
   don't. */
/* #undef HAVE_DECL_SETAUTHDB */

/* Define to 1 if you have the declaration of `SHUT_RD', and to 0 if you
   don't. */
#define HAVE_DECL_SHUT_RD 1

/* Define to 1 if you have the declaration of `writev', and to 0 if you
   don't. */
#define HAVE_DECL_WRITEV 1

/* Define to 1 if you have the declaration of `_getlong', and to 0 if you
   don't. */
#define HAVE_DECL__GETLONG 0

/* Define to 1 if you have the declaration of `_getshort', and to 0 if you
   don't. */
#define HAVE_DECL__GETSHORT 0

/* Define to 1 if you have the `DES_crypt' function. */
#define HAVE_DES_CRYPT 1

/* Define if you have /dev/ptmx */
#define HAVE_DEV_PTMX 1

/* Define if you have /dev/ptc */
/* #undef HAVE_DEV_PTS_AND_PTC */

/* Define to 1 if you have the header file. */
#define HAVE_DIRENT_H 1

/* Define to 1 if you have the `dirfd' function. */
/* #undef HAVE_DIRFD */

/* Define to 1 if you have the `dirname' function. */
#define HAVE_DIRNAME 1

/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
#define HAVE_DSA_GENERATE_PARAMETERS_EX 1

/* Define to 1 if you have the header file. */
#define HAVE_ELF_H 1

/* Define to 1 if you have the `endgrent' function. */
#define HAVE_ENDGRENT 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_ENDIAN_H */

/* Define to 1 if you have the `endutent' function. */
#define HAVE_ENDUTENT 1

/* Define to 1 if you have the `endutxent' function. */
#define HAVE_ENDUTXENT 1

/* Define if your system has /etc/default/login */
/* #undef HAVE_ETC_DEFAULT_LOGIN */

/* Define if libcrypto has EVP_CIPHER_CTX_ctrl */
#define HAVE_EVP_CIPHER_CTX_CTRL 1

/* Define to 1 if you have the `EVP_DigestFinal_ex' function. */
#define HAVE_EVP_DIGESTFINAL_EX 1

/* Define to 1 if you have the `EVP_DigestInit_ex' function. */
#define HAVE_EVP_DIGESTINIT_EX 1

/* Define to 1 if you have the `EVP_MD_CTX_cleanup' function. */
#define HAVE_EVP_MD_CTX_CLEANUP 1

/* Define to 1 if you have the `EVP_MD_CTX_copy_ex' function. */
#define HAVE_EVP_MD_CTX_COPY_EX 1

/* Define to 1 if you have the `EVP_MD_CTX_init' function. */
#define HAVE_EVP_MD_CTX_INIT 1

/* Define to 1 if you have the `EVP_sha256' function. */
#define HAVE_EVP_SHA256 1

/* Define if you have ut_exit in utmp.h */
/* #undef HAVE_EXIT_IN_UTMP */

/* Define to 1 if you have the `explicit_bzero' function. */
/* #undef HAVE_EXPLICIT_BZERO */

/* Define to 1 if you have the `fchmod' function. */
#define HAVE_FCHMOD 1

/* Define to 1 if you have the `fchown' function. */
#define HAVE_FCHOWN 1

/* Use F_CLOSEM fcntl for closefrom */
/* #undef HAVE_FCNTL_CLOSEM */

/* Define to 1 if you have the header file. */
#define HAVE_FCNTL_H 1

/* Define to 1 if the system has the type `fd_mask'. */
#define HAVE_FD_MASK 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_FEATURES_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_FLOATINGPOINT_H */

/* Define to 1 if you have the `fmt_scaled' function. */
/* #undef HAVE_FMT_SCALED */

/* Define to 1 if you have the `freeaddrinfo' function. */
#define HAVE_FREEADDRINFO 1

/* Define to 1 if the system has the type `fsblkcnt_t'. */
#define HAVE_FSBLKCNT_T 1

/* Define to 1 if the system has the type `fsfilcnt_t'. */
#define HAVE_FSFILCNT_T 1

/* Define to 1 if you have the `fstatfs' function. */
#define HAVE_FSTATFS 1

/* Define to 1 if you have the `fstatvfs' function. */
#define HAVE_FSTATVFS 1

/* Define to 1 if you have the `futimes' function. */
#define HAVE_FUTIMES 1

/* Define to 1 if you have the `gai_strerror' function. */
#define HAVE_GAI_STRERROR 1

/* Define to 1 if you have the `getaddrinfo' function. */
#define HAVE_GETADDRINFO 1

/* Define to 1 if you have the `getaudit' function. */
/* #undef HAVE_GETAUDIT */

/* Define to 1 if you have the `getaudit_addr' function. */
/* #undef HAVE_GETAUDIT_ADDR */

/* Define to 1 if you have the `getcwd' function. */
#define HAVE_GETCWD 1

/* Define to 1 if you have the `getgrouplist' function. */
#define HAVE_GETGROUPLIST 1

/* Define to 1 if you have the `getgrset' function. */
/* #undef HAVE_GETGRSET */

/* Define to 1 if you have the `getlastlogxbyname' function. */
/* #undef HAVE_GETLASTLOGXBYNAME */

/* Define to 1 if you have the `getluid' function. */
/* #undef HAVE_GETLUID */

/* Define to 1 if you have the `getnameinfo' function. */
#define HAVE_GETNAMEINFO 1

/* Define to 1 if you have the `getopt' function. */
#define HAVE_GETOPT 1

/* Define to 1 if you have the header file. */
#define HAVE_GETOPT_H 1

/* Define if your getopt(3) defines and uses optreset */
#define HAVE_GETOPT_OPTRESET 1

/* Define if your libraries define getpagesize() */
#define HAVE_GETPAGESIZE 1

/* Define to 1 if you have the `getpeereid' function. */
#define HAVE_GETPEEREID 1

/* Define to 1 if you have the `getpeerucred' function. */
/* #undef HAVE_GETPEERUCRED */

/* Define to 1 if you have the `getpgid' function. */
#define HAVE_GETPGID 1

/* Define to 1 if you have the `getpgrp' function. */
#define HAVE_GETPGRP 1

/* Define to 1 if you have the `getpwanam' function. */
/* #undef HAVE_GETPWANAM */

/* Define to 1 if you have the `getrlimit' function. */
#define HAVE_GETRLIMIT 1

/* Define if getrrsetbyname() exists */
/* #undef HAVE_GETRRSETBYNAME */

/* Define to 1 if you have the `getrusage' function. */
/* #undef HAVE_GETRUSAGE */

/* Define to 1 if you have the `getseuserbyname' function. */
/* #undef HAVE_GETSEUSERBYNAME */

/* Define to 1 if you have the `gettimeofday' function. */
#define HAVE_GETTIMEOFDAY 1

/* Define to 1 if you have the `getttyent' function. */
#define HAVE_GETTTYENT 1

/* Define to 1 if you have the `getutent' function. */
#define HAVE_GETUTENT 1

/* Define to 1 if you have the `getutid' function. */
/* #undef HAVE_GETUTID */

/* Define to 1 if you have the `getutline' function. */
/* #undef HAVE_GETUTLINE */

/* Define to 1 if you have the `getutxent' function. */
#define HAVE_GETUTXENT 1

/* Define to 1 if you have the `getutxid' function. */
#define HAVE_GETUTXID 1

/* Define to 1 if you have the `getutxline' function. */
#define HAVE_GETUTXLINE 1

/* Define to 1 if you have the `getutxuser' function. */
/* #undef HAVE_GETUTXUSER */

/* Define to 1 if you have the `get_default_context_with_level' function. */
/* #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL */

/* Define to 1 if you have the `glob' function. */
#define HAVE_GLOB 1

/* Define to 1 if you have the header file. */
#define HAVE_GLOB_H 1

/* Define to 1 if you have the `group_from_gid' function. */
#define HAVE_GROUP_FROM_GID 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_GENERIC_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_GSSAPI_GENERIC_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_GSSAPI_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_GSSAPI_KRB5_H */

/* Define if HEADER.ad exists in arpa/nameser.h */
#define HAVE_HEADER_AD 1

/* Define to 1 if you have the `HMAC_CTX_init' function. */
#define HAVE_HMAC_CTX_INIT 1

/* Define if you have ut_host in utmp.h */
#define HAVE_HOST_IN_UTMP 1

/* Define if you have ut_host in utmpx.h */
#define HAVE_HOST_IN_UTMPX 1

/* Define to 1 if you have the header file. */
/* #undef HAVE_IAF_H */

/* Define to 1 if you have the header file. */
/* #undef HAVE_IA_H */

/* Define if you have ut_id in utmp.h */
/* #undef HAVE_ID_IN_UTMP */

/* Define if you have ut_id in utmpx.h */
#define HAVE_ID_IN_UTMPX 1

/* Define to 1 if you have the `inet_aton' function. */
#define HAVE_INET_ATON 1

/* Define to 1 if you have the `inet_ntoa' function. */
#define HAVE_INET_NTOA 1

/* Define to 1 if you have the `inet_ntop' function. */
#define HAVE_INET_NTOP 1

/* Define to 1 if you have the `innetgr' function. */
#define HAVE_INNETGR 1

/* define if you have int64_t data type */
#define HAVE_INT64_T 1

/* Define to 1 if the system has the type `intmax_t'. */
#define HAVE_INTMAX_T 1

/* Define to 1 if you have the header file. */
#define HAVE_INTTYPES_H 1

/* define if you have intxx_t data type */
#define HAVE_INTXX_T 1

/* Define to 1 if the system has the type `in_addr_t'. */
#define HAVE_IN_ADDR_T 1

/* Define to 1 if the system has the type `in_port_t'. */
#define HAVE_IN_PORT_T 1

/* Define if you have isblank(3C). */
#define HAVE_ISBLANK 1

/* Define to 1 if you have the `krb5_cc_new_unique' function. */
/* #undef HAVE_KRB5_CC_NEW_UNIQUE */

/* Define to 1 if you have the `krb5_free_error_message' function. */
/* #undef HAVE_KRB5_FREE_ERROR_MESSAGE */

/* Define to 1 if you have the `krb5_get_error_message' function. */
/* #undef HAVE_KRB5_GET_ERROR_MESSAGE */

/* Define to 1 if you have the header file. */
/* #undef HAVE_LASTLOG_H */

/* Define if you want ldns support */
/* #undef HAVE_LDNS */

/* Define to 1 if you have the header file. */
/* #undef HAVE_LIBAUDIT_H */

/* Define to 1 if you have the `bsm' library (-lbsm). */
/* #undef HAVE_LIBBSM */

/* Define to 1 if you have the `crypt' library (-lcrypt). */
#define HAVE_LIBCRYPT 1

/* Define to 1 if you have the `dl' library (-ldl). */
/* #undef HAVE_LIBDL */

/* Define to 1 if you have the header file. */
#define HAVE_LIBGEN_H 1

/* Define if system has libiaf that supports set_id */
/* #undef HAVE_LIBIAF */

/* Define to 1 if you have the `network' library (-lnetwork). */
/* #undef HAVE_LIBNETWORK */

/* Define to 1 if you have the `nsl' library (-lnsl). */
/* #undef HAVE_LIBNSL */

/* Define to 1 if you have the `pam' library (-lpam). */
/* #undef HAVE_LIBPAM */

/* Define to 1 if you have the `socket' library (-lsocket). */
/* #undef HAVE_LIBSOCKET */

/* Define to 1 if you have the header file. */
/* #undef HAVE_LIBUTIL_H */

/* Define to 1 if you have the `xnet' library (-lxnet). */
/* #undef HAVE_LIBXNET */

/* Define to 1 if you have the `z' library (-lz). */
#define HAVE_LIBZ 1

/* Define to 1 if you have the header file.
*/ #define HAVE_LIMITS_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_AUDIT_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_FILTER_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_IF_TUN_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_SECCOMP_H */ /* Define to 1 if you have the header file. */ #define HAVE_LOCALE_H 1 /* Define to 1 if you have the `login' function. */ #define HAVE_LOGIN 1 /* Define to 1 if you have the header file. */ #define HAVE_LOGIN_CAP_H 1 /* Define to 1 if you have the `login_getcapbool' function. */ #define HAVE_LOGIN_GETCAPBOOL 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_LOGIN_H */ /* Define to 1 if you have the `logout' function. */ #define HAVE_LOGOUT 1 /* Define to 1 if you have the `logwtmp' function. */ #define HAVE_LOGWTMP 1 /* Define to 1 if the system has the type `long double'. */ #define HAVE_LONG_DOUBLE 1 /* Define to 1 if the system has the type `long long'. */ #define HAVE_LONG_LONG 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_MAILLOCK_H */ /* Define to 1 if you have the `mblen' function. */ #define HAVE_MBLEN 1 /* Define to 1 if you have the `md5_crypt' function. */ /* #undef HAVE_MD5_CRYPT */ /* Define if you want to allow MD5 passwords */ /* #undef HAVE_MD5_PASSWORDS */ /* Define to 1 if you have the `memmove' function. */ #define HAVE_MEMMOVE 1 /* Define to 1 if you have the header file. */ #define HAVE_MEMORY_H 1 /* Define to 1 if you have the `mkdtemp' function. */ #define HAVE_MKDTEMP 1 /* Define to 1 if you have the `mmap' function. */ #define HAVE_MMAP 1 /* define if you have mode_t data type */ #define HAVE_MODE_T 1 /* Some systems put nanosleep outside of libc */ #define HAVE_NANOSLEEP 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_NDIR_H */ /* Define to 1 if you have the header file. */ #define HAVE_NETDB_H 1 /* Define to 1 if you have the header file. 
*/ #define HAVE_NETGROUP_H 1 /* Define to 1 if you have the header file. */ #define HAVE_NET_IF_TUN_H 1 /* Define if you are on NeXT */ /* #undef HAVE_NEXT */ /* Define to 1 if you have the `ngetaddrinfo' function. */ /* #undef HAVE_NGETADDRINFO */ /* Define to 1 if you have the `nsleep' function. */ /* #undef HAVE_NSLEEP */ /* Define to 1 if you have the `ogetaddrinfo' function. */ /* #undef HAVE_OGETADDRINFO */ /* Define if you have an old version of PAM which takes only one argument to pam_strerror */ /* #undef HAVE_OLD_PAM */ /* Define to 1 if you have the `openlog_r' function. */ #define HAVE_OPENLOG_R 1 /* Define to 1 if you have the `openpty' function. */ #define HAVE_OPENPTY 1 /* Define if your ssl headers are included with #include */ #define HAVE_OPENSSL 1 /* Define if you have Digital Unix Security Integration Architecture */ /* #undef HAVE_OSF_SIA */ /* Define to 1 if you have the `pam_getenvlist' function. */ /* #undef HAVE_PAM_GETENVLIST */ /* Define to 1 if you have the header file. */ /* #undef HAVE_PAM_PAM_APPL_H */ /* Define to 1 if you have the `pam_putenv' function. */ /* #undef HAVE_PAM_PUTENV */ /* Define to 1 if you have the header file. */ #define HAVE_PATHS_H 1 /* Define if you have ut_pid in utmp.h */ /* #undef HAVE_PID_IN_UTMP */ /* define if you have pid_t data type */ #define HAVE_PID_T 1 /* Define to 1 if you have the `poll' function. */ #define HAVE_POLL 1 /* Define to 1 if you have the header file. */ #define HAVE_POLL_H 1 /* Define to 1 if you have the `prctl' function. */ /* #undef HAVE_PRCTL */ /* Define if you have /proc/$pid/fd */ #define HAVE_PROC_PID 1 /* Define to 1 if you have the `pstat' function. */ /* #undef HAVE_PSTAT */ /* Define to 1 if you have the header file. */ /* #undef HAVE_PTY_H */ /* Define to 1 if you have the `pututline' function. */ /* #undef HAVE_PUTUTLINE */ /* Define to 1 if you have the `pututxline' function. */ #define HAVE_PUTUTXLINE 1 /* Define to 1 if you have the `readpassphrase' function. 
*/ /* #undef HAVE_READPASSPHRASE */ /* Define to 1 if you have the header file. */ /* #undef HAVE_READPASSPHRASE_H */ /* Define to 1 if you have the `realpath' function. */ #define HAVE_REALPATH 1 /* Define to 1 if you have the `recvmsg' function. */ #define HAVE_RECVMSG 1 /* sys/resource.h has RLIMIT_NPROC */ #define HAVE_RLIMIT_NPROC /**/ /* Define to 1 if you have the header file. */ #define HAVE_RPC_TYPES_H 1 /* Define to 1 if you have the `rresvport_af' function. */ #define HAVE_RRESVPORT_AF 1 /* Define to 1 if you have the `RSA_generate_key_ex' function. */ #define HAVE_RSA_GENERATE_KEY_EX 1 /* Define to 1 if you have the `RSA_get_default_method' function. */ #define HAVE_RSA_GET_DEFAULT_METHOD 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SANDBOX_H */ /* Define to 1 if you have the `sandbox_init' function. */ /* #undef HAVE_SANDBOX_INIT */ /* define if you have sa_family_t data type */ #define HAVE_SA_FAMILY_T 1 /* Define to 1 if you have the `scan_scaled' function. */ /* #undef HAVE_SCAN_SCALED */ /* Define if you have SecureWare-based protected password database */ /* #undef HAVE_SECUREWARE */ /* Define to 1 if you have the header file. */ #define HAVE_SECURITY_PAM_APPL_H 1 /* Define to 1 if you have the `sendmsg' function. */ #define HAVE_SENDMSG 1 /* Define to 1 if you have the `setauthdb' function. */ /* #undef HAVE_SETAUTHDB */ /* Define to 1 if you have the `setdtablesize' function. */ /* #undef HAVE_SETDTABLESIZE */ /* Define to 1 if you have the `setegid' function. */ #define HAVE_SETEGID 1 /* Define to 1 if you have the `setenv' function. */ #define HAVE_SETENV 1 /* Define to 1 if you have the `seteuid' function. */ #define HAVE_SETEUID 1 /* Define to 1 if you have the `setgroupent' function. */ #define HAVE_SETGROUPENT 1 /* Define to 1 if you have the `setgroups' function. */ #define HAVE_SETGROUPS 1 /* Define to 1 if you have the `setlinebuf' function. 
*/ #define HAVE_SETLINEBUF 1 /* Define to 1 if you have the `setlogin' function. */ #define HAVE_SETLOGIN 1 /* Define to 1 if you have the `setluid' function. */ /* #undef HAVE_SETLUID */ /* Define to 1 if you have the `setpassent' function. */ #define HAVE_SETPASSENT 1 /* Define to 1 if you have the `setpcred' function. */ /* #undef HAVE_SETPCRED */ /* Define to 1 if you have the `setproctitle' function. */ #define HAVE_SETPROCTITLE 1 /* Define to 1 if you have the `setregid' function. */ #define HAVE_SETREGID 1 /* Define to 1 if you have the `setresgid' function. */ /* #undef HAVE_SETRESGID */ /* Define to 1 if you have the `setresuid' function. */ /* #undef HAVE_SETRESUID */ /* Define to 1 if you have the `setreuid' function. */ #define HAVE_SETREUID 1 /* Define to 1 if you have the `setrlimit' function. */ #define HAVE_SETRLIMIT 1 /* Define to 1 if you have the `setsid' function. */ #define HAVE_SETSID 1 /* Define to 1 if you have the `setutent' function. */ #define HAVE_SETUTENT 1 /* Define to 1 if you have the `setutxdb' function. */ /* #undef HAVE_SETUTXDB */ /* Define to 1 if you have the `setutxent' function. */ #define HAVE_SETUTXENT 1 /* Define to 1 if you have the `setvbuf' function. */ #define HAVE_SETVBUF 1 /* Define to 1 if you have the `set_id' function. */ /* #undef HAVE_SET_ID */ /* Define to 1 if you have the `SHA256_Update' function. */ #define HAVE_SHA256_UPDATE 1 /* Define to 1 if you have the header file. */ #define HAVE_SHA2_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SHADOW_H */ /* Define to 1 if you have the `sigaction' function. */ #define HAVE_SIGACTION 1 /* Define to 1 if you have the `sigvec' function. */ #define HAVE_SIGVEC 1 /* Define to 1 if the system has the type `sig_atomic_t'. */ #define HAVE_SIG_ATOMIC_T 1 /* define if you have size_t data type */ #define HAVE_SIZE_T 1 /* Define to 1 if you have the `snprintf' function. */ #define HAVE_SNPRINTF 1 /* Define to 1 if you have the `socketpair' function. 
*/ #define HAVE_SOCKETPAIR 1 /* Have PEERCRED socket option */ /* #undef HAVE_SO_PEERCRED */ /* define if you have ssize_t data type */ #define HAVE_SSIZE_T 1 /* Fields in struct sockaddr_storage */ #define HAVE_SS_FAMILY_IN_SS 1 /* Define to 1 if you have the `statfs' function. */ #define HAVE_STATFS 1 /* Define to 1 if you have the `statvfs' function. */ #define HAVE_STATVFS 1 /* Define to 1 if you have the header file. */ #define HAVE_STDDEF_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDINT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDLIB_H 1 /* Define to 1 if you have the `strdup' function. */ #define HAVE_STRDUP 1 /* Define to 1 if you have the `strerror' function. */ #define HAVE_STRERROR 1 /* Define to 1 if you have the `strftime' function. */ #define HAVE_STRFTIME 1 /* Silly mkstemp() */ /* #undef HAVE_STRICT_MKSTEMP */ /* Define to 1 if you have the header file. */ #define HAVE_STRINGS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STRING_H 1 /* Define to 1 if you have the `strlcat' function. */ #define HAVE_STRLCAT 1 /* Define to 1 if you have the `strlcpy' function. */ #define HAVE_STRLCPY 1 /* Define to 1 if you have the `strmode' function. */ #define HAVE_STRMODE 1 /* Define to 1 if you have the `strnlen' function. */ #define HAVE_STRNLEN 1 /* Define to 1 if you have the `strnvis' function. */ #define HAVE_STRNVIS 1 /* Define to 1 if you have the `strptime' function. */ #define HAVE_STRPTIME 1 /* Define to 1 if you have the `strsep' function. */ #define HAVE_STRSEP 1 /* Define to 1 if you have the `strtoll' function. */ #define HAVE_STRTOLL 1 /* Define to 1 if you have the `strtonum' function. */ /* #undef HAVE_STRTONUM */ /* Define to 1 if you have the `strtoul' function. */ #define HAVE_STRTOUL 1 /* Define to 1 if you have the `strtoull' function. 
*/ #define HAVE_STRTOULL 1 /* define if you have struct addrinfo data type */ #define HAVE_STRUCT_ADDRINFO 1 /* define if you have struct in6_addr data type */ #define HAVE_STRUCT_IN6_ADDR 1 /* Define to 1 if `pw_change' is a member of `struct passwd'. */ #define HAVE_STRUCT_PASSWD_PW_CHANGE 1 /* Define to 1 if `pw_class' is a member of `struct passwd'. */ #define HAVE_STRUCT_PASSWD_PW_CLASS 1 /* Define to 1 if `pw_expire' is a member of `struct passwd'. */ #define HAVE_STRUCT_PASSWD_PW_EXPIRE 1 /* Define to 1 if `pw_gecos' is a member of `struct passwd'. */ #define HAVE_STRUCT_PASSWD_PW_GECOS 1 /* define if you have struct sockaddr_in6 data type */ #define HAVE_STRUCT_SOCKADDR_IN6 1 /* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */ #define HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID 1 /* define if you have struct sockaddr_storage data type */ #define HAVE_STRUCT_SOCKADDR_STORAGE 1 /* Define to 1 if `st_blksize' is a member of `struct stat'. */ #define HAVE_STRUCT_STAT_ST_BLKSIZE 1 /* Define to 1 if the system has the type `struct timespec'. */ #define HAVE_STRUCT_TIMESPEC 1 /* define if you have struct timeval */ #define HAVE_STRUCT_TIMEVAL 1 /* Define to 1 if you have the `swap32' function. */ /* #undef HAVE_SWAP32 */ /* Define to 1 if you have the `sysconf' function. */ #define HAVE_SYSCONF 1 /* Define if you have syslen in utmpx.h */ /* #undef HAVE_SYSLEN_IN_UTMPX */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_AUDIT_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_BITYPES_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_BSDTTY_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_CAPABILITY_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_CDEFS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_DIR_H 1 /* Define if your system defines sys_errlist[] */ #define HAVE_SYS_ERRLIST 1 /* Define to 1 if you have the header file. 
*/ #define HAVE_SYS_MMAN_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_MOUNT_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_NDIR_H */ /* Define if your system defines sys_nerr */ #define HAVE_SYS_NERR 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_POLL_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_PRCTL_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_PSTAT_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_PTMS_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_SELECT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_STATVFS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_STAT_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_STREAM_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_STROPTS_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_STRTIO_H */ /* Force use of sys/syslog.h on Ultrix */ /* #undef HAVE_SYS_SYSLOG_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_SYSMACROS_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_TIMERS_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_TIME_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_TYPES_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_UN_H 1 /* Define to 1 if you have the `tcgetpgrp' function. */ #define HAVE_TCGETPGRP 1 /* Define to 1 if you have the `tcsendbreak' function. */ #define HAVE_TCSENDBREAK 1 /* Define to 1 if you have the `time' function. */ #define HAVE_TIME 1 /* Define to 1 if you have the header file. */ #define HAVE_TIME_H 1 /* Define if you have ut_time in utmp.h */ #define HAVE_TIME_IN_UTMP 1 /* Define if you have ut_time in utmpx.h */ /* #undef HAVE_TIME_IN_UTMPX */ /* Define to 1 if you have the `timingsafe_bcmp' function. 
*/ /* #undef HAVE_TIMINGSAFE_BCMP */ /* Define to 1 if you have the header file. */ /* #undef HAVE_TMPDIR_H */ /* Define to 1 if you have the `truncate' function. */ #define HAVE_TRUNCATE 1 /* Define to 1 if you have the header file. */ #define HAVE_TTYENT_H 1 /* Define if you have ut_tv in utmp.h */ /* #undef HAVE_TV_IN_UTMP */ /* Define if you have ut_tv in utmpx.h */ #define HAVE_TV_IN_UTMPX 1 /* Define if you have ut_type in utmp.h */ /* #undef HAVE_TYPE_IN_UTMP */ /* Define if you have ut_type in utmpx.h */ #define HAVE_TYPE_IN_UTMPX 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_UCRED_H */ /* Define to 1 if the system has the type `uintmax_t'. */ #define HAVE_UINTMAX_T 1 /* define if you have uintxx_t data type */ #define HAVE_UINTXX_T 1 /* Define to 1 if you have the header file. */ #define HAVE_UNISTD_H 1 /* Define to 1 if you have the `unsetenv' function. */ #define HAVE_UNSETENV 1 /* Define to 1 if the system has the type `unsigned long long'. */ #define HAVE_UNSIGNED_LONG_LONG 1 /* Define to 1 if you have the `updwtmp' function. */ /* #undef HAVE_UPDWTMP */ /* Define to 1 if you have the `updwtmpx' function. */ #define HAVE_UPDWTMPX 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_USERSEC_H */ /* Define to 1 if you have the `user_from_uid' function. */ #define HAVE_USER_FROM_UID 1 /* Define to 1 if you have the `usleep' function. */ #define HAVE_USLEEP 1 /* Define to 1 if you have the header file. */ #define HAVE_UTIL_H 1 /* Define to 1 if you have the `utimes' function. */ #define HAVE_UTIMES 1 /* Define to 1 if you have the header file. */ #define HAVE_UTIME_H 1 /* Define to 1 if you have the `utmpname' function. */ #define HAVE_UTMPNAME 1 /* Define to 1 if you have the `utmpxname' function. */ #define HAVE_UTMPXNAME 1 /* Define to 1 if you have the header file. */ #define HAVE_UTMPX_H 1 /* Define to 1 if you have the header file. 
*/ #define HAVE_UTMP_H 1 /* define if you have u_char data type */ #define HAVE_U_CHAR 1 /* define if you have u_int data type */ #define HAVE_U_INT 1 /* define if you have u_int64_t data type */ #define HAVE_U_INT64_T 1 /* define if you have u_intxx_t data type */ #define HAVE_U_INTXX_T 1 /* Define to 1 if you have the `vasprintf' function. */ #define HAVE_VASPRINTF 1 /* Define if va_copy exists */ #define HAVE_VA_COPY 1 /* Define to 1 if you have the `vhangup' function. */ /* #undef HAVE_VHANGUP */ /* Define to 1 if you have the header file. */ #define HAVE_VIS_H 1 /* Define to 1 if you have the `vsnprintf' function. */ #define HAVE_VSNPRINTF 1 /* Define to 1 if you have the `waitpid' function. */ #define HAVE_WAITPID 1 /* Define to 1 if you have the `_getlong' function. */ #define HAVE__GETLONG 1 /* Define to 1 if you have the `_getpty' function. */ /* #undef HAVE__GETPTY */ /* Define to 1 if you have the `_getshort' function. */ #define HAVE__GETSHORT 1 /* Define if you have struct __res_state _res as an extern */ #define HAVE__RES_EXTERN 1 /* Define to 1 if you have the `__b64_ntop' function. */ #define HAVE___B64_NTOP 1 /* Define to 1 if you have the `__b64_pton' function. 
*/ #define HAVE___B64_PTON 1 /* Define if compiler implements __FUNCTION__ */ #define HAVE___FUNCTION__ 1 /* Define if libc defines __progname */ #define HAVE___PROGNAME 1 /* Fields in struct sockaddr_storage */ /* #undef HAVE___SS_FAMILY_IN_SS */ /* Define if __va_copy exists */ #define HAVE___VA_COPY 1 /* Define if compiler implements __func__ */ #define HAVE___func__ 1 /* Define this if you are using the Heimdal version of Kerberos V5 */ /* #undef HEIMDAL */ /* Define if you need to use IP address instead of hostname in $DISPLAY */ /* #undef IPADDR_IN_DISPLAY */ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ /* #undef IPV4_IN_IPV6 */ /* Define if your system choked on IP TOS setting */ /* #undef IP_TOS_IS_BROKEN */ /* Define if you want Kerberos 5 support */ /* #undef KRB5 */ /* Define if pututxline updates lastlog too */ /* #undef LASTLOG_WRITE_PUTUTXLINE */ /* Define if you want TCP Wrappers support */ /* #undef LIBWRAP */ /* Define to whatever link() returns for "not supported" if it doesn't return EOPNOTSUPP. 
*/ /* #undef LINK_OPNOTSUPP_ERRNO */ /* Adjust Linux out-of-memory killer */ /* #undef LINUX_OOM_ADJUST */ /* max value of long long calculated by configure */ /* #undef LLONG_MAX */ /* min value of long long calculated by configure */ /* #undef LLONG_MIN */ /* Account locked with pw(1) */ /* #undef LOCKED_PASSWD_PREFIX */ /* String used in /etc/passwd to denote locked account */ /* #undef LOCKED_PASSWD_STRING */ /* String used in /etc/passwd to denote locked account */ /* #undef LOCKED_PASSWD_SUBSTR */ /* Some versions of /bin/login need the TERM supplied on the commandline */ /* #undef LOGIN_NEEDS_TERM */ /* Some systems need a utmpx entry for /bin/login to work */ /* #undef LOGIN_NEEDS_UTMPX */ /* Define if your login program cannot handle end of options ("--") */ /* #undef LOGIN_NO_ENDOPT */ /* If your header files don't define LOGIN_PROGRAM, then use this (detected) from environment and PATH */ #define LOGIN_PROGRAM_FALLBACK "/usr/bin/login" /* Set this to your mail directory if you do not have _PATH_MAILDIR */ /* #undef MAIL_DIRECTORY */ /* Need setpgrp to acquire controlling tty */ /* #undef NEED_SETPGRP */ /* compiler does not accept __attribute__ on return types */ /* #undef NO_ATTRIBUTE_ON_RETURN_TYPE */ /* Define if the concept of ports only accessible to superusers isn't known */ /* #undef NO_IPPORT_RESERVED_CONCEPT */ /* Define if you don't want to use lastlog in session.c */ /* #undef NO_SSH_LASTLOG */ /* Define if X11 doesn't support AF_UNIX sockets on that system */ /* #undef NO_X11_UNIX_SOCKETS */ /* Define if EVP_DigestUpdate returns void */ /* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */ /* OpenSSL has ECC */ #define OPENSSL_HAS_ECC 1 /* libcrypto has NID_X9_62_prime256v1 */ #define OPENSSL_HAS_NISTP256 1 /* libcrypto has NID_secp384r1 */ #define OPENSSL_HAS_NISTP384 1 /* libcrypto has NID_secp521r1 */ #define OPENSSL_HAS_NISTP521 1 /* libcrypto has EVP AES CTR */ #define OPENSSL_HAVE_EVPCTR 1 /* libcrypto has EVP AES GCM */ #define 
OPENSSL_HAVE_EVPGCM 1 /* libcrypto is missing AES 192 and 256 bit functions */ /* #undef OPENSSL_LOBOTOMISED_AES */ /* Define if you want OpenSSL's internally seeded PRNG only */ #define OPENSSL_PRNG_ONLY 1 /* Define to the address where bug reports for this package should be sent. */ #define PACKAGE_BUGREPORT "openssh-unix-dev at mindrot.org" /* Define to the full name of this package. */ #define PACKAGE_NAME "OpenSSH" /* Define to the full name and version of this package. */ #define PACKAGE_STRING "OpenSSH Portable" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "openssh" /* Define to the home page for this package. */ #define PACKAGE_URL "" /* Define to the version of this package. */ #define PACKAGE_VERSION "Portable" /* Define if you are using Solaris-derived PAM which passes pam_messages to the conversation function with an extra level of indirection */ /* #undef PAM_SUN_CODEBASE */ /* Work around problematic Linux PAM modules handling of PAM_TTY */ /* #undef PAM_TTY_KLUDGE */ /* must supply username to passwd */ /* #undef PASSWD_NEEDS_USERNAME */ /* System dirs owned by bin (uid 2) */ /* #undef PLATFORM_SYS_DIR_UID */ /* Port number of PRNGD/EGD random number socket */ /* #undef PRNGD_PORT */ /* Location of PRNGD/EGD random number socket */ /* #undef PRNGD_SOCKET */ /* read(1) can return 0 for a non-closed fd */ /* #undef PTY_ZEROREAD */ /* Sandbox using capsicum */ /* #undef SANDBOX_CAPSICUM */ /* Sandbox using Darwin sandbox_init(3) */ /* #undef SANDBOX_DARWIN */ /* no privsep sandboxing */ /* #undef SANDBOX_NULL */ /* Sandbox using setrlimit(2) */ #define SANDBOX_RLIMIT 1 /* Sandbox using seccomp filter */ /* #undef SANDBOX_SECCOMP_FILTER */ /* setrlimit RLIMIT_FSIZE works */ /* #undef SANDBOX_SKIP_RLIMIT_FSIZE */ /* define if setrlimit RLIMIT_NOFILE breaks things */ /* #undef SANDBOX_SKIP_RLIMIT_NOFILE */ /* Sandbox using systrace(4) */ /* #undef SANDBOX_SYSTRACE */ /* Specify the system call convention in use */ /* 
#undef SECCOMP_AUDIT_ARCH */ /* Define if your platform breaks doing a seteuid before a setuid */ /* #undef SETEUID_BREAKS_SETUID */ /* The size of `int', as computed by sizeof. */ #define SIZEOF_INT 4 /* The size of `long int', as computed by sizeof. */ #define SIZEOF_LONG_INT 8 /* The size of `long long int', as computed by sizeof. */ #define SIZEOF_LONG_LONG_INT 8 /* The size of `short int', as computed by sizeof. */ #define SIZEOF_SHORT_INT 2 /* Define if you want S/Key support */ /* #undef SKEY */ /* Define if your skeychallenge() function takes 4 arguments (NetBSD) */ /* #undef SKEYCHALLENGE_4ARG */ /* Define as const if snprintf() can declare const char *fmt */ #define SNPRINTF_CONST /* not const */ /* Define to a Set Process Title type if your system is supported by bsd-setproctitle.c */ /* #undef SPT_TYPE */ /* Define if sshd somehow reacquires a controlling TTY after setsid() */ /* #undef SSHD_ACQUIRES_CTTY */ /* Define if pam_chauthtok wants real uid set to the unpriv'ed user */ /* #undef SSHPAM_CHAUTHTOK_NEEDS_RUID */ /* Use audit debugging module */ /* #undef SSH_AUDIT_EVENTS */ /* Windows is sensitive to read buffer size */ /* #undef SSH_IOBUFSZ */ /* non-privileged user for privilege separation */ #define SSH_PRIVSEP_USER "sshd" /* Use tunnel device compatibility to OpenBSD */ /* #undef SSH_TUN_COMPAT_AF */ /* Open tunnel devices the FreeBSD way */ #define SSH_TUN_FREEBSD 1 /* Open tunnel devices the Linux tun/tap way */ /* #undef SSH_TUN_LINUX */ /* No layer 2 tunnel support */ /* #undef SSH_TUN_NO_L2 */ /* Open tunnel devices the OpenBSD way */ /* #undef SSH_TUN_OPENBSD */ /* Prepend the address family to IP tunnel traffic */ #define SSH_TUN_PREPEND_AF 1 /* Define to 1 if you have the ANSI C header files. 
*/ #define STDC_HEADERS 1 /* Define if you want a different $PATH for the superuser */ /* #undef SUPERUSER_PATH */ /* syslog_r function is safe to use in in a signal handler */ /* #undef SYSLOG_R_SAFE_IN_SIGHAND */ /* Support passwords > 8 chars */ /* #undef UNIXWARE_LONG_PASSWORDS */ /* Specify default $PATH */ /* #undef USER_PATH */ /* Define this if you want to use libkafs' AFS support */ /* #undef USE_AFS */ /* Use BSM audit module */ /* #undef USE_BSM_AUDIT */ /* Use btmp to log bad logins */ /* #undef USE_BTMP */ /* Use libedit for sftp */ /* #undef USE_LIBEDIT */ /* Use Linux audit module */ /* #undef USE_LINUX_AUDIT */ /* Enable OpenSSL engine support */ /* #undef USE_OPENSSL_ENGINE */ /* Define if you want to enable PAM support */ /* #undef USE_PAM */ /* Use PIPES instead of a socketpair() */ /* #undef USE_PIPES */ /* Define if you have Solaris process contracts */ /* #undef USE_SOLARIS_PROCESS_CONTRACTS */ /* Define if you have Solaris projects */ /* #undef USE_SOLARIS_PROJECTS */ /* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */ /* #undef WITH_ABBREV_NO_TTY */ /* Define if you want to enable AIX4's authenticate function */ /* #undef WITH_AIXAUTHENTICATE */ /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ /* #undef WITH_IRIX_ARRAY */ /* Define if you want IRIX audit trails */ /* #undef WITH_IRIX_AUDIT */ /* Define if you want IRIX kernel jobs */ /* #undef WITH_IRIX_JOBS */ /* Define if you want IRIX project management */ /* #undef WITH_IRIX_PROJECT */ /* Define if you want SELinux support. */ /* #undef WITH_SELINUX */ /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). 
*/ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN /* # undef WORDS_BIGENDIAN */ # endif #endif /* Define if xauth is found in your path */ /* #undef XAUTH_PATH */ /* Enable large inode numbers on Mac OS X 10.5. */ #ifndef _DARWIN_USE_64_BIT_INODE # define _DARWIN_USE_64_BIT_INODE 1 #endif /* Number of bits in a file offset, on hosts where this is settable. */ /* #undef _FILE_OFFSET_BITS */ /* Define for large files, on AIX-style hosts. */ /* #undef _LARGE_FILES */ /* log for bad login attempts */ /* #undef _PATH_BTMP */ /* Full path of your "passwd" program */ #define _PATH_PASSWD_PROG "/usr/bin/passwd" /* Specify location of ssh.pid */ #define _PATH_SSH_PIDDIR "/var/run" /* Define if we don't have struct __res_state in resolv.h */ /* #undef __res_state */ /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus /* #undef inline */ #endif /* type to use in place of socklen_t if not defined */ /* #undef socklen_t */ From djm at mindrot.org Tue Aug 19 19:57:57 2014 
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Aug 2014 19:57:57 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> On Tue, 19 Aug 2014, Damien Miller wrote:
>
> > On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
> >
> > > Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
> > > and it still has the same error.
> > >
> > > Perhaps the version of openssl is wrong?
> >
> > no, the prototypes the compiler is complaining about are in sshbuf.h
> >
> > Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?
>
> Here they are.

It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
My config.h has "#define WITH_OPENSSL 1"

Could you please try running "autoreconf" and starting from ./configure again.

-d

From vinschen at redhat.com Tue Aug 19 19:59:28 2014
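The diagnosis above (a generated config.h that lacks WITH_OPENSSL because config.h.in predates the configure.ac that adds it) can be checked mechanically before a build failure is reported. The script below is an added editorial example, not code from any message in this thread or from OpenSSH; the function names are mine, and the miniature configure.ac and headers it writes under a temp dir are constructed sample input.

```shell
#!/bin/sh
# Added example: flag a config.h / config.h.in that lacks a symbol which
# configure.ac defines, the symptom of a template not regenerated with
# autoreconf. Sample files are constructed here; nothing is OpenSSH's own.

# config_has SYMBOL FILE: succeed if FILE mentions SYMBOL as a
# "#define SYMBOL ...", "#undef SYMBOL" or "/* #undef SYMBOL */" line.
config_has() {
    grep -Eq "^[[:space:]]*(/\*[[:space:]]*)?#[[:space:]]*(define|undef)[[:space:]]+$1([[:space:]]|$)" "$2"
}

# ac_symbols CONFIGURE_AC: print each symbol named literally in an
# AC_DEFINE or AC_DEFINE_UNQUOTED call, deduplicated (a "dnl"-commented
# call is reported too; the check is deliberately conservative).
ac_symbols() {
    sed -n 's/.*AC_DEFINE\(_UNQUOTED\)*(\[*\([A-Za-z_][A-Za-z0-9_]*\).*/\2/p' "$1" |
        sort -u
}

# missing_symbols CONFIGURE_AC HEADER: print the AC_DEFINE symbols that
# HEADER (a generated config.h or the config.h.in template) never mentions.
missing_symbols() {
    ac_symbols "$1" | while read -r sym; do
        config_has "$sym" "$2" || echo "$sym"
    done
}

# check_config CONFIGURE_AC HEADER: return 0 when HEADER is complete and 3
# when symbols are missing, i.e. when "autoreconf && ./configure" is due.
check_config() {
    missing=$(missing_symbols "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'stale %s: missing %s; run autoreconf, then ./configure again\n' \
            "$2" "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 3
    fi
    return 0
}

# demo_tree: create a constructed miniature source tree in a temp dir and
# print its path. The three files mimic, in a few lines, the situation in
# the thread: configure.ac knows WITH_OPENSSL, the old template does not.
demo_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/configure.ac" <<'EOF'
AC_INIT([OpenSSH], [Portable])
AC_DEFINE([HAVE_STRLCPY], [1], [Define to 1 if you have the strlcpy function.])
AC_DEFINE(WITH_OPENSSL, 1, [use libcrypto for cryptography])
EOF
    # template generated before WITH_OPENSSL was added to configure.ac
    cat > "$d/config.h.in.stale" <<'EOF'
/* Define to 1 if you have the strlcpy function. */
#undef HAVE_STRLCPY
EOF
    # config.h generated from a current template on a libcrypto system
    cat > "$d/config.h.fresh" <<'EOF'
/* Define to 1 if you have the strlcpy function. */
#define HAVE_STRLCPY 1

/* use libcrypto for cryptography */
#define WITH_OPENSSL 1
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: the fresh header passes, the stale template is flagged.
tree=$(demo_tree)
check_config "$tree/configure.ac" "$tree/config.h.fresh" && echo "config.h.fresh: complete"
check_config "$tree/configure.ac" "$tree/config.h.in.stale" || echo "exit status $?: regenerate"
rm -rf "$tree"
```

Pointed at a real tree, `check_config configure.ac config.h` reports the symbols a generated header is missing; a non-empty list is the cue to run autoreconf rather than to suspect the compiler or libcrypto.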
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 19 Aug 2014 11:59:28 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References: <20140819001109.GC10370@linux124.nas.nasa.gov>
Message-ID: <20140819095928.GM2280@calimero.vinschen.de>

On Aug 19 11:36, Damien Miller wrote:
> On Mon, 18 Aug 2014, Iain Morgan wrote:
>
> > Regarding the removal of TCP wrapper support, it would be good to remove
> > references to it in the contrib/*/openssh.spec files:
> ...
> > There are also references to tcpd or libwrap in INSTALL and
> > contrib/cygwin/README that should probably be removed or revised.
>
> Done - thanks for the reminder.

Thanks for applying your patch.

While looking into contrib/cygwin/README, I noticed it contains another
small bug. The latest versions of cygport don't support the "almostall"
command anymore. This should be a simple "all":

Index: contrib/cygwin/README
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/README,v
retrieving revision 1.19
diff -u -p -r1.19 README
--- contrib/cygwin/README	19 Aug 2014 01:36:08 -0000	1.19
+++ contrib/cygwin/README	19 Aug 2014 09:58:17 -0000
@@ -69,7 +69,7 @@ Building OpenSSH
 Building from source is easy. Just unpack the source archive, cd to that
 directory, and call cygport:
 
- cygport openssh.cygport almostall
+ cygport openssh.cygport all
 
 You must have installed the following packages to be able to build OpenSSH
 with the aforementioned cygport script:

Thanks,
Corinna

-- 
Corinna Vinschen                  Cygwin Maintainer
Red Hat

From htodd at twofifty.com Tue Aug 19 23:59:09 2014
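Review bot: The README hunk replaces the "almostall" command with "all" but does not record which cygport release dropped "almostall", so a reader with an older cygport has nothing to compare against; since the context lines right after the changed command introduce the list of packages required to build OpenSSH, stating the minimum cygport version there would make the instruction self-explanatory.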
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Tue, 19 Aug 2014 06:59:09 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7

On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> On Tue, 19 Aug 2014, Damien Miller wrote:
>>
>>> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>>>
>>>> Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
>>>> and it still has the same error.
>>>>
>>>> Perhaps the version of openssl is wrong?
>>>
>>> no, the prototypes the compiler is complaining about are in sshbuf.h
>>>
>>> Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?
>>
>> Here they are.
>
> It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
> My config.h has "#define WITH_OPENSSL 1"
>
> Could you please try running "autoreconf" and starting from ./configure again.

Whoops. autoreconf is the step I was missing.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

From htodd at twofifty.com Wed Aug 20 01:05:21 2014
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Tue, 19 Aug 2014 08:05:21 -0700 (PDT)
Subject: Call for testing: OpenSSH 6.7

On Tue, 19 Aug 2014, Damien Miller wrote:

> [...]
> It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
> My config.h has "#define WITH_OPENSSL 1"
>
> Could you please try running "autoreconf" and starting from ./configure again.

All tests passed on NetBSD 7.99.1 (head from 8/11). Thanks for looking at it.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

From kevin.brott at gmail.com Wed Aug 20 01:54:50 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 19 Aug 2014 08:54:50 -0700
Subject: Call for testing: OpenSSH 6.7

New failures on older openssl ... will test against the RH 1.0.0-fips in a bit ...

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140820.tar.gz

OS             Build_Target            CC            OpenSSL        BUILD   TEST
============== ======================= ============= ============== ======= =================
Centos 2.1     i386-redhat-linux       gcc 2.9.6     0.9.6b-engine  FAIL*1
RHEL 3.4       i386-redhat-linux       gcc 3.2.3-47  0.9.7a         FAIL*1
AIX 5300-12-04 powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3   0.9.8k         FAIL*2

FAIL*1 - Shouldn't this have been caught by configure?

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
make[1]: *** [openssl-compat.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FAIL*2 - Different AIX failure on old openssl ...

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c port-aix.c
In file included from ../key.h:29,
                 from port-aix.c:31:
../sshkey.h:34:24: error: openssl/ec.h: No such file or directory
In file included from ../key.h:29,
                 from port-aix.c:31:
../sshkey.h:103: error: expected specifier-qualifier-list before 'EC_KEY'
../sshkey.h:149: error: expected ')' before '*' token
../sshkey.h:151: warning: type defaults to 'int' in declaration of 'EC_GROUP'
../sshkey.h:151: error: expected ';', ',' or ')' before '*' token
../sshkey.h:152: warning: type defaults to 'int' in declaration of 'EC_KEY'
../sshkey.h:152: error: expected ';', ',' or ')' before '*' token
../sshkey.h:170: warning: type defaults to 'int' in declaration of 'EC_GROUP'
../sshkey.h:170: error: expected ';', ',' or ')' before '*' token
../sshkey.h:171: warning: type defaults to 'int' in declaration of 'EC_KEY'
../sshkey.h:171: error: expected ';', ',' or ')' before '*' token
In file included from port-aix.c:31:
../key.h:85: warning: type defaults to 'int' in declaration of 'EC_GROUP'
../key.h:85: error: expected ';', ',' or ')' before '*' token
../key.h:86: warning: type defaults to 'int' in declaration of 'EC_KEY'
../key.h:86: error: expected ';', ',' or ')' before '*' token
make: The error code from the last command is 1.

On Mon, Aug 18, 2014 at 9:26 PM, Damien Miller wrote:
> On Mon, 18 Aug 2014, Kevin Brott wrote:
>
> > Will test this out in the morning. Will this be in the 0820 snapshot?
>
> Yes, it should be.
>
> -d

--
# include
/* Kevin Brott */

From doctor at doctor.nl2k.ab.ca Wed Aug 20 02:14:47 2014
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 19 Aug 2014 10:14:47 -0600
Subject: Call for testing: OpenSSH 6.7
Message-ID: <20140819161447.GA26141@doctor.nl2k.ab.ca>

All right, my old BSD/OS system still works.

Still would like to figure out username with style protocol 2

tset: standard error: Operation not supported
10:09AM  up 64 days,  1:57, 1 user, load averages: 9.04, 7.94, 7.81
USER     TTY FROM              LOGIN@  IDLE WHAT
doctor   p0  ts1p17.nl2k.ab.c  7:57AM     0 (sshd)
Filesystem Type  Size  Used Avail Use% Mounted on
/dev/sd0a  ufs   3.9G  1.7G  2.0G  46% /
/dev/sd0h  ufs    88G   64G   20G  76% /usr
/dev/sd0g  ufs    88G   52G   32G  62% /usr/var
/dev/sd0f  ufs    88G   69G   15G  83% /usr/home
mfs:27     mfs   992M   13M  930M   2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
failed proxy connect
*** Error code 1

Stop.
*** Error code 1

Stop.

Also I tried to use 6.7 pre on a system and got no kex alg.
Rolled back to 6.6, no problem.

I was using Zap-o_com using aes256-ctr

--
Member - Liberal International  This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 and 53 on Atheism
Our envy of others devours us most of all - Alexander Solshenitsyn

From vinschen at redhat.com Wed Aug 20 03:10:40 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 19 Aug 2014 19:10:40 +0200
Subject: Call for testing: OpenSSH 6.7
References: <20140818124540.GF2280@calimero.vinschen.de>
Message-ID: <20140819171040.GQ2280@calimero.vinschen.de>

On Aug 19 11:19, Damien Miller wrote:
> On Mon, 18 Aug 2014, Corinna Vinschen wrote:
>
> > I tested from CVS HEAD and there's a bug in serverloop.c. On systems
> > not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
> > error. Here's a patch:
> >
> > Index: serverloop.c
>
> applied - thanks.
>
> > Also, I can't run the testsuite on Cygwin anymore:
> [...]
> > -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
> > make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop.
> >
> > This is using GNU make. I'm not sure what's missing. Is that because
> > I'm not building in the source dir, by any chance?
>
> I don't think so - it works on Ubuntu with GNU Make and building outside
> the source directory. There is probably some other make trickery that
> I've messed up.

Maybe it was the fact that I called `cvs up' without the -d flag...?
Duh. Sorry about that.

So, now I can run the testsuite and I'm having a problem with the
"forwarding" test. The older version of this test worked fine, the
latest from CVS sometimes fails:

run test forwarding.sh ...
failed copy /bin/ls.exe
cmp: EOF on /home/corinna/src/openssh/64bin/regress/copy
corrupted copy of /bin/ls.exe

This is the last test in forwarding.sh, "transfer over chained unix domain
socket forwards and check result".

Inspecting the log files I see this a couple of times in failed-ssh.log:

debug1: Local connections to LOCALHOST:3301 forwarded to remote address 127.0.0.1:4242
debug3: channel_setup_fwd_listener_tcpip: type 2 wildcard 0 addr NULL
debug3: sock_set_v6only: set socket 5 IPV6_V6ONLY
debug1: Local forwarding listening on ::1 port 3301.
bind: Address already in use
debug1: Local forwarding listening on 127.0.0.1 port 3301.
bind: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 3301
Could not request local forwarding.

failed-sshd.log shows a similar error.

Running the test another time, it runs to completion. Running it again,
it fails. It fails more often than it succeeds, though.

This may very well be a bug in Cygwin or a shortcoming of the underlying
Windows, but I'm not sure what to look for. I attached the failed-foo.log
files from a failed run to this mail; maybe somebody can shed some light
on this problem?

Other than this problem, the testsuite succeeds on Cygwin.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed-regress.tar.bz2
Type: application/x-bzip2
Size: 10551 bytes

From cloos at jhcloos.com Wed Aug 20 04:08:49 2014
From: cloos at jhcloos.com (James Cloos)
Date: Tue, 19 Aug 2014 14:08:49 -0400
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: (Damien Miller's message of "Tue, 19 Aug 2014 14:26:06 +1000 (EST)")

I get a failure from make tests in today's master at:

run test agent.sh ...
agent fwd proto 1 failed (exit code 255)
agent fwd proto 2 failed (exit code 255)
failed simple agent test
Makefile:168: recipe for target 't-exec' failed
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory '/tmp/openssh/regress'
Makefile:482: recipe for target 'tests' failed
make: *** [tests] Error 2

I also got that from openssh-SNAP-20140818.tar.gz, but one run last night
gave all tests passed. That run was from the same compile as gave the
t-exec error....

-JimC
--
James Cloos          OpenPGP: 0x997A9F17ED7DAEA6

From kevin.brott at gmail.com Wed Aug 20 05:55:02 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 19 Aug 2014 12:55:02 -0700
Subject: Call for testing: OpenSSH 6.7

FAIL*1 on Centos 2.1 -> RHEL 5.10
FAIL*2 on RHEL 6.0 -> RHEL 6.4 and AIX 5.3 (using openssl 0.9.8k)

The AIX gcc builds are still failing, but - if I replace this line:
        -L regress/unittests/test_helper -ltest_helper \
With this
        regress/unittests/test_helper/libtest_helper.a \
....
then test_sshbuf and test_sshkey compile ok (both fail for the 'missing'
library) - and tests continue ... will report status when run is done.

On Tue, Aug 19, 2014 at 8:54 AM, Kevin Brott wrote:
> New failures on older openssl ... will test against the RH 1.0.0-fips in a
> bit ...
>
> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140820.tar.gz
> [...]
--
# include
/* Kevin Brott */

From imorgan at nas.nasa.gov Wed Aug 20 07:13:44 2014
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 19 Aug 2014 14:13:44 -0700
Subject: Call for testing: OpenSSH 6.7
Message-ID: <20140819211344.GD10370@linux124.nas.nasa.gov>

On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
>   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>   are disabled by default.
>

Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build
directory, and it lists the full set of ciphers -- not the trimmed-down
default list indicated in sshd_config(5).

--
Iain Morgan

From kevin.brott at gmail.com Wed Aug 20 07:14:19 2014
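The check Iain describes above, running `sshd -T` and reading the effective cipher list, is easy to script so that a build or a deployed host can be audited for the CBC and arcfour algorithms the 6.7 notes say are off by default. This is an added example, not code from the thread or from OpenSSH; both `sshd -T` samples below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit the effective cipher list reported by `sshd -T`
# for CBC modes and arcfour variants. On a real host feed it live output:
#   sshd -f /path/to/sshd_config -T | audit_sshd_ciphers

# Constructed sample of `sshd -T` output carrying a full (pre-6.7 style)
# cipher list; only the lines relevant here are included.
SAMPLE_FULL='port 22
addressfamily any
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
macs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com'

# Constructed sample of what a trimmed-down list looks like.
SAMPLE_TRIMMED='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# weak_ciphers: read `sshd -T` text on stdin and print, one per line, every
# cipher on the "ciphers" line that is a CBC mode or an arcfour variant.
# Vendor-tagged names ("name@domain") are matched on the part before "@".
weak_ciphers() {
    awk '$1 == "ciphers" {
        n = split($2, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] ~ /-cbc$/ || c[i] ~ /-cbc@/ || c[i] ~ /^arcfour/)
                print c[i]
    }'
}

# audit_sshd_ciphers: return 0 when no weak cipher is effective, 1 when at
# least one is, listing the offenders on stderr so the result can drive a
# build check or a configuration-compliance job.
audit_sshd_ciphers() {
    weak=$(weak_ciphers)
    if [ -n "$weak" ]; then
        printf 'weak ciphers still effective:\n%s\n' "$weak" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_FULL" | audit_sshd_ciphers 2>/dev/null; then
    echo "full list: clean (unexpected)"
else
    echo "full list: weak ciphers present, review Ciphers in sshd_config"
fi
if printf '%s\n' "$SAMPLE_TRIMMED" | audit_sshd_ciphers; then
    echo "trimmed list: clean"
fi
```

`sshd -T` prints the configuration as the daemon would apply it, so running it against the freshly built binary (as Iain did) is the direct way to confirm what a release's defaults really are on a given build.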
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 19 Aug 2014 14:14:19 -0700
Subject: Call for testing: OpenSSH 6.7

AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library explicitly
substituted for the -L -l construct. I'll work out a patch that does this
automagically as soon as I work out where it should go, unless someone has
a better idea.

AIX native, HPX gcc+native, and Debian builds all continue to build/test.

On Tue, Aug 19, 2014 at 12:55 PM, Kevin Brott wrote:
> FAIL*1 on Centos 2.1 -> RHEL 5.10
> FAIL*2 on RHEL 6.0 -> RHEL 6.4 and AIX 5.3 (using openssl 0.9.8k)
>
> The AIX gcc builds are still failing, but - if I replace this line:
>         -L regress/unittests/test_helper -ltest_helper \
> With this
>         regress/unittests/test_helper/libtest_helper.a \
> ....
> then test_sshbuf and test_sshkey compile ok (both fail for the 'missing'
> library) - and tests continue ... will report status when run is done.
>
> On Tue, Aug 19, 2014 at 8:54 AM, Kevin Brott wrote:
>> [...]
--
# include
/* Kevin Brott */

From wieland at purdue.edu Wed Aug 20 07:49:33 2014
From: wieland at purdue.edu (Jeff Wieland)
Date: Tue, 19 Aug 2014 17:49:33 -0400
Subject: Call for testing: OpenSSH 6.7
Message-ID: <53F3C66D.8010300@purdue.edu>

It fails under SPARC Solaris 10, running a recent patch set, with our
locally built OpenSSL 1.0.0n, and SUN Studio 12. The test_sshbuf binary
dumps core with an error code of 139:

cd ./regress || exit $?; \
make \
        .OBJDIR="${BUILDDIR}/regress" \
        .CURDIR="`pwd`" \
        BUILDDIR="${BUILDDIR}" \
        OBJ="${BUILDDIR}/regress/" \
        PATH="${BUILDDIR}:${PATH}" \
        TEST_ENV=MALLOC_OPTIONS="" \
        TEST_SHELL="${TEST_SHELL}" \
        TEST_SSH_SCP="${TEST_SSH_SCP}" \
        TEST_SSH_SSH="${TEST_SSH_SSH}" \
        TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
        TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
        TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
        TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
        TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
        TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
        TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
        TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
        TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
        TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
        TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
        TEST_SSH_IPV6="${TEST_SSH_IPV6}" \
        TEST_SSH_ECC="${TEST_SSH_ECC}" \
        EXEEXT="" \
        tests && echo all tests passed
set -e ; if test -z "" ; then \
        /opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshbuf/test_sshbuf ; \
        /opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshkey/test_sshkey \
                -d /opt/src/sys/openssh/openssh-SNAP-20140820/regress//unittests/sshkey/testdata ; \
fi
*** Error code 139
make: Fatal error: Command failed for target `unit'
Current working directory /opt/src/sys/openssh/openssh-SNAP-20140820/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.6
> =========================
>
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
>   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>   are disabled by default.
>
>   The full set of algorithms remains available if configured
>   explicitly via the Ciphers and MACs sshd_config options.
>
> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>
> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>   using the curve25519-sha256 at libssh.org KEX exchange method to fail
>   when connecting with something that implements the specification
>   correctly. OpenSSH 6.7 disables this KEX method when speaking to
>   one of the affected versions.
>
> New Features
>
> * Major internal refactoring to begin to make part of OpenSSH usable
>   as a library. So far the wire parsing, key handling and KRL code
>   has been refactored. Please note that we do not consider the API
>   stable yet, nor do we offer the library in separable form.
>
> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>   A remote TCP port may be forwarded to a local Unix domain socket
>   and vice versa or both ends may be a Unix domain socket.
>
> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>   ED25519 key types.
>
> * sftp(1): Allow resumption of interrupted uploads.
>
> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>   is the same as the one sent during initial key exchange; bz#2154
>
> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>   addresses when GatewayPorts=no; allows client to choose address
>   family; bz#2222
>
> * sshd(8): Add a sshd_config PermitUserRC option to control whether
>   ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>   option; bz#2160
>
> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>   that expands to a unique identifier based on a hash of the tuple of
>   (local host, remote user, hostname, port). Helps avoid exceeding
>   miserly pathname limits for Unix domain sockets in multiplexing
>   control paths; bz#2220
>
> * sshd(8): Make the "Too many authentication failures" message
>   include the user, source address, port and protocol in a format
>   similar to the authentication success / failure messages; bz#2199
>
> * Added unit and fuzz tests for refactored code. These are run
>   automatically in portable OpenSSH via the "make tests" target.
>
> Bugfixes
>
> * sshd(8): Fix remote fwding with same listen port but different
>   listen address.
>
> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>   explicitly listed in ssh_config or on the commandline not to be
>   preferred.
>
> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>   revoked certificate serial number ranges could be serialised to an
>   invalid format. Readers of a broken KRL caused by this bug will
>   fail closed, so no should-have-been-revoked key will be accepted.
>
> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>   exit status. Previously we were always returning 0; bz#2255
>
> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>   randomart border; bz#2247
>
> * ssh-agent(1): Only cleanup agent socket in the main agent process
>   and not in any subprocesses it may have started (e.g. forked
>   askpass). Fixes agent sockets being zapped when askpass processes
>   fatal(); bz#2236
>
> * ssh-add(1): Make stdout line-buffered; saves partial output getting
>   lost when ssh-add fatal()s part-way through (e.g. when listing keys
>   from an agent that supports key types that ssh-add doesn't);
>   bz#2234
>
> * ssh-keygen(1): When hashing or removing hosts, don't choke on
>   @revoked markers and don't remove @cert-authority markers; bz#2241
>
> * ssh(1): Don't fatal when hostname canonicalisation fails and a
>   ProxyCommand is in use; continue and allow the ProxyCommand to
>   connect anyway (e.g. to a host with a name outside the DNS behind
>   a bastion)
>
> * scp(1): When copying local->remote fails during read, don't send
>   uninitialised heap to the remote end.
>
> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>   filenames with a single quote char somewhere in the string;
>   bz#2238
>
> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>
> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver,
>   down-convert any certificate keys to plain keys and attempt SSHFP
>   resolution. Prevents a server from skipping SSHFP lookup and
>   forcing a new-hostkey dialog by offering only certificate keys.
>
> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>
> * Fix some strict-alignment errors.
>
> Portable OpenSSH
>
> * Portable OpenSSH now supports building against libressl-portable.
>
> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>   versions are no longer supported.
>
> * In the OpenSSL version check, allow fix version upgrades (but not
>   downgrades). Debian bug #748150.
>
> * sshd(8): On Cygwin, determine privilege separation user at runtime,
>   since it may need to be a domain account.
>
> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>   non-root users, and for them it just messes up the tty settings.
>
> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>   available. It takes into account time spent suspended, thereby
>   ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>   bz#2228
>
> * Add support for ed25519 to opensshd.init init script.
>
> * sftp-server(8): On platforms that support it, use prctl() to
>   prevent sftp-server from accessing /proc/self/{mem,maps}
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Jeff Wieland                    | Purdue University
Network Systems Administrator   | ITIS UNIX Platforms
Voice: (765)496-8234            | 155 S. Grant Street
FAX: (765)494-6620              | West Lafayette, IN 47907

From kevin.brott at gmail.com Wed Aug 20 08:04:56 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 19 Aug 2014 15:04:56 -0700
Subject: Call for testing: OpenSSH 6.7

Oh dear ... it is to laugh .. I just realized what the problem is. This is
the failing compile example ...

gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -Wl,-blibpath:/opt/phs/lib:/opt/freeware/lib:/usr/lib:/usr/ccs/lib -L/opt/phs/lib -L/opt/freeware/lib -L/usr/lib -L/usr/ccs/lib -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o \
        -L regress/unittests/test_helper -ltest_helper \
        -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found

The space between -L and the directory is what's causing the issue. The
correct line would be

        -Lregress/unittests/test_helper -ltest_helper \

Should be fixable with a simple edit in the Makefile.in ... I'm surprised
this isn't broken elsewhere for the same reason.

On Tue, Aug 19, 2014 at 2:14 PM, Kevin Brott wrote:
> AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library explicitly
> substituted for the -L -l construct. I'll work out a patch that does this
> automagically as soon as I work out where it should go, unless someone has
> a better idea
>
> AIX native, HPX gcc+native, and Debian builds all continue to build/test.
>
> On Tue, Aug 19, 2014 at 12:55 PM, Kevin Brott wrote:
>> [...]
>>> -DHAVE_CONFIG_H -c port-aix.c >>> In file included from ../key.h:29, >>> from port-aix.c:31: >>> ../sshkey.h:34:24: error: openssl/ec.h: No such file or directory >>> In file included from ../key.h:29, >>> from port-aix.c:31: >>> ../sshkey.h:103: error: expected specifier-qualifier-list before >>> 'EC_KEY' >>> ../sshkey.h:149: error: expected ')' before '*' token >>> ../sshkey.h:151: warning: type defaults to 'int' in declaration of >>> 'EC_GROUP' >>> ../sshkey.h:151: error: expected ';', ',' or ')' before '*' token >>> ../sshkey.h:152: warning: type defaults to 'int' in declaration of >>> 'EC_KEY' >>> ../sshkey.h:152: error: expected ';', ',' or ')' before '*' token >>> ../sshkey.h:170: warning: type defaults to 'int' in declaration of >>> 'EC_GROUP' >>> ../sshkey.h:170: error: expected ';', ',' or ')' before '*' token >>> ../sshkey.h:171: warning: type defaults to 'int' in declaration of >>> 'EC_KEY' >>> ../sshkey.h:171: error: expected ';', ',' or ')' before '*' token >>> In file included from port-aix.c:31: >>> ../key.h:85: warning: type defaults to 'int' in declaration of >>> 'EC_GROUP' >>> ../key.h:85: error: expected ';', ',' or ')' before '*' token >>> ../key.h:86: warning: type defaults to 'int' in declaration of >>> 'EC_KEY' >>> ../key.h:86: error: expected ';', ',' or ')' before '*' token >>> make: The error code from the last command is 1. >>> >>> >>> >>> >>> On Mon, Aug 18, 2014 at 9:26 PM, Damien Miller wrote: >>> >>>> >>>> >>>> On Mon, 18 Aug 2014, Kevin Brott wrote: >>>> >>>> > Will test this out in the morning. Will this be in the 0820 snapshot? >>>> >>>> Yes, it should be. >>>> >>>> -d >>>> >>> >>> >>> >>> -- >>> # include >>> /* Kevin Brott */ >>> >>> >> >> >> -- >> # include >> /* Kevin Brott */ >> >> > > > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ From kevin.brott at gmail.com Wed Aug 20 08:30:30 2014 
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 19 Aug 2014 15:30:30 -0700
Subject: Call for testing: OpenSSH 6.7

Forgot to include the patch ... completely berking it today ...

On Tue, Aug 19, 2014 at 3:04 PM, Kevin Brott wrote:
>
> Oh dear ... it is to laugh .. I just realized what the problem is. This
> is the failing compile example ...
>
> gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
> -Wl,-blibpath:/opt/phs/lib:/opt/freeware/lib:/usr/lib:/usr/ccs/lib
> -L/opt/phs/lib -L/opt/freeware/lib -L/usr/lib -L/usr/ccs/lib
> -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
> regress/unittests/sshbuf/test_sshbuf.o
> regress/unittests/sshbuf/test_sshbuf_getput_basic.o
> regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
> regress/unittests/sshbuf/test_sshbuf_misc.o
> regress/unittests/sshbuf/test_sshbuf_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_fixed.o \
> -L regress/unittests/test_helper -ltest_helper \
> -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
> collect2: library libtest_helper not found
>
> The space between -L and the directory is what's causing the issue. The
> correct line would be
> -Lregress/unittests/test_helper -ltest_helper \
>
> Should be fixed by a simple edit in the Makefile.in ... I'm surprised this
> isn't broken elsewhere for the same reason.
>
> On Tue, Aug 19, 2014 at 2:14 PM, Kevin Brott wrote:
>
>> AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library
>> explicitly substituted for the -L -l construct. I'll work out a patch that
>> does this automagically as soon as I work out where it should go, unless
>> someone has a better idea
>>
>> AIX native, HPX gcc+native, and Debian builds all continue to build/test.
>> >> >> On Tue, Aug 19, 2014 at 12:55 PM, Kevin Brott >> wrote: >> >>> FAIL*1 on Centos 2.1 -> RHEL 5.10 >>> FAIL*2 on RHEL 6.0 -> RHEL 6.4 and AIX 5.3 (using openssl 0.9.8k) >>> >>> The AIX gcc builds are still failing, but - if I replace this line: >>> -L regress/unittests/test_helper -ltest_helper \ >>> With this >>> regress/unittests/test_helper/libtest_helper.a \ >>> .... >>> then test_sshbuf and test_sshkey compile ok (both fail for the 'missing' >>> library) - and tests continue ... will report status when run is done. >>> >>> >>> >>> On Tue, Aug 19, 2014 at 8:54 AM, Kevin Brott >>> wrote: >>> >>>> >>>> New failures on older openssl ... will test against the RH 1.0.0-fips >>>> in a bit ... >>>> >>>> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140820.tar.gz >>>> >>>> OS Build_Target CC >>>> OpenSSL BUILD TEST >>>> ============== =========================== ================ >>>> ============= ====== ================= >>>> Centos 2.1 i386-redhat-linux gcc 2.9.6 >>>> 0.9.6b-engine FAIL*1 >>>> RHEL 3.4 i386-redhat-linux gcc 3.2.3-47 >>>> 0.9.7a FAIL*1 >>>> AIX 5300-12-04 powerpc-ibm-aix5.3.0.0 gcc 4.2.0-3 >>>> 0.9.8k FAIL*2 >>>> >>>> FAIL*1 - Shouldn't this have been caught by configure? >>>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare >>>> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 >>>> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c >>>> openssl-compat.c >>>> In file included from openssl-compat.c:32: >>>> openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required >>>> make[1]: *** [openssl-compat.o] Error 1 >>>> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat' >>>> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 >>>> >>>> FAIL*2 - Different AIX failure on old openssl ... >>>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized >>>> -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing >>>> -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I.. 
-I. -I./.. >>>> -DHAVE_CONFIG_H -c port-aix.c >>>> In file included from ../key.h:29, >>>> from port-aix.c:31: >>>> ../sshkey.h:34:24: error: openssl/ec.h: No such file or directory >>>> In file included from ../key.h:29, >>>> from port-aix.c:31: >>>> ../sshkey.h:103: error: expected specifier-qualifier-list before >>>> 'EC_KEY' >>>> ../sshkey.h:149: error: expected ')' before '*' token >>>> ../sshkey.h:151: warning: type defaults to 'int' in declaration of >>>> 'EC_GROUP' >>>> ../sshkey.h:151: error: expected ';', ',' or ')' before '*' token >>>> ../sshkey.h:152: warning: type defaults to 'int' in declaration of >>>> 'EC_KEY' >>>> ../sshkey.h:152: error: expected ';', ',' or ')' before '*' token >>>> ../sshkey.h:170: warning: type defaults to 'int' in declaration of >>>> 'EC_GROUP' >>>> ../sshkey.h:170: error: expected ';', ',' or ')' before '*' token >>>> ../sshkey.h:171: warning: type defaults to 'int' in declaration of >>>> 'EC_KEY' >>>> ../sshkey.h:171: error: expected ';', ',' or ')' before '*' token >>>> In file included from port-aix.c:31: >>>> ../key.h:85: warning: type defaults to 'int' in declaration of >>>> 'EC_GROUP' >>>> ../key.h:85: error: expected ';', ',' or ')' before '*' token >>>> ../key.h:86: warning: type defaults to 'int' in declaration of >>>> 'EC_KEY' >>>> ../key.h:86: error: expected ';', ',' or ')' before '*' token >>>> make: The error code from the last command is 1. >>>> >>>> >>>> >>>> >>>> On Mon, Aug 18, 2014 at 9:26 PM, Damien Miller wrote: >>>> >>>>> >>>>> >>>>> On Mon, 18 Aug 2014, Kevin Brott wrote: >>>>> >>>>> > Will test this out in the morning. Will this be in the 0820 >>>>> snapshot? >>>>> >>>>> Yes, it should be. 
>>>>> >>>>> -d >>>>> >>>> >>>> >>>> >>>> -- >>>> # include >>>> /* Kevin Brott */ >>>> >>>> >>> >>> >>> -- >>> # include >>> /* Kevin Brott */ >>> >>> >> >> >> -- >> # include >> /* Kevin Brott */ >> >> > > > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ -------------- next part -------------- *** openssh/Makefile.in 2014-07-18 13:33:12.000000000 -0700 --- openssh-fix/Makefile.in 2014-08-19 15:25:02.304857273 -0700 *************** *** 457,461 **** regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ ! -L regress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) --- 457,461 ---- regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ ! -Lregress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) *************** *** 470,474 **** regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \ ! -L regress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) --- 470,474 ---- regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \ ! -Lregress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) From djm at mindrot.org Wed Aug 20 09:54:09 2014 
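Review bot: both hunks of this context diff (lines 457-461 for test_sshbuf and 470-474 for test_sshkey) keep the -L/-l search form and only delete the space after -L; since each rule's prerequisites already name regress/unittests/test_helper/libtest_helper.a, putting that archive path in place of `-Lregress/unittests/test_helper -ltest_helper \` would make the link independent of how the platform linker parses -L, which is exactly the difference the stray space exposed on AIX. Whichever form is chosen, the test_sshbuf and test_sshkey rules should be changed together so the two unit-test binaries do not drift apart.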
From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Aug 2014 09:54:09 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <20140819211344.GD10370@linux124.nas.nasa.gov> References: <20140819211344.GD10370@linux124.nas.nasa.gov> Message-ID: On Tue, 19 Aug 2014, Iain Morgan wrote: > On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote: > > Potentially-incompatible changes > > > > * sshd(8): The default set of ciphers and MACs has been altered to > > remove unsafe algorithms. In particular, CBC ciphers and arcfour* > > are disabled by default. > > > > Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build > directory, and it lists the full set of ciphers -- not the trimmed-down > default list indicated in sshd_config(5). It is true, but you've just uncovered a bug in the code that dumps the config :) Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.249 diff -u -p -r1.249 servconf.c --- servconf.c 18 Jul 2014 04:11:26 -0000 1.249 +++ servconf.c 19 Aug 2014 23:53:44 -0000 @@ -54,6 +54,7 @@ #include "packet.h" #include "hostfile.h" #include "auth.h" +#include "myproposal.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); @@ -2070,9 +2071,8 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); - dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : - cipher_alg_list(',', 0)); - dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); + dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); + dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); dump_cfg_string(sBanner, o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); 
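Review bot: in the dump_config hunk, replacing the cipher_alg_list(',', 0) and mac_alg_list(',') fallbacks with KEX_SERVER_ENCRYPT and KEX_SERVER_MAC makes `sshd -T` print the defaults the server actually proposes instead of everything it supports, but it ties servconf.c to myproposal.h (hence the new #include in the first hunk); confirm those macros are defined in every build configuration, including builds without OpenSSL, since dump_config is compiled unconditionally. The same check applies to KEX_SERVER_KEX in the sKexAlgorithms hunk that follows. A regress check comparing `sshd -f /dev/null -T` output with the defaults documented in sshd_config(5) would catch this class of mismatch in future.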
@@ -2084,8 +2084,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); - dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : - kex_alg_list(',')); + dump_cfg_string(sKexAlgorithms, + o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); From djm at mindrot.org Wed Aug 20 11:07:09 2014 
From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Aug 2014 11:07:09 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Tue, 19 Aug 2014, Kevin Brott wrote: > AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library explicitly > substituted for the -L -l construct. I'll work out a patch that does this > automagically as soon as I work out where it should go, unless someone has a > better idea I think we can just do this unconditionally. (patch below) > FAIL*1 - Shouldn't this have been caught by configure? > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized .. > In file included from openssl-compat.c:32: > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or > greater is required good point; patch below. > FAIL*2 - Different AIX failure on old openssl ... > gcc -g -O2 -Wall -Wpointer-arith > -Wuninitialized -Wsign-compare -Wformat-security > -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -ftrapv -fno-builtin-memset -I. -I.. -I. -I./.. > -DHAVE_CONFIG_H -c port-aix.c > In file included from ../key.h:29, > from port-aix.c:31: > ../sshkey.h:34:24: error: openssl/ec.h: No such file > or directory > In file included from ../key.h:29, > from port-aix.c:31: > ../sshkey.h:103: error: expected > specifier-qualifier-list before 'EC_KEY' > ../sshkey.h:149: error: expected ')' before '*' token > ../sshkey.h:151: warning: type defaults to 'int' in patch below all these are committed and will be in the 0821 snapshot Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.362 diff -u -p -r1.362 Makefile.in --- Makefile.in 18 Jul 2014 20:33:12 -0000 1.362 +++ Makefile.in 20 Aug 2014 01:01:09 -0000 
@@ -456,7 +456,7 @@ UNITTESTS_TEST_SSHBUF_OBJS=\ regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \ regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ - -L regress/unittests/test_helper -ltest_helper \ + regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) UNITTESTS_TEST_SSHKEY_OBJS=\ Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.578 diff -u -p -r1.578 configure.ac --- configure.ac 15 Jul 2014 00:41:39 -0000 1.578 +++ configure.ac 20 Aug 2014 01:01:09 -0000 @@ -2278,13 +2278,21 @@ AC_RUN_IFELSE( if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), + SSLeay_version(SSLEAY_VERSION))) <0) exit(1); exit(0); ]])], [ ssl_library_ver=`cat conftest.ssllibver` + # Check version is supported. + case "$ssl_library_ver" in + 0090[0-7]*|009080[0-5]*) + AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) + ;; + *) ;; + esac AC_MSG_RESULT([$ssl_library_ver]) ], [ Index: sshkey.h =================================================================== RCS file: /var/cvs/openssh/sshkey.h,v retrieving revision 1.1 diff -u -p -r1.1 sshkey.h --- sshkey.h 2 Jul 2014 05:28:04 -0000 1.1 +++ sshkey.h 20 Aug 2014 01:01:09 -0000 
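Review bot: the Makefile.in hunk (@@ -456,7 +456,7 @@) changes only the regress/unittests/sshbuf/test_sshbuf rule; the test_sshkey rule after UNITTESTS_TEST_SSHKEY_OBJS carries the identical `-L regress/unittests/test_helper -ltest_helper \` line (lines 470-474 in the context diff posted earlier in the thread) and needs the same `regress/unittests/test_helper/libtest_helper.a \` substitution, otherwise the AIX link of test_sshkey still fails with `collect2: library libtest_helper not found`.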
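Review bot: in the configure.ac hunk, the new case patterns `0090[0-7]*|009080[0-5]*` assume an eight-digit, zero-padded version string, but the value is written with `"%x"`, which prints no leading zeros; an 0.9.x SSLeay() value such as 0x0090701f (0.9.7a) therefore lands in conftest.ssllibver as `90701f` and never matches, so AC_MSG_ERROR is never reached and the build still dies later at the `#error OpenSSL 0.9.8f or greater is required` in openssl-compat.h. Either print with `"%08x"` or drop the leading `00` from both patterns; the later report in this thread, where configure completes on 0.9.7a and 0.9.8e-fips and the #error fires, is consistent with this.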
@@ -31,13 +31,19 @@ #ifdef WITH_OPENSSL #include #include -#include -#else /* OPENSSL */ -#define RSA void -#define DSA void -#define EC_KEY void -#define EC_GROUP void -#define EC_POINT void +# ifdef OPENSSL_HAS_ECC +# include +# else /* OPENSSL_HAS_ECC */ +# define EC_KEY void +# define EC_GROUP void +# define EC_POINT void +# endif /* OPENSSL_HAS_ECC */ +#else /* WITH_OPENSSL */ +# define RSA void +# define DSA void +# define EC_KEY void +# define EC_GROUP void +# define EC_POINT void #endif /* WITH_OPENSSL */ #define SSH_RSA_MINIMUM_MODULUS_SIZE 768 @@ -211,12 +217,16 @@ int ssh_ed25519_verify(const struct sshk const u_char *data, size_t datalen, u_int compat); #endif -#ifndef WITH_OPENSSL -#undef RSA -#undef DSA -#undef EC_KEY -#undef EC_GROUP -#undef EC_POINT -#endif /* WITH_OPENSSL */ +#if !defined(WITH_OPENSSL) +# undef RSA +# undef DSA +# undef EC_KEY +# undef EC_GROUP +# undef EC_POINT +#elif !defined(OPENSSL_HAS_ECC) +# undef EC_KEY +# undef EC_GROUP +# undef EC_POINT +#endif #endif /* SSHKEY_H */ From djm at mindrot.org Wed Aug 20 11:11:07 2014 From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Aug 2014 11:11:07 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <20140819095928.GM2280@calimero.vinschen.de> References: <20140819001109.GC10370@linux124.nas.nasa.gov> <20140819095928.GM2280@calimero.vinschen.de> Message-ID: On Tue, 19 Aug 2014, Corinna Vinschen wrote: > Thanks for applying your patch. While looking into contrib/cygwin/README, > I noticed it contains another small bug. The latest versions of cygport > don't support the "almostall" command anymore. This should be a simple > "all": done - thanks From djm at mindrot.org Wed Aug 20 11:32:36 2014 
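Review bot: the first sshkey.h hunk gives the WITH_OPENSSL-without-ECC build its own `# define EC_KEY void` / `# define EC_GROUP void` placeholders, but the second hunk's `#elif !defined(OPENSSL_HAS_ECC)` block #undefs them again at the end of sshkey.h; key.h includes sshkey.h (at key.h:29, per the quoted AIX log) and then declares EC_GROUP and EC_KEY itself at lines 85-86, after the #undef, so on an OpenSSL without ec.h the errors move from sshkey.h to key.h rather than disappearing. key.h needs the same guarded placeholder definitions, or the #undef block should be deferred until after key.h's declarations.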
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Aug 2014 11:32:36 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140819161447.GA26141@doctor.nl2k.ab.ca>
References: <20140819161447.GA26141@doctor.nl2k.ab.ca>

On Tue, 19 Aug 2014, The Doctor wrote:

> All right My old BSD/OS system still works.
>
> Still would like to figure out
>
> username with style protocol 2
> tset: standard error: Operation not supported

Looks like some interactive shell initialisation is running for a non-interactive shell. tset is probably trying a termios call against a pipe.

> Also I tried to use 6.7 pre on a system and got no kex alg
>
> Rolled back to 6.6 no problem.
>
> I was using Zap-o_com using aes256-ctr

What's "Zap-o_com"?

Your client probably only supports the "diffie-hellman-group1-sha1" key exchange method. Unfortunately this is weak by modern standards, since it uses a 768 bit group.

kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

-d
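As an added example that is not part of this thread: the SSH name-list negotiation rule that produces the "no kex alg" failure reported above, run against the KexAlgorithms line suggested in this reply. SERVER_WITHOUT_GROUP1 and the client offers are constructed inputs, and WEAK_KEX flags only the method this reply calls weak.

```python
from typing import Optional

# Constructed for this example: the method the reply above calls weak.
WEAK_KEX = {"diffie-hellman-group1-sha1"}

# The KexAlgorithms line suggested in the reply above (server side).
SERVER_WITH_GROUP1 = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)
# Assumed (constructed) server list: the same line without group1-sha1,
# standing in for a server whose defaults no longer offer it.
SERVER_WITHOUT_GROUP1 = SERVER_WITH_GROUP1.replace(
    ",diffie-hellman-group1-sha1", "")


def parse_name_list(name_list: str) -> list:
    """Split an SSH name-list (RFC 4251: comma separated, no spaces)."""
    return [alg for alg in name_list.strip().split(",") if alg]


def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen method is the first entry in the
    client's list that the server also lists, so the client's order wins.
    None is the case OpenSSH 6.x reports as the fatal "no kex alg"."""
    server_algs = set(parse_name_list(server))
    for alg in parse_name_list(client):
        if alg in server_algs:
            return alg
    return None


def diagnose(client: str, server: str) -> dict:
    """Explain a negotiation: what was picked, whether it is on the weak
    list, and which methods each side offered that the other did not."""
    chosen = negotiate(client, server)
    client_algs = parse_name_list(client)
    server_algs = parse_name_list(server)
    return {
        "negotiated": chosen,
        "weak": chosen in WEAK_KEX,
        "client_only": [a for a in client_algs if a not in server_algs],
        "server_only": [a for a in server_algs if a not in client_algs],
    }


if __name__ == "__main__":
    # Constructed legacy client that only knows group1-sha1.
    legacy = "diffie-hellman-group1-sha1"
    print("legacy vs server without group1:",
          diagnose(legacy, SERVER_WITHOUT_GROUP1))
    print("legacy vs suggested line:", diagnose(legacy, SERVER_WITH_GROUP1))
```

Appending diffie-hellman-group1-sha1 last on the server lets the legacy client connect while clients that prefer curve25519 still get it, but because the client's preference decides, a client that lists group1 first will negotiate it; diagnose()'s "weak" flag is the value worth logging or alerting on.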
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Aug 2014 11:34:39 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140819171040.GQ2280@calimero.vinschen.de>
References: <20140818124540.GF2280@calimero.vinschen.de> <20140819171040.GQ2280@calimero.vinschen.de>

On Tue, 19 Aug 2014, Corinna Vinschen wrote:

> Maybe it was the fact that I called `cvs up' without the -d flag...?
>
> Duh. Sorry about that.

:) no problem

> So, now I can run the testsuite and I'm having a problem with the
> "forwarding" test. The older version of this test worked fine, the
> latest from CVS sometimes fails:
>
> run test forwarding.sh ...
> failed copy /bin/ls.exe
> cmp: EOF on /home/corinna/src/openssh/64bin/regress/copy
> corrupted copy of /bin/ls.exe
[...]
> Running the test another time, it runs to completion. Running it
> again, it fails. It fails more often than succeeding, though.

I've had problems with this test leaving a ssh or sshd (can't remember which right now) lying around after completion, which could interfere with future test runs. I thought I fixed it already, but maybe I didn't do so completely?

-d
From djm at mindrot.org Wed Aug 20 11:41:00 2014
From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Aug 2014 11:41:00 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Tue, 19 Aug 2014, James Cloos wrote: > I get a failure from make tests in today's master at: > > run test agent.sh ... > agent fwd proto 1 failed (exit code 255) > agent fwd proto 2 failed (exit code 255) > failed simple agent test > Makefile:168: recipe for target 't-exec' failed > make[1]: *** [t-exec] Error 1 > make[1]: Leaving directory '/tmp/openssh/regress' > Makefile:482: recipe for target 'tests' failed > make: *** [tests] Error 2 > > I also got that from openssh-SNAP-20140818.tar.gz, but one run last > night gave all tests passed. That run was from the same compile as > gave the t-exec error.... There should be some failed-* files in the regress/ directory that might yield some clues here. -d From djm at mindrot.org Wed Aug 20 11:48:01 2014 From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Aug 2014 11:48:01 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F3B623.2020409@purdue.edu> References: <53F3B623.2020409@purdue.edu> Message-ID: On Tue, 19 Aug 2014, Jeff Wieland wrote: > It fails under SPARC Solaris 10, running a recent patch set, with > our locally build OpenSSL 1.0.0n, and SUN Studio 12. The > test_sshbuf binary dumps core with an error code of 139. I'm > attaching the output of the ./configure and the "make tests". Could you try running "regress/unittests/sshbuf/test_sshbuf -v" to see which test is crashing? -d From wieland at purdue.edu Wed Aug 20 13:15:02 2014 
From: wieland at purdue.edu (Jeff Wieland)
Date: Tue, 19 Aug 2014 23:15:02 -0400
Subject: Call for testing: OpenSSH 6.7
References: <53F3B623.2020409@purdue.edu>
Message-ID: <53F412B6.70000@purdue.edu>

Damien Miller wrote:
> regress/unittests/sshbuf/test_sshbuf -v

All I get is:

Segmentation Fault(coredump)

--
Jeff Wieland                  | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234          | 155 S. Grant Street
FAX: (765)494-2253            | West Lafayette, IN 47907

From djm at mindrot.org Wed Aug 20 13:50:29 2014
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Aug 2014 13:50:29 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <53F412B6.70000@purdue.edu>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu>

On Tue, 19 Aug 2014, Jeff Wieland wrote:

> Damien Miller wrote:
> > regress/unittests/sshbuf/test_sshbuf -v
>
> All I get is:
>
> Segmentation Fault(coredump)

Do the ssh (or other) binaries dump core too? Can you attach a debugger to it and see where it crashes?

-d
From doctor at doctor.nl2k.ab.ca Wed Aug 20 13:52:39 2014
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 19 Aug 2014 21:52:39 -0600
Subject: Call for testing: OpenSSH 6.7
References: <20140819161447.GA26141@doctor.nl2k.ab.ca>
Message-ID: <20140820035238.GA7732@doctor.nl2k.ab.ca>

On Wed, Aug 20, 2014 at 11:32:36AM +1000, Damien Miller wrote:
> On Tue, 19 Aug 2014, The Doctor wrote:
>
> > All right My old BSD/OS system still works.
> >
> > Still would like to figure out
> >
> > username with style protocol 2
> > tset: standard error: Operation not supported
>
> Looks like some interactive shell initialisation is running for a non-
> interactive shell. tset is probably trying a termios call against a pipe.
>
> > Also I tried to use 6.7 pre on a system and got no kex alg
> >
> > Rolled back to 6.6 no problem.
> >
> > I was using Zap-o_com using aes256-ctr
>
> What's "Zap-o_com"?
>
> Your client probably only supports the "diffie-hellman-group1-sha1" key
> exchange method. Unfortunately this is weak by modern standards, since it
> uses a 768 bit group.
>
> kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> -d
>

ZOC as it is more commonly known. Newer versions work, so not a real issue.

--
Member - Liberal International  This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 and 53 on Atheism
22 Sept 2014 New Brunswick save the province vote Liberal!
From kevin.brott at gmail.com Thu Aug 21 03:56:03 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Wed, 20 Aug 2014 10:56:03 -0700
Subject: Call for testing: OpenSSH 6.7

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140821.tar.gz

OS              Build_Target                CC                  OpenSSL        BUILD   TEST
==============  =========================== =================   =============  ======  =================
Centos 2.1      i386-redhat-linux           gcc 2.9.6           0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux           gcc 3.2.3-47        0.9.7a         FAIL*1
...Fedora Core r2...RHEL 4.8 i386...same...
RHEL 4.8        x86_64-redhat-linux         gcc 3.4.6-11        0.9.7a         FAIL*1
RHEL 5.4        i386-redhat-linux           gcc 4.1.2-46        0.9.8e-fips    FAIL*1
...all RHEL 5...
RHEL 5.10       x86_64-redhat-linux         gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 6.0        i686-redhat-linux           gcc 4.4.4-13        1.0.0-fips     FAIL*2
...RHEL 6.1 - 6.4...
RHEL 6.4        x86_64-redhat-linux         gcc 4.4.7-3         1.0.0-fips     FAIL*2
RHEL 6.5        i686-redhat-linux           gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 6.5        x86_64-redhat-linux         gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 7.0        x86_64-redhat-linux         gcc 4.8.2-16        1.0.1e-fips    OK      all tests passed
Debian 7.6      x86_64-linux-gnu            gcc Debian 4.7.2-5  1.0.1e         OK      all tests passed
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0      xlc 8.0.0.16        0.9.8k         FAIL*2
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0      gcc 4.2.0-3         0.9.8k         FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0      xlc 11.1.0.6        0.9.8y         OK      all tests passed
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0      gcc 4.2.0           0.9.8y         FIX*1   all tests passed
... further tests pending...

FAIL*1 - configure completes without errors ...
make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
make[1]: *** [openssl-compat.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't part of openssl ...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c port-aix.c
In file included from port-aix.c:31:
../key.h:85: warning: type defaults to 'int' in declaration of 'EC_GROUP'
../key.h:85: error: expected ';', ',' or ')' before '*' token
../key.h:86: warning: type defaults to 'int' in declaration of 'EC_KEY'
../key.h:86: error: expected ';', ',' or ')' before '*' token
make[1]: *** [port-aix.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FIX*1 - looks like Makefile.in only got updated for test_sshbuf and not test_sshkey ...
gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/ -Wl,-blibpath:/opt/phs/lib:/usr/lib:/usr/ccs/lib -L/opt/phs/lib -L/usr/lib -L/usr/ccs/lib -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o \
  -L regress/unittests/test_helper -ltest_helper \
  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshkey/test_sshkey] Error 1

This patch fixes this issue cross-platform/compiler AFAICT.
---CUT--- *** openssh-SNAP-20140821/Makefile.in 2014-08-19 18:06:21 -0700 --- openssh-SNAP-20140821/Makefile.in.fixed 2014-08-20 10:32:23 -0700 *************** *** 457,461 **** regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ ! regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) --- 457,461 ---- regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ ! -Lregress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) *************** *** 470,474 **** regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \ ! -L regress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) --- 470,474 ---- regress/unittests/test_helper/libtest_helper.a libssh.a $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \ ! -Lregress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) ---CUT--- On Tue, Aug 19, 2014 at 6:07 PM, Damien Miller wrote: > On Tue, 19 Aug 2014, Kevin Brott wrote: > > > AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library > explicitly > > substituted for the -L -l construct. I'll work out a patch that does > this > > automagically as soon as I work out where it should go, unless someone > has a > > better idea > > I think we can just do this unconditionally. (patch below) > > > FAIL*1 - Shouldn't this have been caught by configure? > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized > .. > > In file included from openssl-compat.c:32: > > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or > > greater is required > > good point; patch below. > > > FAIL*2 - Different AIX failure on old openssl ... 
> > gcc -g -O2 -Wall -Wpointer-arith > > -Wuninitialized -Wsign-compare -Wformat-security > > -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > > -ftrapv -fno-builtin-memset -I. -I.. -I. -I./.. > > -DHAVE_CONFIG_H -c port-aix.c > > In file included from ../key.h:29, > > from port-aix.c:31: > > ../sshkey.h:34:24: error: openssl/ec.h: No such file > > or directory > > In file included from ../key.h:29, > > from port-aix.c:31: > > ../sshkey.h:103: error: expected > > specifier-qualifier-list before 'EC_KEY' > > ../sshkey.h:149: error: expected ')' before '*' token > > ../sshkey.h:151: warning: type defaults to 'int' in > > patch below > > all these are committed and will be in the 0821 snapshot > > Index: Makefile.in > =================================================================== > RCS file: /var/cvs/openssh/Makefile.in,v > retrieving revision 1.362 > diff -u -p -r1.362 Makefile.in > --- Makefile.in 18 Jul 2014 20:33:12 -0000 1.362 > +++ Makefile.in 20 Aug 2014 01:01:09 -0000 > @@ -456,7 +456,7 @@ UNITTESTS_TEST_SSHBUF_OBJS=\ > regress/unittests/sshbuf/test_sshbuf$(EXEEXT): > ${UNITTESTS_TEST_SSHBUF_OBJS} \ > regress/unittests/test_helper/libtest_helper.a libssh.a > $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \ > - -L regress/unittests/test_helper -ltest_helper \ > + regress/unittests/test_helper/libtest_helper.a \ > -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) > > UNITTESTS_TEST_SSHKEY_OBJS=\ > Index: configure.ac > =================================================================== > RCS file: /var/cvs/openssh/configure.ac,v > retrieving revision 1.578 > diff -u -p -r1.578 configure.ac > --- configure.ac 15 Jul 2014 00:41:39 -0000 1.578 > +++ configure.ac 20 Aug 2014 01:01:09 -0000 
> @@ -2278,13 +2278,21 @@ AC_RUN_IFELSE( > if(fd == NULL) > exit(1); > > - if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), > SSLeay_version(SSLEAY_VERSION))) <0) > + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), > + SSLeay_version(SSLEAY_VERSION))) <0) > exit(1); > > exit(0); > ]])], > [ > ssl_library_ver=`cat conftest.ssllibver` > + # Check version is supported. > + case "$ssl_library_ver" in > + 0090[0-7]*|009080[0-5]*) > + AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) > + ;; > + *) ;; > + esac > AC_MSG_RESULT([$ssl_library_ver]) > ], > [ > Index: sshkey.h > =================================================================== > RCS file: /var/cvs/openssh/sshkey.h,v > retrieving revision 1.1 > diff -u -p -r1.1 sshkey.h > --- sshkey.h 2 Jul 2014 05:28:04 -0000 1.1 > +++ sshkey.h 20 Aug 2014 01:01:09 -0000 > @@ -31,13 +31,19 @@ > #ifdef WITH_OPENSSL > #include > #include > -#include > -#else /* OPENSSL */ > -#define RSA void > -#define DSA void > -#define EC_KEY void > -#define EC_GROUP void > -#define EC_POINT void > +# ifdef OPENSSL_HAS_ECC > +# include > +# else /* OPENSSL_HAS_ECC */ > +# define EC_KEY void > +# define EC_GROUP void > +# define EC_POINT void > +# endif /* OPENSSL_HAS_ECC */ > +#else /* WITH_OPENSSL */ > +# define RSA void > +# define DSA void > +# define EC_KEY void > +# define EC_GROUP void > +# define EC_POINT void > #endif /* WITH_OPENSSL */ > > #define SSH_RSA_MINIMUM_MODULUS_SIZE 768 
> @@ -211,12 +217,16 @@ int ssh_ed25519_verify(const struct sshk > const u_char *data, size_t datalen, u_int compat); > #endif > > -#ifndef WITH_OPENSSL > -#undef RSA > -#undef DSA > -#undef EC_KEY > -#undef EC_GROUP > -#undef EC_POINT > -#endif /* WITH_OPENSSL */ > +#if !defined(WITH_OPENSSL) > +# undef RSA > +# undef DSA > +# undef EC_KEY > +# undef EC_GROUP > +# undef EC_POINT > +#elif !defined(OPENSSL_HAS_ECC) > +# undef EC_KEY > +# undef EC_GROUP > +# undef EC_POINT > +#endif > > #endif /* SSHKEY_H */ > -- # include /* Kevin Brott */ From cloos at jhcloos.com Thu Aug 21 05:29:55 2014 From: cloos at jhcloos.com (James Cloos) Date: Wed, 20 Aug 2014 15:29:55 -0400 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: (Damien Miller's message of "Wed, 20 Aug 2014 11:41:00 +1000 (EST)") References: Message-ID: >>>>> "DM" == Damien Miller writes: DM> There should be some failed-* files in the regress/ directory that DM> might yield some clues here. I got the impression that my local configs were an issue, so I tried again in script(1) after running: :; set|awk -F= '/SSH/ {print $1}'|xargs unset :; export HOME=/tmp/empty :; mkdir $HOME but it still fails there, noting that it tried to use the keys from my running agent. I'm trying again as a temp user. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From vinschen at redhat.com Thu Aug 21 05:39:29 2014 
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 20 Aug 2014 21:39:29 +0200 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <20140818124540.GF2280@calimero.vinschen.de> <20140819171040.GQ2280@calimero.vinschen.de> Message-ID: <20140820193929.GY2280@calimero.vinschen.de> On Aug 20 11:34, Damien Miller wrote: > On Tue, 19 Aug 2014, Corinna Vinschen wrote: > > > Maybe it was the fact that I called `cvs up' without the -d flag...? > > > > Duh. Sorry about that. > > :) no problem > > > So, now I can run the testsuite and I'm having a problem with the > > "forwarding" test. The older version of this test worked fine, the > > latest from CVS sometimes fails: > > > > run test forwarding.sh ... > > failed copy /bin/ls.exe > > cmp: EOF on /home/corinna/src/openssh/64bin/regress/copy > > corrupted copy of /bin/ls.exe > [...] > > Running the test another time, it runs to completion. Running it > > again, it fails. It fails more often than succeeding, though. > > I've had problems with this test leaving a ssh or sshd (can't remember > which right now) laying around after completion, which could interfere > with future test runs. I thought I fixed it already, but maybe I didn't > do so completely? That may very well be the problem. I reduced the forwarding script to just starting sshd and then running the final "transfer over chained unix domain socket forwards and check result" test loop, and it runs fine every time. Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From cloos at jhcloos.com Thu Aug 21 06:36:00 2014 
From: cloos at jhcloos.com (James Cloos) Date: Wed, 20 Aug 2014 16:36:00 -0400 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: (James Cloos's message of "Wed, 20 Aug 2014 15:29:55 -0400") References: Message-ID: JC> I'm trying again as a temp user. In addition to using a uid which does not have anything in ~/.ssh and which sets no envs matching /SSH/, I also moved /etc/ssh/ssh_config out of the way while the test was running. With that, the tests all passed. It is a Gentoo ~amd64 box. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From tgc at jupiterrise.com Thu Aug 21 07:20:28 2014 
From: tgc at jupiterrise.com (Tom Christensen) Date: Wed, 20 Aug 2014 23:20:28 +0200 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> Message-ID: <53F5111C.5060803@jupiterrise.com> On 20/08/14 05:50, Damien Miller wrote: > On Tue, 19 Aug 2014, Jeff Wieland wrote: > >> Damien Miller wrote: >>> regress/unittests/sshbuf/test_sshbuf -v >> >> All I get is: >> >> Segmentation Fault(coredump) I'm seeing the same on Solaris 9 with gcc 4.9.1 and openssl 1.0.1i. > > Does the ssh (or other) binaries dump core too? > Only the test_sshbuf and test_sshkey binaries dump core for me, ssh-keygen and ssh run. > Can you attach a debugger to it and see where it crashes? > $ gdb test_sshbuf core GNU gdb (GDB) 7.8 <..boilerplate..> Reading symbols from test_sshbuf...done. [New LWP 1] Core was generated by `./test_sshbuf'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0xfedb4b14 in strlen () from /usr/lib/libc.so.1 (gdb) bt #0 0xfedb4b14 in strlen () from /usr/lib/libc.so.1 #1 0xfee07a20 in _doprnt () from /usr/lib/libc.so.1 #2 0xfee095e0 in printf () from /usr/lib/libc.so.1 #3 0x00023e7c in main (argc=1, argv=0xffbfec24) at regress/unittests/test_helper/test_helper.c:141 (gdb) f 3 #3 0x00023e7c in main (argc=1, argv=0xffbfec24) at regress/unittests/test_helper/test_helper.c:141 141 printf("%s: ", __progname); (gdb) p __progname $1 = 0x0 (gdb) test_helper.c should probably use ssh_get_progname() from bsd-misc.c. -tgc From mikep at noc.utoronto.ca Thu Aug 21 08:25:18 2014 
From: mikep at noc.utoronto.ca (mikep at noc.utoronto.ca) Date: Wed, 20 Aug 2014 18:25:18 -0400 (EDT) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F5111C.5060803@jupiterrise.com> References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i. 'make' works, 'make tests' fails with: gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/ -L/opt/local/lib -R/opt/local/lib -Wl,-z,now regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o \ -L regress/unittests/test_helper -ltest_helper \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lresolv -lcrypto -lrt -lz -lsocket -lnsl BUILDDIR=`pwd`; \ TEST_SHELL="/bin/bash"; \ TEST_SSH_SCP="${BUILDDIR}/scp"; \ TEST_SSH_SSH="${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \ TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \ TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \ TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; \ TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \ TEST_SSH_SFTP="${BUILDDIR}/sftp"; \ TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \ TEST_SSH_PLINK="plink"; \ TEST_SSH_PUTTYGEN="puttygen"; \ TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="yes" ; \ TEST_SSH_ECC="yes" ; \ cd ./regress || exit $?; \ make \ .OBJDIR="${BUILDDIR}/regress" \ .CURDIR="`pwd`" \ BUILDDIR="${BUILDDIR}" \ OBJ="${BUILDDIR}/regress/" \ PATH="${BUILDDIR}:${PATH}" \ TEST_ENV=MALLOC_OPTIONS="" \ TEST_SHELL="${TEST_SHELL}" \ TEST_SSH_SCP="${TEST_SSH_SCP}" \ TEST_SSH_SSH="${TEST_SSH_SSH}" \ TEST_SSH_SSHD="${TEST_SSH_SSHD}" \ TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \ TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \ TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \ TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \ TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \ 
TEST_SSH_SFTP="${TEST_SSH_SFTP}" \ TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \ TEST_SSH_PLINK="${TEST_SSH_PLINK}" \ TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \ TEST_SSH_CONCH="${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="${TEST_SSH_IPV6}" \ TEST_SSH_ECC="${TEST_SSH_ECC}" \ EXEEXT="" \ tests && echo all tests passed make[1]: Entering directory `/opt/local/src/security/openssh/regress' set -e ; if test -z "" ; then \ /opt/local/src/security/openssh/regress/unittests/sshbuf/test_sshbuf ; \ /opt/local/src/security/openssh/regress/unittests/sshkey/test_sshkey \ -d /opt/local/src/security/openssh/regress//unittests/sshkey/testdata ; \ fi make[1]: *** [unit] Error 139 make[1]: Leaving directory `/opt/local/src/security/openssh/regress' make: *** [tests] Error 2 Mike -- Mike Peterson Information Security Analyst - Audit E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/ Tel: 416-978-5230 Fax: 416-978-6620 From djm at mindrot.org Thu Aug 21 10:47:02 2014 
From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Aug 2014 10:47:02 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Wed, 20 Aug 2014, Kevin Brott wrote: > FAIL*1 - configure completes without errors ... > make[1]: Entering directory `/usr/src/openssh/openbsd-compat' > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c > openssl-compat.c > In file included from openssl-compat.c:32: > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required that's strange - you aren't cross-compiling? The test in configure.ac won't work for x-compiles. If not, what does configure report your OpenSSL version as? e.g. checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat' > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't > part of openssl ... > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. > -I./.. -DHAVE_CONFIG_H -c port-aix.c > In file included from port-aix.c:31: > ../key.h:85: warning: type defaults to ?int? in declaration of ?EC_GROUP? > ../key.h:85: error: expected ?;?, ?,? or ?)? before ?*? token > ../key.h:86: warning: type defaults to ?int? in declaration of ?EC_KEY? > ../key.h:86: error: expected ?;?, ?,? or ?)? before ?*? 
token another missing check for no-ECC OpenSSL: Index: key.h =================================================================== RCS file: /var/cvs/openssh/key.h,v retrieving revision 1.45 diff -u -p -r1.45 key.h --- key.h 2 Jul 2014 05:28:03 -0000 1.45 +++ key.h 21 Aug 2014 00:46:48 -0000 @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key const char **); char *key_alg_list(int, int); -#ifdef WITH_OPENSSL +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); -#endif /* WITH_OPENSSL */ +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); From djm at mindrot.org Thu Aug 21 11:00:53 2014 From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Aug 2014 11:00:53 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F5111C.5060803@jupiterrise.com> References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: On Wed, 20 Aug 2014, Tom Christensen wrote: > (gdb) p __progname > $1 = 0x0 > (gdb) > > test_helper.c should probably use ssh_get_progname() from bsd-misc.c. Thanks for figuring this out. I'd prefer to keep the dependencies from the tests to a minimum, at least until we have the API defined in libopenssh, so here's a workaround that uses argv[0]: Index: regress/unittests/test_helper/test_helper.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/test_helper/test_helper.c,v retrieving revision 1.3 diff -u -p -r1.3 test_helper.c --- regress/unittests/test_helper/test_helper.c 11 Jun 2014 19:32:30 -0000 1.3 +++ regress/unittests/test_helper/test_helper.c 21 Aug 2014 00:59:02 -0000 
@@ -117,6 +117,19 @@ main(int argc, char **argv) { int ch; + /* Handle systems without __progname */ + if (__progname == NULL) { + __progname = strrchr(argv[0], '/'); + if (__progname == NULL || __progname[1] == '\0') + __progname = argv[0]; + else + __progname++; + if ((__progname = strdup(__progname)) == NULL) { + fprintf(stderr, "strdup failed\n"); + exit(1); + } + } + while ((ch = getopt(argc, argv, "vqd:")) != -1) { switch (ch) { case 'd': From djm at mindrot.org Thu Aug 21 11:01:36 2014 From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Aug 2014 11:01:36 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Wed, 20 Aug 2014, James Cloos wrote: > JC> I'm trying again as a temp user. > > In addition to using a uid which does not have anything in ~/.ssh and > which sets no envs matching /SSH/, I also moved /etc/ssh/ssh_config > out of the way while the test was running. > > With that, the tests all passed. It is a Gentoo ~amd64 box. Thanks, I'll take a look to see where the hermiticity of the test is breaking... From djm at mindrot.org Thu Aug 21 11:02:09 2014 From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Aug 2014 11:02:09 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: On Wed, 20 Aug 2014, mikep at noc.utoronto.ca wrote: > Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i. > > 'make' works, 'make tests' fails with: This is likely the __progname problem that I just posted a patch for. Could you give that a try? -d From wieland at purdue.edu Thu Aug 21 11:36:39 2014 
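Review bot: the `__progname` fallback in the test_helper.c hunk dereferences `argv[0]` without checking `argc > 0`. A caller that execs the test binary with an empty argument vector makes `strrchr(argv[0], '/')` fault in the same way the `printf("%s: ", __progname)` it is meant to fix did. Suggest `if (__progname == NULL && argc > 0 && argv[0] != NULL)` and a fixed fallback string otherwise. `strrchr` and `strdup` also need `<string.h>` in scope; the hunk context does not show the includes, so that is worth confirming. Assigning to `__progname` assumes it is declared as a writable `char *` on the platforms that have no libc definition; the Solaris reports later in the thread confirm it links and no longer segfaults there.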
From: wieland at purdue.edu (Jeff Wieland) Date: Wed, 20 Aug 2014 21:36:39 -0400 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> Message-ID: <53F54D27.5090400@purdue.edu> Damien Miller wrote: > On Tue, 19 Aug 2014, Jeff Wieland wrote: > >> Damien Miller wrote: >>> regress/unittests/sshbuf/test_sshbuf -v >> All I get is: >> >> Segmentation Fault(coredump) > Does the ssh (or other) binaries dump core too? > > Can you attach a debugger to it and see where it crashes? > > -d > Sorry -- I've been tied up all day. I've applied the patch that you posted, and the tests are running now. I'll know more after a while. -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)494-2253 | West Lafayette, IN 47907 From kevin.brott at gmail.com Thu Aug 21 13:35:39 2014
From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 20 Aug 2014 20:35:39 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: No cross-compiling at all. Completely native builds on the appropriate OS. The ./configure script is correctly reporting the library and header versions listed in the build reports. (0.9.8k, etc). But I'll do more runs in the morning and paste the configure detections. On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller wrote: > On Wed, 20 Aug 2014, Kevin Brott wrote: > > > FAIL*1 - configure completes without errors ... > > make[1]: Entering directory `/usr/src/openssh/openbsd-compat' > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c > > openssl-compat.c > > In file included from openssl-compat.c:32: > > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required > > that's strange - you aren't cross-compiling? The test in configure.ac > won't work for x-compiles. > > If not, what does configure report your OpenSSL version as? e.g. > > checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) > checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) > > > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat' > > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > > > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h > isn't > > part of openssl ... > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing > -D_FORTIFY_SOURCE=2 > > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. > > -I./.. -DHAVE_CONFIG_H -c port-aix.c > > In file included from port-aix.c:31: > > ../key.h:85: warning: type defaults to ?int? in declaration of > ?EC_GROUP? > > ../key.h:85: error: expected ?;?, ?,? or ?)? before ?*? 
token > > ../key.h:86: warning: type defaults to ?int? in declaration of > ?EC_KEY? > > ../key.h:86: error: expected ?;?, ?,? or ?)? before ?*? token > > another missing check for no-ECC OpenSSL: > > Index: key.h > =================================================================== > RCS file: /var/cvs/openssh/key.h,v > retrieving revision 1.45 > diff -u -p -r1.45 key.h > --- key.h 2 Jul 2014 05:28:03 -0000 1.45 > +++ key.h 21 Aug 2014 00:46:48 -0000 > @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key > const char **); > char *key_alg_list(int, int); > > -#ifdef WITH_OPENSSL > +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) > int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); > int key_ec_validate_private(const EC_KEY *); > -#endif /* WITH_OPENSSL */ > +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ > > Key *key_from_blob(const u_char *, u_int); > int key_to_blob(const Key *, u_char **, u_int *); > -- # include /* Kevin Brott */ From wieland at purdue.edu Thu Aug 21 14:01:07 2014 
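Review bot: guarding only the declarations in key.h moves the failure rather than removing it. Wherever `key_ec_validate_public` and `key_ec_validate_private` are defined, and at each call site, the same `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` condition is needed, otherwise the no-ECC build fails on the undefined `EC_GROUP`/`EC_KEY` types in the implementation instead of in the header. The later report in this thread of `sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such file or directory` on the same AIX 0.9.8k and RHEL 1.0.0-fips hosts shows at least one more unconditional `#include <openssl/ec.h>` that needs the guard as well.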
From: wieland at purdue.edu (Jeff Wieland) Date: Thu, 21 Aug 2014 00:01:07 -0400 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F54D27.5090400@purdue.edu> References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F54D27.5090400@purdue.edu> Message-ID: <53F56F03.10609@purdue.edu> Jeff Wieland wrote: > Damien Miller wrote: >> On Tue, 19 Aug 2014, Jeff Wieland wrote: >> >>> Damien Miller wrote: >>>> regress/unittests/sshbuf/test_sshbuf -v >>> All I get is: >>> >>> Segmentation Fault(coredump) >> Does the ssh (or other) binaries dump core too? >> >> Can you attach a debugger to it and see where it crashes? >> >> -d >> > > Sorry -- I've been tied up all day. I've applied the patch > that you posted, and thetests are running now. I'll know more > after a while. > With the patch to regress/unittests/test_helper/test_helper.c Solaris 10 on SPARC passed all tests. -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)494-2253 | West Lafayette, IN 47907 From djm at mindrot.org Thu Aug 21 15:55:31 2014 From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Aug 2014 15:55:31 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F56F03.10609@purdue.edu> References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F54D27.5090400@purdue.edu> <53F56F03.10609@purdue.edu> Message-ID: On Thu, 21 Aug 2014, Jeff Wieland wrote: > With the patch to regress/unittests/test_helper/test_helper.c Solaris 10 on > SPARC > passed all tests. Thanks - committed. It will be in the 20140822 snapshot. -d From mikep at noc.utoronto.ca Thu Aug 21 21:36:57 2014 
From: mikep at noc.utoronto.ca (mikep at noc.utoronto.ca) Date: Thu, 21 Aug 2014 07:36:57 -0400 (EDT) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: On Thu, 21 Aug 2014, Damien Miller wrote: > On Wed, 20 Aug 2014, mikep at noc.utoronto.ca wrote: > >> Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i. >> >> 'make' works, 'make tests' fails with: > > This is likely the __progname problem that I just posted a patch for. Could > you give that a try? > > -d Still fails same place. Mike -- Mike Peterson Information Security Analyst - Audit E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/ Tel: 416-978-5230 Fax: 416-978-6620 From kevin.brott at gmail.com Fri Aug 22 01:22:44 2014 
From: kevin.brott at gmail.com (Kevin Brott) Date: Thu, 21 Aug 2014 08:22:44 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: Example ... Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 .. $ openssl version OpenSSL 0.9.6b [engine] 9 Jul 2001 $ ./configure ... checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) checking whether OpenSSL's headers match the library... yes checking if programs using OpenSSL functions will link... yes checking whether OpenSSL has crippled AES support... yes checking whether OpenSSL has AES CTR via EVP... no checking whether OpenSSL has AES GCM via EVP... no checking whether OpenSSL has NID_X9_62_prime256v1... no checking whether OpenSSL has NID_secp384r1... no checking whether OpenSSL has NID_secp521r1... no checking whether OpenSSL's PRNG is internally seeded... yes ... Host: i686-pc-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 Preprocessor flags: Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt $ gmake ... gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. 
-DHAVE_CONFIG_H -c openssl-compat.c In file included from openssl-compat.c:32: openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required gmake[1]: *** [openssl-compat.o] Error 1 gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat' gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 This happens on all the Red Hat based systems where openssl < 1.0.0-fips On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller wrote: > On Wed, 20 Aug 2014, Kevin Brott wrote: > > > FAIL*1 - configure completes without errors ... > > make[1]: Entering directory `/usr/src/openssh/openbsd-compat' > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c > > openssl-compat.c > > In file included from openssl-compat.c:32: > > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required > > that's strange - you aren't cross-compiling? The test in configure.ac > won't work for x-compiles. > > If not, what does configure report your OpenSSL version as? e.g. > > checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) > checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) > > > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat' > > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > > > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h > isn't > > part of openssl ... > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing > -D_FORTIFY_SOURCE=2 > > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. > > -I./.. -DHAVE_CONFIG_H -c port-aix.c > > In file included from port-aix.c:31: > > ../key.h:85: warning: type defaults to ?int? in declaration of > ?EC_GROUP? > > ../key.h:85: error: expected ?;?, ?,? or ?)? before ?*? token > > ../key.h:86: warning: type defaults to ?int? 
in declaration of > ?EC_KEY? > > ../key.h:86: error: expected ?;?, ?,? or ?)? before ?*? token > > another missing check for no-ECC OpenSSL: > > Index: key.h > =================================================================== > RCS file: /var/cvs/openssh/key.h,v > retrieving revision 1.45 > diff -u -p -r1.45 key.h > --- key.h 2 Jul 2014 05:28:03 -0000 1.45 > +++ key.h 21 Aug 2014 00:46:48 -0000 > @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key > const char **); > char *key_alg_list(int, int); > > -#ifdef WITH_OPENSSL > +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) > int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); > int key_ec_validate_private(const EC_KEY *); > -#endif /* WITH_OPENSSL */ > +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ > > Key *key_from_blob(const u_char *, u_int); > int key_to_blob(const Key *, u_char **, u_int *); > -- # include /* Kevin Brott */ From kevin.brott at gmail.com Fri Aug 22 02:11:16 2014 
From: kevin.brott at gmail.com (Kevin Brott) Date: Thu, 21 Aug 2014 09:11:16 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: Another missing ec.h failure ... AIX openssl 0.9.8k and RH 1.0.0-fips gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshbuf-getput-crypto.c -o sshbuf-getput-crypto.o sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such file or directory gmake: *** [sshbuf-getput-crypto.o] Error 1 On Thu, Aug 21, 2014 at 8:22 AM, Kevin Brott wrote: > > Example ... > > Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 .. > > $ openssl version > OpenSSL 0.9.6b [engine] 9 Jul 2001 > > $ ./configure > ... > checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) > checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) > checking whether OpenSSL's headers match the library... yes > checking if programs using OpenSSL functions will link... yes > checking whether OpenSSL has crippled AES support... yes > checking whether OpenSSL has AES CTR via EVP... no > checking whether OpenSSL has AES GCM via EVP... no > checking whether OpenSSL has NID_X9_62_prime256v1... no > checking whether OpenSSL has NID_secp384r1... no > checking whether OpenSSL has NID_secp521r1... no > checking whether OpenSSL's PRNG is internally seeded... yes > ... 
> Host: i686-pc-linux-gnu > Compiler: gcc > Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized > -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -fno-builtin-memset -std=gnu99 > Preprocessor flags: > Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack > Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt > > $ gmake > ... > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c > openssl-compat.c > In file included from openssl-compat.c:32: > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required > gmake[1]: *** [openssl-compat.o] Error 1 > gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat' > gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > This happens on all the Red Hat based systems where openssl < 1.0.0-fips > > > > On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller wrote: > >> On Wed, 20 Aug 2014, Kevin Brott wrote: >> >> > FAIL*1 - configure completes without errors ... >> > make[1]: Entering directory `/usr/src/openssh/openbsd-compat' >> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare >> > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 >> > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c >> > openssl-compat.c >> > In file included from openssl-compat.c:32: >> > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required >> >> that's strange - you aren't cross-compiling? The test in configure.ac >> won't work for x-compiles. >> >> If not, what does configure report your OpenSSL version as? e.g. >> >> checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014) >> checking OpenSSL library version... 
1000106f (OpenSSL 1.0.1f 6 Jan 2014) >> >> > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat' >> > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 >> > >> > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h >> isn't >> > part of openssl ... >> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare >> > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing >> -D_FORTIFY_SOURCE=2 >> > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. >> > -I./.. -DHAVE_CONFIG_H -c port-aix.c >> > In file included from port-aix.c:31: >> > ../key.h:85: warning: type defaults to ?int? in declaration of >> ?EC_GROUP? >> > ../key.h:85: error: expected ?;?, ?,? or ?)? before ?*? token >> > ../key.h:86: warning: type defaults to ?int? in declaration of >> ?EC_KEY? >> > ../key.h:86: error: expected ?;?, ?,? or ?)? before ?*? token >> >> another missing check for no-ECC OpenSSL: >> >> Index: key.h >> =================================================================== >> RCS file: /var/cvs/openssh/key.h,v >> retrieving revision 1.45 >> diff -u -p -r1.45 key.h >> --- key.h 2 Jul 2014 05:28:03 -0000 1.45 >> +++ key.h 21 Aug 2014 00:46:48 -0000 >> @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key >> const char **); >> char *key_alg_list(int, int); >> >> -#ifdef WITH_OPENSSL >> +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) >> int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); >> int key_ec_validate_private(const EC_KEY *); >> -#endif /* WITH_OPENSSL */ >> +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ >> >> Key *key_from_blob(const u_char *, u_int); >> int key_to_blob(const Key *, u_char **, u_int *); >> > > > > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ From tgc at jupiterrise.com Fri Aug 22 05:07:13 2014 
From: tgc at jupiterrise.com (Tom Christensen) Date: Thu, 21 Aug 2014 21:07:13 +0200 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: <53F64361.2020202@jupiterrise.com> On 21/08/14 03:00, Damien Miller wrote: > Thanks for figuring this out. I'd prefer to keep the dependencies from > the tests to a minimum, at least until we have the API defined in > libopenssh, so here's a workaround that uses argv[0]: > That took care of the segfault but unfortunately test_sshbuf fails: test_sshbuf: ........................................................ regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57 "sshbuf_putf" ASSERT_INT_EQ(r, 0) failed: r = -10 0 = 0 The rest of the testsuite is a total loss presumably due to this early failure. This is on Solaris 9/SPARC with gcc 4.9.1. -tgc From kevin.brott at gmail.com Fri Aug 22 06:08:32 2014 
From: kevin.brott at gmail.com (Kevin Brott) Date: Thu, 21 Aug 2014 13:08:32 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: I've worked it out. The test in configure.ac (and the resulting test in configure) is not correct, as it's expecting (I think) a variant of the value from opensslv.h (i.e. OPENSSL_VERSION_NUMBER 0x009080bfL), which is not what configure is actually testing against. That, and it's missing the second set of brackets needed for the regxep test. Values of $ssl_library_ver from configure being tested against ... Centos 2.1 "90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)" RHEL 3-4 "90701f (OpenSSL 0.9.7a Feb 19 2003)" RHEL 5 "90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)" AIX 5.3 "90811f (OpenSSL 0.9.8k 25 Mar 2009)" HP-UX 11.23 "90817f (OpenSSL 0.9.8w 23 Apr 2012)" HP-UX 11.31 "90819f (OpenSSL 0.9.8y 5 Feb 2013)" RHEL 6.0-4 "10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)" AIX 6-7/RHEL 6.5+ "1000105f (OpenSSL 1.0.1e 11 Feb 2013)" So after applying this patch - and re-running autoconf - configure will error out on old openssl versions as expected. ---CUT--- *** openssh/configure.ac 2014-08-19 18:05:03.000000000 -0700 --- openssh-fix/configure.ac 2014-08-21 12:39:23.038445826 -0700 *************** *** 2289,2293 **** # Check version is supported. case "$ssl_library_ver" in ! 0090[0-7]*|009080[0-5]*) AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) ;; --- 2289,2293 ---- # Check version is supported. case "$ssl_library_ver" in ! 90[[0-7]]*|9080[[0-5]]*) AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) ;; ---CUT--- It should generate this (depending on your version of autoconf) in configure ssl_library_ver=`cat conftest.ssllibver` # Check version is supported. case "$ssl_library_ver" in 90[0-7]*|9080[0-5]*) as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5 ;; *) ;; esac On Thu, Aug 21, 2014 at 8:22 AM, Kevin Brott wrote: > > Example ... > > Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 .. 
> > $ openssl version > OpenSSL 0.9.6b [engine] 9 Jul 2001 > > $ ./configure > ... > checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) > checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) > checking whether OpenSSL's headers match the library... yes > checking if programs using OpenSSL functions will link... yes > checking whether OpenSSL has crippled AES support... yes > checking whether OpenSSL has AES CTR via EVP... no > checking whether OpenSSL has AES GCM via EVP... no > checking whether OpenSSL has NID_X9_62_prime256v1... no > checking whether OpenSSL has NID_secp384r1... no > checking whether OpenSSL has NID_secp521r1... no > checking whether OpenSSL's PRNG is internally seeded... yes > ... > Host: i686-pc-linux-gnu > Compiler: gcc > Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized > -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -fno-builtin-memset -std=gnu99 > Preprocessor flags: > Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack > Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt > > $ gmake > ... > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c > openssl-compat.c > In file included from openssl-compat.c:32: > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required > gmake[1]: *** [openssl-compat.o] Error 1 > gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat' > gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > This happens on all the Red Hat based systems where openssl < 1.0.0-fips > > > > On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller wrote: > >> On Wed, 20 Aug 2014, Kevin Brott wrote: >> >> > FAIL*1 - configure completes without errors ... 
>> > make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
>> > In file included from openssl-compat.c:32:
>> > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
>>
>> that's strange - you aren't cross-compiling? The test in configure.ac won't work for x-compiles.
>>
>> If not, what does configure report your OpenSSL version as? e.g.
>>
>> checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>> checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>>
>> > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> >
>> > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't part of openssl ...
>> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c port-aix.c
>> > In file included from port-aix.c:31:
>> > ../key.h:85: warning: type defaults to ‘int’ in declaration of ‘EC_GROUP’
>> > ../key.h:85: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
>> > ../key.h:86: warning: type defaults to ‘int’ in declaration of ‘EC_KEY’
>> > ../key.h:86: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
>>
>> another missing check for no-ECC OpenSSL:
>>
>> Index: key.h
>> ===================================================================
>> RCS file: /var/cvs/openssh/key.h,v
>> retrieving revision 1.45
>> diff -u -p -r1.45 key.h
>> --- key.h	2 Jul 2014 05:28:03 -0000	1.45
>> +++ key.h	21 Aug 2014 00:46:48 -0000
>> @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key
>>  	const char **);
>>  char	*key_alg_list(int, int);
>>
>> -#ifdef WITH_OPENSSL
>> +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
>>  int	 key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
>>  int	 key_ec_validate_private(const EC_KEY *);
>> -#endif /* WITH_OPENSSL */
>> +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
>>
>>  Key	*key_from_blob(const u_char *, u_int);
>>  int	 key_to_blob(const Key *, u_char **, u_int *);
>>
>
>
> --
> # include
> /* Kevin Brott */
>

-- 
# include
/* Kevin Brott */

From doctor at doctor.nl2k.ab.ca Fri Aug 22 06:11:00 2014
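Review bot: on the quoted key.h hunk above, changing the guard on the two prototypes to `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` matches the errors at ../key.h:85 and :86 in the quoted port-aix.c build, but a header-only change is not sufficient on its own: the definitions of key_ec_validate_public and key_ec_validate_private, and every call site, need the same condition, otherwise a build against a no-ECC OpenSSL trades this parse error for implicit-declaration warnings and an unresolved symbol at link time. It is worth verifying with a full build on one of the RHEL or AIX systems the message describes as lacking ec.h, rather than only confirming that port-aix.c now compiles.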
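The OpenSSL version gate that Kevin Brott's message above takes apart, as an added example that is not code from the thread or from OpenSSH's configure.ac: a POSIX sh script (my own) that runs both the pre-patch and the post-patch `case` patterns over the `$ssl_library_ver` strings he listed (copied here as a constructed sample list), and adds a numeric comparison of the hex prefix, which is my suggestion rather than anything the thread proposes. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH's configure.ac): the
# OpenSSL version gate from the configure.ac hunk in Kevin's message,
# written as plain shell and run over the $ssl_library_ver strings he listed.
# The pattern is written as it appears in the generated configure script;
# in configure.ac it needs doubled brackets ([[0-7]]) because autoconf's
# m4 strips one layer of quoting.

# Post-patch check: returns 1 (the AC_MSG_ERROR case) for 0.9.0-0.9.7 and
# 0.9.8a-0.9.8e, 0 for anything else.
ssl_version_supported() {
    case "$1" in
        90[0-7]*|9080[0-5]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pre-patch check, kept to show why it never fired: the conftest output
# has no leading zeros, so no observed value starts with "0090".
ssl_version_supported_old() {
    case "$1" in
        0090[0-7]*|009080[0-5]*) return 1 ;;
        *) return 0 ;;
    esac
}

# My suggested alternative (not proposed in the thread): compare the hex
# prefix numerically against 0x0090806f (0.9.8f) so the gate no longer
# depends on how the conftest program formats the number. Anything that is
# not a hex number (including an empty string) is treated as unsupported.
ssl_version_ge_098f() {
    hex=${1%% *}
    case "$hex" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "$((0x$hex))" -ge "$((0x0090806f))" ]
}

# Sample values, constructed from the list in Kevin's message, one per line.
SAMPLES='90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
90701f (OpenSSL 0.9.7a Feb 19 2003)
90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
90811f (OpenSSL 0.9.8k 25 Mar 2009)
90817f (OpenSSL 0.9.8w 23 Apr 2012)
90819f (OpenSSL 0.9.8y 5 Feb 2013)
10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)
1000105f (OpenSSL 1.0.1e 11 Feb 2013)'

# Runs the named check over SAMPLES and prints how many values it rejects.
count_rejected() {
    n=0
    while IFS= read -r ver; do
        "$1" "$ver" || n=$((n + 1))
    done <<EOF
$SAMPLES
EOF
    echo "$n"
}

# Stand-alone run: one line per sample with the verdict of each check.
printf '%s\n' "$SAMPLES" | while IFS= read -r ver; do
    if ssl_version_supported_old "$ver"; then old=accept; else old=reject; fi
    if ssl_version_supported "$ver"; then new=accept; else new=reject; fi
    if ssl_version_ge_098f "$ver"; then num=accept; else num=reject; fi
    printf '%-9s old=%-6s new=%-6s numeric=%s\n' "${ver%% *}" "$old" "$new" "$num"
done
```

Run it with sh to see the verdict per sample. The pre-patch pattern rejects nothing, because none of the observed strings begins with `0090`; the post-patch pattern and the numeric comparison both reject the three entries below 0.9.8f (0.9.6b, 0.9.7a, 0.9.8e) and accept the rest. Inside configure.ac the brackets must be doubled, since m4 removes one level of quoting before the pattern reaches the generated configure.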
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Thu, 21 Aug 2014 14:11:00 -0600
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <53F64361.2020202@jupiterrise.com>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com>
Message-ID: <20140821201059.GA6173@doctor.nl2k.ab.ca>

Getting back to BSD/OS old serverware

The tests came back as

Script started on Thu Aug 21 11:50:09 2014
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ w
11:50AM  up 66 days,  3:37, 1 user, load averages: 19.64, 22.72, 20.72
USER     TTY  FROM              LOGIN@  IDLE WHAT
doctor   p0   ts1p17.nl2k.ab.c  8:38AM     0 script
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ make -k tests
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || mkdir -p `pwd`/regress/unittests/sshkey
[ -f `pwd`/regress/Makefile ] || ln -s `cd .
&& pwd`/regress/Makefile `pwd`/regress/Makefile (cd openbsd-compat && make) /usr/bin/ar rv libssh.a ssherr.o sshbuf.o sshkey.o sshbuf-getput-basic.o sshbuf-misc.o sshbuf-getput-crypto.o authfd.o authfile.o bufaux.o bufbn.o buffer.o canohost.o channels.o cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o ssh-pkcs11.o krl.o smult_curve25519_ref.o kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o ssh-ed25519.o digest-openssl.o hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o r - ssherr.o r - sshbuf.o r - sshkey.o r - sshbuf-getput-basic.o r - sshbuf-misc.o r - sshbuf-getput-crypto.o r - authfd.o r - authfile.o r - bufaux.o r - bufbn.o r - buffer.o r - canohost.o r - channels.o r - cipher.o r - cipher-aes.o r - cipher-bf1.o r - cipher-ctr.o r - cipher-3des1.o r - cleanup.o r - compat.o r - compress.o r - crc32.o r - deattack.o r - fatal.o r - hostfile.o r - log.o r - match.o r - md-sha256.o r - moduli.o r - nchan.o r - packet.o r - readpass.o r - rsa.o r - ttymodes.o r - xmalloc.o r - addrmatch.o r - atomicio.o r - key.o r - dispatch.o r - kex.o r - mac.o r - uidswap.o r - uuencode.o r - misc.o r - monitor_fdpass.o r - rijndael.o r - ssh-dss.o r - ssh-ecdsa.o r - ssh-rsa.o r - dh.o r - kexdh.o r - kexgex.o r - kexdhc.o r - kexgexc.o r - bufec.o r - kexecdh.o r - kexecdhc.o r - msg.o r - progressmeter.o r - dns.o r - entropy.o r - gss-genr.o r - umac.o r - umac128.o r - ssh-pkcs11.o r - krl.o r - smult_curve25519_ref.o r - kexc25519.o r - kexc25519c.o r - poly1305.o r - chacha.o r - 
cipher-chachapoly.o r - ssh-ed25519.o r - digest-openssl.o r - hmac.o r - sc25519.o r - ge25519.o r - fe25519.o r - ed25519.o r - verify.o r - hash.o r - blocks.o ranlib libssh.a gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o ssh-keyscan ssh-keyscan.o roaming_dummy.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lcrypto -ldl -lutil -lz gcc -o ssh-keysign ssh-keysign.o readconf.o roaming_dummy.o -L. 
-Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o ssh-agent ssh-agent.o ssh-pkcs11-client.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o sftp-server sftp-server.o sftp-common.o sftp-server-main.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. 
-Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/setuid-allowed ./regress/setuid-allowed.c -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/tests.c -o regress/unittests/sshbuf/tests.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf.c -o regress/unittests/sshbuf/test_sshbuf.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_basic.c -o regress/unittests/sshbuf/test_sshbuf_getput_basic.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_misc.c -o regress/unittests/sshbuf/test_sshbuf_misc.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_fuzz.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fixed.c -o regress/unittests/sshbuf/test_sshbuf_fixed.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/test_helper.c -o regress/unittests/test_helper/test_helper.o regress/unittests/test_helper/test_helper.c: In function `test_data_file': regress/unittests/test_helper/test_helper.c:173: warning: implicit declaration of function `strlcpy' gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/fuzz.c -o regress/unittests/test_helper/fuzz.o /usr/bin/ar rv regress/unittests/test_helper/libtest_helper.a regress/unittests/test_helper/test_helper.o regress/unittests/test_helper/fuzz.o a - regress/unittests/test_helper/test_helper.o a - regress/unittests/test_helper/fuzz.o ranlib regress/unittests/test_helper/libtest_helper.a gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_fuzz.c -o regress/unittests/sshkey/test_fuzz.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/tests.c -o regress/unittests/sshkey/tests.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/common.c -o regress/unittests/sshkey/common.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. 
-I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_file.c -o regress/unittests/sshkey/test_file.o gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_sshkey.c -o regress/unittests/sshkey/test_sshkey.o gcc -o regress/unittests/sshkey/test_sshkey -L. 
-Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz BUILDDIR=`pwd`; TEST_SHELL="sh"; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ="${BUILDDIR}/regress/" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="" TEST_SHELL="${TEST_SHELL}" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_ECC="${TEST_SSH_ECC}" EXEEXT="" tests && echo all tests passed set -e ; if test -z "" ; then /usr/source/openssh-SNAP-20140822/regress/unittests/sshbuf/test_sshbuf ; /usr/source/openssh-SNAP-20140822/regress/unittests/sshkey/test_sshkey -d 
/usr/source/openssh-SNAP-20140822/regress//unittests/sshkey/testdata ; fi
test_sshbuf: .................................................................................................... 100 tests ok
test_sshkey: ......................................................................................... 89 tests ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
tr '\n' '\r' /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_cr.prv
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_cr.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
awk '{print $0 "\r"}' /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2.prv > /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_crnl.prv
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_crnl.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
cat /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv > /usr/source/openssh-SNAP-20140822/regress//t2.out
chmod 600 /usr/source/openssh-SNAP-20140822/regress//t2.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -yf /usr/source/openssh-SNAP-20140822/regress//t2.out | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20140822/ssh-keygen -ef /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub >/usr/source/openssh-SNAP-20140822/regress//t3.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress//t3.out | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20140822/regress/t4.ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20140822/regress/t5.ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/dsa_ssh2.prv > /usr/source/openssh-SNAP-20140822/regress//t6.out1
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/dsa_ssh2.pub > /usr/source/openssh-SNAP-20140822/regress//t6.out2
chmod 600 /usr/source/openssh-SNAP-20140822/regress//t6.out1
/usr/source/openssh-SNAP-20140822/ssh-keygen -yf /usr/source/openssh-SNAP-20140822/regress//t6.out1 | diff - /usr/source/openssh-SNAP-20140822/regress//t6.out2
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t rsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t7.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t dsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t8.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t8.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t8.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -q -t ecdsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t9.out
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t9.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t9.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t ed25519 -N '' -f /usr/source/openssh-SNAP-20140822/regress//t10.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t10.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t10.out > /dev/null
run test connect.sh ...
tset: standard error: Operation not supported
12:09PM  up 66 days,  3:56, 1 user, load averages: 9.60, 11.32, 14.74
USER     TTY  FROM              LOGIN@  IDLE WHAT
doctor   p0   ts1p17.nl2k.ab.c  8:38AM    18 script
Filesystem  Type  Size  Used  Avail  Use%  Mounted on
/dev/sd0a   ufs   3.9G  1.7G  2.0G    46%  /
/dev/sd0h   ufs    88G   63G   21G    76%  /usr
/dev/sd0g   ufs    88G   53G   31G    63%  /usr/var
/dev/sd0f   ufs    88G   69G   16G    82%  /usr/home
mfs:27      mfs   992M   14M  930M     2%  /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
tset: standard error: Operation not supported
12:09PM  up 66 days,  3:56, 1 user, load averages: 8.43, 11.01, 14.59
USER     TTY  FROM              LOGIN@  IDLE WHAT
doctor   p0   ts1p17.nl2k.ab.c  8:38AM    19 script
Filesystem  Type  Size  Used  Avail  Use%  Mounted on
/dev/sd0a   ufs   3.9G  1.7G  2.0G    46%  /
/dev/sd0h   ufs    88G   63G   21G    76%  /usr
/dev/sd0g   ufs    88G   53G   31G    63%  /usr/var
/dev/sd0f   ufs    88G   69G   16G    82%  /usr/home
mfs:27      mfs   992M   14M  930M     2%  /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
ok simple connect
run test proxy-connect.sh ...
test: syntax error
test: syntax error
plain username protocol 1 privsep=no comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=no comp=no
plain username protocol 1 privsep=no comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=no comp=yes
plain username protocol 2 privsep=no comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=no
plain username protocol 2 privsep=no comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=yes
plain username protocol 1 privsep=yes comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=yes comp=no
plain username protocol 1 privsep=yes comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=yes comp=yes
plain username protocol 2 privsep=yes comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=no
plain username protocol 2 privsep=yes comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=yes
username with style protocol 1
tset: standard error: Operation not supported
12:10PM  up 66 days,  3:57, 1 user, load averages: 13.49, 12.05, 14.79
USER     TTY  FROM              LOGIN@  IDLE WHAT
doctor   p0   ts1p17.nl2k.ab.c  8:38AM    19 script
Filesystem  Type  Size  Used  Avail  Use%  Mounted on
/dev/sd0a   ufs   3.9G  1.7G  2.0G    46%  /
/dev/sd0h   ufs    88G   63G   21G    76%  /usr
/dev/sd0g   ufs    88G   53G   31G    63%  /usr/var
/dev/sd0f   ufs    88G   69G   16G    82%  /usr/home
mfs:27      mfs   992M   14M  929M     2%  /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
username with style protocol 2
tset: standard error: Operation not supported
12:10PM  up 66 days,  3:57, 1 user, load averages: 13.49, 12.05, 14.79
USER     TTY  FROM              LOGIN@  IDLE WHAT
doctor   p0   ts1p17.nl2k.ab.c  8:38AM    19 script
Filesystem  Type  Size  Used  Avail  Use%  Mounted on
/dev/sd0a   ufs   3.9G  1.7G  2.0G    46%  /
/dev/sd0h   ufs    88G   63G   21G    76%  /usr
/dev/sd0g   ufs    88G   53G   31G    63%  /usr/var
/dev/sd0f   ufs    88G   69G   16G    82%  /usr/home
mfs:27      mfs   992M   14M  929M     2%  /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
failed proxy connect
*** Error code 1 (continuing)
`tests' not remade because of errors.
all tests passed
You have new mail in /var/mail/doctor
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ exit
exit

Script done on Thu Aug 21 12:17:12 2014

Why suddenly this failure?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
22 Sept 2014 New Brunswick save the province vote Liberal!

From vinschen at redhat.com Fri Aug 22 06:12:28 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 21 Aug 2014 22:12:28 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <53F64361.2020202@jupiterrise.com>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com>
Message-ID: <20140821201228.GA4192@calimero.vinschen.de>

On Aug 21 21:07, Tom Christensen wrote:
> On 21/08/14 03:00, Damien Miller wrote:
> >Thanks for figuring this out. I'd prefer to keep the dependencies from
> >the tests to a minimum, at least until we have the API defined in
> >libopenssh, so here's a workaround that uses argv[0]:
> >
> >
> That took care of the segfault but unfortunately test_sshbuf fails:
> test_sshbuf: ........................................................
> regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57
> "sshbuf_putf"
> ASSERT_INT_EQ(r, 0) failed:
> r = -10
> 0 = 0
>
> The rest of the testsuite is a total loss presumably due to this early
> failure.

Try this:

$ make tests REGRESS_TARGETS='t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec'

This runs all non-unit tests. See regress/Makefile, right at the top.

Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:

From tgc at jupiterrise.com Fri Aug 22 16:20:19 2014
From: tgc at jupiterrise.com (Tom Christensen)
Date: Fri, 22 Aug 2014 08:20:19 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140821201228.GA4192@calimero.vinschen.de>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com> <20140821201228.GA4192@calimero.vinschen.de>
Message-ID: <53F6E123.5040304@jupiterrise.com>

On 21/08/14 22:12, Corinna Vinschen wrote:
> This runs all non-unit tests. See regress/Makefile, right at the top.
>
Right.

Looks like ssh-keygen is busted.
It passes t1 but t2 fails:

make[1]: Entering directory `/export/home/tgc/buildpkg/openssh/src/openssh/regress'
cat /export/home/tgc/buildpkg/openssh/src/openssh/regress/rsa_openssh.prv > /export/home/tgc/buildpkg/openssh/src/openssh/regress/t
chmod 600 /export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out
/export/home/tgc/buildpkg/openssh/src/openssh/ssh-keygen -yf /export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out | diff b
key_write failed
1c1
<
---
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX8=
make[1]: *** [t2] Error 1

Running the command by hand:

$ /export/home/tgc/buildpkg/openssh/src/openssh/ssh-keygen -yf /export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out
key_write failed
$

-tgc

From djm at mindrot.org Fri Aug 22 17:29:41 2014
From: djm at mindrot.org (Damien Miller) Date: Fri, 22 Aug 2014 17:29:41 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Thu, 21 Aug 2014, Kevin Brott wrote: > checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) > checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul > 2001) ah, it's missing the leading zeroes that I expected. Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.579 diff -u -p -r1.579 configure.ac --- configure.ac 20 Aug 2014 01:05:03 -0000 1.579 +++ configure.ac 22 Aug 2014 07:29:08 -0000 @@ -2243,7 +2243,7 @@ AC_RUN_IFELSE( if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) exit(1); exit(0); @@ -2278,7 +2278,7 @@ AC_RUN_IFELSE( if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), + if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) exit(1); From djm at mindrot.org Fri Aug 22 17:31:20 2014 From: djm at mindrot.org (Damien Miller) Date: Fri, 22 Aug 2014 17:31:20 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Thu, 21 Aug 2014, Kevin Brott wrote: > sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such > file or directory > gmake: *** [sshbuf-getput-crypto.o] Error 1 I'll commit this momentarily. Will be in the 20140823 snapshot. Index: sshbuf-getput-crypto.c =================================================================== RCS file: /var/cvs/openssh/sshbuf-getput-crypto.c,v retrieving revision 1.3 diff -u -p -r1.3 sshbuf-getput-crypto.c --- sshbuf-getput-crypto.c 2 Jul 2014 02:48:05 -0000 1.3 +++ sshbuf-getput-crypto.c 22 Aug 2014 07:30:38 -0000 
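Review bot: in both configure.ac hunks above (@@ -2243 and @@ -2278) the width fix to `%08x` still leaves a format/argument type mismatch: OPENSSL_VERSION_NUMBER is a long constant (its opensslv.h definition carries an `L` suffix) and SSLeay() returns `unsigned long`, while `%x` expects `unsigned int`. Use `%08lx` with an explicit cast, e.g. `(unsigned long)OPENSSL_VERSION_NUMBER`, so the header and library versions are printed identically on every ABI and the string comparison configure does on them stays meaningful; the stray space in `fd ,"` could be tidied in the same change.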
@@ -24,7 +24,9 @@ #include #include -#include +#ifdef OPENSSL_HAS_ECC +# include +#endif /* OPENSSL_HAS_ECC */ #include "ssherr.h" #include "sshbuf.h" From djm at mindrot.org Fri Aug 22 17:48:54 2014 From: djm at mindrot.org (Damien Miller) Date: Fri, 22 Aug 2014 17:48:54 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <53F64361.2020202@jupiterrise.com> References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com> Message-ID: On Thu, 21 Aug 2014, Tom Christensen wrote: > On 21/08/14 03:00, Damien Miller wrote: > > Thanks for figuring this out. I'd prefer to keep the dependencies from > > the tests to a minimum, at least until we have the API defined in > > libopenssh, so here's a workaround that uses argv[0]: > > > > > That took care of the segfault but unfortunately test_sshbuf fails: > test_sshbuf: ........................................................ > regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57 "sshbuf_putf" > ASSERT_INT_EQ(r, 0) failed: > r = -10 > 0 = 0 > > The rest of the testsuite is a total loss presumably due to this early > failure. > > This is on Solaris 9/SPARC with gcc 4.9.1. It looks like this is failing: if ((len = vsnprintf(NULL, 0, fmt, ap2)) < 0) { Does your libc vsnprintf() support checking the length of the formatted string this way? (AFAIK SUSv3 requires it). We should check for it in configure anyway... Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.580 diff -u -p -r1.580 configure.ac --- configure.ac 22 Aug 2014 07:36:20 -0000 1.580 +++ configure.ac 22 Aug 2014 07:48:42 -0000 
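Review bot: the `#ifdef OPENSSL_HAS_ECC` guard in the sshbuf-getput-crypto.c hunk (@@ -24,7 +24,9) only helps if the macro is already visible at that point, which depends on the configure-generated config.h having been included above this hunk (the context shown does not confirm it); and every definition in this file whose signature uses EC_GROUP or EC_POINT needs the same guard, otherwise a non-ECC OpenSSL merely moves the failure from the missing header to `type defaults to 'int' in declaration of 'EC_GROUP'` errors on the function prototypes. A short comment on the `#endif` naming where OPENSSL_HAS_ECC comes from would also help the next reader.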
@@ -1887,11 +1887,9 @@ if test "x$ac_cv_func_snprintf" = "xyes" ) fi -# If we don't have a working asprintf, then we strongly depend on vsnprintf -# returning the right thing on overflow: the number of characters it tried to -# create (as per SUSv3) -if test "x$ac_cv_func_asprintf" != "xyes" && \ - test "x$ac_cv_func_vsnprintf" = "xyes" ; then +# We depend on vsnprintf returning the right thing on overflow: the +# number of characters it tried to create (as per SUSv3) +if test "x$ac_cv_func_vsnprintf" = "xyes" ; then AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ @@ -1899,15 +1897,23 @@ if test "x$ac_cv_func_asprintf" != "xyes #include #include -int x_snprintf(char *str,size_t count,const char *fmt,...) +int x_snprintf(char *str, size_t count, const char *fmt, ...) { - size_t ret; va_list ap; - va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap); + size_t ret; + va_list ap; + + va_start(ap, fmt); + ret = vsnprintf(str, count, fmt, ap); + va_end(ap); return ret; } ]], [[ - char x[1]; - exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); +char x[1]; +if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11) + return 1; +if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11) + return 1; +return 0; ]])], [AC_MSG_RESULT([yes])], [ From djm at mindrot.org Sat Aug 23 02:28:09 2014 
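Review bot: in the first hunk (@@ -1887,11 +1887,9) the probe now runs whenever vsnprintf exists, but the rewritten comment and the AC_MSG_CHECKING text still describe only the overflow case, while the second hunk adds a NULL/0 length query that is a separate behaviour; reword both to say "on overflow and for a NULL/0 buffer", and state what configure does when the answer is "no" (the later "complain to your vendor" warning does not tell the reader whether the compat vsnprintf is substituted, which is what the Solaris reports in this thread depend on).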
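Review bot: in the second hunk (@@ -1899,15 +1897,23) x_snprintf() still declares `size_t ret;` although vsnprintf returns `int`; a -1 from a pre-SUSv3 libc is converted to SIZE_MAX and then back to int at `return ret`, which happens to compare unequal to 11 but rides on implementation-defined conversion. Declare `int ret;` so the probe checks the real return value. The 1-byte `x[1]` probe and the NULL/0 probe cover the two failure modes; a third call with a buffer of exactly 12 bytes would also pin down that the non-overflow return is 11, so a libc that gets only the overflow case wrong is not mistaken for one that miscounts always.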
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Aug 2014 02:28:09 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140821201059.GA6173@doctor.nl2k.ab.ca>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com> <20140821201059.GA6173@doctor.nl2k.ab.ca>
Message-ID:

On Thu, 21 Aug 2014, The Doctor wrote:

> Getting back to BSD/OS old serverware
>
> The tests came back as ...
> run test connect.sh ...
> tset: standard error: Operation not supported
>
> 12:09PM  up 66 days,  3:56, 1 user, load averages: 9.60, 11.32, 14.74
> USER     TTY FROM              LOGIN@  IDLE WHAT
> doctor   p0  ts1p17.nl2k.ab.c  8:38AM    18 script
> Filesystem Type  Size  Used Avail Use% Mounted on
> /dev/sd0a  ufs   3.9G  1.7G  2.0G  46% /
> /dev/sd0h  ufs    88G   63G   21G  76% /usr
> /dev/sd0g  ufs    88G   53G   31G  63% /usr/var
> /dev/sd0f  ufs    88G   69G   16G  82% /usr/home
> mfs:27     mfs   992M   14M  930M   2% /tmp
> Delete is backspace
> /root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
> daemon: /var/news/etc/send-uucp: No such file or directory
> tset: standard error: Operation not supported

It could be that this .bashrc is interfering with the tests (e.g. by
generating unexpected output).

From djm at mindrot.org Sat Aug 23 02:28:51 2014
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Aug 2014 02:28:51 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <20140821201228.GA4192@calimero.vinschen.de>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com> <20140821201228.GA4192@calimero.vinschen.de>
Message-ID:

On Thu, 21 Aug 2014, Corinna Vinschen wrote:

> > The rest of the testsuite is a total loss presumably due to this early
> > failure.
>
> Try this:
>
> $ make tests REGRESS_TARGETS='t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec'
>
> This runs all non-unit tests. See regress/Makefile, right at the top.

"make tests SKIP_UNIT=1" exists for this purpose :)

-d

From djm at mindrot.org Sat Aug 23 02:29:47 2014
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Aug 2014 02:29:47 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: <53F6E123.5040304@jupiterrise.com>
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com> <20140821201228.GA4192@calimero.vinschen.de> <53F6E123.5040304@jupiterrise.com>
Message-ID:

On Fri, 22 Aug 2014, Tom Christensen wrote:

> On 21/08/14 22:12, Corinna Vinschen wrote:
> > This runs all non-unit tests. See regress/Makefile, right at the top.
> >
> Right.
>
> Looks like ssh-keygen is busted.
> It passes t1 but t2 is fail:

That's probably related to sshbuf_putf() being broken.

-d

From tgc at jupiterrise.com Sat Aug 23 07:26:29 2014
From: tgc at jupiterrise.com (Tom Christensen)
Date: Fri, 22 Aug 2014 23:26:29 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> <53F64361.2020202@jupiterrise.com>
Message-ID: <53F7B585.2050702@jupiterrise.com>

On 22/08/14 09:48, Damien Miller wrote:
> Does your libc vsnprintf() support checking the length of the formatted
> string this way? (AFAIK SUSv3 requires it).
>
No, this does not work on Solaris 9 and older.
Gnulib has a list of platforms with this bug here:
https://www.gnu.org/software/gnulib/manual/html_node/snprintf.html

> We should check for it in configure anyway...
>
checking whether vsnprintf returns correct values on overflow... no
configure: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor

The testsuite now passes on Solaris 8 and 9.

-tgc

From tgc at jupiterrise.com Sat Aug 23 21:43:20 2014
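Added here as an illustration, not code from the thread or from OpenSSH: the "probe the length with vsnprintf(NULL, 0, ...), then allocate" pattern that the `if ((len = vsnprintf(NULL, 0, fmt, ap2)) < 0)` line in Damien's message relies on, together with a self-check equivalent to the configure probe he posted. Function names are this example's own. On a SUSv3-conformant libc the check returns 1; on the Solaris 9-era libcs Tom describes, which return -1 or the truncated count on overflow, it returns 0 and the allocating formatter fails closed instead of producing a wrong-sized buffer.

```c
/* Added example (not OpenSSH code): SUSv3 vsnprintf length probing and a
 * self-check mirroring the configure test from this thread. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the configure test's x_snprintf(): a variadic front end so
 * vsnprintf is exercised through a va_list. vsnprintf returns int, so ret is
 * an int and a negative (error) value comes back unchanged. */
static int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
    int ret;
    va_list ap;

    va_start(ap, fmt);
    ret = vsnprintf(str, count, fmt, ap);
    va_end(ap);
    return ret;
}

/* 1 if this libc follows SUSv3: on overflow, and with a NULL/0 buffer, it
 * returns the length the full string needs ("hello 12345" is 11 bytes).
 * Pre-SUSv3 libcs return -1 or the truncated count instead. */
int vsnprintf_reports_length(void)
{
    char x[1];

    if (x_snprintf(x, sizeof x, "%s %d", "hello", 12345) != 11)
        return 0;
    if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
        return 0;
    return 1;
}

/* Format into a freshly malloc'd buffer sized by a NULL/0 probe. Returns
 * NULL when the probe fails (broken libc or bad format), so the caller gets
 * an explicit error rather than a truncated or over-long write. */
char *vformat_alloc(const char *fmt, va_list ap)
{
    va_list ap2;
    int len, n;
    char *buf;

    va_copy(ap2, ap);                 /* the probe consumes its va_list */
    len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (len < 0)
        return NULL;
    if ((buf = malloc((size_t)len + 1)) == NULL)
        return NULL;
    n = vsnprintf(buf, (size_t)len + 1, fmt, ap);
    if (n != len) {                   /* should never differ; fail closed */
        free(buf);
        return NULL;
    }
    return buf;
}

char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    char *s;

    va_start(ap, fmt);
    s = vformat_alloc(fmt, ap);
    va_end(ap);
    return s;
}

/* Self-test: 1 if format_alloc() reproduces the expected strings, including
 * one long enough to overflow any small fixed buffer (200 digits). */
int format_alloc_check(void)
{
    char *a = format_alloc("%s %d", "hello", 12345);
    char *b = format_alloc("%0200d", 7);
    int ok = a != NULL && b != NULL && strcmp(a, "hello 12345") == 0 &&
             strlen(b) == 200 && b[0] == '0' && b[199] == '7';

    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("vsnprintf reports needed length: %s\n",
           vsnprintf_reports_length() ? "yes" : "no");
    printf("format_alloc self-test: %s\n",
           format_alloc_check() ? "ok" : "FAILED");
    return 0;
}
```

The va_copy before the probe is the same precaution the quoted sshbuf_putf() line takes with ap2: the first vsnprintf consumes its va_list, so the real formatting call needs a fresh copy.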
From: tgc at jupiterrise.com (Tom Christensen)
Date: Sat, 23 Aug 2014 13:43:20 +0200
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <53F87E58.7040609@jupiterrise.com>

On 18/08/14 03:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
It fails to build on IRIX 6.2:

cc-1020 cc: ERROR File = sftp-server.c, Line = 1536
  The identifier "PR_SET_DUMPABLE" is undefined.

        if (prctl(PR_SET_DUMPABLE, 0) != 0)
                  ^

1 error detected in the compilation of "sftp-server.c".

AFAIK no version of IRIX has PR_SET_DUMPABLE.

Fixing that, the build completes.
The sshkey unit test fails:

test_sshkey: ...........................
regress/unittests/sshkey/test_sshkey.c:338 test #28 "nested certificate"
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0) failed:
sshkey_load_cert(test_data_file("rsa_1"), &k1) = -4
0 = 0
make[1]: *** [unit] Error 134

The rest of the testsuite is running now but so far it looks like the
problems there are the same as previous releases.

-tgc

From fredports at mufley.com Sun Aug 24 05:02:49 2014
From: fredports at mufley.com (Frederico Costa)
Date: Sat, 23 Aug 2014 20:02:49 +0100
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <410173937022477f005475a5ffdd43d8@www.mufley.com>

Hi there

Tested openssh-SNAP-20140823.tar.gz on FreeBSD versions:

FreeBSD 10.0-RELEASE-p6 #0 r267862
FreeBSD 9.3-RELEASE #0 r268564

with generic kernel. All tests passed.

Fred

On 2014-08-18 02:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.6
> =========================
>
> Potentially-incompatible changes
>
>  * sshd(8): The default set of ciphers and MACs has been altered to
>    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>    are disabled by default.
>
>    The full set of algorithms remains available if configured
>    explicitly via the Ciphers and MACs sshd_config options.
>
>  * sshd(8): Support for tcpwrappers/libwrap has been removed.
>
>  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>    using the curve25519-sha256 at libssh.org KEX exchange method to fail
>    when connecting with something that implements the specification
>    correctly. OpenSSH 6.7 disables this KEX method when speaking to
>    one of the affected versions.
>
> New Features
>
>  * Major internal refactoring to begin to make part of OpenSSH usable
>    as a library. So far the wire parsing, key handling and KRL code
>    has been refactored. Please note that we do not consider the API
>    stable yet, nor do we offer the library in separable form.
>
>  * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>    A remote TCP port may be forwarded to a local Unix domain socket
>    and vice versa or both ends may be a Unix domain socket.
>
>  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>    ED25519 key types.
>
>  * sftp(1): Allow resumption of interrupted uploads.
>
>  * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>    is the same as the one sent during initial key exchange; bz#2154
>
>  * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>    addresses when GatewayPorts=no; allows client to choose address
>    family; bz#2222
>
>  * sshd(8): Add a sshd_config PermitUserRC option to control whether
>    ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>    option; bz#2160
>
>  * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>    that expands to a unique identifier based on a hash of the tuple of
>    (local host, remote user, hostname, port). Helps avoid exceeding
>    miserly pathname limits for Unix domain sockets in multiplexing
>    control paths; bz#2220
>
>  * sshd(8): Make the "Too many authentication failures" message
>    include the user, source address, port and protocol in a format
>    similar to the authentication success / failure messages; bz#2199
>
>  * Added unit and fuzz tests for refactored code. These are run
>    automatically in portable OpenSSH via the "make tests" target.
>
> Bugfixes
>
>  * sshd(8): Fix remote fwding with same listen port but different
>    listen address.
>
>  * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>    explicitly listed in ssh_config or on the commandline not to be
>    preferred.
>
>  * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>    revoked certificate serial number ranges could be serialised to an
>    invalid format. Readers of a broken KRL caused by this bug will
>    fail closed, so no should-have-been-revoked key will be accepted.
>
>  * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>    exit status. Previously we were always returning 0; bz#2255
>
>  * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>    randomart border; bz#2247
>
>  * ssh-agent(1): Only cleanup agent socket in the main agent process
>    and not in any subprocesses it may have started (e.g. forked
>    askpass). Fixes agent sockets being zapped when askpass processes
>    fatal(); bz#2236
>
>  * ssh-add(1): Make stdout line-buffered; saves partial output getting
>    lost when ssh-add fatal()s part-way through (e.g. when listing keys
>    from an agent that supports key types that ssh-add doesn't);
>    bz#2234
>
>  * ssh-keygen(1): When hashing or removing hosts, don't choke on
>    @revoked markers and don't remove @cert-authority markers; bz#2241
>
>  * ssh(1): Don't fatal when hostname canonicalisation fails and a
>    ProxyCommand is in use; continue and allow the ProxyCommand to
>    connect anyway (e.g. to a host with a name outside the DNS behind
>    a bastion)
>
>  * scp(1): When copying local->remote fails during read, don't send
>    uninitialised heap to the remote end.
>
>  * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>    filenames with a single quote char somewhere in the string;
>    bz#2238
>
>  * ssh-keyscan(1): Scan for Ed25519 keys by default.
>
>  * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
>    convert any certificate keys to plain keys and attempt SSHFP
>    resolution. Prevents a server from skipping SSHFP lookup and
>    forcing a new-hostkey dialog by offering only certificate keys.
>
>  * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>
>  * Fix some strict-alignment errors.
>
> Portable OpenSSH
>
>  * Portable OpenSSH now supports building against libressl-portable.
>
>  * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>    versions are no longer supported.
>
>  * In the OpenSSL version check, allow fix version upgrades (but not
>    downgrades). Debian bug #748150.
>
>  * sshd(8): On Cygwin, determine privilege separation user at runtime,
>    since it may need to be a domain account.
>
>  * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>    non-root users, and for them it just messes up the tty settings.
>
>  * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>    available. It takes into account time spent suspended, thereby
>    ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>    bz#2228
>
>  * Add support for ed25519 to opensshd.init init script.
>
>  * sftp-server(8): On platforms that support it, use prctl() to
>    prevent sftp-server from accessing /proc/self/{mem,maps}
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From Karim.Harouat at alcatel-lucent.com Wed Aug 20 19:06:25 2014
From: Karim.Harouat at alcatel-lucent.com (HAROUAT, KARIM (KARIM))
Date: Wed, 20 Aug 2014 09:06:25 +0000
Subject: Cipher Order in sshd_config
Message-ID: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com>

Hi

Sorry to disturb you but I am looking for a question I have, but I don't find any clue for it on the archive list, neither Internet (google search).
I'd like to know in sshd_config file, if the order given for cipher key word has an impact please?
I mean is there a difference for the server if I do the config like :
e.g
Ciphers aes128-ctr,aes256-ctr
vs
Ciphers aes256-ctr,aes128-ctr
?

Best Regards,

Karim HAROUAT
Alcatel-Lucent

From djm at mindrot.org Tue Aug 26 02:52:29 2014
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Aug 2014 02:52:29 +1000 (EST)
Subject: Cipher Order in sshd_config
In-Reply-To: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com>
References: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com>
Message-ID:

On Wed, 20 Aug 2014, HAROUAT, KARIM (KARIM) wrote:

> Hi
>
> Sorry to disturb you but I am looking for a question I have, but I don't find any clue for it on the archive list, neither Internet (google search).
> I'd like to know in sshd_config file, if the order given for cipher key word has an impact please?
> I mean is there a difference for the server if I do the config like :
> e.g
> Ciphers aes128-ctr,aes256-ctr
> vs
> Ciphers aes256-ctr,aes128-ctr

It matters on the client but not on the server (see RFC4253 section 7.1)
The selected method will be the first on the client's list that appears on
the server's list.

-d

From kevin.brott at gmail.com Tue Aug 26 07:27:54 2014
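The RFC 4253 section 7.1 rule in Damien's answer, as an added example (not code from the thread or from OpenSSH; the function names and cipher lists are this example's own): the chosen algorithm is the first name on the client's list that also appears on the server's list, so the two server orderings from the question produce the same result for a given client, while swapping the client's order changes the pick. The same rule is why a client's own preference order, not the server's, decides between aes128 and aes256, the point Ron Frederick raises further down the thread.

```c
/* Added example (not OpenSSH code): SSH name-list negotiation per
 * RFC 4253 section 7.1, applied to the Ciphers ordering question. */
#include <stdio.h>
#include <string.h>

/* Nonzero if the SSH name-list `list` (comma-separated, no spaces) contains
 * the entry `name` of length `len`. Matching is exact and case-sensitive. */
static int name_list_contains(const char *list, const char *name, size_t len)
{
    const char *p = list;

    for (;;) {
        const char *comma = strchr(p, ',');
        size_t entry_len = comma ? (size_t)(comma - p) : strlen(p);

        if (entry_len == len && memcmp(p, name, len) == 0)
            return 1;
        if (comma == NULL)
            return 0;
        p = comma + 1;
    }
}

/* Walk the CLIENT's preference list in order and copy the first entry the
 * server also offers into `out` (NUL-terminated). Returns 1 on success, 0
 * if the lists share nothing; a real implementation then aborts the key
 * exchange rather than picking anything. */
int ssh_negotiate(const char *client_list, const char *server_list,
                  char *out, size_t outsz)
{
    const char *p = client_list;

    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        if (len > 0 && len < outsz && name_list_contains(server_list, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    if (outsz > 0)
        out[0] = '\0';
    return 0;
}

/* 1 if negotiating `client_list` against `server_list` picks `expected`. */
int negotiates_to(const char *client_list, const char *server_list,
                  const char *expected)
{
    char chosen[64];

    return ssh_negotiate(client_list, server_list, chosen, sizeof chosen) &&
           strcmp(chosen, expected) == 0;
}

int main(void)
{
    /* Constructed lists: the two server orderings from the question and
     * both client orderings, so each side's influence is visible. */
    const char *servers[] = { "aes128-ctr,aes256-ctr", "aes256-ctr,aes128-ctr" };
    const char *clients[] = { "aes128-ctr,aes256-ctr", "aes256-ctr,aes128-ctr" };
    char chosen[64];
    int c, s;

    for (c = 0; c < 2; c++)
        for (s = 0; s < 2; s++) {
            ssh_negotiate(clients[c], servers[s], chosen, sizeof chosen);
            printf("client %-22s server %-22s -> %s\n",
                   clients[c], servers[s], chosen);
        }
    return 0;
}
```

Run stand-alone, the four printed rows show the result tracking the client's first entry in every case. The server's list still matters as a filter: anything absent from it (for instance a CBC cipher removed from the 6.7 defaults) can never be selected no matter where the client ranks it.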
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 25 Aug 2014 14:27:54 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID:

Slightly better results this time 'round ... still having non-ec.h build
issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
with --without-pie config option) on RHEL 5 64-bit systems with a
just-built copy of openssl

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz

OS               Build_Target              CC                      OpenSSL      BUILD     TEST
==============   =======================   =====================   ==========   =======   =================
Centos 2.1       i386-redhat-linux         gcc 2.9.6               1.0.1i**     OK*1      all tests passed
*RHEL 3.4        i386-redhat-linux         gcc 3.2.3-47            1.0.1i**     OK*1      FAIL*1
Fedora Core r2   i386-redhat-linux         gcc 3.3.3-7             1.0.1i**     OK*1*2    all tests passed
RHEL 4.8         i386-redhat-linux         gcc 3.4.6-11            1.0.1i**     OK*1*2    all tests passed
RHEL 4.8         x86_64-redhat-linux       gcc 3.4.6-11            1.0.1i**     OK*1*2    all tests passed
RHEL 5.4         i386-redhat-linux         gcc 4.1.2-46            1.0.1i**     OK*1      all tests passed
RHEL 5.4         x86_64-redhat-linux       gcc 4.1.2-46            1.0.1i**     OK*1*3    all tests passed
...more of same...
RHEL 5.10        i686-redhat-linux         gcc 4.1.2-54            1.0.1i**     OK*1      all tests passed
RHEL 5.10        x86_64-redhat-linux       gcc 4.1.2-54            1.0.1i**     OK*1*3    all tests passed
*RHEL 6.0        i686-redhat-linux         gcc 4.4.4-13            1.0.0-fips   FAIL*2
RHEL 6.0         x86_64-redhat-linux       gcc 4.4.4-13            1.0.0-fips   FAIL*2
....more of same...
RHEL 6.4         i686-redhat-linux         gcc 4.4.7-3             1.0.0-fips   FAIL*2
RHEL 6.4         x86_64-redhat-linux       gcc 4.4.7-3             1.0.0-fips   FAIL*2
*RHEL 6.5        i686-redhat-linux         gcc 4.4.7-4             1.0.1e-fips  OK        all tests passed
RHEL 6.5         x86_64-redhat-linux       gcc 4.4.7-4             1.0.1e-fips  OK        all tests passed
RHEL 7.0         x86_64-redhat-linux       gcc 4.8.2-16            1.0.1e-fips  OK        all tests passed
Debian 7.6       x86_64-linux-gnu          gcc Debian 4.7.2-5      1.0.1e       OK        all tests passed
*AIX 5300-12-02  powerpc-ibm-aix5.3.0.0    xlc 8.0.0.16            0.9.8k       FAIL*2
AIX 5300-12-04   powerpc-ibm-aix5.3.0.0    gcc 4.2.0-3             0.9.8k       FAIL*2
*AIX 6100-07-08  powerpc-ibm-aix6.1.0.0    xlc 11.1.0.6            1.0.1e       OK        all tests passed
AIX 6100-07-08   powerpc-ibm-aix6.1.0.0    gcc 4.2.0               1.0.1e       OK        all tests passed
AIX 7100-03-01   powerpc-ibm-aix7.1.0.0    xlc 12.1.0.6            1.0.1e       OK        all tests passed
AIX 7100-03-01   powerpc-ibm-aix7.1.0.0    gcc 4.4.7               1.0.1e       OK        all tests passed
HP-UX 11.23      ia64-hp-hpux11.23         C/aC++ C.11.23.12       0.9.8w       OK        all tests passed
HP-UX 11.23      ia64-hp-hpux11.23         gcc 4.3.1               0.9.8w       OK        all tests passed
HP-UX 11.31      ia64-hp-hpux11.31         C/aC++ C.11.31.05       0.9.8y       OK        all tests passed
HP-UX 11.31      ia64-hp-hpux11.31         gcc 4.6.2               0.9.8y       OK        all tests passed

RHEL  Red Hat Enterprise Linux
**    OpenSSH will no longer configure/build against OS-native openssl,
      openssl-1.0.1i installed in /usr/local/ssl/ (./config && make && make test && make install),
*1    ./configure --with-ssl-dir=/usr/local/ssl && make tests
*2    --without-zlib-version-check # old zlib on server
*3    --without-pie # otherwise will not load openssl - which doesn't use PIE during compile on 64-bit systems
*4    IBM auto-generated prologs in openssl 1.0.1e /usr/include/openssl/ec*.h break compile,
      commented out properly (/*/ vs #) and then everything is go.
FAIL*1 ran make tests three (3) times ... died here each time:
run test login-timeout.sh ...
ssh connect after login grace timeout failed without privsep
failed connect after login grace timeout
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/usr/src/openssh/regress'
make: *** [tests] Error 2

FAIL*2 compile fails at bufexc.c like so - another ec.h issue?

GCC:
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c bufec.c -o bufec.o
bufec.c:30: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:30: error: expected ';', ',' or ')' before '*' token
bufec.c:43: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:43: error: expected ';', ',' or ')' before '*' token
bufec.c:51: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:51: error: expected ';', ',' or ')' before '*' token
bufec.c:64: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:64: error: expected ';', ',' or ')' before '*' token
make: The error code from the last command is 1.

XLC:
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/usr/include -I/var/tmp/ssh/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c bufec.c -o bufec.o
bufec.c:30: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:30: error: parse error before '*' token
bufec.c: In function 'buffer_put_ecpoint_ret':
bufec.c:35: warning: implicit declaration of function 'sshbuf_put_ec'
bufec.c:35: error: 'buffer' undeclared (first use in this function)
bufec.c:35: error: (Each undeclared identifier is reported only once
bufec.c:35: error: for each function it appears in.)
bufec.c:35: error: 'point' undeclared (first use in this function)
bufec.c:35: error: 'curve' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:43: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:43: error: parse error before '*' token
bufec.c: In function 'buffer_put_ecpoint':
bufec.c:46: error: 'buffer' undeclared (first use in this function)
bufec.c:46: error: 'curve' undeclared (first use in this function)
bufec.c:46: error: 'point' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:51: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:51: error: parse error before '*' token
bufec.c: In function 'buffer_get_ecpoint_ret':
bufec.c:56: warning: implicit declaration of function 'sshbuf_get_ec'
bufec.c:56: error: 'buffer' undeclared (first use in this function)
bufec.c:56: error: 'point' undeclared (first use in this function)
bufec.c:56: error: 'curve' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:64: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:64: error: parse
error before '*' token bufec.c: In function 'buffer_get_ecpoint': bufec.c:67: error: 'buffer' undeclared (first use in this function) bufec.c:67: error: 'curve' undeclared (first use in this function) bufec.c:67: error: 'point' undeclared (first use in this function) make: 1254-004 The error code from the last command is 1. On Fri, Aug 22, 2014 at 12:31 AM, Damien Miller wrote: > On Thu, 21 Aug 2014, Kevin Brott wrote: > > > sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such > > file or directory > > gmake: *** [sshbuf-getput-crypto.o] Error 1 > > I'll commit this momentarily. Will be in the 20140823 snapshot. > > > Index: sshbuf-getput-crypto.c > =================================================================== > RCS file: /var/cvs/openssh/sshbuf-getput-crypto.c,v > retrieving revision 1.3 > diff -u -p -r1.3 sshbuf-getput-crypto.c > --- sshbuf-getput-crypto.c 2 Jul 2014 02:48:05 -0000 1.3 > +++ sshbuf-getput-crypto.c 22 Aug 2014 07:30:38 -0000 > @@ -24,7 +24,9 @@ > #include > > #include > -#include > +#ifdef OPENSSL_HAS_ECC > +# include > +#endif /* OPENSSL_HAS_ECC */ > > #include "ssherr.h" > #include "sshbuf.h" > -- # include /* Kevin Brott */ From imorgan at nas.nasa.gov Tue Aug 26 07:57:08 2014 
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Mon, 25 Aug 2014 14:57:08 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To:
References:
Message-ID: <20140825215708.GE10370@linux124.nas.nasa.gov>

On Mon, Aug 25, 2014 at 14:27:54 -0700, Kevin Brott wrote:
> Slightly better results this time 'round ... still having non-ec.h build
> issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
> with --without-pie config option) on RHEL 5 64-bit systems with a
> just-built copy of openssl
>

Sorry, I haven't been following this thread closely, but have you tried
adding -fPIC when you configure OpenSSL? That's an issue that comes up on
the mailing list from time to time with installs of OpenSSL.

If that is the issue you are encountering, we should probably add a note
about it to the INSTALL file and possibly the online FAQ.

--
Iain

From ronf at timeheart.net Tue Aug 26 08:08:51 2014
From: ronf at timeheart.net (Ron Frederick)
Date: Mon, 25 Aug 2014 15:08:51 -0700
Subject: Cipher Order in sshd_config
In-Reply-To:
References: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com>
Message-ID: <80880B40-E20D-4293-B9BD-2DCDB4822D1F@timeheart.net>

On Aug 25, 2014, at 9:52 AM, Damien Miller wrote:
> On Wed, 20 Aug 2014, HAROUAT, KARIM (KARIM) wrote:
>> Sorry to disturb you but I am looking for a question I have, but I don't find any clue for it on the archive list, neither Internet (google search).
>> I'd like to know in sshd_config file, if the order given for cipher key word has an impact please?
>> I mean is there a difference for the server if I do the config like :
>> e.g
>> Ciphers aes128-ctr,aes256-ctr
>> vs
>> Ciphers aes256-ctr,aes128-ctr
>
> It matters on the client but not on the server (see RFC4253 section 7.1)
> The selected method will be the first on the client's list that appears on
> the server's list.

I noticed some time ago that OpenSSH still prefers aes128 over aes192/aes256
ciphers in multiple cases (CTR, GCM, and CBC). Is this due to concerns about
CPU usage? These days, I would think we'd want to have clients prefer AES256.

It also still prefers MD5 over everything else for hashing, and SHA1 over
SHA2. While it still makes sense to support MD5 for backward compatibility
(and indeed the SSH RFC requires it), I'm not sure it still makes sense to
prefer either it or SHA1 at this point.
--
Ron Frederick
ronf at timeheart.net

From mikep at noc.utoronto.ca Tue Aug 26 08:14:33 2014
From: mikep at noc.utoronto.ca (mikep at noc.utoronto.ca) Date: Mon, 25 Aug 2014 18:14:33 -0400 (EDT) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com> Message-ID: > On Thu, 21 Aug 2014, Damien Miller wrote: > >> On Wed, 20 Aug 2014, mikep at noc.utoronto.ca wrote: >> >>> Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i. >>> >>> 'make' works, 'make tests' fails with: >> >> This is likely the __progname problem that I just posted a patch for. Could >> you give that a try? >> >> -d > > Still fails same place. Tried again with SNAP-20140826; gets much farther into the tests: ... run test sftp-perm.sh ... sftp permissions: read-only upload sftp permissions: read-only setstat postcondition check failed: setstat readonly sftp permissions: read-only rm sftp permissions: read-only mkdir sftp permissions: read-only rmdir sftp permissions: read-only posix-rename sftp permissions: read-only oldrename sftp permissions: read-only symlink sftp permissions: read-only hardlink sftp permissions: explicit open sftp permissions: explicit read sftp permissions: explicit write sftp permissions: explicit lstat sftp permissions: explicit opendir sftp permissions: explicit readdir sftp permissions: explicit setstat postcondition check failed: setstat blacklisted postcondition check failed: setstat not in whitelist sftp permissions: explicit remove sftp permissions: explicit mkdir sftp permissions: explicit rmdir sftp permissions: explicit posix-rename sftp permissions: explicit rename sftp permissions: explicit symlink sftp permissions: explicit hardlink sftp permissions: explicit statvfs failed sftp permissions make[1]: *** [t-exec] Error 1 make[1]: Leaving directory `/opt/local/src/security/openssh/regress' make: *** [tests] Error 2 Mike -- Mike Peterson Information Security Analyst - Audit E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/ Tel: 416-978-5230 Fax: 
416-978-6620 From djm at mindrot.org Tue Aug 26 08:42:23 2014 From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Aug 2014 08:42:23 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Mon, 25 Aug 2014, Kevin Brott wrote: > Slightly better results this time 'round ... still having non-ec.h build > issues, what I think is a race condition on RHEL 3, and PIE issues (fixed > with --without-pie config option) on RHEL 5 64-bit systems with a just-built > copy of openssl > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz Thanks again! ... > *3 --without-pie # otherwise will not load openssl - which doesn't use PIE > during compile on 64-bit systems We should probably find a way to delay the PIE checks until after we have most dependency libraries located to catch this. > FAIL*1 ran make tests three (3) times ... died here each time: > run test login-timeout.sh ... > ssh connect after login grace timeout failed without privsep > failed connect after login grace timeout > make[1]: *** [t-exec] Error 1 > make[1]: Leaving directory `/usr/src/openssh/regress' > make: *** [tests] Error 2 any clues in regress/failed-*? > FAIL*2 compile fails at bufexc.c like so - another ec.h issue? Yep, fixed in tomorrow's snapshot -d From scott_n at xypro.com Tue Aug 26 08:53:13 2014 From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 25 Aug 2014 22:53:13 +0000 Subject: GSSAPI In-Reply-To: <3162583.seGC0hIEk4@magrathea> References: <3162583.seGC0hIEk4@magrathea> Message-ID: In the patch, at line 2687 of http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.6p1-gsskex.patch, we have 
@@ -2488,6 +2495,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); +#ifdef GSSAPI + { + char *orig; + char *gss = NULL; + char *newstr = NULL; + orig = myproposal[PROPOSAL_KEX_ALGS]; <<<=== HERE 1 + + /* + * If we don't have a host key, then there's no point advertising + * the other key exchange algorithms + */ + + if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) <<<=== HERE 2 + orig = NULL; Note that at the lines marked HERE 1 and HERE 2, orig refers to two separate things. Is this inconsistency in reference intended? -----Original Message----- From: Andreas Schneider [mailto:asn at cryptomilk.org] Sent: Monday, July 21, 2014 4:16 AM To: openssh-unix-dev at mindrot.org Cc: Scott Neugroschl Subject: Re: GSSAPI On Tuesday 15 July 2014 21:52:33 Scott Neugroschl wrote: > If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I > still need to get Simon Wilkinson's patches? As the FreeIPA project has support for managing SSH Keys they have a maintained patchset for GSSAPI support. You can take a look here: http://pkgs.fedoraproject.org/cgit/openssh.git/tree/ -- andreas -- Andreas Schneider GPG-ID: CC014E3D www.cryptomilk.org asn at cryptomilk.org From djm at mindrot.org Tue Aug 26 09:07:16 2014 
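Review bot: at the two lines marked HERE 1 and HERE 2, `orig` first holds the current KEX proposal (`myproposal[PROPOSAL_KEX_ALGS]`) and is then overwritten with NULL when `myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]` is empty, so one variable carries two meanings (a list to be extended with the GSSAPI methods, and a "no host key, advertise GSSAPI key exchange only" sentinel) and nothing at the assignment says so; a one-line comment at HERE 2, or a separately named pointer for the non-GSSAPI list, would make the intent visible in the code itself. The rest of the block, where `gss` and `newstr` are built from `orig`, is not in the quoted excerpt, so whoever reviews the full patch should confirm that every later use of `orig` handles the NULL case.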
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Aug 2014 09:07:16 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: 
References: <53F3B623.2020409@purdue.edu> <53F412B6.70000@purdue.edu> <53F5111C.5060803@jupiterrise.com>
Message-ID: 

On Mon, 25 Aug 2014, mikep at noc.utoronto.ca wrote:

> Tried again with SNAP-20140826; gets much farther into the tests:

Thanks!

> sftp permissions: explicit setstat
> postcondition check failed: setstat blacklisted
> postcondition check failed: setstat not in whitelist

This is probably a problem with the test itself. Could you try applying the below patch, rerunning just the affected sftp-perm.sh test (using "make tests LTESTS=sftp-perm SKIP_UNIT=1") and sending me the output along with regress/sftp.log?

-d

Index: regress/sftp-perm.sh =================================================================== RCS file: /var/cvs/openssh/regress/sftp-perm.sh,v retrieving revision 1.2 diff -u -p -r1.2 sftp-perm.sh --- regress/sftp-perm.sh 24 Oct 2013 19:22:50 -0000 1.2 +++ regress/sftp-perm.sh 25 Aug 2014 23:06:41 -0000 @@ -29,7 +29,7 @@ postcondition() { _title="$1" _check="$2" test -z "$_check" && return - ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title" + ${TEST_SHELL} -c "$_check" || fatal "postcondition check failed: $_title" } ro_test() { @@ -72,7 +72,13 @@ perm_test() { # Blacklist prepare_files "$_prep" prepare_server -P $_op +echo "blacklist pre" +ls -l $COPY run_client "$_cmd" && fail "blacklisted $_op succeeded" +echo "blacklist post" +ls -l $COPY +test -x $COPY && echo "test -x" +test -x $COPY || echo "!test -x" postcondition "$_op blacklisted" "$_expect_fail_post" # Whitelist with op missing. prepare_files "$_prep"

From djm at mindrot.org Tue Aug 26 09:12:06 2014
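Review bot: the `fail` to `fatal` change in postcondition() (first hunk, @@ -29,7) makes the whole sftp-perm.sh run stop at the first failed postcondition instead of recording the failure and continuing, so the diagnostic output from the second hunk lands right next to the failing check; that is what you want for this debugging run, but postcondition() is shared by every permission test in the file, so the `fail` should be restored once the Solaris result is understood rather than committed along with the diagnostics.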
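Review bot: the `echo`/`ls -l $COPY`/`test -x $COPY` lines added to perm_test() (second hunk, @@ -72,7) are unindented, unconditional diagnostics with `$COPY` unquoted in all four of them; fine for a one-off run, but the two `test -x` lines could be a single `if test -x $COPY; then echo "test -x"; else echo "!test -x"; fi`, and the block should be removed, or put behind the regress `verbose` helper, before anything is committed. Since the failing postcondition is the setstat one, `ls -l` already shows the full mode bits, so the separate `test -x` probes add little beyond confirming whether `$COPY` still exists at that point.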
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Aug 2014 09:12:06 +1000 (EST)
Subject: Cipher Order in sshd_config
In-Reply-To: <80880B40-E20D-4293-B9BD-2DCDB4822D1F@timeheart.net>
References: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com> <80880B40-E20D-4293-B9BD-2DCDB4822D1F@timeheart.net>
Message-ID: 

On Mon, 25 Aug 2014, Ron Frederick wrote:

> I noticed some time ago that OpenSSH still prefers aes128 over aes192/aes256
> ciphers in multiple cases (CTR, GCM, and CBC). Is this due to concerns about
> CPU usage? These days, I would think we'd want to have clients prefer AES256.

It's a tradeoff for performance/security. I don't think attacks on AES128 are particularly feasible.

> It also still prefers MD5 over everything else for hashing, and SHA1 over
> SHA2. While it still makes sense to support MD5 for backward compatibility
> (and indeed the SSH RFC requires it), I'm not sure it still makes sense to
> prefer either it or SHA1 at this point.

For OpenSSH 6.7, the default MAC ordering does indeed demote HMAC-MD5. That being said, there are no practical attacks on HMAC-MD5 that I know of. HMAC is pretty forgiving of problems with the underlying hash.

-d

From djm at mindrot.org Tue Aug 26 09:28:27 2014
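The negotiation rule behind the answers in this thread (RFC 4253 section 7.1: the algorithm used is the first entry in the client's list that also appears in the server's list, so the order in sshd_config only decides what is permitted, not what is preferred) written out as code. This is an added example for the thread, not OpenSSH's own match_list() implementation; the function names, the static result buffer and the sample cipher lists are mine. It goes slightly beyond the cipher question: the same name-list rule applies to the KEX, host-key, MAC and compression lists, which is why the client's MAC ordering Ron asks about matters while the server's does not.

```c
#include <stdio.h>
#include <string.h>

/*
 * RFC 4253 section 7.1 name-list negotiation, as an added illustration
 * (not OpenSSH's match_list()). Both lists are comma-separated names with
 * no spaces. The result is the first client entry that the server also
 * offers; the server's own ordering is never consulted.
 */

#define ALG_MAX 64

/* Return 1 if `name` (namelen bytes, not NUL-terminated) appears in `list`. */
static int list_contains(const char *list, const char *name, size_t namelen)
{
	const char *p = list;

	while (*p != '\0') {
		const char *end = strchr(p, ',');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

		if (len == namelen && memcmp(p, name, len) == 0)
			return 1;
		if (end == NULL)
			break;
		p = end + 1;
	}
	return 0;
}

/*
 * Pick the algorithm for one name-list. Returns a pointer to a static
 * buffer holding the chosen name, or NULL when the two lists share nothing
 * (an SSH peer must then disconnect). Not thread-safe: copy the result
 * before calling again.
 */
const char *negotiate(const char *client, const char *server)
{
	static char chosen[ALG_MAX];
	const char *p = client;

	while (*p != '\0') {
		const char *end = strchr(p, ',');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

		/* First client preference that the server also lists wins. */
		if (len > 0 && len < sizeof(chosen) &&
		    list_contains(server, p, len)) {
			memcpy(chosen, p, len);
			chosen[len] = '\0';
			return chosen;
		}
		if (end == NULL)
			break;
		p = end + 1;
	}
	return NULL;
}

/*
 * The two sshd_config variants from Karim's question, against a client
 * that prefers AES-256: both server orders yield aes256-ctr. Returns 1
 * when the outcomes agree, which is the point of the thread.
 */
int server_order_is_irrelevant(void)
{
	const char *client = "aes256-ctr,aes128-ctr";
	const char *a, *b;
	char first[ALG_MAX];

	if ((a = negotiate(client, "aes128-ctr,aes256-ctr")) == NULL)
		return 0;
	strcpy(first, a);	/* copy out of the static buffer before the next call */
	b = negotiate(client, "aes256-ctr,aes128-ctr");
	return b != NULL && strcmp(first, b) == 0 &&
	    strcmp(first, "aes256-ctr") == 0;
}

int main(void)
{
	/* Constructed sample lists; real proposals are longer. */
	const char *r;

	r = negotiate("aes128-ctr,aes256-ctr", "aes256-ctr,aes128-ctr");
	printf("client prefers aes128:   %s\n", r ? r : "(none)");
	r = negotiate("aes128-ctr,aes256-ctr", "aes256-ctr");
	printf("server permits only 256: %s\n", r ? r : "(none)");
	r = negotiate("aes128-cbc", "aes256-ctr,aes128-ctr");
	printf("no overlap:              %s\n", r ? r : "(none)");
	printf("server order irrelevant: %d\n", server_order_is_irrelevant());
	return 0;
}
```

The second call in main() is the lever an administrator actually has: removing an algorithm from the server's list changes the outcome, reordering it does not. The same holds for the client side in reverse, which is why a site that wants AES-256 picked needs to put it first in the client's Ciphers line, not the server's.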
From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Aug 2014 09:28:27 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: <20140825215708.GE10370@linux124.nas.nasa.gov> References: <20140825215708.GE10370@linux124.nas.nasa.gov> Message-ID: On Mon, 25 Aug 2014, Iain Morgan wrote: > Sorry, I haven't been following this thread closely, but have you tried > adding -fPIC when you configure OpenSSL? That's an issue that comes up > on the mailing list from time to time with installs of OpenSSL. > > If that is the issue you are encountering, we should probably add a note > about it to the INSTALL file and possibly the online FAQ. I've added a note to the INSTALL file. The FAQ really needs a massive overhaul, it hasn't been touched for years. -d From djm at mindrot.org Tue Aug 26 09:30:27 2014 From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Aug 2014 09:30:27 +1000 (EST) Subject: GSSAPI In-Reply-To: References: <3162583.seGC0hIEk4@magrathea> Message-ID: On Mon, 25 Aug 2014, Scott Neugroschl wrote: > In the patch, at line 2687 of http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.6p1-gsskex.patch, we have > > @@ -2488,6 +2495,48 @@ do_ssh2_kex(void) > myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( > list_hostkey_types()); > > +#ifdef GSSAPI > + { > + char *orig; > + char *gss = NULL; > + char *newstr = NULL; > + orig = myproposal[PROPOSAL_KEX_ALGS]; <<<=== HERE 1 > + > + /* > + * If we don't have a host key, then there's no point advertising > + * the other key exchange algorithms > + */ > + > + if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) <<<=== HERE 2 > + orig = NULL; > > Note that at the lines marked HERE 1 and HERE 2, orig refers to two > separate things. Is this inconsistency in reference intended? AFAIK yes - it's intended to change the KEX method proposal based on whether any hostkeys are loaded. -d From kevin.brott at gmail.com Tue Aug 26 09:32:37 2014 
From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 25 Aug 2014 16:32:37 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Mon, Aug 25, 2014 at 3:42 PM, Damien Miller wrote: > On Mon, 25 Aug 2014, Kevin Brott wrote: > > > Slightly better results this time 'round ... still having non-ec.h build > > issues, what I think is a race condition on RHEL 3, and PIE issues (fixed > > with --without-pie config option) on RHEL 5 64-bit systems with a > just-built > > copy of openssl > > > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz > > Thanks again! > > De nada ... > ... > > > *3 --without-pie # otherwise will not load openssl - which doesn't use > PIE > > during compile on 64-bit systems > > We should probably find a way to delay the PIE checks until after we have > most dependency libraries located to catch this. > Per IAN's comment - I tried building openssl on another x64 system using ./config shared instead of just ./config (builds static library) so that it would try to use -fPIC. After installing and creating an /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib (configure pukes without this - it can't find libssl.so.1.0.0 even with an explicit --with-ssl-dir) ... configure works as advertised without telling it --without-pie, and make test is 'all tests passed'. Perhaps a quick check to see if libssl is a static or shared library would be in order before asking for a slice of pie? ;p > > FAIL*1 ran make tests three (3) times ... died here each time: > > run test login-timeout.sh ... > > ssh connect after login grace timeout failed without privsep > > failed connect after login grace timeout > > make[1]: *** [t-exec] Error 1 > > make[1]: Leaving directory `/usr/src/openssh/regress' > > make: *** [tests] Error 2 > > any clues in regress/failed-*? 
> > Brought that VM back up (admittedly I didn't look too deep at this one - was trying to get through the test suite first), looking at those files I see this: # ls -alrt failed-* -rw-r--r-- 1 root root 308 Aug 25 09:05 failed-ssh.log -rw-r--r-- 1 root root 236 Aug 25 09:05 failed-sshd.log -rw-r--r-- 1 root root 89 Aug 25 09:05 failed-regress.log [root at buildhost regress]# cat failed-regress.log trace: wait for sshd FAIL: ssh connect after login grace timeout failed without privsep [root at buildhost regress]# cat failed-sshd.log trace: wait for sshd Received signal 15; terminating. debug2: channel 0: rcvd close Received disconnect from 127.0.0.1: 11: disconnected by user debug1: do_cleanup FAIL: ssh connect after login grace timeout failed without privsep [root at buildhost regress]# cat failed-ssh.log trace: wait for sshd debug2: ssh_connect: needpriv 0 debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242. debug1: connect to address 127.0.0.1 port 4242: Connection refused ssh: connect to host 127.0.0.1 port 4242: Connection refused FAIL: ssh connect after login grace timeout failed without privsep Need to dig through my email archives - I would swear this is a (previously fixed) race in the test suite where it wasn't waiting properly. > FAIL*2 compile fails at bufexc.c like so - another ec.h issue? > > Yep, fixed in tomorrow's snapshot > > -d > Awesome. -- # include /* Kevin Brott */ From kevin.brott at gmail.com Tue Aug 26 09:40:15 2014 
From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 25 Aug 2014 16:40:15 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: Close - I'm remembering the race in rexec where ... DM: "turns out to be a race condition in the test itself: adding a "sleep 1" after each "kill" statement makes the test pass. We need a better way of handling this in the tests, perhaps polling for sshd's pidfile being deleted." On Mon, Aug 25, 2014 at 4:32 PM, Kevin Brott wrote: > On Mon, Aug 25, 2014 at 3:42 PM, Damien Miller wrote: > >> On Mon, 25 Aug 2014, Kevin Brott wrote: >> >> > Slightly better results this time 'round ... still having non-ec.h build >> > issues, what I think is a race condition on RHEL 3, and PIE issues >> (fixed >> > with --without-pie config option) on RHEL 5 64-bit systems with a >> just-built >> > copy of openssl >> > >> > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz >> >> Thanks again! >> >> > De nada ... > > >> ... >> >> > *3 --without-pie # otherwise will not load openssl - which doesn't >> use PIE >> > during compile on 64-bit systems >> >> We should probably find a way to delay the PIE checks until after we have >> most dependency libraries located to catch this. >> > > Per IAN's comment - I tried building openssl on another x64 system using ./config > shared instead of just ./config (builds static library) so that it would > try to use -fPIC. After installing and creating an > /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib > (configure pukes without this - it can't find libssl.so.1.0.0 even with an > explicit --with-ssl-dir) ... configure works as advertised without telling > it --without-pie, and make test is 'all tests passed'. Perhaps a quick > check to see if libssl is a static or shared library would be in order > before asking for a slice of pie? ;p > > >> > FAIL*1 ran make tests three (3) times ... died here each time: >> > run test login-timeout.sh ... 
>> > ssh connect after login grace timeout failed without privsep >> > failed connect after login grace timeout >> > make[1]: *** [t-exec] Error 1 >> > make[1]: Leaving directory `/usr/src/openssh/regress' >> > make: *** [tests] Error 2 >> >> any clues in regress/failed-*? >> >> > Brought that VM back up (admittedly I didn't look too deep at this one - > was trying to get through the test suite first), looking at those files I > see this: > > # ls -alrt failed-* > -rw-r--r-- 1 root root 308 Aug 25 09:05 failed-ssh.log > -rw-r--r-- 1 root root 236 Aug 25 09:05 failed-sshd.log > -rw-r--r-- 1 root root 89 Aug 25 09:05 failed-regress.log > [root at buildhost regress]# cat failed-regress.log > trace: wait for sshd > FAIL: ssh connect after login grace timeout failed without privsep > > [root at buildhost regress]# cat failed-sshd.log > trace: wait for sshd > Received signal 15; terminating. > debug2: channel 0: rcvd close > Received disconnect from 127.0.0.1: 11: disconnected by user > debug1: do_cleanup > FAIL: ssh connect after login grace timeout failed without privsep > > [root at buildhost regress]# cat failed-ssh.log > trace: wait for sshd > debug2: ssh_connect: needpriv 0 > debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242. > debug1: connect to address 127.0.0.1 port 4242: Connection refused > ssh: connect to host 127.0.0.1 port 4242: Connection refused > FAIL: ssh connect after login grace timeout failed without privsep > > Need to dig through my email archives - I would swear this is a > (previously fixed) race in the test suite where it wasn't waiting properly. > > > > FAIL*2 compile fails at bufexc.c like so - another ec.h issue? >> >> Yep, fixed in tomorrow's snapshot >> >> -d >> > > Awesome. > > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ From djm at mindrot.org Tue Aug 26 09:45:57 2014 
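The alternative Damien is quoted suggesting above (poll for sshd's pidfile going away instead of a fixed "sleep 1" after each kill) as an added example; it is not part of the thread or of OpenSSH's regress harness, and the function names, the polling interval and the 5-second ceiling are my choices. The demo stands in for sshd with a temporary file that a child process removes after a delay, and also shows the failure mode where nothing removes the file and the deadline is what returns control to the test.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Sleep for `ms` milliseconds (helper for this example). */
static void sleep_ms(int ms)
{
	struct timespec ts;

	ts.tv_sec = ms / 1000;
	ts.tv_nsec = (long)(ms % 1000) * 1000000L;
	nanosleep(&ts, NULL);
}

/*
 * Poll until `path` no longer exists. Returns 1 when it is gone, 0 when
 * `timeout_ms` elapsed first (the daemon we killed is still shutting down,
 * or never removed its pidfile), and -1 on an unexpected stat() error.
 * Unlike a fixed sleep this returns as soon as the daemon is really gone,
 * yet still has an upper bound on a slow machine.
 */
int wait_for_file_gone(const char *path, int timeout_ms, int interval_ms)
{
	struct stat st;
	int waited = 0;

	if (interval_ms <= 0)
		interval_ms = 50;
	for (;;) {
		if (stat(path, &st) == -1)
			return errno == ENOENT ? 1 : -1;
		if (waited >= timeout_ms)
			return 0;
		sleep_ms(interval_ms);
		waited += interval_ms;
	}
}

/*
 * Demo: a temp file stands in for sshd's pidfile and a child process
 * stands in for sshd removing it 300 ms after the "kill".
 * Returns the wait_for_file_gone() result (expected 1), or -1 on setup error.
 */
int demo_pidfile_removed(void)
{
	char path[] = "/tmp/sshd-pidfile-demo-XXXXXX";	/* constructed name */
	int fd, r;
	pid_t pid;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	close(fd);
	if ((pid = fork()) == -1) {
		unlink(path);
		return -1;
	}
	if (pid == 0) {		/* child: "sshd" exits and drops its pidfile */
		sleep_ms(300);
		unlink(path);
		_exit(0);
	}
	r = wait_for_file_gone(path, 5000, 50);
	waitpid(pid, NULL, 0);
	unlink(path);		/* harmless if the child already removed it */
	return r;
}

/* Demo of the failure mode: nobody removes the file, so the poll times out. */
int demo_pidfile_stuck(void)
{
	char path[] = "/tmp/sshd-pidfile-stuck-XXXXXX";	/* constructed name */
	int fd, r;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	close(fd);
	r = wait_for_file_gone(path, 200, 50);	/* expected 0: deadline hit */
	unlink(path);
	return r;
}

int main(void)
{
	printf("removed by child: %d (expect 1)\n", demo_pidfile_removed());
	printf("never removed:    %d (expect 0)\n", demo_pidfile_stuck());
	printf("already absent:   %d (expect 1)\n",
	    wait_for_file_gone("/tmp/sshd-pidfile-demo-does-not-exist", 100, 10));
	return 0;
}
```

In a shell-based test the equivalent loop would wrap `test -f "$PIDFILE"` with a counter, but the shape is the same: a short interval, a hard deadline, and a distinct result for "timed out" so the test fails with a message that names the real problem instead of a "Connection refused" from a port the old sshd still holds.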
From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Aug 2014 09:45:57 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Mon, 25 Aug 2014, Kevin Brott wrote: > > ... > > > > > *3 --without-pie # otherwise will not load openssl - which doesn't use > > PIE > > > during compile on 64-bit systems > > > > We should probably find a way to delay the PIE checks until after we have > > most dependency libraries located to catch this. > > > > Per IAN's comment - I tried building openssl on another x64 system > using ./config > shared instead of just ./config (builds static library) so that it would > try to use -fPIC. After installing and creating an > /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib > (configure pukes without this - it can't find libssl.so.1.0.0 even with an > explicit --with-ssl-dir) ... configure works as advertised without telling > it --without-pie, and make test is 'all tests passed'. Perhaps a quick > check to see if libssl is a static or shared library would be in order > before asking for a slice of pie? ;p Yes, the only impediment to doing it before this release are 1) making it work cross-platform (simply delaying the PIE checks until after OpenSSL has been located might be sufficient for this) and 2) not breaking anything else in the process (unfortunately, delaying the OpenSSL checks would almost certainly break something) > > any clues in regress/failed-*? 
> > > > > Brought that VM back up (admittedly I didn't look too deep at this one - > was trying to get through the test suite first), looking at those files I > see this: > > # ls -alrt failed-* > -rw-r--r-- 1 root root 308 Aug 25 09:05 failed-ssh.log > -rw-r--r-- 1 root root 236 Aug 25 09:05 failed-sshd.log > -rw-r--r-- 1 root root 89 Aug 25 09:05 failed-regress.log > [root at buildhost regress]# cat failed-regress.log > trace: wait for sshd > FAIL: ssh connect after login grace timeout failed without privsep > > [root at buildhost regress]# cat failed-sshd.log > trace: wait for sshd > Received signal 15; terminating. > debug2: channel 0: rcvd close > Received disconnect from 127.0.0.1: 11: disconnected by user > debug1: do_cleanup > FAIL: ssh connect after login grace timeout failed without privsep > > [root at buildhost regress]# cat failed-ssh.log > trace: wait for sshd > debug2: ssh_connect: needpriv 0 > debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242. > debug1: connect to address 127.0.0.1 port 4242: Connection refused > ssh: connect to host 127.0.0.1 port 4242: Connection refused > FAIL: ssh connect after login grace timeout failed without privsep > > Need to dig through my email archives - I would swear this is a > (previously fixed) race in the test suite where it wasn't waiting properly. Yes, this was supposed to "fix" it - djm at cvs.openbsd.org 2014/03/13 20:44:49 [login-timeout.sh] this test is a sorry mess of race conditions; add another sleep to avoid a failure on slow machines (at least until I find a better way) Guess I'll have to look for that "better way" soon... -d From scott_n at xypro.com Tue Aug 26 09:45:09 2014 From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 25 Aug 2014 23:45:09 +0000 Subject: GSSAPI In-Reply-To: References: <3162583.seGC0hIEk4@magrathea> Message-ID: -----Original Message----- 
From: Damien Miller [mailto:djm at mindrot.org] On Mon, 25 Aug 2014, Scott Neugroschl wrote: > In the patch, at line 2687 of > http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.6p1-gssk > ex.patch, we have > > @@ -2488,6 +2495,48 @@ do_ssh2_kex(void) > myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( > list_hostkey_types()); > > +#ifdef GSSAPI > + { > + char *orig; > + char *gss = NULL; > + char *newstr = NULL; > + orig = myproposal[PROPOSAL_KEX_ALGS]; <<<=== HERE 1 > + > + /* > + * If we don't have a host key, then there's no point advertising > + * the other key exchange algorithms > + */ > + > + if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) <<<=== HERE 2 > + orig = NULL; > > Note that at the lines marked HERE 1 and HERE 2, orig refers to two > separate things. Is this inconsistency in reference intended? AFAIK yes - it's intended to change the KEX method proposal based on whether any hostkeys are loaded. -d --------- Thanks, Damien. I was trying to debug an issue in this code. Turns out there was a trailing blank in my host key file name. I'll look at ssh-keygen.c and see if I can rectify that. ScottN From scott_n at xypro.com Tue Aug 26 10:05:07 2014 From: scott_n at xypro.com (Scott Neugroschl) Date: Tue, 26 Aug 2014 00:05:07 +0000 Subject: Blanks in filenames generated by ssh-keygen (Was RE: GSSAPI) Message-ID: Scott Neugroschl wrote: >Thanks, Damien. I was trying to debug an issue in this code. Turns out there was a trailing blank in > my host key file name. I'll look at ssh-keygen.c and see if I can rectify that. Is there a particular reason to allow leading/trailing blanks in the key file name? If there is no such reason, then buf should be trimmed in ask_filename(), around line 250 (OpenSSH 6.6p1). ScottN From Karim.Harouat at alcatel-lucent.com Tue Aug 26 16:27:37 2014 
From: Karim.Harouat at alcatel-lucent.com (HAROUAT, KARIM (KARIM))
Date: Tue, 26 Aug 2014 06:27:37 +0000
Subject: Cipher Order in sshd_config
In-Reply-To: 
References: <7D3014B65786B449AE07B3604CC777DA22661594@FR711WXCHMBA02.zeu.alcatel-lucent.com>
Message-ID: <7D3014B65786B449AE07B3604CC777DA226621B9@FR711WXCHMBA02.zeu.alcatel-lucent.com>

Hi Damien

Ok thank you a lot for the answer.

Best Rgds,
Karim HAROUAT

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Monday, 25 August 2014 18:52
To: HAROUAT, KARIM (KARIM)
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Cipher Order in sshd_config

On Wed, 20 Aug 2014, HAROUAT, KARIM (KARIM) wrote:

> Hi
>
> Sorry to disturb you but I am looking for a question I have, but I don't find any clue for it on the archive list, neither Internet (google search).
> I'd like to know in sshd_config file, if the order given for cipher key word has an impact please?
> I mean is there a difference for the server if I do the config like :
> e.g
> Ciphers aes128-ctr,aes256-ctr
> vs
> Ciphers aes256-ctr,aes128-ctr

It matters on the client but not on the server (see RFC4253 section 7.1)
The selected method will be the first on the client's list that appears on
the server's list.

-d

From kevin.brott at gmail.com Wed Aug 27 03:52:29 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 26 Aug 2014 10:52:29 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: 
References: 
Message-ID: 

Good news/Bad News

The test race in RHEL 3.4 seems to be gone ... but another ec.h failure ...

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140827.tar.gz

OS              Build_Target                CC                OpenSSL        BUILD   TEST
==============  ==========================  ================  =============  ======  =================
RHEL 3.4        i386-redhat-linux           gcc 3.2.3-47      1.0.1i**a      OK*1    all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0      gcc 4.2.0-3       0.9.8k         FAIL*1

FAIL*1 missing ec.h in test_sshbuf_getput_crypto

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:20:24: error: openssl/ec.h: No such file or directory
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c: In function 'sshbuf_getput_crypto_tests':
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused variable 'bn_y'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused variable 'bn_x'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:34: warning: unused variable 's'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:33: warning: unused variable 'd'
make: The error code from the last command is 1.
On Mon, Aug 25, 2014 at 4:45 PM, Damien Miller wrote: > On Mon, 25 Aug 2014, Kevin Brott wrote: > > > > ... > > > > > > > *3 --without-pie # otherwise will not load openssl - which doesn't > use > > > PIE > > > > during compile on 64-bit systems > > > > > > We should probably find a way to delay the PIE checks until after we > have > > > most dependency libraries located to catch this. > > > > > > > Per IAN's comment - I tried building openssl on another x64 system > > using ./config > > shared instead of just ./config (builds static library) so that it would > > try to use -fPIC. After installing and creating an > > /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib > > (configure pukes without this - it can't find libssl.so.1.0.0 even with > an > > explicit --with-ssl-dir) ... configure works as advertised without > telling > > it --without-pie, and make test is 'all tests passed'. Perhaps a quick > > check to see if libssl is a static or shared library would be in order > > before asking for a slice of pie? ;p > > Yes, the only impediment to doing it before this release are 1) making it > work cross-platform (simply delaying the PIE checks until after OpenSSL > has been located might be sufficient for this) and 2) not breaking > anything else in the process (unfortunately, delaying the OpenSSL checks > would almost certainly break something) > > > > any clues in regress/failed-*? 
> > > > > > > > Brought that VM back up (admittedly I didn't look too deep at this one - > > was trying to get through the test suite first), looking at those files I > > see this: > > > > # ls -alrt failed-* > > -rw-r--r-- 1 root root 308 Aug 25 09:05 failed-ssh.log > > -rw-r--r-- 1 root root 236 Aug 25 09:05 failed-sshd.log > > -rw-r--r-- 1 root root 89 Aug 25 09:05 > failed-regress.log > > [root at buildhost regress]# cat failed-regress.log > > trace: wait for sshd > > FAIL: ssh connect after login grace timeout failed without privsep > > > > [root at buildhost regress]# cat failed-sshd.log > > trace: wait for sshd > > Received signal 15; terminating. > > debug2: channel 0: rcvd close > > Received disconnect from 127.0.0.1: 11: disconnected by user > > debug1: do_cleanup > > FAIL: ssh connect after login grace timeout failed without privsep > > > > [root at buildhost regress]# cat failed-ssh.log > > trace: wait for sshd > > debug2: ssh_connect: needpriv 0 > > debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242. > > debug1: connect to address 127.0.0.1 port 4242: Connection refused > > ssh: connect to host 127.0.0.1 port 4242: Connection refused > > FAIL: ssh connect after login grace timeout failed without privsep > > > > Need to dig through my email archives - I would swear this is a > > (previously fixed) race in the test suite where it wasn't waiting > properly. > > Yes, this was supposed to "fix" it > > - djm at cvs.openbsd.org 2014/03/13 20:44:49 > [login-timeout.sh] > this test is a sorry mess of race conditions; add another sleep > to avoid a failure on slow machines (at least until I find a > better way) > > Guess I'll have to look for that "better way" soon... > > -d > -- # include /* Kevin Brott */ From djm at mindrot.org Wed Aug 27 04:02:58 2014 
From: djm at mindrot.org (Damien Miller) Date: Wed, 27 Aug 2014 04:02:58 +1000 (EST) Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Tue, 26 Aug 2014, Kevin Brott wrote: > Good news/Bad News > > The test race in RHEL 3.4 seems to be gone ... but another ec.h failure ... > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140827.tar.gz > OS Build_Target CC > OpenSSL BUILD TEST > ============== =========================== ================ > ============= ====== ================= > RHEL 3.4 i386-redhat-linux gcc 3.2.3-47 > 1.0.1i**a OK*1 all tests passed > AIX 5300-12-04 powerpc-ibm-aix5.3.0.0 gcc 4.2.0-3 0.9.8k > FAIL*1 > > regress/unittests/sshbuf/test_sshbuf_getput_crypto.o > regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:20:24: error: > openssl/ec.h: No such file or directory The other good news is that it has made it to unittests :) Index: regress/unittests/sshbuf/test_sshbuf_getput_crypto.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c,v retrieving revision 1.4 diff -u -p -r1.4 test_sshbuf_getput_crypto.c --- regress/unittests/sshbuf/test_sshbuf_getput_crypto.c 11 Jun 2014 19:32:29 -0000 1.4 +++ regress/unittests/sshbuf/test_sshbuf_getput_crypto.c 26 Aug 2014 18:02:30 -0000 @@ -17,8 +17,10 @@ #include #include -#include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" #include "ssherr.h" @@ -32,7 +34,7 @@ sshbuf_getput_crypto_tests(void) struct sshbuf *p1; const u_char *d; size_t s; - BIGNUM *bn, *bn2, *bn_x, *bn_y; + BIGNUM *bn, *bn2; /* This one has num_bits != num_bytes * 8 to test bignum1 encoding */ const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10"; /* This one has MSB set to test bignum2 encoding negative-avoidance */ 
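Review bot: the `#ifdef OPENSSL_HAS_NISTP256` guard around the EC include in the first hunk of test_sshbuf_getput_crypto.c (@@ -17,8) only does its job if that macro is already defined at that point, i.e. if config.h (or includes.h) is pulled in by one of the two includes that precede the guard; the header names are not visible in this copy of the hunk, so the include order should be checked, because if the macro is not yet defined the guard is silently false and the EC cases are skipped even on an OpenSSL that has them. In the second hunk (@@ -32,7) dropping `bn_x` and `bn_y` from the unconditional declaration clears the `unused variable 'bn_x'`/`'bn_y'` warnings from Kevin's AIX log, but `d` and `s` stay unconditional and that log flagged them as unused too, so if they are only referenced inside the EC section the build on 0.9.8k will still warn.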
@@ -47,6 +49,7 @@ sshbuf_getput_crypto_tests(void) 0x7f, 0xff, 0x11 }; #ifdef OPENSSL_HAS_NISTP256 + BIGNUM *bn_x, *bn_y; int ec256_nid = NID_X9_62_prime256v1; char *ec256_x = "0C828004839D0106AA59575216191357" "34B451459DADB586677EF9DF55784999"; Index: regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c,v retrieving revision 1.5 diff -u -p -r1.5 test_sshbuf_getput_fuzz.c --- regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c 11 Jun 2014 19:32:29 -0000 1.5 +++ regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c 26 Aug 2014 18:02:30 -0000 @@ -17,8 +17,10 @@ #include #include -#include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" #include "ssherr.h" Index: regress/unittests/sshkey/common.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshkey/common.c,v retrieving revision 1.2 diff -u -p -r1.2 common.c --- regress/unittests/sshkey/common.c 20 Jul 2014 20:30:26 -0000 1.2 +++ regress/unittests/sshkey/common.c 26 Aug 2014 18:02:30 -0000 @@ -20,10 +20,12 @@ #include #include -#include #include #include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" Index: regress/unittests/sshkey/test_file.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_file.c,v retrieving revision 1.3 diff -u -p -r1.3 test_file.c --- regress/unittests/sshkey/test_file.c 22 Jul 2014 18:27:51 -0000 1.3 +++ regress/unittests/sshkey/test_file.c 26 Aug 2014 18:02:31 -0000 
@@ -20,10 +20,12 @@ #include #include -#include #include #include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" Index: regress/unittests/sshkey/test_fuzz.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_fuzz.c,v retrieving revision 1.3 diff -u -p -r1.3 test_fuzz.c --- regress/unittests/sshkey/test_fuzz.c 22 Jul 2014 18:27:51 -0000 1.3 +++ regress/unittests/sshkey/test_fuzz.c 26 Aug 2014 18:02:31 -0000 @@ -20,10 +20,12 @@ #include #include -#include #include #include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" Index: regress/unittests/sshkey/test_sshkey.c =================================================================== RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_sshkey.c,v retrieving revision 1.3 diff -u -p -r1.3 test_sshkey.c --- regress/unittests/sshkey/test_sshkey.c 22 Jul 2014 18:27:51 -0000 1.3 +++ regress/unittests/sshkey/test_sshkey.c 26 Aug 2014 18:02:31 -0000 @@ -17,9 +17,11 @@ #include #include -#include #include #include +#ifdef OPENSSL_HAS_NISTP256 +# include +#endif #include "../test_helper/test_helper.h" From kevin.brott at gmail.com Wed Aug 27 04:26:04 2014 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 26 Aug 2014 11:26:04 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: On Tue, Aug 26, 2014 at 11:02 AM, Damien Miller wrote: > The other good news is that it has made it to unittests :) > > Indeed ... patch applied - and everything builds (yay!) - waiting on test suite to complete. Will go test on the RHEL 5 VM's and see how the 1.0.0-fipsmsystems fare. full report later today. From kevin.brott at gmail.com Wed Aug 27 09:40:52 2014 
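Review bot: the new `#ifdef OPENSSL_HAS_NISTP256` guard in each of the six files only does its job if config.h (normally pulled in via "includes.h") is already visible above the guarded block; the context shown before the guard is only system includes, so confirm that ordering. If the macro is not yet defined at that point the guard silently compiles out <openssl/ec.h> even on an OpenSSL that has EC support, and in test_sshbuf_getput_crypto.c the ec256 cases (now declared under the same guard together with `BIGNUM *bn_x, *bn_y;`) would be skipped rather than fail, which is hard to notice from a green test run. Moving `bn_x`/`bn_y` under the guard is otherwise correct, since they are used only by the EC tests, and it avoids an unused-variable warning on 0.9.8k-style builds without NIST P-256.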
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 26 Aug 2014 16:40:52 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

So results of testing ...

Conditional caveats:

1) current snapshot will not build against native openssl on any system
   with openssl version <0.9.8f (i.e. RHEL <=6.4) ... requiring alternate
   openssl installs.
2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
   cleanly as static libssl.a, and the current patched snapshot builds and
   tests to completion against it just fine
3) openssl 1.0.1i on RHEL 5-6 can be built either as static or shared on
   i386/i686 systems and the current patched snapshot builds and tests to
   completion against it
4) openssl 1.0.1i on RHEL 5-6 on x86_64 systems -
   a) if built as static - must pass --without-pie to ./configure for the
      openssh snapshot to find working libraries - all tests pass
   b) if built as shared - all tests pass with just ./configure && make tests

On all other systems tested (Debian 7.6, AIX 6100-07, 7011-03/HP-UX
11.23/11.31) the current patched snapshot builds and tests to completion
with one exception:

AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16 0.9.8k FAIL

xlc_r -g -I. -I. -I/var/tmp/ssh/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c roaming_client.c -o roaming_client.o
"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name va_copy has been redefined.
"/usr/include/stdarg.h", line 89.9: 1506-358 (I) "va_copy" is defined on line 829 of defines.h.
xlc_r -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -L/var/tmp/ssh/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make: 1254-004 The error code from the last command is 8.

Mind you - AIX 5300-XX is deprecated, and this is an *old* version of the
IBM compiler ... but several earlier versions of openssh have built on this
system without issue.

On Tue, Aug 26, 2014 at 11:26 AM, Kevin Brott wrote:
>
> On Tue, Aug 26, 2014 at 11:02 AM, Damien Miller wrote:
>
>> The other good news is that it has made it to unittests :)
>>
> Indeed ... patch applied - and everything builds (yay!) - waiting on test
> suite to complete. Will go test on the RHEL 5 VM's and see how the
> 1.0.0-fipsmsystems fare. full report later today.

-- 
# include
/* Kevin Brott */

From djm at mindrot.org Wed Aug 27 10:28:31 2014
From: djm at mindrot.org (Damien Miller)
Date: Wed, 27 Aug 2014 10:28:31 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

On Tue, 26 Aug 2014, Kevin Brott wrote:

> So results of testing ...
>
> Conditional caveats:
> 1) current snapshot will not build against native openssl on any system
> with openssl version <0.9.8f (i.e RHEL <=6.4) ... requiring alternate
> openssl installs .

What OpenSSL does RHEL 6.4 use?

> 2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
> cleanly static libssl.a
> and the current patched snapshot builds and tests to completion
> against it just fine

What goes wrong when building against a shared OpenSSL here?

I'll see if I can get some CentOS VMs up to take a closer look later.

> *AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16
> 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
...
> roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name
> va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358 (I)
> "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o

It looks like configure has failed to detect va_copy and is trying to
supply a surrogate. There might be some clues as to what went wrong
if you search for "va_copy"

Thanks,
Damien

From kevin.brott at gmail.com Wed Aug 27 10:39:23 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 26 Aug 2014 17:39:23 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

On Tue, Aug 26, 2014 at 5:28 PM, Damien Miller wrote:

> On Tue, 26 Aug 2014, Kevin Brott wrote:
>
> > So results of testing ...
> >
> > Conditional caveats:
> > 1) current snapshot will not build against native openssl on any system
> > with openssl version <0.9.8f (i.e RHEL <=6.4) ... requiring alternate
> > openssl installs .
>
> What OpenSSL does RHEL 6.4 use?

My bad here - that should say RHEL 5.10, as everything from there down uses
0.9.8e or lower. It's what I get for a last-thing-before-I-leave post.
RHEL 6.0-6.4 use 1.0.0-fips which was plagued by the ec.h issue (fixed).

> > 2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
> > cleanly static libssl.a
> > and the current patched snapshot builds and tests to completion
> > against it just fine
>
> What goes wrong with when building against a shared OpenSSL here?

This I think is a gcc issue - I can't get openssl 1.0.1i to build cleanly
as shared on anything lower than gcc 4.x

> I'll see if I can get some CentOS VMs up to take a closer look later.
>
> > *AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16
> > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> ...
> > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name
> > va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358 (I)
> > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o
>
> It looks like configure has failed to detect va_copy and is trying to
> supply a surrogate. There might be some clues as to what went wrong
> if you search for "va_copy"

I'll dig into this in the morning.

-- 
# include
/* Kevin Brott */

From djm at mindrot.org Wed Aug 27 16:37:05 2014
From: djm at mindrot.org (Damien Miller)
Date: Wed, 27 Aug 2014 16:37:05 +1000 (EST)
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

On Tue, 26 Aug 2014, Kevin Brott wrote:

> > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> ...
> > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name
> > va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358 (I)
> > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o
>
> It looks like configure has failed to detect va_copy and is trying to
> supply a surrogate. There might be some clues as to what went wrong
> if you search for "va_copy"

I meant to say: search config.log for "va_copy"

-d

From vinschen at redhat.com Wed Aug 27 21:21:35 2014
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 27 Aug 2014 13:21:35 +0200
Subject: pty_setowner and tty permissions
Message-ID: <20140827112135.GI20700@calimero.vinschen.de>

Hi,

while looking into Cygwin's tty code, I stumbled over this problem:

Every time you log in to Cygwin via sshd, the pty's permissions are
set like this:

  $ ls -l `tty`
  crw--w--w- 1 user group 136, 2 Aug 27 13:06 /dev/pty2

Since Cygwin sets the permissions more tightly to begin with, I was
wondering why the permissions are this open. Turns out, sshd sets
them like this:

  /* Determine the group to make the owner of the tty. */
  grp = getgrnam("tty");
  if (grp) {
          gid = grp->gr_gid;
          mode = S_IRUSR | S_IWUSR | S_IWGRP;
  } else {
          gid = pw->pw_gid;
          mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
  }

On Windows no group called "tty" exists, so sshd always sets the
permissions to 0622 on Cygwin.

My question is, isn't that a security problem? Shouldn't the
permissions be set to 0600 if a "tty" group doesn't exist, otherwise
everyone can write to the user's tty? What am I missing?

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:

From djm at mindrot.org Thu Aug 28 03:27:58 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 28 Aug 2014 03:27:58 +1000 (EST)
Subject: pty_setowner and tty permissions
In-Reply-To: <20140827112135.GI20700@calimero.vinschen.de>
References: <20140827112135.GI20700@calimero.vinschen.de>
Message-ID:

On Wed, 27 Aug 2014, Corinna Vinschen wrote:

> Hi,
>
>
> while looking into Cygwin's tty code, I stumbled over this problem:
>
> Every time you log in to Cygwin via sshd, the pty's permissions are
> set like this:
>
> $ ls -l `tty`
> crw--w--w- 1 user group 136, 2 Aug 27 13:06 /dev/pty2
>
> Since Cygwin sets the permissions more tight to begin with, I was
> wondering why the permissions are this open. Turns out, sshd sets
> them like this:
>
> /* Determine the group to make the owner of the tty. */
> grp = getgrnam("tty");
> if (grp) {
> gid = grp->gr_gid;
> mode = S_IRUSR | S_IWUSR | S_IWGRP;
> } else {
> gid = pw->pw_gid;
> mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
> }
>
> On Windows no group called "tty" exists, so sshd always sets the
> permissions to 0622 on Cygwin.
>
> My question is, isn't that a security problem? Shouldn't the
> permissions set to 0600 if a "tty" group doesn't exist, otherwise
> everyone can write to the user's tty? What am I missing?

I think the intention was to allow tools like wall(1) and write(1)
to function on systems without a "tty" group, but IMO it's better
to let the admin decide that.

-d

From vinschen at redhat.com Thu Aug 28 06:42:33 2014
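The tty-mode policy quoted above from sshpty.c, and the 0600 alternative Corinna asks about, as an added example that is not part of this thread or of OpenSSH's own code: it models both policies side by side and adds a check-and-tighten routine of the kind an admin could run from a login hook to catch ptys left world-writable on a host without a "tty" group. All function names are my own, and the self-check runs on a constructed scratch file under /tmp rather than a real pty (an assumption: /tmp is writable by the caller).

```c
/*
 * Added example, not OpenSSH code. Models the tty-mode policy from the
 * pty_setowner() snippet quoted in this thread and provides a check that
 * an admin (or a login hook) can run to find ptys left world-writable
 * because the host has no "tty" group. Function names are my own.
 */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Mode sshd currently assigns, per the quoted snippet: 0620 with a "tty" group, 0622 without. */
mode_t sshd_tty_mode(int have_tty_group)
{
	if (have_tty_group)
		return S_IRUSR | S_IWUSR | S_IWGRP;		/* 0620 */
	return S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;		/* 0622 */
}

/* Tightened policy: group write is handed out only when a dedicated "tty" group exists. */
mode_t hardened_tty_mode(int have_tty_group)
{
	if (have_tty_group)
		return S_IRUSR | S_IWUSR | S_IWGRP;		/* 0620 */
	return S_IRUSR | S_IWUSR;				/* 0600 */
}

/* 1 if "other" may write to path, 0 if not, -1 if path cannot be stat'ed. */
int tty_world_writable(const char *path)
{
	struct stat st;

	if (stat(path, &st) == -1)
		return -1;
	return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/*
 * Re-apply the hardened policy to path. Group write survives only where a
 * "tty" group exists, so write(1)/wall(1) keep working on hosts whose admin
 * provided that group. Returns 0 on success, -1 on error (errno set).
 */
int tighten_tty(const char *path)
{
	int have_tty_group = getgrnam("tty") != NULL;

	return chmod(path, hardened_tty_mode(have_tty_group));
}

/*
 * Self-check on a constructed scratch file (not a real pty): start it at
 * 0622, the mode sshd uses without a "tty" group, and confirm that
 * tighten_tty() clears the world-write bit. Returns 1 if behaviour matches.
 */
int demo_on_scratch_file(void)
{
	char path[] = "/tmp/ttymode-demo-XXXXXX";	/* scratch file, an assumption */
	int fd, ok = 0;

	if ((fd = mkstemp(path)) == -1)
		return 0;
	if (fchmod(fd, sshd_tty_mode(0)) == 0 &&
	    tty_world_writable(path) == 1 &&
	    tighten_tty(path) == 0 &&
	    tty_world_writable(path) == 0)
		ok = 1;
	close(fd);
	unlink(path);
	return ok;
}

/* Stand-alone use: inspect (and tighten) the tty on stdin, or the path given. */
int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : ttyname(STDIN_FILENO);
	int ww;

	if (path == NULL) {
		fprintf(stderr, "usage: %s [/dev/pts/N]\n", argv[0]);
		return 1;
	}
	if ((ww = tty_world_writable(path)) == -1) {
		perror(path);
		return 1;
	}
	printf("%s: %sworld-writable, \"tty\" group %s\n", path,
	    ww ? "" : "not ", getgrnam("tty") ? "present" : "absent");
	if (ww && tighten_tty(path) == -1)
		perror("chmod");
	return 0;
}
```

Run it with no arguments to inspect the calling tty, or pass a /dev/pts path; changing the mode of another user's pty needs root. Clearing S_IWGRP on a host that does have a "tty" group would break write(1)/wall(1), which is why tighten_tty() keeps group write in that case and drops it only when the fallback group would be the user's primary group.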
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 27 Aug 2014 22:42:33 +0200
Subject: pty_setowner and tty permissions
In-Reply-To:
References: <20140827112135.GI20700@calimero.vinschen.de>
Message-ID: <20140827204233.GA1889@calimero.vinschen.de>

On Aug 28 03:27, Damien Miller wrote:
> On Wed, 27 Aug 2014, Corinna Vinschen wrote:
>
> > Hi,
> >
> >
> > while looking into Cygwin's tty code, I stumbled over this problem:
> >
> > Every time you log in to Cygwin via sshd, the pty's permissions are
> > set like this:
> >
> > $ ls -l `tty`
> > crw--w--w- 1 user group 136, 2 Aug 27 13:06 /dev/pty2
> >
> > Since Cygwin sets the permissions more tight to begin with, I was
> > wondering why the permissions are this open. Turns out, sshd sets
> > them like this:
> >
> > /* Determine the group to make the owner of the tty. */
> > grp = getgrnam("tty");
> > if (grp) {
> > gid = grp->gr_gid;
> > mode = S_IRUSR | S_IWUSR | S_IWGRP;
> > } else {
> > gid = pw->pw_gid;
> > mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
> > }
> >
> > On Windows no group called "tty" exists, so sshd always sets the
> > permissions to 0622 on Cygwin.
> >
> > My question is, isn't that a security problem? Shouldn't the
> > permissions set to 0600 if a "tty" group doesn't exist, otherwise
> > everyone can write to the user's tty? What am I missing?
>
> I think the intention was to allow tools like wall(1) and write(1)
> to function on systems without a "tty" group, but IMO it's better
> to let the admin decide that.

What does that mean for the existing code? How can we empower the admin
to decide it? The current code only lets the admin decide to invent a
"tty" group to get tighter permissions, but that won't work in
environments with account naming rules. Even worse, since that
dependency on the "tty" group name is hidden in source code, it's not
clear to admins how to handle this scenario.
Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From djm at mindrot.org Thu Aug 28 07:07:39 2014 From: djm at mindrot.org (Damien Miller) Date: Thu, 28 Aug 2014 07:07:39 +1000 (EST) Subject: pty_setowner and tty permissions In-Reply-To: <20140827204233.GA1889@calimero.vinschen.de> References: <20140827112135.GI20700@calimero.vinschen.de> <20140827204233.GA1889@calimero.vinschen.de> Message-ID: On Wed, 27 Aug 2014, Corinna Vinschen wrote: > > I think the intention was to allow tools like wall(1) and write(1) > > to function on systems without a "tty" group, but IMO it's better > > to let the admin decide that. > > What does that mean for the existing code? How can we empower the admin > to decide it? The current code only lets the admin decide to invent a > "tty" group to get tighter permissions, but that won't work in > environments with account naming rules. Even worse, since that > dependency on the "tty" group name is hidden in source code, it's not > clear to admins how to handle this scenario. by deleting the code that alters the tty mode based on the presence of the group and letting them either a) add it themselves or b) arrange for the tty permissions to be changed as part of the login process. Many systems do (b) already for a bunch of stuff in /dev so it isn't irrational. Index: sshpty.c =================================================================== RCS file: /var/cvs/openssh/sshpty.c,v retrieving revision 1.47 diff -u -p -r1.47 sshpty.c --- sshpty.c 21 May 2014 07:06:47 -0000 1.47 +++ sshpty.c 27 Aug 2014 21:07:22 -0000 
@@ -191,18 +191,12 @@ pty_setowner(struct passwd *pw, const ch { struct group *grp; gid_t gid; - mode_t mode; + mode_t mode = S_IRUSR | S_IWUSR | S_IWGRP; struct stat st; /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); - if (grp) { - gid = grp->gr_gid; - mode = S_IRUSR | S_IWUSR | S_IWGRP; - } else { - gid = pw->pw_gid; - mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH; - } + gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; /* * Change owner and mode of the tty as required. From vinschen at redhat.com Thu Aug 28 07:41:56 2014 
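Review bot: with `mode` now fixed at `S_IRUSR | S_IWUSR | S_IWGRP` and `gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;`, a host without a "tty" group ends up with the pty group-writable by the user's primary group; where that is a shared group such as "users" (the Windows "Domain Users" case Corinna raises next) this is only marginally tighter than the 0622 it replaces. Consider dropping S_IWGRP in the no-group branch, e.g. `mode = (grp != NULL) ? (S_IRUSR | S_IWUSR | S_IWGRP) : (S_IRUSR | S_IWUSR);`, and either way spell out the behaviour change for write(1)/wall(1) on "tty"-less systems in the commit message, since nothing in the hunk documents why world write was removed.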
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 27 Aug 2014 23:41:56 +0200
Subject: pty_setowner and tty permissions
In-Reply-To:
References: <20140827112135.GI20700@calimero.vinschen.de> <20140827204233.GA1889@calimero.vinschen.de>
Message-ID: <20140827214156.GA3072@calimero.vinschen.de>

On Aug 28 07:07, Damien Miller wrote:
> On Wed, 27 Aug 2014, Corinna Vinschen wrote:
>
> > > I think the intention was to allow tools like wall(1) and write(1)
> > > to function on systems without a "tty" group, but IMO it's better
> > > to let the admin decide that.
> >
> > What does that mean for the existing code? How can we empower the admin
> > to decide it? The current code only lets the admin decide to invent a
> > "tty" group to get tighter permissions, but that won't work in
> > environments with account naming rules. Even worse, since that
> > dependency on the "tty" group name is hidden in source code, it's not
> > clear to admins how to handle this scenario.
>
> by deleting the code that alters the tty mode based on the presence
> of the group and letting them either a) add it themselves or b) arrange
> for the tty permissions to be changed as part of the login process.
>
> Many systems do (b) already for a bunch of stuff in /dev so it isn't
> irrational.

Your code change makes sense to me, albeit I'm wondering if the default
permission on "tty"-less systems shouldn't be 0600. Consider that the
default group for users is often something along the lines of the "users"
group. On Windows it's the "Domain Users" group, or its local machine
equivalent. In most environments that means that *all* users will be
allowed to write to your tty since it's rather uncommon to change the
primary group on Windows.

Apart from that I'm probably a bit dense but I'm puzzled about your
points a and b:

a) Add what themselves? A "tty" group? If the system doesn't provide
   one by default, there's probably not much sense to add it.

b) How would an admin be able to influence the tty permissions as part
   of the login process? If sshd starts the user shell, where is the
   point the admin can intervene?

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:

From kevin.brott at gmail.com Thu Aug 28 10:03:30 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Wed, 27 Aug 2014 17:03:30 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

Must have bolluxed something up in the compile environment - that or
http://www.mindrot.org/openssh_snap/openssh-SNAP-20140828.tar.gz had a
configure tweak that fixed it. All systems tested now build and pass all
tests.

That said - the stupid race condition in that one test is cropping up
sporadically still - I think it's related to the load (or lack thereof) on
the VM host.

With, of course, the caveat that any system with a native openssl <
0.9.8f will not compile OOTB. A supplemental openssl needs to be installed
that meets the version requirements, and then ./configure needs a
--with-ssl-dir= directive that points to it.

On Tue, Aug 26, 2014 at 11:37 PM, Damien Miller wrote:

> On Tue, 26 Aug 2014, Kevin Brott wrote:
>
> > > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> > ...
> > > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236
> > (W) Macro name
> > > va_copy has been redefined."/usr/include/stdarg.h", line 89.9:
> > 1506-358 (I)
> > > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh
> > ssh.o
> >
> > It looks like configure has failed to detect va_copy and is
> > trying to
> > supply a surrogate. There might be some clues as to what went
> > wrong
> > if you search for "va_copy"
>
> I meant to say: search config.log for "va_copy"
>
> -d
>

-- 
# include
/* Kevin Brott */

From kevin.brott at gmail.com Thu Aug 28 10:51:25 2014
From: kevin.brott at gmail.com (Kevin Brott)
Date: Wed, 27 Aug 2014 17:51:25 -0700
Subject: Call for testing: OpenSSH 6.7
In-Reply-To: References: Message-ID:

Tangentially related - the openssl quirks have me intrigued, so I'm going
to dive deeper into what's really required vs the quick hacks I did to get
the snapshots to build and pass tests.

Assuming I can find the time tomorrow, I plan on sitting down and figuring
out exactly what the openssl build requirements really are, but briefly on
the hosts I'm using this is what I've seen:

a) gcc < 4.x.x - openssl 1.0.1i will not build as shared
b) gcc >= 4.x.x - openssl 1.0.1i will build either as dynamic or static
c) on i386 systems - openssh 6.7 will build against static or dynamic
   libssl with no issues
d) on x86_64 systems - openssh 6.7 will build against static libssl only
   using --without-pie, otherwise libssl must be dynamic

I'm going to look at the current (and minimal) versions of the openssl
0.9.8, 1.0.0, and 1.0.1 series and see if I can figure out where the break
point is on static vs shared libraries (because I'm curious and I've not
looked into this before). And there's always the hope someone else will
benefit.

On Wed, Aug 27, 2014 at 5:03 PM, Kevin Brott wrote:

>
> Must have bolluxed something up in the compile environment - that or
> http://www.mindrot.org/openssh_snap/openssh-SNAP-20140828.tar.gz had a
> configure tweak that fixed it. All systems tested now build and pass all
> tests.
>
> That said - the stupid race condition in that one test is cropping up
> sporadically still - I think it's related to the load (or lack thereof) on
> the VM host.
>
> With, of course, the caveat that any system with a native openssl <
> 0.9.8.f will not compile OOTB. A supplemental openssl needs to be installed
> that meets the version requirements, and then ./configure needs a
> --with-ssl-dir= directive that points to it.
>
>
>
> On Tue, Aug 26, 2014 at 11:37 PM, Damien Miller wrote:
>
>> On Tue, 26 Aug 2014, Kevin Brott wrote:
>>
>> > > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
>> > ...
>> > > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236
>> > (W) Macro name
>> > > va_copy has been redefined."/usr/include/stdarg.h", line 89.9:
>> > 1506-358 (I)
>> > > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh
>> > ssh.o
>> >
>> > It looks like configure has failed to detect va_copy and is
>> > trying to
>> > supply a surrogate. There might be some clues as to what went
>> > wrong
>> > if you search for "va_copy"
>>
>> I meant to say: search config.log for "va_copy"
>>
>> -d
>>
>
>
>
> --
> # include
> /* Kevin Brott */
>
>

-- 
# include
/* Kevin Brott */

From anonymous at hoi-polloi.org Fri Aug 29 02:20:29 2014
From: anonymous at hoi-polloi.org (Anonymous)
Date: Thu, 28 Aug 2014 18:20:29 +0200
Subject: SSH completely locks up if you have a NOT PERFECT con
Message-ID:

This is an SSH BUG !

The problem is programmers who say things like this: "disconnection is
the responsibility of the TCP stack" or "TCP layer 1 should take care of
that". TCP will close and SSH doesn't seem to notice, I am really tired
of it getting stuck. I kill it and immediately re-connect and all is OK,
so how did TCP save me? IT DOESN'T - layer 1 2 3 4 5 whatever failed
because YOU didn't do your part!

Programmers: App level stuff knows when to time out not TCP, so you need
to send a RST to the TCP stack so it will try to re-establish the
connection or something!!! A few missing packets and you are screwed!

I AM REALLY TIRED OF BAD PROGRAMMING assuming that some other layer is
going to do everything for you. It's not a perfect connection world.

From mancha1 at zoho.com Sat Aug 30 03:56:50 2014
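The failure mode described in the message above, a session that stays stuck after the underlying TCP connection has silently died, is what OpenSSH's keepalive options handle at the application layer: the client sends a probe through the encrypted channel and drops the session after a fixed number of unanswered probes, rather than waiting for the kernel's TCP keepalive timer. This is an added example, not part of the message above or of any OpenSSH default configuration; the option names are the real ssh_config(5)/sshd_config(5) keywords, while the interval and count values are illustrative choices.

```sshconfig
# ~/.ssh/config (client side)
Host *
    # Send a server-alive request through the encrypted channel after
    # 15 s without traffic ...
    ServerAliveInterval 15
    # ... and terminate the session after 3 unanswered requests (45 s),
    # instead of hanging until the kernel gives up on the dead TCP peer.
    ServerAliveCountMax 3
    # Kernel TCP keepalives are on by default; they are cheap but
    # unauthenticated, and they only fire after the OS keepalive timer,
    # which is typically hours, so they do not replace the two above.
    TCPKeepAlive yes

# /etc/ssh/sshd_config (server side): the same mechanism in the other
# direction, so an sshd does not keep dead sessions (and their port
# forwards and agent sockets) open indefinitely.
ClientAliveInterval 30
ClientAliveCountMax 3
```

ServerAliveInterval and ClientAliveInterval default to 0, which disables the probes entirely, so a stock installation really does behave as the message above complains; enabling them is the fix on the ssh side, and a "write failed: Broken pipe" or "Timeout, server not responding" exit is the expected result once the peer is unreachable.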
From: mancha1 at zoho.com (mancha) Date: Fri, 29 Aug 2014 17:56:50 +0000 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: <20140829175650.GA19237@zoho.com> On Mon, Aug 18, 2014 at 11:23:41AM +1000, Damien Miller wrote: > > OpenSSH 6.7 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a big release > containing a number of features, a lot of internal refactoring and some > potentially-incompatible changes. No problems with regression tests with snapshot-20140830 on Slackware 14.1. --mancha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From vinschen at redhat.com Sat Aug 30 07:25:07 2014 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 29 Aug 2014 23:25:07 +0200 Subject: [patch/cygwin]: Remove setting extra permissions on system directories Message-ID: <20140829212507.GA5854@calimero.vinschen.de> Hi, please consider the below patch for OpenSSH 6.7. A fix in POSIX ACL handling in Cygwin turned up this rather old code in the ssh-host-config script. It opens the permissions for some directories, especially /var/empty, for the "system" user for no good reason. This results in sshd refusing to start because the permissions on /var/empty are too open. The below patch fixes that by dropping the code adding an ACL entry for the "system" user. Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.35 diff -u -p -r1.35 ssh-host-config --- contrib/cygwin/ssh-host-config 27 May 2014 04:31:59 -0000 1.35 +++ contrib/cygwin/ssh-host-config 29 Aug 2014 21:24:02 -0000 
@@ -37,7 +37,6 @@ declare -a csih_required_commands=( /usr/bin/mkpasswd cygwin /usr/bin/mount cygwin /usr/bin/ps cygwin - /usr/bin/setfacl cygwin /usr/bin/umount cygwin /usr/bin/cmp diffutils /usr/bin/grep grep @@ -658,11 +657,6 @@ then csih_warning "Can't set permissions on ${SYSCONFDIR}!" let ++warning_cnt fi -if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" - let ++warning_cnt -fi # Check for /var/log directory csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." @@ -671,11 +665,6 @@ then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" let ++warning_cnt fi -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" - let ++warning_cnt -fi # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] @@ -699,11 +688,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" " if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" - let ++warning_cnt -fi -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" let ++warning_cnt fi -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From vinschen at redhat.com Sat Aug 30 07:36:10 2014 
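Review bot: removing `/usr/bin/setfacl cygwin` from csih_required_commands is only safe if the three `setfacl -m u:system:rwx` calls deleted below were the last uses of setfacl in ssh-host-config; a grep before committing would confirm it. Note also that the hunk keeps `chmod 775` on ${SYSCONFDIR} and ${LOCALSTATEDIR}/log, so those directories stay group-writable and only the extra "system" ACL entry goes away; for the reported symptom (sshd refusing to start because /var/empty is too open) the relevant part is the ${LOCALSTATEDIR}/empty block, where the `chmod 755` is retained and only the setfacl entry is dropped, which is the right split.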
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 29 Aug 2014 23:36:10 +0200 Subject: [patch/cygwin]: Remove setting extra permissions on system directories In-Reply-To: <20140829212507.GA5854@calimero.vinschen.de> References: <20140829212507.GA5854@calimero.vinschen.de> Message-ID: <20140829213610.GA6202@calimero.vinschen.de> On Aug 29 23:25, Corinna Vinschen wrote: > Hi, > > please consider the below patch for OpenSSH 6.7. A fix in POSIX ACL > handling in Cygwin turned up this rather old code in the ssh-host-config > script. It opens the permissions for some directories, especially > /var/empty, for the "system" user for no good reason. > > This results in sshd refusing to start because the permissions on > /var/empty are too open. > > The below patch fixes that by dropping the code adding an ACL entry > for the "system" user. Actually, please disregard the previous patch and use the below one. The script really shows its age. It tries to create directories which for a long time now have been installed with correct permissions by the base installation already. The only directory the script really has to care for is /var/empty. New patch below. Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.35 diff -u -p -r1.35 ssh-host-config --- contrib/cygwin/ssh-host-config 27 May 2014 04:31:59 -0000 1.35 +++ contrib/cygwin/ssh-host-config 29 Aug 2014 21:34:00 -0000 @@ -37,7 +37,6 @@ declare -a csih_required_commands=( /usr/bin/mkpasswd cygwin /usr/bin/mount cygwin /usr/bin/ps cygwin - /usr/bin/setfacl cygwin /usr/bin/umount cygwin /usr/bin/cmp diffutils /usr/bin/grep grep 
@@ -651,32 +650,6 @@ echo warning_cnt=0 -# Check for ${SYSCONFDIR} directory -csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." -if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 -then - csih_warning "Can't set permissions on ${SYSCONFDIR}!" - let ++warning_cnt -fi -if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" - let ++warning_cnt -fi - -# Check for /var/log directory -csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." -if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 -then - csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" - let ++warning_cnt -fi -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" - let ++warning_cnt -fi - # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] then @@ -699,11 +672,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" " if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" - let ++warning_cnt -fi -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 -then - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" let ++warning_cnt fi -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From kevin.brott at gmail.com Sat Aug 30 07:56:50 2014 
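Review bot: this version removes the creation of ${SYSCONFDIR} and ${LOCALSTATEDIR}/log outright but keeps the following block that creates ${LOCALSTATEDIR}/log/lastlog, so on an installation where /var/log is missing the script now fails at the lastlog step with a less helpful message than the old "Cannot create log directory."; either keep a bare `csih_make_dir "${LOCALSTATEDIR}/log" ...` (without the chmod/setfacl that followed it) or have the lastlog block check for the directory first. The ${LOCALSTATEDIR}/empty part is unchanged from the first version of the patch: `chmod 755` stays and only the `setfacl -m u:system:rwx` entry goes, which is what the sshd strict-mode check cares about.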
From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 29 Aug 2014 14:56:50 -0700 Subject: Call for testing: OpenSSH 6.7 In-Reply-To: References: Message-ID: Mea Culpa. So ... I did some hard digging, and *part* of my problem was a pair of missing steps in my test build methodology. Here's what I've found ... On Centos 2.1 ... openssl build status ... all revs of 0.9.[6-7] arefine for static/shared library builds. Shared builds are broken in all versions from 0.9.8 upwards, while static builds are fine. CentOS 2.1AS i386 gcc-2.96-128.7.2 binutils-2.11.90.0.8-12.4 0.9.6* STATIC = OK[D] / SHARED = OK 0.9.7* STATIC = OK[D] / SHARED = OK 0.9.8* STATIC = OK[D] / SHARED = FAIL :: test BN_sqr make[1]: *** [test_bn] Error 139 1.0.* STATIC = OK[D] / SHARED = FAIL :: output word alignment test 0 1 2 3 make[1]: *** [test_des] Segmentation fault On RHEL 3.x - 5.10 - all tested versions of openssl from 0.9.6 to 1.0.1i build and pass all tests as static or shared - without issue in a clean environment (specifically nothing already in /usr/local/ssl - and no C*FLAGS variables set with *facepalm* forgotten wonky settings from previous debug builds of other packages). As a result ... the current snapshot openssh-SNAP-20140830.tar.gz builds and passes all tests in all versions of where the native openssl is insufficient. But only when a version of openssl >= 0.9.8f is installed (in /usr/local/ssl or whereever you put non-OS libs) and ld.so.conf(.d./openssl.conf - depending on OS version) is updated and ldconfig run before starting configure (<- my bad here). The holdouts for working shared openssl is RH <=2.x - on these systems the library must be static unless someone figures out where the builds are broken. On Wed, Aug 27, 2014 at 5:51 PM, Kevin Brott wrote: > > Tangentially related - the openssl quirks have me intrigued, so I'm going > to dive deeper into what's really required vs the quick hacks I did to get > the snapshots to build and pass tests. 
>
> Assuming I can find the time tomorrow, I plan on sitting down and figuring
> out exactly what the openssl build requirements really are, but briefly on
> the hosts I'm using this is what I've seen:
>
> a) gcc < 4.x.x - openssl 1.0.1i will not build as shared
> b) gcc >= 4.x.x - openssl 1.0.1i will build either as dynamic or static
> c) on i386 systems - openssh 6.7 will build against static or dynamic
> libssl with no issues
> d) on x86_64 systems - openssh 6.7 will build against static libssl only
> using --without-pie, otherwise libssl must be dynamic
>
> I'm going to look at the current (and minimal) versions of the openssl
> 0.9.8, 1.0.0, and 1.0.1 series and see if I can figure out where the break
> point is on static vs shared libraries (because I'm curious and I've not
> looked into this before). And there's always the hope someone else will
> benefit.
>
>
> On Wed, Aug 27, 2014 at 5:03 PM, Kevin Brott wrote:
>
>>
>> Must have bolluxed something up in the compile environment - that or
>> http://www.mindrot.org/openssh_snap/openssh-SNAP-20140828.tar.gz had a
>> configure tweak that fixed it. All systems tested now build and pass all
>> tests.
>>
>> That said - the stupid race condition in that one test is cropping up
>> sporadically still - I think it's related to the load (or lack thereof) on
>> the VM host.
>>
>> With, of course, the caveat that any system with a native openssl <
>> 0.9.8f will not compile OOTB. A supplemental openssl needs to be installed
>> that meets the version requirements, and then ./configure needs a
>> --with-ssl-dir= directive that points to it.
>>
>>
>> On Tue, Aug 26, 2014 at 11:37 PM, Damien Miller wrote:
>>
>>> On Tue, 26 Aug 2014, Kevin Brott wrote:
>>>
>>> > > 0.9.8k FAIL
>>> > > xlc_r -g -I. -I. -I/var/tmp/ssh/include
>>> > ...
>>> > > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236
>>> > (W) Macro name
>>> > > va_copy has been redefined."/usr/include/stdarg.h", line 89.9:
>>> > 1506-358 (I)
>>> > > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh
>>> > ssh.o
>>> >
>>> > It looks like configure has failed to detect va_copy and is
>>> > trying to
>>> > supply a surrogate. There might be some clues as to what went
>>> > wrong
>>> > if you search for "va_copy"
>>>
>>> I meant to say: search config.log for "va_copy"
>>>
>>> -d
>>>
>>
>> --
>> # include
>> /* Kevin Brott */
>>
>
> --
> # include
> /* Kevin Brott */
>

--
# include
/* Kevin Brott */

From aris at 0xbadc0de.be Sun Aug 31 04:46:11 2014
From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Sat, 30 Aug 2014 20:46:11 +0200
Subject: SSH completely locks up if you have a NOT PERFECT con
In-Reply-To:
References:
Message-ID: <54021BF3.8090107@0xbadc0de.be>

Network session stability is the responsibility of layer 4 - that's why these things are split in layers, so you don't have to reimplement all functionalities (badly) on every layer. Read about OSI layers.

OpenSSH does not implement the TCP stack and the magical settings you ask for are not provided by the OS. Forward your bug to Linux, FreeBSD, Microsoft or to the dev team of whatever OS you didn't even bother to mention.

Or use mosh, which is designed to continue working even when changing IP addresses.

I would change my tone if you expect more than a patronizing answer like this one.

Aris

On 28/08/14 18:20, Anonymous wrote:
> This is an SSH BUG !
>
> The problem is programmers who say things like this: "disconnection is the responsibility of the TCP stack" or "TCP layer 1 should take care of that".
>
> TCP will close and SSH doesn't seem to notice, I am really tired of it getting stuck. I kill it and immediately re-connect and all is OK, so how did TCP save me? IT DOESN'T - layer 1 2 3 4 5 whatever failed because YOU didn't do your part!
>
> Programmers: App level stuff knows when to time out not TCP, so you need to send a RST to the TCP stack so it will try to re-establish the connection or something!!! A few missing packets and you are screwed! I AM REALLY TIRED OF BAD PROGRAMMING assuming that some other layer is going to do everything for you. It's not a perfect connection world.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From dovecot at r.paypc.com Sun Aug 31 13:08:42 2014
From: dovecot at r.paypc.com (Robin)
Date: Sat, 30 Aug 2014 20:08:42 -0700
Subject: SSH completely locks up if you have a NOT PERFECT con
In-Reply-To:
References:
Message-ID: <540291BA.4060103@r.paypc.com>

On 8/28/2014 9:20 AM, Anonymous wrote:
> This is an SSH BUG !

It sounds like your main problem is with the specification of TCP, not SSH. TCP/IP was developed with a few overarching assumptions:

1) Your own (source interface) IP#s and possibly the server's didn't change "often". I am pretty sure its original designers didn't develop TCP in an environment "featuring" bouncing IP#s from flaky WiFi spots' DHCP implementations issuing you a new IP# all the time when your link resumes.

2) The route path to your server was reasonably stable, and fairly static. Most of the transient path-'outages' are usually due to some leg's BGP changes or flakiness. Occasionally, connections get half-broken, even if both sides don't notice any especial "outage" to the Internet-at-large.

Projects with security as their first priority generally don't have the mandate, let alone resources, to try to work around all of the problems caused by the "modern flaky reality" of Internet connectivity.

TCP's always had a problem of detecting half-broken connections on the server side when the normal "idle" state of the server is awaiting input from the client. With TCP - unless you enable KEEPALIVES or build a "HEARTBEAT" into your protocol - you generally don't know the link's dead until you try to send data to your endpoint.

If you really do want "auto-closure" of half-disconnected connections, there are many options open to you, ranging from a mix of enabling TCP keep-alives with semi-shortish timeout intervals (note, this isn't protected by any crypto or MAC of any kind), to enabling an "SSH inband 'ping'" to more securely implement a "heartbeat" type of functionality.
Read the manuals, educate yourself about your kernel's TCP stack tuning knobs (if you can even get at those on your system), but don't shriek like a lunatic to every software project that inherits the limitations of underlying protocols and demand that they redress the accumulated shortcomings of decades of ad-hoc and often chaotic "progress" that have exposed the cracks in a 30+ year old networking specification.

Not an SSH Bug, but a USER Bug.

=R=
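The two mechanisms Robin contrasts in the reply above, a kernel TCP keepalive (unauthenticated, path-level) versus a heartbeat carried inside the authenticated session, as an added example; this is not OpenSSH code and not something anyone on this thread posted. The heartbeat is a constructed model of what ssh(1)'s ServerAliveInterval / ServerAliveCountMax options do (send a request every interval, give up after count_max consecutive unanswered ones); the PING/PONG bytes, the local socket pair, and the peer that stops answering without closing are assumptions made for the demonstration, not the real keepalive@openssh.com global request. enable_tcp_keepalive uses the Linux-style per-socket timer options only where the platform exports them.

```python
import socket
import threading
import time


def enable_tcp_keepalive(sock, idle=60, interval=10, count=3):
    """Ask the kernel to probe an idle connection and reset it after `count`
    unanswered probes (TCPKeepAlive in ssh_config/sshd_config turns on the
    same thing). The probes are bare TCP segments with no MAC, so anything
    that can spoof packets on the path can keep the connection "alive": they
    prove the path works, not that the authenticated peer does. The timer
    option names are Linux-style; where a platform lacks them the system
    defaults apply (often two hours idle), so check the sysctls too."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            try:
                sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            except OSError:
                pass  # constant exported but the knob is unsupported here
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def keepalive_check():
    """Open a throwaway TCP socket and report whether SO_KEEPALIVE took."""
    with socket.socket() as s:
        return enable_tcp_keepalive(s)


def heartbeat_client(sock, interval, count_max):
    """In-band liveness check modelled on ServerAliveInterval/
    ServerAliveCountMax: send a probe every `interval` seconds, count
    consecutive unanswered probes, give up at `count_max`. Probes sent inside
    the session inherit its encryption and integrity protection, which the
    kernel keepalive cannot offer. Returns the number of probes sent before
    the peer is declared dead, or 0 if the peer closed cleanly (EOF), which
    TCP reports on its own and needs no heartbeat to notice."""
    sock.settimeout(interval)
    missed = 0
    sent = 0
    while missed < count_max:
        sent += 1
        sock.sendall(b"PING\n")  # constructed format, not the SSH global request
        try:
            reply = sock.recv(16)
        except socket.timeout:
            missed += 1
            continue
        if not reply:
            return 0
        missed = 0
        time.sleep(interval)  # next probe only after a quiet interval
    return sent


def silent_peer(sock, answers, stop):
    """Constructed peer: answer the first `answers` probes, then stay open but
    never read or write again. To the other side this looks exactly like a
    half-open connection whose far host vanished without sending a RST."""
    for _ in range(answers):
        if not sock.recv(16):
            return
        sock.sendall(b"PONG\n")
    stop.wait()


def simulate(answers, interval=0.05, count_max=3):
    """Run the client against a peer that goes silent after `answers` replies
    over a local socket pair. Returns probes sent: answers + count_max."""
    client_sock, peer_sock = socket.socketpair()
    stop = threading.Event()
    peer = threading.Thread(target=silent_peer, args=(peer_sock, answers, stop))
    peer.start()
    try:
        return heartbeat_client(client_sock, interval, count_max)
    finally:
        stop.set()
        peer.join()
        client_sock.close()
        peer_sock.close()


if __name__ == "__main__":
    # The real-session equivalent of the heartbeat below is
    #   ssh -o ServerAliveInterval=15 -o ServerAliveCountMax=3 host
    # which gives up after roughly 45 seconds of unanswered requests.
    print("kernel keepalive enabled:", keepalive_check())
    print("probes before giving up:", simulate(answers=2))
```

The client gives up after exactly count_max unanswered probes, so detection time is interval * count_max regardless of how long the session was healthy before; set both on the sshd side too (ClientAliveInterval / ClientAliveCountMax) if the concern is the server holding dead sessions open, since each side only notices silence from the other.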