Call for testing: OpenSSH 7.4
Zev Weiss
zev at bewilderbeest.net
Thu Dec 15 16:22:51 AEDT 2016
On Wed, Dec 14, 2016 at 11:53:32AM +1100, Damien Miller wrote:
>Hi,
>
>OpenSSH 7.4 is almost ready for release, so we would appreciate testing
>on as many platforms and systems as possible. This release contains some
>substantial new features and a number of bugfixes.
>
Hi,

I tested (or tried) git commit b737e4d7 on three systems, with somewhat
mixed results.

On Mac OSX (macOS?) 10.9, configure failed with:

    ...
    checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016)
    checking OpenSSL library version... 009081df (OpenSSL 0.9.8zg 14 July 2015)
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your
    library. Check config.log for details.

A second attempt with configure's openssl-dir pointed at a macports
install in /opt/local built successfully and passed all tests, though
there were some warnings during the build (mostly noticed just because I
configured with -Werror and then manually papered over them; not sure
how important these really are):

- daemon() deprecated (ssh.c, sshd.c)
- utmp, login, logout, logwtmp deprecated (loginrec.c)
- sandbox_init() deprecated (sandbox-darwin.c)
- struct monitor declared in ssh_sandbox_init() parameter list
  (sandbox-darwin.c)
- set-but-unused 'flag' variable in sys_tun_open() (port-tun.c)

On Void Linux (which uses LibreSSL, for what it's worth): unable to
compile due to undeclared arc4random*() functions. The symbols exist in
libcrypto so configure's tests for them pass, but they're not declared
in any header files. I'm not sure where exactly these are "supposed" to
be declared, so I don't know if this is a problem with OpenSSH or
LibreSSL or some packaging bungle on Void's part.

On Debian testing: discovered a small-but-significant problem in
auth.c's allowed_user() function. Commit 010359b3 expanded the body of
the loop that checks DenyUsers entries, but didn't add the necessary
braces around it, so it didn't exactly have the intended effect, instead
resulting in only the last entry in DenyUsers actually being enforced.
(Credit to gcc's -Wmisleading-indentation warning here.)

The attached patch 0001-Unbreak-DenyUsers-with-1-user-specified.patch
fixes the bug; the next two patches
(0002-Add-and-use-stop_sshd-helper-function.patch and
0003-Add-regression-test-for-AllowUsers-DenyUsers.patch) add a
regression test that detects it (failing before and passing after patch
0001).

With those patches applied a -Werror build completed successfully and
passed all tests.

(I also noticed a mis-typed error message in dh.c, addressed in the
attached 0004-Fix-mis-worded-error-message-in-choose_dh.patch.)

Thanks,
Zev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Unbreak-DenyUsers-with-1-user-specified.patch
Type: text/x-diff
Size: 1129 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-and-use-stop_sshd-helper-function.patch
Type: text/x-diff
Size: 2222 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Add-regression-test-for-AllowUsers-DenyUsers.patch
Type: text/x-diff
Size: 2739 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Fix-mis-worded-error-message-in-choose_dh.patch
Type: text/x-diff
Size: 725 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161214/6db87cb7/attachment-0007.bin>
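
The DenyUsers bug described in the message above comes down to a loop body that grew to two statements without gaining braces. The following is an added, simplified model of that pattern next to its braced form; it is not the OpenSSH source or any of the attached patches, and match_entry(), allowed_buggy(), allowed_fixed() and the sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for pattern matching: exact name compare, 1 = match. */
static int match_entry(const char *user, const char *pattern)
{
    return strcmp(user, pattern) == 0;
}

/* Buggy shape: the loop body is two statements without braces, so only the
 * assignment repeats; the check runs once, after the loop, on the result for
 * the last entry. Returns 1 if the login is allowed, 0 if denied. */
int allowed_buggy(const char *user, const char *const *deny, size_t n)
{
    size_t i;
    int r = 0;
    for (i = 0; i < n; i++)
        r = match_entry(user, deny[i]);
        if (r != 0)
            return 0;
    return 1;
}

/* Fixed shape: braces put the check inside the loop, so every entry counts. */
int allowed_fixed(const char *user, const char *const *deny, size_t n)
{
    size_t i;
    int r;
    for (i = 0; i < n; i++) {
        r = match_entry(user, deny[i]);
        if (r != 0)
            return 0;
    }
    return 1;
}

/* Constructed sample deny list and test users. */
static const char *const sample_deny[] = { "alice", "bob", "mallory" };
#define SAMPLE_N (sizeof(sample_deny) / sizeof(sample_deny[0]))

int main(void)
{
    const char *users[] = { "alice", "bob", "mallory", "carol" };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("%-8s buggy=%d fixed=%d\n", users[i],
            allowed_buggy(users[i], sample_deny, SAMPLE_N),
            allowed_fixed(users[i], sample_deny, SAMPLE_N));
    return 0;
}
```

Compiling with GCC 6 or later and -Wall reports -Wmisleading-indentation on allowed_buggy(), the warning credited in the message.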