Call for testing: OpenSSH 9.7

Chris Rapier rapier at psc.edu
Wed Mar 6 06:01:49 AEDT 2024


On my test systems:

Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS
Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS
OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL

The failure is with "make tests" specifically when it runs
/Users/rapier/openssh-portable/ssh-keygen -if 
/Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff - 
/Users/rapier/openssh-portable/regress/rsa_openssh.prv
key conversion disabled at compile time
0a1,15
 > -----BEGIN RSA PRIVATE KEY-----
 > // elided //
 > -----END RSA PRIVATE KEY-----
make[1]: *** [t1] Error 1

Make t-exec, in contrast, does pass all tests. I'm seeing the same 
behaviour on Ubuntu 22.04 if I use --without-openssl so I'm guessing 
this is expected behaviour.


Chris

On 3/4/24 7:24 PM, Damien Miller wrote:
> 
> Hi,
> 
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Future deprecation notice
> =========================
> 
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
> 
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
> 
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
> 
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
> 
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
> 
> Changes since OpenSSH 9.6
> =========================
> 
> This release contains mostly bugfixes.
> 
> New features
> ------------
> 
>   * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
>     all open channels and will close all open channels if there is no
>     traffic on any of them for the specified interval. This is in
>     addition to the existing per-channel timeouts added recently.
> 
>     This supports situations like having both session and x11
>     forwarding channels open where one may be idle for an extended
>     period but the other is actively used. The global timeout could
>     close both channels when both have been idle for too long.
> 
>   * All: make DSA key support compile-time optional, defaulting to on.
> 
> Bugfixes
> --------
> 
>   * sshd(8): don't append an unnecessary space to the end of subsystem
>     arguments (bz3667)
> 
>   * ssh(1): fix the multiplexing "channel proxy" mode, broken when
>     keystroke timing obfuscation was added. (GHPR#463)
> 
>   * ssh(1), sshd(8): fix spurious configuration parsing errors when
>     options that accept array arguments are overridden (bz3657).
> 
>   * Many fixes to manual pages and other documentation, including
>     GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
> 
>   * Greatly improve interop testing against PuTTY.
> 
> Portability
> -----------
> 
>   * Improve the error message when the autoconf OpenSSL header check
>     fails (bz#3668)
> 
>   * Improve detection of broken toolchain -fzero-call-used-regs support
>     (bz3645).
> 
>   * Fix regress/misc/fuzz-harness fuzzers and make them compile without
>     warnings when using clang16
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
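As an added illustration of the "global" ChannelTimeout type described in the announcement above (this is a constructed sshd_config fragment, not part of the release notes or of OpenSSH's own documentation; the interval values are arbitrary):

```text
# Constructed example, not from the announcement.
# Per-channel timeouts: an idle X11 channel is closed after one hour,
# an idle port-forward (direct-tcpip) channel after thirty minutes.
# The "global" type watches all open channels together: traffic on any
# channel resets it, but once nothing has moved for two hours every
# open channel is closed, which covers the case where a session and an
# X11 channel are both idle but neither hits its own per-channel limit.
ChannelTimeout x11-connection=1h direct-tcpip=30m global=2h

# Pre-existing option: once no channels remain, drop the connection.
UnusedConnectionTimeout 1m
```

The per-channel entries are the timeouts that already existed before this release; only the global=... pair is new in 9.7. A host running an older sshd rejects the global type at config parse time, so check with sshd -t after upgrading rather than assuming the line is silently ignored.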
