Call for testing: OpenSSH 10.1p1

Leonardo Saavedra leosaa at gmx.com
Thu Oct 2 02:26:05 AEST 2025


Just a little detail in the version:

[leo at boxer tmp]$ tar -xzvf ../openssh-10.0p1.tar.gz openssh-10.0p1/version.h | xargs cat
/* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */

#define SSH_VERSION    "OpenSSH_10.0"

#define SSH_PORTABLE    "p2"
#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE

[leo at boxer openssh-10.0p1]$ diff -u version.h.orig  version.h
--- version.h.orig    2025-10-01 09:20:07.508606652 -0700
+++ version.h    2025-10-01 09:20:15.404580439 -0700
@@ -2,5 +2,5 @@

  #define SSH_VERSION    "OpenSSH_10.0"

-#define SSH_PORTABLE    "p2"
+#define SSH_PORTABLE    "p1"
  #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
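Review bot: the hunk only flips SSH_PORTABLE from "p2" to "p1" and leaves SSH_VERSION at "OpenSSH_10.0", so the tree being patched is the 10.0p1 release tarball named above (openssh-10.0p1.tar.gz), not the 10.1p1 snapshot this call for testing asks people to exercise; the `make tests` results quoted below, where `ssh -V` reports OpenSSH_10.0p2, therefore describe 10.0. Rather than editing version.h locally, which makes the reported release string diverge from what upstream shipped, it would be more useful to run `./configure && make tests` against a snapshot from http://www.mindrot.org/openssh_snap/ and report the unmodified `ssh -V` output.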

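The p1/p2 discrepancy above is easy to overlook in a test report. As an added example (not code from this thread or from OpenSSH), here is a POSIX shell check that composes SSH_RELEASE from a tree's version.h the same way version.h itself does and compares it with the version implied by the tarball name; the embedded version.h text is constructed to match the one shown above.

```shell
#!/bin/sh
# Added example: verify that the release string compiled into version.h
# matches the release named by the tarball, so a test report identifies
# the build actually under test.

# Constructed sample version.h, reproducing the defines shown in the thread.
SAMPLE_VERSION_H='/* $OpenBSD: version.h,v 1.105 2025/04/09 07:00:21 djm Exp $ */

#define SSH_VERSION    "OpenSSH_10.0"

#define SSH_PORTABLE    "p2"
#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
'

# Print the quoted value of the #define named $1 from version.h text on stdin.
define_value() {
    sed -n "s/^#define[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Compose SSH_RELEASE as version.h does: SSH_VERSION followed by SSH_PORTABLE,
# e.g. "OpenSSH_10.0p2". Argument is the version.h text.
release_string() {
    v=$(printf '%s' "$1" | define_value SSH_VERSION)
    p=$(printf '%s' "$1" | define_value SSH_PORTABLE)
    printf '%s%s' "$v" "$p"
}

# Derive the release string implied by a tarball name,
# e.g. ../openssh-10.0p1.tar.gz -> "OpenSSH_10.0p1".
tarball_release() {
    printf '%s' "$1" | sed -n 's/^.*openssh-\([0-9][0-9.]*p[0-9][0-9]*\)\.tar\.gz$/OpenSSH_\1/p'
}

# Print both strings; exit status 0 when they agree, 1 when they do not.
check_release() {
    compiled=$(release_string "$1")
    named=$(tarball_release "$2")
    printf 'version.h: %s\ntarball:   %s\n' "$compiled" "$named"
    [ -n "$compiled" ] && [ "$compiled" = "$named" ]
}

# Usage on a real tree:
#   check_release "$(cat openssh-10.0p1/version.h)" openssh-10.0p1.tar.gz
```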

On 10/1/25 10:09, Leonardo Saavedra via openssh-unix-dev wrote:
> Hi,
>
> The build process went pretty smoothly on RHEL 8.10, except for `make 
> tests`, as follows:
>
>
> [leo at boxer build]$ uname -a
> Linux boxer 4.18.0-553.75.1.el8_10.x86_64 #1 SMP Wed Sep 10 00:05:32 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
>
> [leo at boxer build]$ cat /etc/redhat-release
> Red Hat Enterprise Linux release 8.10 (Ootpa)
>
> [leo at boxer build]$ openssl version
> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>
> [leo at boxer build]$ ssh -V
> OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025
>
>
> [...]
>
> unexpected ssh output
> multihop restricted
> multihop username
> multihop wildcard username
> multihop wrong username
> multihop cycle no agent
> multihop cycle agent unrestricted
> 12d11
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 13a13
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 22d21
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 23a23
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 32d31
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 33a33
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 42d41
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 43a43
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 52d51
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 53a53
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 62d61
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 63a63
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 72d71
> < ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> 73a73
> > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdIhChwRPGof+kImHrQHDaaqgvwVGIMCMik1lc2Ux1d
> unexpected ssh output
> multihop cycle restricted deny
> multihop cycle restricted allow
> failed agent restrictions
> make[1]: *** [Makefile:255: t-exec] Error 1
> make[1]: Leaving directory '/export/home/leo/src/openssh-10.0p1/regress'
> make: *** [Makefile:788: t-exec] Error 2
>
>
>
> Regards,
>
> -- 
>
> Leo
>
>
> On 9/30/25 07:45, Damien Miller wrote:
>> Hi,
>>
>> OpenSSH 10.1p1 is almost ready for release, so we would appreciate 
>> testing
>> on as many platforms and systems as possible.
>>
>> Snapshot releases for portable OpenSSH are available from
>> http://www.mindrot.org/openssh_snap/
>>
>> The OpenBSD version is available in CVS HEAD:
>> http://www.openbsd.org/anoncvs.html
>>
>> Portable OpenSSH is also available via git using the
>> instructions at http://www.openssh.com/portable.html#cvs
>> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
>> https://github.com/openssh/openssh-portable
>>
>> Running the regression tests supplied with Portable OpenSSH does not
>> require installation and is simply:
>>
>> $ ./configure && make tests
>>
>> Live testing on suitable non-production systems is also appreciated.
>> Please send reports of success or failure to
>> openssh-unix-dev at mindrot.org. Security bugs should be reported
>> directly to openssh at openssh.com.
>>
>> Below is a summary of changes. More detail may be found in the ChangeLog
>> in the portable OpenSSH tarballs.
>>
>> Thanks to the many people who contributed to this release.
>>
>> Potentially-incompatible changes
>> --------------------------------
>>
>>   * ssh(1): add a warning when the connection negotiates a non-post-
>>     quantum key agreement algorithm.
>>
>>     This warning has been added due to the risk of "store now, decrypt
>>     later" attacks. More details at https://openssh.com/pq.html
>>
>>     This warning may be controlled via a new WarnWeakCrypto ssh_config
>>     option, defaulting to on. This option is likely to control
>>     additional weak crypto warnings in the future.
>>
>>   * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
>>
>>     Both the client and the server have changed the default DSCP
>>     (a.k.a. IPQoS) values and the way these values are selected at
>>     runtime.
>>
>>     Both endpoints now use Expedited Forwarding (EF) for interactive
>>     traffic by default. This provides better prioritisation,
>>     especially on wireless media (cf. RFC 8325). Non-interactive
>>     traffic now uses the operating system default DSCP marking.
>>     Both the interactive and non-interactive DSCP values may be
>>     overridden via the IPQoS keyword in ssh_config(5) and
>>     sshd_config(5).
>>
>>     The DSCP value selected may now change over the course of a
>>     connection. ssh(1) and sshd(8) will automatically select between
>>     the interactive and non-interactive IPQoS values depending on
>>     the type of SSH channels open. E.g. if an sftp session is using
>>     the connection, then the non-interactive value will be used.
>>
>>     This is important now that the default interactive IPQoS is EF
>>     (Expedited Forwarding), as many networks are configured to allow
>>     only relatively small amounts of traffic of this class and they will
>>     aggressively deprioritise the entire connection if this is exceeded.
>>
>>   * ssh-add(1): when adding certificates to an agent, set the expiry
>>     to the certificate expiry time plus a short (5 min) grace period.
>>
>>     This will cause the agent to automatically remove certificates
>>     shortly after they expire. A new ssh-add -N option disables this
>>     behaviour.
>>
>>   * All: remove experimental support for XMSS keys. This was never
>>     enabled by default. We expect to implement a new post-quantum
>>     signature scheme in the near future.
>>
>>   * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS)
>>     keywords in the IPQoS configuration directive.
>>
>>     Type of Service (ToS) was deprecated in the late nineties and
>>     replaced with the Differentiated Services architecture. Diffserv
>>     has significant advantages for operators because this mechanism
>>     offers more granularity.
>>
>>     OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
>>
>>     IPQoS configurations with 'lowdelay', 'reliability', or
>>     'throughput' will be ignored and instead the system default QoS
>>     settings apply. Additionally, a debug message is logged about the
>>     deprecation with a suggestion to use DSCP.
>>
>>   * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
>>     under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
>>     in sshd(8).
>>
>>     This ensures processes that have restricted filesystem access
>>     that includes /tmp do not ambiently have the ability to use keys
>>     in an agent.
>>
>>     Moving the default directory has the consequence that the OS will
>>     no longer clean up stale agent sockets, so ssh-agent now gains
>>     this ability.
>>
>>     To support $HOME on NFS, the socket path includes a truncated
>>     hash of the hostname. ssh-agent will by default only clean up
>>     sockets from the same hostname.
>>
>>     ssh-agent(1) gains some new flags: -U suppresses the automatic
>>     cleanup of stale sockets when it starts. -u forces a cleanup
>>     without keeping a running agent, -uu forces a cleanup that ignores
>>     the hostname. -T makes ssh-agent put the socket back in /tmp.
>>
>> Changes since OpenSSH 10.0
>> ==========================
>>
>> New features
>> ------------
>>
>>   * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
>>     session information.
>>
>>   * sshd(8): when refusing a certificate for user authentication, log
>>     enough information to identify the certificate in addition to the
>>     reason why it was being denied. Makes debugging certificate
>>     authorisation problems a bit easier.
>>
>>   * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
>>     tokens.
>>
>>   * ssh(1): add a ssh_config(5) RefuseConnection option that, when
>>      encountered while processing an active section in a
>>      configuration terminates ssh(1) with an error message that
>>      contains the argument to the option.
>>
>>      This may be useful for expressing reminders or warnings in config
>>      files, for example:
>>
>>      Match host foo
>>             RefuseConnection "foo is deprecated, use splork instead"
>>
>>   * sshd(8): make the X11 display number check relative to
>>     X11DisplayOffset. This will allow people to use X11DisplayOffset
>>     to configure much higher port ranges if they really want, while
>>     not changing the default behaviour.
>>
>>   * unit tests: the unit test framework now includes some basic
>>     benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
>>     on OpenBSD or "make unit-bench" on Portable OpenSSH.
>>
>> Bugfixes
>> --------
>>
>>   * sshd(8): fix mistracking of MaxStartups process exits in some
>>     situations. At worst, this could cause all MaxStartups slots to
>>     fill and sshd to refuse new connections.
>>
>>   * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
>>     is enabled. bz#3820
>>
>>   * sshd(8): increase the maximum size of the supported configuration
>>     from 256KB to 4MB, which ought to be enough for anybody. Fail
>>     early and visibly when this limit is breached. bz3808
>>
>>   * sftp(1): during sftp uploads, avoid a condition where a failed
>>     write could be ignored if a subsequent write succeeded. This is
>>     unlikely but technically possible because sftp servers are
>>     allowed to reorder requests.
>>
>>   * sftp(1): avoid a fatal() when sftp tab-completes filenames that
>>     share common utf-8 characters that don't encode to a complete
>>     codepoint.
>>
>>   * sshd(8): avoid a race condition when the sshd-auth process exits
>>     that could cause a spurious error message to be logged.
>>
>>   * sshd(8): log at level INFO when PerSourcePenalties actually
>>     blocks access to a source address range. Previously this was
>>     logged at level VERBOSE, which hid enforcement actions under
>>     default config settings.
>>
>>   * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
>>
>>   * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
>>     first-match-wins as advertised. bz3859
>>
>>   * ssh(1): fix an incorrect return value check in the local forward
>>     cancellation path that would cause failed cancellations not to be
>>     logged.
>>
>>   * sshd(8): make "Match !final" not trigger a second ssh_config
>>     parsing pass (unless hostname canonicalisation or a separate
>>     "Match final" does). bz3843
>>
>>   * ssh(1): better debug diagnostics when loading keys. Will now list
>>     key fingerprint and algorithm (not just algorithm number) as well
>>     as making it explicit which keys didn't load.
>>
>>   * All: fix a number of memory leaks found by LeakSanitizer,
>>     Coverity and manual inspection.
>>
>>   * sshd(8): output the current name for PermitRootLogin's
>>     "prohibit-password" in sshd -T instead of its deprecated alias
>>     "without-password".  bz#3788
>>
>>   * ssh(1): make writing known_hosts lines more atomic by writing
>>     the entire line in one operation and using unbuffered stdio.
>>
>>     Usually writes to this file are serialised on the "Are you sure you
>>     want to continue connecting?" prompt, but if host key checking is
>>     disabled and connections were being made with high concurrency
>>     then interleaved writes might have been possible.
>>
>> Portability
>> -----------
>>
>>   * sshd(8): check the username didn't change during the PAM
>>     transactions.
>>
>>     PAM modules can change the user during their execution, but
>>     this is not supported by sshd(8). If such a case was incorrectly
>>     configured by the system administrator, then sshd(8) could end up
>>     using a different username to the one authorised by PAM.
>>
>>   * sshd(8): don't log audit messages with UNKNOWN hostname to avoid
>>     slow DNS lookups in the audit subsystem.
>>
>>   * All: when making a copy of struct passwd, ensure struct fields are
>>     non-NULL. Android libc can return NULL pw_gecos, for example.
>>
>>   * All: Remove status bits from OpenSSL >=3 version check.
>>
>>   * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
>>     forwarding from other OSes fails as soon as the first IPv6 message
>>     is sent by the other side (which is usually a Router Solicitation
>>     ICMPv6 message which is sent as soon as the interface is up).
>>
>>   * ssh(1), ssh-agent(8): check for nlist function presence before
>>     attempting to use it instead of relying on the presence of the
>>     nlist.h header. Mac OS X, in particular, has the header, but only
>>     has the function in the 32-bit libraries.
>>
>>   * All: fill in missing system header files.
>>
>>     Create replacement header files inside openbsd-compat for common
>>     headers that are missing on a given platform. Usually these are
>>     just empty, but in some cases they'll include the equivalent file.
>>     This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
>>     and reduces the diff between Portable OpenSSH and OpenBSD.
>>
>>   * sshd(8): handle futex_time64 properly in the seccomp sandbox.
>>     Previously we only allowed __NR_futex, but some 32-bit systems
>>     apparently support __NR_futex_time64. We had support for this
>>     in the sandbox, but because of a macro error only __NR_futex was
>>     allowlisted.
>>
>>   * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
>>
>>   * sshd(8): let ga_init() fail gracefully if getgrouplist does.
>>     Apparently getgrouplist() can fail on OSX when passed a
>>     non-existent group name. Other platforms seem to return a group
>>     list consisting of the numeric gid passed to the function. bz3848
>>
>>   * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
>>     preventing a graceful shutdown of an agent via systemd from
>>     incorrectly marking the service as "failed".
>>
>>   * build: wrap some autoconf macros in AC_CACHE_CHECK.
>>
>>     This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
>>     OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
>>     or linker flags. E.g.
>>
>>       $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
>>       [...]
>>       checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
>>
>> Reporting Bugs:
>> ===============
>>
>> - Please read https://www.openssh.com/report.html
>>    Security bugs should be reported directly to openssh at openssh.com
>>
>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
>> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
>> Tim Rice and Ben Lindstrom.
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

