Call for testing: OpenSSH 10.1p1

Damien Miller djm at mindrot.org
Tue Sep 30 23:45:30 AEST 2025


Hi,

OpenSSH 10.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
--------------------------------

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

   This warning has been added due to the risk of "store now, decrypt
   later" attacks. More details at https://openssh.com/pq.html

   This warning may be controlled via a new WarnWeakCrypto ssh_config
   option, defaulting to on. This option is likely to control
   additional weak crypto warnings in the future.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

   Both the client and the server have changed the default DSCP
   (a.k.a. IPQoS) values and the way these values are selected at
   runtime.

   Both endpoints now use Expedited Forwarding (EF) for interactive
   traffic by default. This provides better prioritisation,
   especially on wireless media (cf. RFC 8325). Non-interactive
   traffic now uses the operating system default DSCP marking.
   Both the interactive and non-interactive DSCP values may be
   overridden via the IPQoS keyword in ssh_config(5) and
   sshd_config(5).

   The DSCP value selected may now change over the course of a
   connection. ssh(1) and sshd(8) will automatically select between
   the interactive and non-interactive IPQoS values depending on
   the type of SSH channels open. E.g. if a sftp session is using
   the connection, then the non-interactive value will be used.

   This is important now that the default interactive IPQoS is EF
   (Expedited Forwarding), as many networks are configured to allow
   only relatively small amounts of traffic of this class and they will
   aggressively deprioritise the entire connection if this is exceeded.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

   This will cause the agent to automatically remove certificates shortly
   after they expire. A new ssh-add -N option disables this behaviour.

 * All: remove experimental support for XMSS keys. This was never
   enabled by default. We expect to implement a new post-quantum
   signature scheme in the near future.

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (TOS)
   keywords in the IPQoS configuration directive.

   Type of Service (ToS) was deprecated in the late nineties and
   replaced with the Differentiated Services architecture. Diffserv
   has significant advantages for operators because this mechanism
   offers more granularity.

   OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.

   IPQoS configurations with 'lowdelay', 'reliability', or
   'throughput' will be ignored and instead the system default QoS
   settings apply. Additionally, a debug message is logged about the
   deprecation with a suggestion to use DSCP.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

   This ensures processes that have restricted filesystem access
   that includes /tmp do not ambiently have the ability to use keys
   in an agent.

   Moving the default directory has the consequence that the OS will
   no longer clean up stale agent sockets, so ssh-agent now gains
   this ability.

   To support $HOME on NFS, the socket path includes a truncated hash of
   the hostname. ssh-agent will by default only clean up sockets from
   the same hostname.

   ssh-agent(1) gains some new flags: -U suppresses the automatic
   cleanup of stale sockets when it starts. -u forces a cleanup
   without keeping a running agent, -uu forces a cleanup that ignores
   the hostname. -T makes ssh-agent put the socket back in /tmp.

Changes since OpenSSH 10.0
==========================

New features
------------

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

 * sshd(8): when refusing a certificate for user authentication, log
   enough information to identify the certificate in addition to the
   reason why it was being denied. Makes debugging certificate
   authorisation problems a bit easier.

 * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
   tokens.

 * ssh(1): add a ssh_config(5) RefuseConnection option that, when
    encountered while processing an active section in a
    configuration terminates ssh(1) with an error message that
    contains the argument to the option.

    This may be useful for expressing reminders or warnings in config
    files, for example:

    Match host foo
           RefuseConnection "foo is deprecated, use splork instead"

 * sshd(8): make the X11 display number check relative to
   X11DisplayOffset. This will allow people to use X11DisplayOffset
   to configure much higher port ranges if they really want, while
   not changing the default behaviour.

 * unit tests: the unit test framework now includes some basic
   benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
   on OpenBSD or "make unit-bench" on Portable OpenSSH.

Bugfixes
--------

 * sshd(8): fix mistracking of MaxStartups process exits in some
   situations. At worst, this could cause all MaxStartups slots to
   fill and sshd to refuse new connections.

 * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
   is enabled. bz#3820

 * sshd(8): increase the maximum size of the supported configuration
   from 256KB to 4MB, which ought to be enough for anybody. Fail
   early and visibly when this limit is breached. bz3808

 * sftp(1): during sftp uploads, avoid a condition where a failed
   write could be ignored if a subsequent write succeeded. This is
   unlikely but technically possible because sftp servers are
   allowed to reorder requests.

 * sftp(1): avoid a fatal() when sftp tab-completes filenames that
   share common utf-8 characters that don't encode to a complete
   codepoint.

 * sshd(8): avoid a race condition when the sshd-auth process exits
   that could cause a spurious error message to be logged.

 * sshd(8): log at level INFO when PerSourcePenalties actually
   blocks access to a source address range. Previously this was
   logged at level VERBOSE, which hid enforcement actions under
   default config settings.

 * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix

 * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
   first-match-wins as advertised. bz3859

 * ssh(1): fix an incorrect return value check in the local forward
   cancellation path that would cause failed cancellations not to be
   logged.

 * sshd(8): make "Match !final" not trigger a 2nd pass ssh_config
   parsing pass (unless hostname canonicalisation or a separate
   "Match final" does). bz3843

 * ssh(1): better debug diagnostics when loading keys. Will now list
   key fingerprint and algorithm (not just algorithm number) as well
   as making it explicit which keys didn't load.

 * All: fix a number of memory leaks found by LeakSanitizer,
   Coverity and manual inspection.

 * sshd(8): Output the current name for PermitRootLogin's
   "prohibit-password" in sshd -T instead of its deprecated alias
   "without-password".  bz#3788

 * ssh(1): make writing known_hosts lines more atomic by writing
   the entire line in one operation and using unbuffered stdio.

   Usually writes to this file are serialised on the "Are you sure you
   want to continue connecting?" prompt, but if host key checking is
   disabled and connections were being made with high concurrency
   then interleaved writes might have been possible.

Portability
-----------

 * sshd(8): check the username didn't change during the PAM
   transactions.

   PAM modules can change the user during their execution, but
   this is not supported by sshd(8). If such a case was incorrectly
   configured by the system administrator, then sshd(8) could end up
   using a different username to the one authorised by PAM.

 * sshd(8): don't log audit messages with UNKNOWN hostname to avoid
   slow DNS lookups in the audit subsystem.

 * All: when making a copy of struct passwd, ensure struct fields are
   non-NULL. Android libc can return NULL pw_gecos, for example.

 * All: Remove status bits from OpenSSL >=3 version check.

 * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
   forwarding from other OSes fails as soon as the first IPv6 message
   is sent by the other side (which is usually a Router Solicitation
   ICMPv6 message which is sent as soon as the interface is up).

 * ssh(1), ssh-agent(8): check for nlist function presence before
   attempting to use it instead of relying on the presence of the
   nlist.h header.  Mac OS X, in particular has the header, but only
   has the function in the 32bit libraries.

 * All: fill in missing system header files.

   Create replacement header files inside openbsd-compat for common
   headers that are missing on a given platform. Usually these are
   just empty, but in some cases they'll include the equivalent file.
   This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
   and reduces the diff between Portable OpenSSH and OpenBSD.

 * sshd(8): handle futex_time64 properly in seccomp sandbox.
   Previously we only allowed __NR_futex, but some 32-bit systems
   apparently support __NR_futex_time64. We had support for this
   in the sandbox, but because of a macro error only __NR_futex was
   allowlisted.

 * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.

 * sshd(8): let ga_init() fail gracefully if getgrouplist does.
   Apparently getgrouplist() can fail on OSX when passed a
   non-existent group name. Other platforms seem to return a group
   list consisting of the numeric gid passed to the function. bz3848

 * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
   preventing a graceful shutdown of an agent via systemd from
   incorrectly marking the service as "failed".

 * build: wrap some autoconf macros in AC_CACHE_CHECK.

   This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
   OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
   or linker flags. E.g.

     $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
     [...]
     checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
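
An added example, not part of the original announcement or of OpenSSH's own code: a pre-upgrade check for the IPQoS change described above, flagging ssh_config/sshd_config lines that still use the ToS keywords 'lowdelay', 'reliability' or 'throughput'. The function name and sample configuration are constructed for illustration; slot naming assumes the ssh_config(5) rule that one argument applies to all traffic and two are interactive then non-interactive.

```python
import re
import sys

# ToS keywords that the 10.1 release notes say IPQoS now ignores.
DEPRECATED_TOS = {"lowdelay", "reliability", "throughput"}

# Keyword, then whitespace or optional whitespace around a single '='.
IPQOS_LINE = re.compile(r"^\s*ipqos(?:\s*=\s*|\s+)(.*)$", re.IGNORECASE)

def audit_ipqos(config_text):
    """Return (line_no, slot, value) for each deprecated ToS keyword found."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = IPQOS_LINE.match(line)
        if not match:
            continue  # comments, blanks and other keywords never match
        args = []
        for token in match.group(1).replace('"', " ").split():
            if token.startswith("#"):
                break  # trailing comment
            args.append(token)
        # One argument applies to all traffic; two are interactive, then
        # non-interactive (assumption taken from ssh_config(5)).
        slots = ["all traffic"] if len(args) == 1 else ["interactive", "non-interactive"]
        for slot, value in zip(slots, args):
            if value.lower() in DEPRECATED_TOS:
                findings.append((line_no, slot, value))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# legacy tuning carried over from an old deployment
Host legacy
    IPQoS lowdelay throughput
Host modern
    ipqos=ef cs1
Host bulk
    IPQoS "Throughput"   # old tuning
"""

if __name__ == "__main__":
    # Audit files named on the command line, or the sample if none are given.
    for path in sys.argv[1:] or [None]:
        text = SAMPLE if path is None else open(path, errors="replace").read()
        for line_no, slot, value in audit_ipqos(text):
            print(f"{path or 'SAMPLE'}:{line_no}: IPQoS {value!r} ({slot}) is a "
                  "deprecated ToS keyword; system default QoS will apply")
```

Files pulled in through Include directives are not followed, so pass each included file on the command line as well.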


