Re: Call for testing: OpenSSH 6.6

openssh-SNAP-20140302.tar.gz builds and passes all tests on Slackware-14.0 and 13.37, both 64-bit.

There is, however, a problem with scp which I reported earlier, on Jan 20, during 6.5 testing, and which did not get any reply. So I re-tested it, and it is still there. Since the problem is with scp, which relies on the installed ssh, I built a Slackware-13.37 openssh package and installed it in a VM.

The problem happens when I run `scp -3`, and only when both remote accounts require passwords. The second password is echoed to the terminal. Below is a full session showing what happens:

---------------------------------------------

scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group
andyt2 at majesty's password: andyt2 at mate's password:
XXXXXX

---------------------------
As you can see, after the command is started, both remote systems prompt
for a password on the same line.  So I enter a password for user andyt2
and press ENTER.  What happens next is probably a bug.  Line advances, and
nothing at all happens.  So I am assuming that now the second system is
waiting for a password.  I enter it, and it appears in the terminal in
cleartext (substituted here with XXXXXX).  The command then proceeds and
finishes successfully.

A workaround I found is to simply press ENTER instead of typing a second
password.  Then, you get an error saying the password is incorrect, and
a new, normal password prompt appears.  Enter the password, and this time,
it is not visible.

This is what it looks like:

----------------------------
andyt at king: andyt> scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group
andyt2 at majesty's password: andyt2 at mate's password:


Permission denied, please try again.
andyt2 at mate's password:
----------------------------

I would think scp should try to connect to the first remote machine, and only when/if authentication completes successfully proceed with the second remote machine.

Regards,

Andy

On Sat, 1 Mar 2014, Damien Miller wrote:

Hi,

OpenSSH 6.6 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a small release
mostly to fix some minor but annoying bugs in openssh-6.5.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.5
=========================

This is primarily a bugfix release.

New / changed features:

* ssh(1), sshd(8): this release removes the J-PAKE authentication code.
  This code was experimental, never enabled and had been unmaintained
  for some time.

* ssh(1): when processing Match blocks, skip 'exec' clauses when other
  clauses' predicates failed to match.

* ssh(1): if hostname canonicalisation is enabled and results in the
  destination hostname being changed, then re-parse ssh_config(5) files
  using the new destination hostname. This gives 'Host' and 'Match'
  directives that use the expanded hostname a chance to be applied.

Bugfixes:

* ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in
  ssh -W. bz#2200, debian#738692

* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace
  sandbox modes, as it is reachable if the connection is terminated
  during the pre-auth phase.

* ssh(1), sshd(8): fix unsigned overflow in SSH protocol 1 bignum
  parsing. Minimum key length checks render this bug unexploitable to
  compromise SSH 1 sessions.

* sshd_config(5): clarify behaviour of a keyword that appears in
  multiple matching Match blocks. bz#2184

* ssh(1): avoid unnecessary hostname lookups when canonicalisation is
  disabled. bz#2205

* sshd(8): avoid sandbox violation crashes in GSSAPI code by caching
  the supported list of GSSAPI mechanism OIDs before entering the
  sandbox. bz#2107

* ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption
  that the SOCKS username is nul-terminated.

* ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is
  not specified.

* ssh(1), sshd(8): fix memory leak in ECDSA signature verification.

* ssh(1): fix matching of 'Host' directives in ssh_config(5) files
  to be case-sensitive again (regression in 6.5).

Portable OpenSSH:

* sshd(8): don't fatal if FreeBSD Capsicum is offered by the
  system headers and libc but is not supported by the kernel.

* Fix build using the HP-UX compiler.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
- Security bugs should be reported directly to openssh@xxxxxxxxxxx

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



Dr Andy Tsouladze
Sr Unix/Storage/Security SysAdmin
PWD=`cat /dev/urandom | sed 's/[^\x21-\x7f]//g' | head -c 14`
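As an added illustration (not code from the reporter or the OpenSSH project), the check below drives a password prompt through a pseudo-terminal and reports whether the typed characters come back on the terminal side, which is the symptom described above for the second `scp -3` prompt. It assumes a Linux/BSD pty via Python's os.openpty and termios; the prompt text and password are constructed sample values.

```python
import os
import select
import termios


def set_echo(fd, enabled):
    """Turn terminal echo on or off for fd; canonical line mode is kept."""
    attrs = termios.tcgetattr(fd)
    if enabled:
        attrs[3] |= termios.ECHO          # attrs[3] is c_lflag
    else:
        attrs[3] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def read_line(fd):
    """Read one canonical-mode line (up to ENTER) from the tty, as a prompt would."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = os.read(fd, 1024)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\r\n").decode()


def prompt_leak(password, echo_enabled, prompt=b"password: "):
    """Drive a prompt through a pty; return (password_received, bytes_echoed).

    The master side stands in for the user's terminal: the password is "typed"
    there, the slave side reads it like a program would, and whatever the tty
    sends back to the master beyond the prompt text is echoed keystrokes.
    A correctly hidden prompt yields b"" as the second value.
    """
    master, slave = os.openpty()
    try:
        set_echo(slave, echo_enabled)
        os.write(slave, prompt)                       # program prints prompt
        os.write(master, password.encode() + b"\n")   # user types password, ENTER
        received = read_line(slave)                   # program reads it
        out = b""
        while True:                                   # collect terminal output
            ready, _, _ = select.select([master], [], [], 0.2)
            if not ready:
                break
            out += os.read(master, 4096)
        echoed = out[len(prompt):] if out.startswith(prompt) else out
        return received, echoed
    finally:
        os.close(master)
        os.close(slave)
```

To check a real client, spawn it on the slave side instead of writing the prompt yourself; the echoed bytes should stay empty for every password prompt it shows.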