Requirement for ec.h breaks all builds on systems without the EC feature
(*all Red Hat [probably variants as well] below 6.5*).
New linking issue with gcc on AIX before tests run.
Same systems built 6.6 release without issue.

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140819.tar.gz

OS              Build_Target            CC                  OpenSSL        BUILD   TEST
==============  ======================  ==================  =============  ======  =================
Centos 2.1      i386-redhat-linux       gcc 2.9.6           0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47        0.9.7a         FAIL*1
Fedora Core r2  i386-redhat-linux       gcc 3.3.3-7         0.9.7a         FAIL*1
RHEL 4.8        i386-redhat-linux       gcc 3.4.6-11        0.9.7a         FAIL*1
RHEL 4.8        x86_64-redhat-linux     gcc 3.4.6-11        0.9.7a         FAIL*1
RHEL 5.4        i386-redhat-linux       gcc 4.1.2-46        0.9.8e-fips    FAIL*1
RHEL 5.4        x86_64-redhat-linux     gcc 4.1.2-46        0.9.8e-fips    FAIL*1
RHEL 5.5        i386-redhat-linux       gcc 4.1.2-48        0.9.8e-fips    FAIL*1
RHEL 5.5        x86_64-redhat-linux     gcc 4.1.2-48        0.9.8e-fips    FAIL*1
RHEL 5.6        i386-redhat-linux       gcc 4.1.2-50        0.9.8e-fips    FAIL*1
RHEL 5.6        x86_64-redhat-linux     gcc 4.1.2-50        0.9.8e-fips    FAIL*1
RHEL 5.7        i386-redhat-linux       gcc 4.1.2-51        0.9.8e-fips    FAIL*1
RHEL 5.7        x86_64-redhat-linux     gcc 4.1.2-51        0.9.8e-fips    FAIL*1
RHEL 5.8        i386-redhat-linux       gcc 4.1.2-52        0.9.8e-fips    FAIL*1
RHEL 5.8        x86_64-redhat-linux     gcc 4.1.2-52        0.9.8e-fips    FAIL*1
RHEL 5.9        i386-redhat-linux       gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 5.9        x86_64-redhat-linux     gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 5.10       i686-redhat-linux       gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 5.10       x86_64-redhat-linux     gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 6.0        i686-redhat-linux       gcc 4.4.4-13        1.0.0-fips     FAIL*1
RHEL 6.0        x86_64-redhat-linux     gcc 4.4.4-13        1.0.0-fips     FAIL*1
RHEL 6.1        i686-redhat-linux       gcc 4.4.5-6         1.0.0-fips     FAIL*1
RHEL 6.1        x86_64-redhat-linux     gcc 4.4.5-6         1.0.0-fips     FAIL*1
RHEL 6.2        i686-redhat-linux       gcc 4.4.6-3         1.0.0-fips     FAIL*1
RHEL 6.2        x86_64-redhat-linux     gcc 4.4.6-3         1.0.0-fips     FAIL*1
RHEL 6.3        i686-redhat-linux       gcc 4.4.7-3         1.0.0-fips     FAIL*1
RHEL 6.3        x86_64-redhat-linux     gcc 4.4.7-3         1.0.0-fips     FAIL*1
RHEL 6.4        i686-redhat-linux       gcc 4.4.7-3         1.0.0-fips     FAIL*1
RHEL 6.4        x86_64-redhat-linux     gcc 4.4.7-3         1.0.0-fips     FAIL*1
RHEL 6.5        i686-redhat-linux       gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 6.5        x86_64-redhat-linux     gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 7.0        x86_64-redhat-linux     gcc 4.8.2-16        1.0.1e-fips    OK      all tests passed
Debian 7.6      x86_64-linux-gnu        gcc Debian 4.7.2-5  1.0.1e         OK      all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3         0.9.8k         FAIL*1
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0  xlc 8.0.0.16        0.9.8k         FAIL*1
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  gcc 4.2.0           0.9.8y         FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  xlc 11.1.0.6        0.9.8y         OK      all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  gcc 4.4.7           1.0.1e         FAIL*2
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  xlc 12.1.0.6        1.0.1e         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       gcc 4.3.1           0.9.8w         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       C/aC++ C.11.23.12   0.9.8w         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       gcc 4.6.2           0.9.8t         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       C/aC++ C.11.31.05   0.9.8t         OK      all tests passed

RHL  Red Hat Linux
RHEL Red Hat Enterprise Linux

F*1 Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
and AIX 5.3+ have in-place upgrades

make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c arc4random.c
In file included from ../buffer.h:24,
                 from ../entropy.h:30,
                 from ../includes.h:177,
                 from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

F*2 gcc on AIX - linking fails just before tests start - i.e.

gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o \
        -L regress/unittests/test_helper -ltest_helper \
        -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshbuf/test_sshbuf] Error 1


On Mon, Aug 18, 2014 at 10:00 AM, Kevin Brott <kevin.brott@xxxxxxxxx> wrote:

>
> So apparently openssl/ec.h didn't show up earlier than 0.9.8m; right now
> it's looking like any system with earlier versions will configure, but fail
> to build off the bat.
>
>
> On Mon, Aug 18, 2014 at 9:18 AM, Kevin Brott <kevin.brott@xxxxxxxxx>
> wrote:
>
>> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>>
>> I know these are legacy OS versions - but they're still in use here so ...
>>
>> OS           Build_Target       CC            OpenSSL        BUILD   TEST
>> ===========  =================  ============  =============  ======  =================
>> Centos 2.1   i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
>> RHEL 3.4     i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1
>>
>> make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
>> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
>> arc4random.c
>> In file included from ../buffer.h:24,
>>                  from ../entropy.h:30,
>>                  from ../includes.h:177,
>>                  from arc4random.c:27:
>> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
>> make[1]: *** [arc4random.o] Error 1
>> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> [root@localhost openssh]# find ec.h
>> find: ec.h: No such file or directory
>>
>>
>> On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>>
>>> Hi,
>>>
>>> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a big release
>>> containing a number of features, a lot of internal refactoring and some
>>> potentially-incompatible changes.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>
>>> The OpenBSD version is available in CVS HEAD:
>>> http://www.openbsd.org/anoncvs.html
>>>
>>> Portable OpenSSH is also available via anonymous CVS using the
>>> instructions at http://www.openssh.com/portable.html#cvs or
>>> via Git at https://anongit.mindrot.org/openssh.git/
>>>
>>> Running the regression tests supplied with Portable OpenSSH does not
>>> require installation and is simply:
>>>
>>>     $ ./configure && make tests
>>>
>>> Live testing on suitable non-production systems is also
>>> appreciated. Please send reports of success or failure to
>>> openssh-unix-dev@xxxxxxxxxxx.
>>>
>>> Below is a summary of changes. More detail may be found in the ChangeLog
>>> in the portable OpenSSH tarballs.
>>>
>>> Thanks to the many people who contributed to this release.
>>>
>>> Changes since OpenSSH 6.6
>>> =========================
>>>
>>> Potentially-incompatible changes
>>>
>>>  * sshd(8): The default set of ciphers and MACs has been altered to
>>>    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>>>    are disabled by default.
>>>
>>>    The full set of algorithms remains available if configured
>>>    explicitly via the Ciphers and MACs sshd_config options.
>>>
>>>  * sshd(8): Support for tcpwrappers/libwrap has been removed.
>>>
>>>  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>>>    using the curve25519-sha256@xxxxxxxxxx KEX exchange method to fail
>>>    when connecting with something that implements the specification
>>>    correctly. OpenSSH 6.7 disables this KEX method when speaking to
>>>    one of the affected versions.
>>>
>>> New Features
>>>
>>>  * Major internal refactoring to begin to make part of OpenSSH usable
>>>    as a library. So far the wire parsing, key handling and KRL code
>>>    has been refactored. Please note that we do not consider the API
>>>    stable yet, nor do we offer the library in separable form.
>>>
>>>  * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>>>    A remote TCP port may be forwarded to a local Unix domain socket
>>>    and vice versa or both ends may be a Unix domain socket.
>>>
>>>  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>>>    ED25519 key types.
>>>
>>>  * sftp(1): Allow resumption of interrupted uploads.
>>>
>>>  * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>>>    is the same as the one sent during initial key exchange; bz#2154
>>>
>>>  * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>>>    addresses when GatewayPorts=no; allows client to choose address
>>>    family; bz#2222
>>>
>>>  * sshd(8): Add a sshd_config PermitUserRC option to control whether
>>>    ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>>>    option; bz#2160
>>>
>>>  * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>>>    that expands to a unique identifier based on a hash of the tuple of
>>>    (local host, remote user, hostname, port). Helps avoid exceeding
>>>    miserly pathname limits for Unix domain sockets in multiplexing
>>>    control paths; bz#2220
>>>
>>>  * sshd(8): Make the "Too many authentication failures" message
>>>    include the user, source address, port and protocol in a format
>>>    similar to the authentication success / failure messages; bz#2199
>>>
>>>  * Added unit and fuzz tests for refactored code. These are run
>>>    automatically in portable OpenSSH via the "make tests" target.
>>>
>>> Bugfixes
>>>
>>>  * sshd(8): Fix remote fwding with same listen port but different
>>>    listen address.
>>>
>>>  * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>>>    explicitly listed in ssh_config or on the commandline not to be
>>>    preferred.
>>>
>>>  * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>>>    revoked certificate serial number ranges could be serialised to an
>>>    invalid format. Readers of a broken KRL caused by this bug will
>>>    fail closed, so no should-have-been-revoked key will be accepted.
>>>
>>>  * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>>>    exit status. Previously we were always returning 0; bz#2255
>>>
>>>  * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>>>    randomart border; bz#2247
>>>
>>>  * ssh-agent(1): Only cleanup agent socket in the main agent process
>>>    and not in any subprocesses it may have started (e.g. forked
>>>    askpass). Fixes agent sockets being zapped when askpass processes
>>>    fatal(); bz#2236
>>>
>>>  * ssh-add(1): Make stdout line-buffered; saves partial output getting
>>>    lost when ssh-add fatal()s part-way through (e.g. when listing keys
>>>    from an agent that supports key types that ssh-add doesn't);
>>>    bz#2234
>>>
>>>  * ssh-keygen(1): When hashing or removing hosts, don't choke on
>>>    @revoked markers and don't remove @cert-authority markers; bz#2241
>>>
>>>  * ssh(1): Don't fatal when hostname canonicalisation fails and a
>>>    ProxyCommand is in use; continue and allow the ProxyCommand to
>>>    connect anyway (e.g. to a host with a name outside the DNS behind
>>>    a bastion)
>>>
>>>  * scp(1): When copying local->remote fails during read, don't send
>>>    uninitialised heap to the remote end.
>>>
>>>  * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>>>    filenames with a single quote char somewhere in the string;
>>>    bz#2238
>>>
>>>  * ssh-keyscan(1): Scan for Ed25519 keys by default.
>>>
>>>  * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
>>>    convert any certificate keys to plain keys and attempt SSHFP
>>>    resolution. Prevents a server from skipping SSHFP lookup and
>>>    forcing a new-hostkey dialog by offering only certificate keys.
>>>
>>>  * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>>>
>>>  * Fix some strict-alignment errors.
>>>
>>> Portable OpenSSH
>>>
>>>  * Portable OpenSSH now supports building against libressl-portable.
>>>
>>>  * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>>>    versions are no longer supported.
>>>
>>>  * In the OpenSSL version check, allow fix version upgrades (but not
>>>    downgrades). Debian bug #748150.
>>>
>>>  * sshd(8): On Cygwin, determine privilege separation user at runtime,
>>>    since it may need to be a domain account.
>>>
>>>  * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
>>>    non-root users, and for them it just messes up the tty settings.
>>>
>>>  * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>>>    available. It takes into account time spent suspended, thereby
>>>    ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>>>    bz#2228
>>>
>>>  * Add support for ed25519 to opensshd.init init script.
>>>
>>>  * sftp-server(8): On platforms that support it, use prctl() to
>>>    prevent sftp-server from accessing /proc/self/{mem,maps}
>>>
>>> Reporting Bugs:
>>> ===============
>>>
>>> - Please read http://www.openssh.com/report.html
>>>   Security bugs should be reported directly to openssh@xxxxxxxxxxx
>>>
>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>>> Ben Lindstrom.
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev@xxxxxxxxxxx
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>
>> --
>> # include <stddisclaimer.h>
>> /* Kevin Brott <Kevin.Brott@xxxxxxxxx> */
>>
>
> --
> # include <stddisclaimer.h>
> /* Kevin Brott <Kevin.Brott@xxxxxxxxx> */
>

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott@xxxxxxxxx> */
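The F*1 rows in the report above include hosts whose OpenSSL clears the 0.9.8f floor from the release notes yet still ships no openssl/ec.h (the RHEL 6.0 to 6.4 rows with 1.0.0-fips). The script below is an added example, not part of the original message and not OpenSSH code, that classifies an OpenSSL include tree on both counts before a build is attempted. The function names, result strings and sample header trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenSSH code): result strings and helper names are
# assumptions of this sketch.
MIN_VER=$((0x0090806f))   # 0.9.8f, the floor stated in the 6.7 release notes

# Print OPENSSL_VERSION_NUMBER (hex, no L suffix) from INCLUDE_DIR, if any.
openssl_hex() {
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' \
        "$1/openssl/opensslv.h" 2>/dev/null | head -n 1
}

# Classify INCLUDE_DIR: unknown | too-old | no-ec-header | ec-disabled | ok
probe_openssl_ec() {
    hex=$(openssl_hex "$1")
    if [ -z "$hex" ]; then
        echo unknown
    elif [ "$(($hex))" -lt "$MIN_VER" ]; then
        echo too-old            # fails the version floor
    elif [ ! -f "$1/openssl/ec.h" ]; then
        echo no-ec-header       # passes the version floor, still cannot build
    elif grep -q '^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_NO_EC[[:space:]]*$' \
            "$1/openssl/opensslconf.h" 2>/dev/null; then
        echo ec-disabled        # header shipped but EC compiled out
    else
        echo ok
    fi
}

# Constructed sample trees (not real system headers): DIR HEX [ec]
make_sample() {
    mkdir -p "$1/openssl"
    printf '#define OPENSSL_VERSION_NUMBER\t%sL\n' "$2" > "$1/openssl/opensslv.h"
    : > "$1/openssl/opensslconf.h"
    if [ "$3" = ec ]; then : > "$1/openssl/ec.h"; fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/old"  0x0090701f        # 0.9.7a
    make_sample "$tmp/noec" 0x1000000f        # 1.0.0, EC header absent
    make_sample "$tmp/ec"   0x1000105f ec     # 1.0.1e with ec.h
    for t in old noec ec; do
        printf '%s: %s\n' "$t" "$(probe_openssl_ec "$tmp/$t")"
    done
    rm -rf "$tmp"
}
demo
```

Against a real host, pass the include prefix (for example /usr/include). Where a vendor's opensslconf.h only includes a per-architecture file, the OPENSSL_NO_EC grep will not see the define and the missing-header check is the one that matters.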