OpenSSH has been configured with the following options:
  User binaries: /opt/bin
  System binaries: /opt/sbin
  Configuration files: /opt/etc
  Askpass program: /opt/libexec/ssh-askpass
  Manual pages: /opt/share/man/manX
  PID file: /opt/etc
  Privilege separation chroot path: /var/empty
  sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
  Manpage format: man
  PAM support: no
  OSF SIA support: no
  KerberosV support: no
  SELinux support: no
  Smartcard support:
  S/KEY support: no
  MD5 password support: no
  libedit support: no
  Solaris process contract support: no
  Solaris project support: no
  IP address in $DISPLAY hack: no
  Translate v4 in v6 hack: no
  BSD Auth support: no
  Random number source: OpenSSL internal ONLY
  Privsep sandbox style: rlimit

  Host: powerpc-ibm-aix5.3.0.0
  Compiler: cc -qlanglvl=extc89
  Compiler flags: -g
  Preprocessor flags:
  Linker flags: -blibpath:/usr/lib:/lib
  Libraries: -lcrypto -lz

Just one example - they are all like this:

cc -qlanglvl=extc89 -g -I. -I. -DSSHDIR=\"/opt/etc\" -D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/opt/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c dns.c -o dns.o
"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name va_copy has been redefined.
"/usr/include/stdarg.h", line 89.9: 1506-358 (I) "va_copy" is defined on line 838 of defines.h.
...
ranlib libssh.a
cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

The error above is a bit unusual.

1) It has been seen before that with -qlanglvl=extc89 va_copy is not found. This is clear, I think, from the stdarg.h file:

+88 #ifdef _ISOC99_SOURCE
+89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
+90 #endif
+91
+92 #endif /* _ANSI_C_SOURCE */

I would think that _ISOC99_SOURCE would not be defined with -qlanglvl=extc89.

2) Simple test:

cat c89.c
#include <stdarg.h>
/*
 * test what gets defined with flag -qlanglvl=extc89 and -qlanglvl=extc99
 */
c89(void *a, void *b)
{
#ifdef _ANSI_C_SOURCE
#ifdef _ISOC99_SOURCE
        va_copy(a,b);
#else
        fake_ansi_copy(a,b);
#endif
#endif
#ifndef _ANSI_C_SOURCE
        fake_noansi_copy(a,b);
#endif
}
main()
{
        char a[4], b[4];
        c89(a,b);
}

root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
        va_copy(a,b);
#line 20
}
main()
{
        char a[4], b[4];
        c89(a,b);
#line 29
}

root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 c89.c
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc99 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
        __builtin_va_copy(a,b);
#line 20
}
main()
{
        char a[4], b[4];
        c89(a,b);
#line 29
}

3) Repeating above steps - prefixed with
CC=xlc export CC

configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
config.status: config.h is unchanged

OpenSSH has been configured with the following options:
  User binaries: /opt/bin
  System binaries: /opt/sbin
  Configuration files: /opt/etc
  Askpass program: /opt/libexec/ssh-askpass
  Manual pages: /opt/share/man/manX
  PID file: /opt/etc
  Privilege separation chroot path: /var/empty
  sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
  Manpage format: man
  PAM support: no
  OSF SIA support: no
  KerberosV support: no
  SELinux support: no
  Smartcard support:
  S/KEY support: no
  MD5 password support: no
  libedit support: no
  Solaris process contract support: no
  Solaris project support: no
  IP address in $DISPLAY hack: no
  Translate v4 in v6 hack: no
  BSD Auth support: no
  Random number source: OpenSSL internal ONLY
  Privsep sandbox style: rlimit

  Host: powerpc-ibm-aix5.3.0.0
  Compiler: xlc
  Compiler flags: -g
  Preprocessor flags:
  Linker flags: -blibpath:/usr/lib:/lib
  Libraries: -lcrypto -lz

gets rid of all the complaints about va_copy being redefined - but still ends up missing .EC_KEY_free

xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make: *** [ssh] Error 8

No idea where this should be coming from (the check in configure is for 0.9.8k as minimum, and that is the level installed)

root@x064:[/data/prj/openbsd/openssh/openssh]lslpp -L | grep openssl
  openssl.base 0.9.8.1101 C F Open Secure Socket Layer
  openssl.license 0.9.8.1101 C F Open Secure Socket License

So this would be building against openssl-0.9.8k (because k is 11th letter)

Conclusion:
regarding CC value: when using IBM C - force to xlc when CC seems to be cc
No idea re: EC_KEY_free (newer openssl needed?)

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.7
> =========================
>
> This is a major release, containing a number of new features as
> well as a large internal re-factoring.
>
> Potentially-incompatible changes
> --------------------------------
>
>  * sshd(8): UseDNS now defaults to 'no'. Configurations that match
>    against the client host name (via sshd_config or authorized_keys)
>    may need to re-enable it or convert to matching against addresses.
>
> New Features
> ------------
>
>  * Much of OpenSSH's internal code has been re-factored to be more
>    library-like. These changes are mostly not user-visible, but
>    have greatly improved OpenSSH's testability and internal layout.
>
>  * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
>    command-line flags to the other tools to control algorithm used
>    for key fingerprints. The default changes from MD5 to SHA256 and
>    format from hex to base64.
>
>    Fingerprints now have the hash algorithm prepended. An example of
>    the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
>    Please note that visual host keys will also be different.
>
>  * ssh(1), sshd(8): Host key rotation support. Add a protocol
>    extension for a server to inform a client of all its available
>    host keys after authentication has completed. The client may
>    record the keys in known_hosts, allowing it to upgrade to better
>    host key algorithms and a server to gracefully rotate its keys.
>
>    The client side of this is controlled by a UpdateHostkeys config
>    option (default on).
>
>  * ssh(1): Add a ssh_config HostbasedKeyType option to control which
>    host public key types are tried during host-based authentication.
>
>  * ssh(1), sshd(8): fix connection-killing host key mismatch errors
>    when sshd offers multiple ECDSA keys of different lengths.
>
>  * ssh(1): when host name canonicalisation is enabled, try to
>    parse host names as addresses before looking them up for
>    canonicalisation. Fixes bz#2074 and avoids needless DNS
>    lookups in some cases.
>
>  * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
>    require OpenSSH to be compiled with OpenSSL support.
>
>  * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
>    authentication.
>
>  * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
>    Bleichenbacher Side Channel Attack. Fake up a bignum key before
>    RSA decryption.
>
>  * sshd(8): Remember which public keys have been used for
>    authentication and refuse to accept previously-used keys.
>    This allows AuthenticationMethods=publickey,publickey to require
>    that users authenticate using two _different_ public keys.
>
>  * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
>    PubkeyAcceptedKeyTypes options to allow sshd to control what
>    public key types will be accepted. Currently defaults to all.
>
>  * sshd(8): Don't count partial authentication success as a failure
>    against MaxAuthTries.
>
>  * ssh(1): Add RevokedHostKeys option for the client to allow
>    text-file or KRL-based revocation of host keys.
>
>  * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>    serial number or key ID without scoping to a particular CA.
>
>  * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>    Match blocks to trigger only in the second config pass.
>
>  * ssh(1): Add a -G option to ssh that causes it to parse its
>    configuration and dump the result to stdout, similar to "sshd -T".
>
>  * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
>  * The regression test suite has been extended to cover more OpenSSH
>    features. The unit tests have been expanded and now cover key
>    exchange.
>
> Bugfixes
> --------
>
>  * ssh-keyscan(1): ssh-keyscan has been made much more robust against
>    servers that hang or violate the SSH protocol.
>
>  * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>    being lost as comment fields.
>
>  * ssh(1): Allow ssh_config Port options set in the second config
>    parse phase to be applied (they were being ignored). bz#2286
>
>  * ssh(1): Tweak config re-parsing with host canonicalisation - make
>    the second pass through the config files always run when host name
>    canonicalisation is enabled (and not whenever the host name
>    changes) bz#2267
>
>  * ssh(1): Fix passing of wildcard forward bind addresses when
>    connection multiplexing is in use; bz#2324;
>
>  * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>    formats; bz#2345.
>
>  * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>    use.
>
>  * Various fixes to manual pages: bz#2288, bz#2316, bz#2273
>
> Portable OpenSSH
> ----------------
>
>  * Support --without-openssl at configure time
>
>    Disables and removes dependency on OpenSSL. Many features,
>    including SSH protocol 1 are not supported and the set of crypto
>    options is greatly restricted. This will only work on systems with
>    native arc4random or /dev/urandom.
>
>    Considered highly experimental for now.
>
>  * Support --without-ssh1 option at configure time
>
>    Allows disabling support for SSH protocol 1.
>
>    Still experimental - not all regression and unit tests have
>    been adapted for the absence of SSH protocol 1.
>
>  * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>
>  * Allow custom service name for sshd on Cygwin. Permits the use of
>    multiple sshd running with different service names.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh@xxxxxxxxxxx
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
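
The fingerprint format change described in the quoted 6.8 release notes (MD5 in hex to SHA256 in base64, with the hash algorithm prepended), as an added example that is not part of the original message or of OpenSSH's own code. The public key line is constructed from fixed bytes and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line() -> str:
    """Constructed sample: well-formed ssh-ed25519 line built from fixed bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 field and check it names the same key type as field one."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode("ascii"):
        raise ValueError("key type does not match key blob")
    return blob


def fingerprint(pubkey_line: str, algorithm: str = "sha256") -> str:
    """Hash the raw key blob and format it with the algorithm name prepended."""
    blob = key_blob(pubkey_line)
    if algorithm == "md5":
        # Old default: MD5 digest shown as colon-separated hex pairs.
        digest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    if algorithm == "sha256":
        # New default: SHA256 digest shown as base64 with '=' padding removed.
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("unsupported fingerprint hash: " + algorithm)


if __name__ == "__main__":
    line = constructed_pubkey_line()
    print(fingerprint(line, "sha256"))
    print(fingerprint(line, "md5"))
```

Host key records or monitoring rules that stored the old hex MD5 strings will not match the new default output, so both forms are worth computing during a migration.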