Re: Call for testing: OpenSSH 6.9

On 2015-06-07 1:45 PM, aixtools wrote:
On 2015-06-03 2:43 AM, Ron Frederick wrote:
On Jun 2, 2015, at 4:46 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
On Tue, 2 Jun 2015, Ron Frederick wrote:

The privsep chroot path is specified at build time (./configure --with-privsep-path if you want to change it).
Ok, thanks. I've re-run the tests on Linux with --sysconfdir=/etc/ssh
--with-privsep-path=/var/run, and I no longer see either of the issues
mentioned above. With the above config option, all tests passed for me
on Ubuntu 14.04.2 LTS.
You should use /var/run/sshd on Ubuntu. Don't use a directory with other
stuff in it.
I added --with-privsep-path=/var/run/sshd (as non-root) and when I ran "make tests" it aborted when /var/run did not exist - but ran normally when /var/run only exists but is not writeable by the non-root user (i.e., cannot mkdir /var/run/sshd either) - so why die when /var/run is not there?

root@x064:[/]ls -ld /var/run
drwxr-xr-x 2 root system 256 Jun  7 11:31 /var/run
root@x064:[/]ls -l /var/run
total 0

Shall I add a feature request - to have these tests ALSO run as root, so that privsep is tested as downgrading from root, rather than SUDO up to root?

And, if someone will be willing to assist me with how to integrate some tests, I would work on some tests for AIX using AIX's version of RBAC for privilege control. (FYI, I will be researching what sshd actually needs to be run without 'root' as a kickstart - and, in all honesty, am hoping there is some interest to see configuration examples and tests in openssh-portable)

And the message above (about make tests stopping when /var/run does not exist) - looks like I forgot reply to all the first time, sigh.
Ok, thanks. I didn’t actually do an install with those parameters. I was just using them to get around the “/var/empty” error that I got in my previous run, but I’ll keep this in mind if I upgrade OpenSSH myself on that system.


Done. This is now filed as bz#2407. No hurry on this one, as the code
still runs fine at the moment and passes all the tests. I just thought
I’d report it to avoid future problems if those APIs are ever removed.
Most of those are due to Apple soft-deprecating the OpenSSL libcrypto
API as a supported interface. If they ever fully deprecate it, we'll
ask users to build OpenSSH against an independent installation of
libcrypto.
I see. Do you know if there is any way to add something to the Makefile to suppress the warnings in the meantime?

One of the other items I called out in the bug that wasn’t a deprecation was around the assignment of ssh1_3des_cbc to a “do_cipher” function pointer. It looks like the issue there is that ssh1_3des_cbc is declared to take a “size_t” as its last argument, where the do_cipher function pointer is expecting an “unsigned int”. It looks like other instances of functions assigned to do_cipher use the type LIBCRYPTO_EVP_INL_TYPE as the type of this argument, but for some reason this wasn’t done in the ssh1 3des case. This looks like it would be an easy fix, though.

The last issue was clang not liking the “-pie” switch on compilations.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
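
An added example, not part of the original thread and not OpenSSH code: a shell check for the privsep directory advice above (a dedicated directory such as /var/run/sshd with nothing else in it). The function name `check_privsep_dir`, its return codes, and the owner/permission policy (owned by the expected uid, root by default, and not group- or world-writable) are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from OpenSSH): audit a privsep chroot directory.
# Usage: check_privsep_dir DIR [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Returns 0 if OK, 1 missing/not a real directory, 2 wrong owner,
# 3 group- or world-writable, 4 not empty.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}

    # Must exist as a real directory, not a symlink to one.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi

    # ls -ldn prints "mode links uid gid ..." with numeric ids.
    listing=$(ls -ldn -- "$dir")
    mode=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $1 }')
    uid=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $3 }')

    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid" >&2
        return 2
    fi

    # Character 6 of the mode string is group write, character 9 other write.
    case $mode in
        ?????w*|????????w*)
            echo "$dir: group- or world-writable ($mode)" >&2
            return 3
            ;;
    esac

    # The chroot should hold nothing else (ls -A lists dotfiles too).
    if [ -n "$(ls -A -- "$dir")" ]; then
        echo "$dir: not empty" >&2
        return 4
    fi
    return 0
}
```

Run against a shared directory such as /var/run on a typical system, the check reports "not empty", which is the situation the reply about /var/run/sshd warns against.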
