Re: Call for testing: OpenSSH 7.2

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



The Solaris privilege code breaks building on Solaris 10.  If
you let configure just do its thing, you get the following error
when compiling:

"sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with the Solaris sandbox"

So, I did add "--with-solaris-privs" to the command line for
configure, but then I got the following error messages:

Undefined                       first referenced
 symbol                             in file
priv_basicset openbsd-compat//libopenbsd-compat.a(port-solaris.o)
ld: fatal: symbol referencing errors. No output written to ssh

The function priv_basicset doesn't appear to exist on Solaris 10.

If I set --with-sandbox=none, the compile and "make tests" succeed
(except for the SUDO test, since sudo isn't in the path, and it
wouldn't work without munging the config anyway).

Damien Miller wrote:
Hi,

OpenSSH 7.2 is almost ready for release, so we would appreciate
testing on as many platforms and systems as possible. This release
contains many bugfixes and several new features.

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is available via Git at
https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ autoreconf && ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the git
revision log.

Thanks to the many people who contributed to this release.

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

  * Refusing all RSA keys smaller than 1024 bits (the current minimum
    is 768 bits)

This list reflects our current intentions, but please check the final
release notes for future releases.

Potentially-incompatible changes
================================

This release disables a number of legacy cryptographic algorithms
by default in ssh:

  * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
    and the rijndael-cbc aliases for AES.

  * MD5-based and truncated HMAC algorithms.

These algorithms are already disabled by default in sshd.

Changes since OpenSSH 7.1p2
===========================

This is primarily a bugfix release.

Security
--------

  * ssh(1), sshd(8): remove unfinished and unused roaming code (was
    already forcibly disabled in OpenSSH 7.1p2).
* ssh(1): eliminate fallback from untrusted X11 forwarding to
    trusted forwarding when the X server disables the SECURITY
    extension.

  * ssh(1), sshd(8): increase the minimum modulus size supported for
    diffie-hellman-group-exchange to 2048 bits.

New Features
------------

  * all: add support for RSA signatures using SHA-256/512 hash
    algorithms based on draft-rsa-dsa-sha2-256-03.txt and
    draft-ssh-ext-info-04.txt.

  * ssh(1): Add an AddKeysToAgent client option which can be set to
    'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When
    enabled, a private key that is used during authentication will be
    added to ssh-agent if it is running (with confirmation enabled if
    set to 'confirm').
* sshd(8): add a new authorized_keys option "restrict" that includes
    all current and future key restrictions (no-*-forwarding, etc.).
    Also add permissive versions of the existing restrictions, e.g.
    "no-pty" -> "pty". This simplifies the task of setting up
    restricted keys and ensures they are maximally-restricted,
    regardless of any permissions we might implement in the future.
* ssh(1): add ssh_config CertificateFile option to explicitly list
    certificates. bz#2436
* ssh-keygen(1): allow ssh-keygen to change the key comment for all
    supported formats.

  * ssh-keygen(1): allow fingerprinting from standard input, e.g.
    "ssh-keygen -lf -"

  * ssh-keygen(1): allow fingerprinting multiple public keys in a
    file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319

  * sshd(8): support "none" as an argument for sshd_config
    Foreground and ChrootDirectory. Useful inside Match blocks to
    override a global default. bz#2486

  * ssh-keygen(1): support multiple certificates (one per line) and
    reading from standard input (using "-f -") for "ssh-keygen -L"
* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
    certificates instead of plain keys.
* ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
    hostname canonicalisation - treat them as already canonical and
    trailing '.' before matching ssh_config.

Bugfixes
--------

  * sftp(1): existing destination directories should not terminate
    recursive uploads (regression in openssh 6.8) bz#2528

  * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
    replies to unexpected messages during key exchange. bz#2949

  * ssh(1): refuse attempts to set ConnectionAttempts=0, which does
    not make sense and would cause ssh to print an uninitialised stack
    variable. bz#2500

  * ssh(1): fix errors when attempting to connect to scoped IPv6
    addresses with hostname canonicalisation enabled.

  * sshd_config(5): list a couple more options usable in Match blocks.
    bz#2489

  * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
* ssh(1): expand tilde characters in filenames passed to -i options
    before checking whether or not the identity file exists. Avoids
    confusion for cases where shell doesn't expand (e.g. "-i ~/file"
    vs. "-i~/file"). bz#2481

  * ssh(1): do not prepend "exec" to the shell command run by "Match
    exec" in a config file, which could cause some commands to fail
    in certain environments. bz#2471

  * ssh-keyscan(1): fix output for multiple hosts/addrs on one line
    when host hashing or a non standard port is in use bz#2479
* sshd(8): skip "Could not chdir to home directory" message when
    ChrootDirectory is active. bz#2485

  * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
* sshd(8): avoid changing TunnelForwarding device flags if they are
    already what is needed; makes it possible to use tun/tap
    networking as non-root user if device permissions and interface
    flags are pre-established

  * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
    bz#2521

  * ssh(1): fix multiplexing master failure to notice client exit.

  * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
    empty key IDs. bz#1773

  * sshd(8): avoid printf of NULL argument. bz#2535

  * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
* ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
    support.

  * ssh(1), sshd(8): fix connections with peers that use the key
    exchange guess feature of the protocol. bz#2515

  * sshd(8): include remote port number in log messages. bz#2503

  * ssh(1): don't try to load SSHv1 private key when compiled without
    SSHv1 support. bz#2505

  * ssh-agent(1), ssh(1): fix incorrect error messages during key
    loading and signing errors. bz#2507

  * ssh-keygen(1): don't leave empty temporary files when performing
    known_hosts file edits when known_hosts doesn't exist.

  * sshd(8): correct packet format for tcpip-forward replies for
    requests that don't allocate a port bz#2509

  * ssh(1), sshd(8): fix possible hang on closed output. bz#2469
* ssh(1): expand %i in ControlPath to UID. bz#2449

  * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
* ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182

  * ssh(1): add a some debug output before DNS resolution; it's a
    place where ssh could previously silently stall in cases of
    unresponsive DNS servers. bz#2433
* ssh(1): remove spurious newline in visual hostkey. bz#2686 * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+... * ssh(1): fix expansion of HostkeyAlgorithms=+...

Documentation
-------------

  * ssh_config(5), sshd_config(5): update default algorithm lists to
    match current reality. bz#2527

  * ssh(1): mention -Q key-plain and -Q key-cert query options.
    bz#2455

  * sshd_config(8): more clearly describe what AuthorizedKeysFile=none
    does.

  * ssh_config(5): better document ExitOnForwardFailure. bz#2444

  * sshd(5): mention internal DH-GEX fallback groups in manual.
    bz#2302

  * sshd_config(5): better description for MaxSessions option.
    bz#2531

Portability
-----------

  * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
    Solaris fine-grained privileges. Including a pre-auth privsep
    sandbox and several pledge() emulations. bz#2511

  * Renovate redhat/openssh.spec, removing deprecated options and
    syntax.

  * configure: allow --without-ssl-engine with --without-openssl
* sshd(8): fix multiple authentication using S/Key. bz#2502

  * sshd(8): read back from libcrypto RAND_* before dropping
    privileges.  Avoids sandboxing violations with BoringSSL.

  * Fix name collision with system-provided glob(3) functions.
    bz#2463

  * Adapt Makefile to use ssh-keygen -A when generating host keys.
    bz#2459
* configure: correct default value for --with-ssh1 bz#2457

  * configure: better detection of _res symbol bz#2259

  * support getrandom() syscall on Linux

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
   Security bugs should be reported directly to openssh@xxxxxxxxxxx

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


--
          Jeff Wieland            |         Purdue University
   Network Systems Administrator  |        ITIS UNIX Platforms
       Voice: (765)496-8234       |        155 S. Grant Street
        FAX: (765)496-1380        |      West Lafayette, IN 47907

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux