On 03/15/2017 01:47 AM, Damien Miller wrote:
On Tue, 14 Mar 2017, Jakub Jelen wrote:
Hello,
I don't see this option deprecated in current portable master. Still in place.
How are we going to be able to switch between Sandbox and just privilege
separation?
We might consider some way of disabling sandboxing (apart from editing
the source) if there is user demand, but I think developers/packagers
can figure out sandbox violations pretty easily from dmesg, etc.
That would be very desirable.
The sandbox (at least rlimit if I remember well) had problems with
running under valgrind.
As far as I remember, various people still use this use case to test
other SSH implementations (privsep requires running as root, doesn't it?).
No, only setuid to an unprivileged user needs that; the rest of privsep
including sandboxing is still active if sshd is run as a regular user.
* Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), and
confusing error messages from ssh-keyscan bz#2583.
I would vouch for this bug getting fixed too, in relation to the SSH1 removal:
https://bugzilla.mindrot.org/show_bug.cgi?id=2686
Also this one is a bit confusing:
https://bugzilla.mindrot.org/show_bug.cgi?id=2682
Will take a look.
Thanks. One more thing that I noticed:
Build against OpenSSL 1.1.0 fails, because there is no
EVP_R_BN_DECODE_ERROR defined. The last usage was removed >10 years ago
from OpenSSL sources [1].
I understand that OpenSSL 1.1.0 is not a priority, but I believe it is
not used in other forks either so a compatibility patch (attached) would
probably make sense.
The other tests passed so I guess we are good to go from our side.
[1] https://github.com/openssl/openssl/commit/448be743
Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
diff --git a/sshkey.c b/sshkey.c
index ffc17ce..130217a 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -3815,7 +3815,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
case EVP_R_BAD_DECRYPT:
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
+#ifdef EVP_R_BN_DECODE_ERROR
case EVP_R_BN_DECODE_ERROR:
+#endif
case EVP_R_DECODE_ERROR:
#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
case EVP_R_PRIVATE_KEY_DECODE_ERROR:
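Review bot: the new `#ifdef EVP_R_BN_DECODE_ERROR` guard around the `case EVP_R_BN_DECODE_ERROR:` label carries no comment saying why the label is conditional, so a later cleanup could drop the guard and reintroduce the build failure. A one-line comment above the `#ifdef` noting that the macro is not defined by OpenSSL 1.1.0 headers would record the reason. The guard itself follows the pattern already used for `EVP_R_PRIVATE_KEY_DECODE_ERROR` just below, and because the guarded label sits directly above `case EVP_R_DECODE_ERROR:`, builds where the macro exists keep the same fall-through and builds where it is absent lose only a label that the library no longer defines.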
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev