Re: Call for testing: OpenSSH 7.7

Not working on NetBSD-current for obvious reasons:

checking OpenSSL header version... 1010007f (OpenSSL 1.1.0g  2 Nov 2017)
checking OpenSSL library version... configure: error: OpenSSL >= 1.1.0 is not yet supported (have "1010007f (OpenSSL 1.1.0g  2 Nov 2017)")

On Thu, 22 Mar 2018, Damien Miller wrote:

Hi,

OpenSSH 7.7p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
directly to openssh@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* ssh(1)/sshd(8): Drop compatibility support for some very old SSH
  implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
  These versions were all released in or before 2001 and predate the
  final SSH RFCs. The support in question isn't necessary for RFC-
  compliant SSH implementations.

Changes since OpenSSH 7.6
=========================

This is primarily a bugfix release.

New Features
------------

* All: Add experimental support for PQC XMSS keys (Extended Hash-
  Based Signatures) based on the algorithm described in
  https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
  The XMSS signature code is experimental and not compiled in by
  default.

* sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
  to allow conditional configuration that depends on which routing
  domain a connection was received on (currently supported on OpenBSD
  and Linux).

* sshd_config(5): Add an optional rdomain qualifier to the
  ListenAddress directive to allow listening on different routing
  domains. This is supported only on OpenBSD and Linux at present.

* sshd_config(5): Add RDomain directive to allow the authenticated
  session to be placed in an explicit routing domain. This is only
  supported on OpenBSD at present.

* sshd(8): Add "expiry-time" option for authorized_keys files to
  allow for expiring keys.

* ssh(1): Add a BindInterface option to allow binding the outgoing
  connection to an interface's address (basically a more usable
  BindAddress)

* ssh(1): Expose device allocated for tun/tap forwarding via a new
  %T expansion for LocalCommand. This allows LocalCommand to be used
  to prepare the interface.

* sshd(8): Expose the device allocated for tun/tap forwarding via a
  new SSH_TUNNEL environment variable. This allows automatic setup of
  the interface and surrounding network configuration automatically on
  the server.

* ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
  ssh://user@host or sftp://user@host/path.  Additional connection
  parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
  implemented since the ssh fingerprint format in the draft uses the
  deprecated MD5 hash with no way to specify any other algorithm.

* ssh-keygen(1): Allow certificate validity intervals that specify
  only a start or stop time (instead of both or neither).

* sftp(1): Allow "cd" and "lcd" commands with no explicit path
  argument. lcd will change to the local user's home directory as
  usual. cd will change to the starting directory for the session (because
  the protocol offers no way to obtain the remote user's home
  directory). bz#2760

* sshd(8): When doing a config test with sshd -T, only require the
  attributes that are actually used in Match criteria rather than (an
  incomplete list of) all criteria.

* sshd(8): Fix support for clients that advertise a protocol version
  of "1.99" (indicating that they are prepared to accept both SSHv1 and
  SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
  support. bz#2810

Bugfixes
--------

* ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
  a rsa-sha2-256/512 signature was requested. This condition is possible
  when an old or non-OpenSSH agent is in use. bz#2799

* ssh(1)/sshd(8): More strictly check signature types during key
  exchange against what was negotiated. Prevents downgrade of RSA
  signatures made with SHA-256/512 to SHA-1.

* ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
  to fatally exit if presented an invalid signature request message.

* sshd_config(5): Accept yes/no flag options case-insensitively, as
  has been the case in ssh_config(5) for a long time. bz#2664

* ssh(1): Improve error reporting for failures during connection.
  Under some circumstances misleading errors were being shown. bz#2814

* ssh-keyscan(1): Add -D option to allow printing of results directly
  in SSHFP format. bz#2821

* regress tests: fix PuTTY interop test broken in last release's SSHv1
  removal. bz#2823

* ssh(1): Compatibility fix for some servers that erroneously drop the
  connection when the IUTF8 (RFC8160) option is sent.

* scp(1): Disable RemoteCommand and RequestTTY in the ssh session
  started by scp (sftp was already doing this.)

* ssh-keygen(1): Refuse to create a certificate with an unusable
  number of principals.

* ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all of the
  public key during key generation. Previously it would silently
  ignore errors writing the comment and terminating newline.

* ssh(1): Do not modify hostname arguments that are addresses by
  automatically forcing them to lower-case. Instead canonicalise them
  to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
  against known_hosts. bz#2763

* ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
  prompts. bz#2803

* sftp(1): Have sftp print a warning about shell cleanliness when
  decoding the first packet fails, which is usually caused by shells
  polluting stdout of non-interactive startups. bz#2800

* ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
  time to monotonic time, allowing the packet layer to better function
  over a clock step and avoiding possible integer overflows during
  steps.

* Numerous manual page fixes and improvements.

Portability
-----------

* sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
  sandbox violations on some environments.

* sshd(8): Remove UNICOS support. The hardware and software are literal
  museum pieces and support in sshd is too intrusive to justify
  maintaining.

* All: Build and link with "retpoline" flags when available to mitigate
  the "branch target injection" style (variant 2) of the Spectre
  branch-prediction vulnerability.

* All: Add auto-generated dependency information to Makefile.

* Numerous fixes to the RPM spec files.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


--
Hisashi T Fujinaka - htodd@xxxxxxxxxxxx
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
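The signature-type check that the quoted release notes describe (warn when an agent returns an ssh-rsa/SHA-1 signature although rsa-sha2-256/512 was requested; reject any mismatch against the negotiated type during key exchange), as an added Python example that is not OpenSSH's own code. It assumes the standard SSH signature wire layout (string algorithm name followed by string signature blob, RFC 4253 section 6.6) and uses a constructed, meaningless signature blob; the verdict names ("ok", "sha1-downgrade", "mismatch") are this example's own.

```python
import struct

# RFC 8332 RSA/SHA-2 signature algorithm names; "ssh-rsa" is the RSA/SHA-1 one.
RSA_SHA2 = {"rsa-sha2-256", "rsa-sha2-512"}

def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length + bytes), RFC 4251."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset `off`; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def encode_signature(alg: str, sig_blob: bytes) -> bytes:
    """Wire form of an SSH signature: string alg-name, string blob (RFC 4253 6.6)."""
    return put_string(alg.encode("ascii")) + put_string(sig_blob)

def check_signature_type(requested: str, wire_sig: bytes):
    """Parse a signature and compare its algorithm name with the negotiated one.

    Returns (verdict, alg) where verdict is "ok", "sha1-downgrade" (an ssh-rsa
    signature came back although rsa-sha2-* was requested) or "mismatch".
    Malformed input raises ValueError. The caller decides the policy: the
    agent path warns on a downgrade, the key-exchange path rejects any mismatch.
    """
    alg_b, off = get_string(wire_sig, 0)
    _blob, off = get_string(wire_sig, off)
    if off != len(wire_sig):
        raise ValueError("trailing bytes after signature")
    alg = alg_b.decode("ascii")
    if alg == requested:
        return "ok", alg
    if requested in RSA_SHA2 and alg == "ssh-rsa":
        return "sha1-downgrade", alg
    return "mismatch", alg

if __name__ == "__main__":
    # Constructed sample: the blob is not a real RSA signature; only the
    # type-string check is exercised here.
    fake_blob = b"\x01" * 32
    good = encode_signature("rsa-sha2-256", fake_blob)
    downgraded = encode_signature("ssh-rsa", fake_blob)
    print(check_signature_type("rsa-sha2-256", good))        # ('ok', 'rsa-sha2-256')
    print(check_signature_type("rsa-sha2-256", downgraded))  # ('sha1-downgrade', 'ssh-rsa')
```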
