Re: Call for testing: OpenSSH 8.1

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi all,

thanks for heads up, compiles fine on Illumos based OpenIndiana /hipster distribution:

:; ssh -V
OpenSSH_8.0p1-snap20191002, OpenSSL 1.1.1d  10 Sep 2019

Regards.

On 01.10.2019 13:33, Damien Miller wrote:
Hi,

OpenSSH 8.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
directly to openssh@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Security
========

  * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
    rest in RAM against speculation and memory sidechannel attacks like
    Spectre, Meltdown and Rambleed. This release encrypts private keys
    when they are not in use with a symmetic key that is derived from a
    relatively large "prekey" consisting of random data (currently 16KB).
    Attackers must recover the entire prekey before they are able to
    decrypt the protected private keys, but the current generation of
    attacks have bit error rates that render this unlikely to be
    practical.

Potentially-incompatible changes
================================

This release includes one change that may affect existing
configurations:

  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").

Changes since OpenSSH 8.0
=========================

This release is focused on bugfixing.

New Features
------------

  * ssh(1): Allow %n to be expanded in ProxyCommand strings

  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"

  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
* ssh-keygen(1): print key comment when extracting publc key from a
    private key.  bz#3052

  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too. bz#3003

  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
Bugfixes
--------

  * ssh(1): if a PKCS#11 token returns no keys then try to login and
    refetch them. Based on patch from Jakub Jelen; bz#2430

  * ssh(1): produce a useful error message if the user's shell is set
    incorrectly during "match exec" processing. bz#2791
* sftp(1): allow the maximimum uint32 value for the argument passed
    to -b which allows better error messages from later validation.
    bz#3050
* ssh(1): avoid pledge sandbox violations in some combinations of
    remote forwarding, connection multiplexing and ControlMaster.

  * ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX
    proposal; allows ssh-keyscan to harvest keys from servers that
    disable olde SHA1 ssh-rsa. bz#3029
* sftp(1): print explicit "not modified" message if a file was
    requested for resumed download but was considered already complete.
    bz#2978
* sftp(1): fix a typo and make <esc><right> move right to the
    closest end of a word just like <esc><left> moves left to the
    closest beginning of a word.
* sshd(8): cap the number of permiopen/permitlisten directives
    allowed to appear on a single authorized_keys line.

  * All: fix a number of memory leaks (one-off or on exit paths).

  * Regression tests: a number of fixes and improvments, including
    fixes to the interop tests, adding the ability to run most tests
    on builds that disable OpenSSL support, better support for running
    tests under Valgrind and a number of bugfixes.

  * ssh(1), sshd(8): check for convtime() refusing to accept times that
    resolve to LONG_MAX Reported by Kirk Wolf bz2977
* ssh(1): slightly more instructive error message when the user
    specifies multiple -J options on the commandline. bz3015
* ssh-agent(1): process agent requests for RSA certificate private
    keys using correct signature algorithm when requested. bz3016

  * sftp(1): check for user@host when parsing sftp target. This
    allows user@[1.2.3.4] to work without a path.  bz#2999

  * sshd(8): enlarge format buffer size for certificate serial
    number so the log message can record any 64-bit integer without
    truncation. bz#3012

  * sshd(8): for PermitOpen violations add the remote host and port to
    be able to more easily ascertain the source of the request. Add the
    same logging for PermitListen violations which where not previously
    logged at all.

  * scp(1), sftp(1): use the correct POSIX format style for left
    justification for the transfer progress meter. bz#3002

  * sshd(8) when examining a configureation using sshd -T, assume any
    attibute not provided by -C does not match, which allows it to work
    when sshd_config contains a Match directive with or without -C.
    bz#2858
* ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned no
    slots" warning from log level error to debug. This is common when
    attempting to enumerate keys on smartcard readers with no cards
    plugged in. bz#3058

  * ssh(1), ssh-keygen(1): do not unconditionally log in to PKCS#11
    tokens. Avoids spurious PIN prompts for keys not selected for
    authentication in ssh(1) and when listing public keys available in
    a token using ssh-keygen(1). bz#3006

Portability
-----------

  * ssh(1): fix SIGWINCH delivery of Solaris for multiplexed sessions
    bz#3030

  * ssh(1), sshd(8): fix typo that prevented detection of Linux VRF

  * sshd(8): add no-op implementation of pam_putenv to avoid build
    breakage on platforms where the PAM implementation lacks this
    function (e.g. HP-UX). bz#3008

  * sftp-server(8): fix Solaris privilege sandbox from preventing
    the legacy sftp rename operation from working (was refusing to
    allow hard links to files owned by other users). bz#3036

  * All: add a proc_pidinfo()-based closefrom() for OS X to avoid
    the need to brute-force close all high-numbered file descriptors.
    bz#3049

  * sshd(8): in the Linux seccomp-bpf sandbox, allow mprotect(2) with
    PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened
    heap allocators. Github PR#142

  * sshd(8): in the Linux seccomp-bpf sandbox, allow the s390-specific
    ioctl for ecc hardware support.

  * All: use "doc" man page format if the mandoc(1) tool is present on
    the system. Previously configure would not select the "doc" man
    page format if mandoc was present but nroff was not.

  * sshd(8): don't install duplicate STREAMS modules on Solaris; check
    if STREAMS modules are already installed on a pty before installing
    since when compiling with XPG>=4 they will likely be installed
    already. Prevents hangs and duplicate lines on the terminal.
    bz#2945 and bz#2998,
Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
   Security bugs should be reported directly to openssh@xxxxxxxxxxx

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux