On Jan 7 09:52, Damien Miller wrote:
> Hi,
>
> We've landed some fairly significant changes in OpenSSH recently and
> would appreciate your help in testing them. The biggest of the changes
> are:
>
> 1. Conversion of the ssh and sshd mainloop from select() to poll()
>
> This should be entirely invisible to users, so any behaviour change
> is a bug. If you see something and want to help debug it further,
> uncomment the DEBUG_CHANNEL_POLL #define in channels.c for heaps of
> extra debug logging.
>
> 2. Restricted agent keys.
>
> This is a large set of changes to add destination- and path-restricted
> keys to ssh-agent. A full writeup is on the website at
> https://www.openssh.com/agent-restrict.html - I'm interested to hear
> feedback on how this works in practice, UI and things that could be
> improved (as well as bug reports).
>
> 3. Running down the remaining RSA/SHA2 corner-cases
>
> There has been a fair bit of work to identify and fix the remaining
> cases where various things behaved badly wrt RSA signature algorithms.
> Recent fixes include hostbased authentication and UpdateHostkeys.
> Again, [almost] any change in visible behaviour here is a bug.
>
> All of these changes are in git and will be in tomorrow's snapshot
> (20220108).

Took me a while but today I tested this on recent Cygwin.

The testsuite fails at one point:

run test hostkey-agent.sh ...
[...]
cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
cert type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@xxxxxxxxxxx
[...]
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
failed hostkey agent

Looking into failed-sshd.log I notice this message for *all*
agent-key.*.pub files:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/home/corinna/tmp/openssh/regress/agent-key.ecdsa-sha2-nistp256.pub": bad permissions

Shouldn't the testsuite have generated the files with correct permissions
in the first place? And then again, these are PUB files. Shouldn't a
644 permission suffice?

Corinna

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
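The warning quoted in the report comes from the permission check sshd applies to key files it loads: a private key file is rejected as "too open" when any group or other permission bit is set. The following Python script is an added example, not code from this thread or from OpenSSH, that applies that same rule to a directory of key files and reports offenders, so a defender can spot the condition before sshd does. It assumes one thing that is not from the page: the `.pub` rule it uses (world-readable is acceptable, but group/other write bits are not) is the author's own choice for an audit, not OpenSSH's behaviour, which is exactly the distinction the report is asking about. The sample directory it builds is constructed, mimicking the `agent-key.*` naming from the regress output.

```python
import os
import stat
import tempfile
from pathlib import Path

# Rule behind sshd's "UNPROTECTED PRIVATE KEY FILE" warning: no group or
# other permission bits may be set on a private key file.
PRIVATE_KEY_FORBIDDEN_BITS = 0o077

# Assumed rule for .pub files (this script's choice, not OpenSSH's):
# anyone may read them, but only the owner may write them.
PUBLIC_KEY_FORBIDDEN_BITS = 0o022


def key_mode_ok(name, mode):
    """Return True if permission bits `mode` are acceptable for key file `name`."""
    forbidden = PUBLIC_KEY_FORBIDDEN_BITS if name.endswith(".pub") else PRIVATE_KEY_FORBIDDEN_BITS
    return (mode & forbidden) == 0


def key_file_problem(path):
    """Return None if the file's permissions are acceptable, else a reason string."""
    p = Path(path)
    mode = stat.S_IMODE(os.stat(p).st_mode)
    if key_mode_ok(p.name, mode):
        return None
    kind = "public" if p.name.endswith(".pub") else "private"
    return f"{kind} key {p}: permissions {mode:04o} are too open"


def audit_key_dir(directory, prefix="agent-key"):
    """Return a sorted list of problems for every `prefix*` file in `directory`."""
    problems = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and p.name.startswith(prefix):
            problem = key_file_problem(p)
            if problem:
                problems.append(problem)
    return problems


def demo():
    """Build a constructed regress-like directory and audit it.

    Two of the four files are deliberately mis-permissioned: a private key
    left at 0644 (the situation sshd rejects) and a .pub left at 0666.
    """
    sample = {
        "agent-key.ed25519": 0o644,        # private key, too open -> flagged
        "agent-key.ed25519.pub": 0o644,    # public key, readable is fine
        "agent-key.ecdsa": 0o600,          # private key, owner only -> ok
        "agent-key.ecdsa.pub": 0o666,      # public key, world-writable -> flagged
    }
    with tempfile.TemporaryDirectory() as d:
        for name, mode in sample.items():
            path = Path(d) / name
            path.write_text("constructed placeholder key material\n")
            os.chmod(path, mode)  # set explicitly so the umask does not interfere
        return audit_key_dir(d)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real `regress/` directory with `audit_key_dir("regress")`; the `demo()` entry point only exercises the logic on constructed files. Note that the private-key rule is applied purely by the absence of a `.pub` suffix, which is the naming convention the regress test uses; sshd itself decides by what it is asked to load, not by file name.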