Re: Call for testing: OpenSSH 8.9

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Current master (bc16667b4a1c3cad7029304853c143a32ae04bd4) fails on Fedora
35 when building building tests with
cc -o regress/unittests/misc/test_misc -L. -Lopenbsd-compat/  -Wl,-z,relro
-Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
 regress/unittests/misc/tests.o regress/unittests/misc/test_parse.o
regress/unittests/misc/test_expand.o regress/unittests/misc/test_convtime.o
regress/unittests/misc/test_argv.o regress/unittests/misc/test_strdelim.o
regress/unittests/misc/test_hpdelim.o \
    regress/unittests/test_helper/libtest_helper.a \
    -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz  -lcrypt
/usr/bin/ld: regress/unittests/misc/test_hpdelim.o: relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a PIE object;
recompile with -fPIE
collect2: error: ld returned 1 exit status
make: *** [Makefile:665: regress/unittests/misc/test_misc] Error 1
Configuration results (after autoreconf && configure):

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH:
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra
-Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter
-Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=all
-fno-builtin-memset -fstack-protector-strong -fPIE
      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-strong -pie
         Libraries: -lcrypto -lz  -lcrypt

On Thu, Feb 10, 2022 at 5:21 AM Damien Miller <djm@xxxxxxxxxxx> wrote:

> Hi,
> OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via git using the
> instructions at
> At or via a mirror at Github:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.
> Future deprecation notice
> =========================
> A near-future release of OpenSSH will switch scp(1) from using the
> legacy scp/rcp protocol to using SFTP by default.
> Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
> "scp host:* .") through the remote shell. This has the side effect of
> requiring double quoting of shell meta-characters in file names
> included on scp(1) command-lines, otherwise they could be interpreted
> as shell commands on the remote side.
> This creates one area of potential incompatibility: scp(1) when using
> the SFTP protocol no longer requires this finicky and brittle quoting,
> and attempts to use it may cause transfers to fail. We consider the
> removal of the need for double-quoting shell characters in file names
> to be a benefit and do not intend to introduce bug-compatibility for
> legacy scp/rcp in scp(1) when using the SFTP protocol.
> Another area of potential incompatibility relates to the use of remote
> paths relative to other user's home directories, for example -
> "scp host:~user/file /tmp". The SFTP protocol has no native way to
> expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
> support a protocol extension "expand-path@xxxxxxxxxxx" to support
> this.
> Potentially-incompatible changes
> ================================
>  * sshd(8), portable OpenSSH only: this release removes in-built
>    support for MD5-hashed passwords. If you require these on your
>    system then we recommend linking against libxcrypt or similar.
>  * This release modifies the FIDO security key middleware interface
>    and increments SSH_SK_VERSION_MAJOR.
> Changes since OpenSSH 8.8
> =========================
> This release includes a number of new features.
> New features
> ------------
>  * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
>    restricting forwarding and use of keys added to ssh-agent(1)
>    A detailed description of the feature is available at
> and the protocol
>    extensions are documented in the PROTOCOL and PROTOCOL.agent
>    files in the source release.
>  * ssh(1), sshd(8): add the sntrup761x25519-sha512@xxxxxxxxxxx hybrid
>    ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
>    default KEXAlgorithms list (after the ECDH methods but before the
>    prime-group DH ones).
>  * ssh-keygen(1): when downloading resident keys from a FIDO token,
>    pass back the user ID that was used when the key was created and
>    append it to the filename the key is written to (if it is not the
>    default). Avoids keys being clobbered if the user created multiple
>    resident keys with the same application string but different user
>    IDs.
>  * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
>    on tokens that provide user verification (UV) on the device itself,
>    including biometric keys, avoiding unnecessary PIN prompts.
>  * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
>    perform matching of principals names against an allowed signers
>    file. To be used towards a TOFU model for SSH signatures in git.
>  * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
>    to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
>    authentication time.
>  * ssh-keygen(1): allow selection of hash at sshsig signing time
>    (either sha512 (default) or sha256).
>  * ssh(1), sshd(8): read network data directly to the packet input
>    buffer instead indirectly via a small stack buffer. Provides a
>    modest performance improvement.
>  * ssh(1), sshd(8): read data directly to the channel input buffer,
>    providing a similar modest performance improvement.
>  * ssh(1): extend the PubkeyAuthentication configuration directive to
>    accept yes|no|unbound|host-bound to allow control over one of the
>    protocol extensions used to implement agent-restricted keys.
> Bugfixes
> --------
>  * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
>    PubkeyAuthOptions can be used in a Match block. PR#277.
>  * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
>    exchange hashes
>  * ssh(1): don't put the TTY into raw mode when SessionType=none,
>    avoids ^C being unable to kill such a session. bz3360
>  * scp(1): fix some corner-case bugs in SFTP-mode handling of
>    ~-prefixed paths.
>  * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
>    select RSA keys when only RSA/SHA2 signature algorithms are
>    configured (this is the default case). Previously RSA keys were
>    not being considered in the default case.
>  * ssh-keysign(1): make ssh-keysign use the requested signature
>    algorithm and not the default for the key type. Part of unbreaking
>    hostbased auth for RSA/SHA2 keys.
>  * ssh(1): stricter UpdateHostkey signature verification logic on
>    the client- side. Require RSA/SHA2 signatures for RSA hostkeys
>    except when RSA/SHA1 was explicitly negotiated during initial
>    KEX; bz3375
>  * ssh(1), sshd(8): fix signature algorithm selection logic for
>    UpdateHostkeys on the server side. The previous code tried to
>    prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
>    cases. This will use RSA/SHA2 signatures for RSA keys if the
>    client proposed these algorithms in initial KEX. bz3375
>  * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
>    This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
>    and sftp-server(8), as well as the sshd(8) listen loop and all
>    other FD read/writability checks. On platforms with missing or
>    broken poll(2)/ppoll(2) syscalls as select(2)-based compat shim is
>    available.
>  * ssh-keygen(1): the "-Y find-principals" command was verifying key
>    validity when using ca certs but not with simple key lifetimes
>    within the allowed signers file.
>  * ssh-keygen(1): make sshsig verify-time argument parsing optional
>  * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
>    keys (we already did this for RSA keys). Avoids fatal errors for
>    PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
>    "cryptoauthlib"; bz#3364
>  * ssh(1), ssh-agent(1): improve the testing of credentials against
>     inserted FIDO: ask the token whether a particular key belongs to
>     it in cases where the token supports on-token user-verification
>     (e.g. biometrics) rather than just assuming that it will accept it.
>     Will reduce spurious "Confirm user presence" notifications for key
>     handles that relate to FIDO keys that are not currently inserted in at
>     least some cases. bz3366
>  * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
>    allow for the preceding two ECN bits. bz#3373
>  * ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
>    option.
>  * ssh-keygen(1): fix a NULL deref when using the find-principals
>    function, when matching an allowed_signers line that contains a
>    namespace restriction, but no restriction specified on the
>    command-line
>  * ssh-agent(1): fix memleak in process_extension(); oss-fuzz
>    issue #42719
>  * ssh(1): suppress "Connection to xxx closed" messages when LogLevel
>    is set to "error" or above. bz3378
>  * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
>    compressed packet data. bz3372
>  * scp(1): when recursively transferring files in SFTP mode, create the
>    destination directory if it doesn't already exist to match scp(1) in
>    legacy RCP mode behaviour.
>  * scp(1): many improvements in error message consistency between scp(1)
>    in SFTP mode vs legacy RCP mode.
>  * sshd(8): fix potential race in SIGTERM handling PR#289
>  * ssh(1), ssh(8): since DSA keys are deprecated, move them to the
>    end of the default list of public keys so that they will be tried
>    last. PR#295
>  * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
>    wildcard principals in allowed_signers files
> Portability
> -----------
>  * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
>    implementation does not work in a chroot when the kernel does not
>    have close_range(2). It tries to read from /proc/self/fd and when
>    that fails dies with an assertion of sorts. Instead, call
>    close_range(2) directly from our compat code and fall back if
>    that fails.  bz#3349,
>  * OS X poll(2) is broken; use compat replacement. For character-
>    special devices like /dev/null, Darwin's poll(2) returns POLLNVAL
>    when polled with POLLIN. Apparently this is Apple bug 3710161 -
>    not public but a websearch will find other OSS projects
>    rediscovering it periodically since it was first identified in
>    2005.
>  * Correct handling of exceptfds/POLLPRI in our select(2)-based
>    poll(2)/ppoll(2) compat implementation.
>  * Cygwin: correct checking of mbstowcs() return value.
>  * Add a basic that refers people to the
>    website.
>  * Enable additional compiler warnings and toolchain hardening flags,
>    including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
>    -fzero-call-used-regs and -ftrivial-auto-var-init.
>  * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
>    is not reliable.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx

Dmitry Belyavskiy
openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux