Re: Call for testing: OpenSSH 9.7

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On my test systems:

Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS
Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS
OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL

The failure is with "make tests" specifically when it runs
/Users/rapier/openssh-portable/ssh-keygen -if /Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff - /Users/rapier/openssh-portable/regress/rsa_openssh.prv
key conversion disabled at compile time
0a1,15
> -----BEGIN RSA PRIVATE KEY-----
> // elided //
> -----END RSA PRIVATE KEY-----
make[1]: *** [t1] Error 1

Make t-exec, in contrast, does pass all tests. I'm seeing the same behaviour on Ubuntu 22.04 if I use --without-openssl so I'm guessing this is expected behaviour.


Chris

On 3/4/24 7:24 PM, Damien Miller wrote:

Hi,

OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
directly to openssh@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.

This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.

Changes since OpenSSH 9.6
=========================

This release contains mostly bugfixes.

New features
------------

  * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
    all open channels and will close all open channels if there is no
    traffic on any of them for the specified interval. This is in
    addition to the existing per-channel timeouts added recently.

    This supports situations like having both session and x11
    forwarding channels open where one may be idle for an extended
    period but the other is actively used. The global timeout could
    close both channels when both have been idle for too long.

  * All: make DSA key support compile-time optional, defaulting to on.

Bugfixes
--------

  * sshd(8): don't append an unnecessary space to the end of subsystem
    arguments (bz3667)

  * ssh(1): fix the multiplexing "channel proxy" mode, broken when
    keystroke timing obfuscation was added. (GHPR#463)

  * ssh(1), sshd(8): fix spurious configuration parsing errors when
    options that accept array arguments are overridden (bz3657).

  * Many fixes to manual pages and other documentation, including
    GHPR#462, GHPR#454, GHPR#442 and GHPR#441.

  * Greatly improve interop testing against PuTTY.

Portability
-----------

  * Improve the error message when the autoconf OpenSSL header check
    fails (bz#3668)

  * Improve detection of broken toolchain -fzero-call-used-regs support
    (bz3645).

  * Fix regress/misc/fuzz-harness fuzzers and make them compile without
    warnings when using clang16

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux