Call for testing: OpenSSH 6.7


Damien Miller

Aug 17, 2014, 9:23:41 PM
Hi,

OpenSSH 6.7 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release
containing a number of features, a lot of internal refactoring and some
potentially-incompatible changes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-...@mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.

The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.

* sshd(8): Support for tcpwrappers/libwrap has been removed.

* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve255...@libssh.org KEX exchange method to fail
when connecting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.

New Features

* Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
has been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.

* ssh(1), sshd(8): Add support for Unix domain socket forwarding.
A remote TCP port may be forwarded to a local Unix domain socket
and vice versa or both ends may be a Unix domain socket.

* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.

* sftp(1): Allow resumption of interrupted uploads.

* ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
is the same as the one sent during initial key exchange; bz#2154

* sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
addresses when GatewayPorts=no; allows client to choose address
family; bz#2222

* sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option; bz#2160

* ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
that expands to a unique identifier based on a hash of the tuple of
(local host, remote user, hostname, port). Helps avoid exceeding
miserly pathname limits for Unix domain sockets in multiplexing
control paths; bz#2220

* sshd(8): Make the "Too many authentication failures" message
include the user, source address, port and protocol in a format
similar to the authentication success / failure messages; bz#2199

* Added unit and fuzz tests for refactored code. These are run
automatically in portable OpenSSH via the "make tests" target.

Bugfixes

* sshd(8): Fix remote fwding with same listen port but different
listen address.

* ssh(1): Fix inverted test that caused PKCS#11 keys that were
explicitly listed in ssh_config or on the commandline not to be
preferred.

* ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
revoked certificate serial number ranges could be serialised to an
invalid format. Readers of a broken KRL caused by this bug will
fail closed, so no should-have-been-revoked key will be accepted.

* ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
exit status. Previously we were always returning 0; bz#2255

* ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
randomart border; bz#2247

* ssh-agent(1): Only cleanup agent socket in the main agent process
and not in any subprocesses it may have started (e.g. forked
askpass). Fixes agent sockets being zapped when askpass processes
fatal(); bz#2236

* ssh-add(1): Make stdout line-buffered; saves partial output getting
lost when ssh-add fatal()s part-way through (e.g. when listing keys
from an agent that supports key types that ssh-add doesn't);
bz#2234

* ssh-keygen(1): When hashing or removing hosts, don't choke on
@revoked markers and don't remove @cert-authority markers; bz#2241

* ssh(1): Don't fatal when hostname canonicalisation fails and a
ProxyCommand is in use; continue and allow the ProxyCommand to
connect anyway (e.g. to a host with a name outside the DNS behind
a bastion)

* scp(1): When copying local->remote fails during read, don't send
uninitialised heap to the remote end.

* sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
filenames with a single quote char somewhere in the string;
bz#2238

* ssh-keyscan(1): Scan for Ed25519 keys by default.

* ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
convert any certificate keys to plain keys and attempt SSHFP
resolution. Prevents a server from skipping SSHFP lookup and
forcing a new-hostkey dialog by offering only certificate keys.

* sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225

* Fix some strict-alignment errors.

Portable OpenSSH

* Portable OpenSSH now supports building against libressl-portable.

* Portable OpenSSH now requires openssl 0.9.8f or greater. Older
versions are no longer supported.

* In the OpenSSL version check, allow fix version upgrades (but not
downgrades). Debian bug #748150.

* sshd(8): On Cygwin, determine privilege separation user at runtime,
since it may need to be a domain account.

* sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
non-root users, and for them it just messes up the tty settings.

* Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It takes into account time spent suspended, thereby
ensuring timeouts (e.g. for expiring agent keys) fire correctly.
bz#2228

* Add support for ed25519 to opensshd.init init script.

* sftp-server(8): On platforms that support it, use prctl() to
prevent sftp-server from accessing /proc/self/{mem,maps}

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to ope...@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
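
The announcement above says CBC ciphers and arcfour* leave sshd's defaults but stay available when listed explicitly in the Ciphers option. The following is an added example, not part of the original message or of OpenSSH: a small audit that reports which of those algorithms an sshd_config re-enables. The function names, the glob patterns and the sample configuration are assumptions constructed for illustration; MACs are not checked because the announcement does not name the ones removed.

```python
import fnmatch

# Glob patterns for the cipher families the announcement names:
# CBC-mode ciphers and arcfour*. (Pattern list is an assumption of this example.)
DROPPED_CIPHER_PATTERNS = ("*-cbc", "*-cbc@*", "arcfour*")


def parse_keyword(line):
    """Split one sshd_config line into (lowercased keyword, argument string).

    Returns None for blank lines and comments. Keyword and arguments may be
    separated by whitespace and optionally a single '='.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    for i, ch in enumerate(stripped):
        if ch in " \t=":
            keyword, rest = stripped[:i], stripped[i:]
            break
    else:
        # Keyword with no argument at all.
        return stripped.lower(), ""
    rest = rest.lstrip(" \t")
    if rest.startswith("="):
        rest = rest[1:]
    return keyword.lower(), rest.strip().strip('"')


def audit_ciphers(config_text):
    """Return (line_number, flagged_ciphers) for the effective Ciphers line.

    sshd keeps the first value it obtains for a keyword, so only the first
    Ciphers line is evaluated; later ones are ignored by the daemon.
    Returns (None, []) when no Ciphers line exists and the defaults apply.
    """
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_keyword(line)
        if parsed is None or parsed[0] != "ciphers":
            continue
        names = [n.strip() for n in parsed[1].split(",") if n.strip()]
        flagged = [
            n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), p)
                   for p in DROPPED_CIPHER_PATTERNS)
        ]
        return lineno, flagged
    return None, []


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """\
# constructed sample
Port 22
ciphers = aes128-ctr,aes256-cbc,arcfour256,chacha20-poly1305@openssh.com
Ciphers aes128-cbc
"""

if __name__ == "__main__":
    lineno, flagged = audit_ciphers(SAMPLE_CONFIG)
    if lineno is None:
        print("No Ciphers line: sshd defaults apply")
    elif flagged:
        print("line %d re-enables: %s" % (lineno, ", ".join(flagged)))
    else:
        print("line %d lists no CBC or arcfour ciphers" % lineno)
```

Running the same check against the configuration before and after an upgrade shows whether a host depends on the old defaults or has the legacy ciphers pinned explicitly.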

Dirk-Willem van Gulik

Aug 18, 2014, 5:27:44 AM

On 18 Aug 2014, at 03:23, Damien Miller <d...@mindrot.org> wrote:

With this fix:

> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
> explicitly listed in ssh_config or on the commandline not to be
> preferred.

A fairly broad range of pin-keypad readers as often used in healthcare have sprung to life. Would be nice if you could
also apply the patch below.

The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory.

Thanks,

Dw.

* Allow for PIN/password entry on the keypad of the chipcard reader.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
si = &k11->provider->slotinfo[k11->slotidx];
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
if (!pkcs11_interactive) {
- error("need pin");
+ error("need pin entry%s",
+ (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
return (-1);
}
- snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
- si->token.label);
- pin = read_passphrase(prompt, RP_ALLOW_EOF);
- if (pin == NULL)
- return (-1); /* bail out */
- if ((rv = f->C_Login(si->session, CKU_USER,
- (u_char *)pin, strlen(pin))) != CKR_OK) {
- free(pin);
+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+ verbose("Deferring PIN entry to keypad of chipcard reader.");
+ pin = NULL;
+ } else {
+ snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+ si->token.label);
+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
+ if (pin == NULL)
+ return (-1); /* bail out */
+ };
+ if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0))
+ != CKR_OK) {
+ if (pin) free(pin);
error("C_Login failed: %lu", rv);
return (-1);
}
- free(pin);
+ if (pin) free(pin);
si->logged_in = 1;
}
key_filter[1].pValue = k11->keyid;
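
Review bot: The new C_Login call drops the `(u_char *)` cast that the removed call had, so `pin` (the value returned by read_passphrase and passed to strlen) is now handed to C_Login with a mismatched pointer type; keep the cast, as in `(u_char *)pin`. The `if (pin) free(pin);` guards are unnecessary because free(NULL) is a no-op, and the `};` closing the else branch leaves a stray empty statement. A short comment on the keypad branch saying that a NULL PIN with length 0 is what asks the token to use its protected authentication path would help, since that is not obvious from the call itself.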

Gaetan Bisson

Aug 18, 2014, 6:04:06 AM
Hi,

[2014-08-18 11:23:41 +1000] Damien Miller:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

(Not that this is important, but) running `make tests` I get:

run test connect.sh ...
nologin: invalid option -- 'c'

Usage:
nologin [options]

Options:
-h, --help display this help and exit
-V, --version output version information and exit

For more details see nologin(8).
ssh connect with protocol 1 failed

My nologin binary identifies itself as:

$ nologin --version
nologin from util-linux 2.25

I got it straight from my distro (Arch Linux).

Other than that, I have experienced no regression so far with
openssh-SNAP-20140818; but if I do I will report them here...

Cheers.

--
Gaetan

Corinna Vinschen

Aug 18, 2014, 8:45:40 AM
On Aug 18 11:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

I tested from CVS HEAD and there's a bug in serverloop.c. On systems
not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
error. Here's a patch:

Index: serverloop.c
===================================================================
RCS file: /cvs/openssh/serverloop.c,v
retrieving revision 1.181
diff -u -p -r1.181 serverloop.c
--- serverloop.c 18 Jul 2014 04:11:26 -0000 1.181
+++ serverloop.c 18 Aug 2014 12:33:02 -0000
@@ -1173,9 +1173,9 @@ server_input_global_request(int type, u_
/* check permissions */
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
no_port_forwarding_flag ||
- (!want_reply && fwd.listen_port == 0) ||
+ (!want_reply && fwd.listen_port == 0)
#ifndef NO_IPPORT_RESERVED_CONCEPT
- (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
+ || (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
pw->pw_uid != 0)
#endif
) {
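
Review bot: With the `||` moved inside the `#ifndef NO_IPPORT_RESERVED_CONCEPT` block the condition is complete either way, but the `if` still has an operator and its operand split across a preprocessor conditional, which is how a stray `||` could get in. Consider hoisting the reserved-port test (`fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED && pw->pw_uid != 0`) into a small helper or macro that evaluates to 0 when NO_IPPORT_RESERVED_CONCEPT is defined, so this permission check reads as one unconditional expression.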

Also, I can't run the testsuite on Cygwin anymore:

$ make tests
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || \
mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || \
mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || \
mkdir -p `pwd`/regress/unittests/sshkey
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd ../src && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && make)
make[1]: Entering directory '/home/corinna/src/openssh/build/openbsd-compat'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/corinna/src/openssh/build/openbsd-compat'
gcc -g -O2 [...options...] -o regress/modpipe.exe ../src/regress/modpipe.c \
-L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
gcc -g -O2 [...options...] -o regress/setuid-allowed.exe ../src/regress/setuid-allowed.c \
-L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop.

This is using GNU make. I'm not sure what's missing. Is that because
I'm not building in the source dir, by any chance?


Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

Kevin Brott

Aug 18, 2014, 12:18:38 PM
Ugh - so, forgot to RT the list ... and another failed buildhost ...

I know these are legacy OS versions - but they're still in use here so ...

OS          Build_Target       CC            OpenSSL        BUILD   TEST
==========  =================  ============  =============  ======  =================
Centos 2.1  i386-redhat-linux  gcc 2.9.6     0.9.6b-engine  FAIL*1
RHEL 3.4    i386-redhat-linux  gcc 3.2.3-47  0.9.7a         FAIL*1

make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
arc4random.c
In file included from ../buffer.h:24,
from ../entropy.h:30,
from ../includes.h:177,
from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
[root@localhost openssh]# find ec.h
find: ec.h: No such file or directory




On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <d...@mindrot.org> wrote:

> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
> explicitly listed in ssh_config or on the commandline not to be
> preferred.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-...@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Kevin Brott

Aug 18, 2014, 1:00:03 PM
So apparently openssl/ec.h didn't show up earlier than 0.9.8m. Right now
it's looking like any system with earlier versions will configure, but fail
to build off the bat.

Corinna Vinschen

Aug 18, 2014, 1:03:06 PM
On Aug 18 14:45, Corinna Vinschen wrote:
> On Aug 18 11:23, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
>
No, it's not. Even when building in the source dir, `make tests'
fails as above.

Kevin Brott

Aug 18, 2014, 4:33:49 PM
Requirement for ec.h breaks all builds on systems without the EC feature (*all
Red Hat [probably variants as well] below 6.5*). New linking issue with
gcc on AIX before tests run. Same systems built 6.6 release without issue.

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140819.tar.gz

OS              Build_Target            CC                 OpenSSL        BUILD   TEST
==============  ======================  =================  =============  ======  ================
Centos 2.1      i386-redhat-linux       gcc 2.9.6          0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47       0.9.7a         FAIL*1
Fedora Core r2  i386-redhat-linux       gcc 3.3.3-7        0.9.7a         FAIL*1
RHEL 4.8        i386-redhat-linux       gcc 3.4.6-11       0.9.7a         FAIL*1
RHEL 4.8        x86_64-redhat-linux     gcc 3.4.6-11       0.9.7a         FAIL*1
RHEL 5.4        i386-redhat-linux       gcc 4.1.2-46       0.9.8e-fips    FAIL*1
RHEL 5.4        x86_64-redhat-linux     gcc 4.1.2-46       0.9.8e-fips    FAIL*1
RHEL 5.5        i386-redhat-linux       gcc 4.1.2-48       0.9.8e-fips    FAIL*1
RHEL 5.5        x86_64-redhat-linux     gcc 4.1.2-48       0.9.8e-fips    FAIL*1
RHEL 5.6        i386-redhat-linux       gcc 4.1.2-50       0.9.8e-fips    FAIL*1
RHEL 5.6        x86_64-redhat-linux     gcc 4.1.2-50       0.9.8e-fips    FAIL*1
RHEL 5.7        i386-redhat-linux       gcc 4.1.2-51       0.9.8e-fips    FAIL*1
RHEL 5.7        x86_64-redhat-linux     gcc 4.1.2-51       0.9.8e-fips    FAIL*1
RHEL 5.8        i386-redhat-linux       gcc 4.1.2-52       0.9.8e-fips    FAIL*1
RHEL 5.8        x86_64-redhat-linux     gcc 4.1.2-52       0.9.8e-fips    FAIL*1
RHEL 5.9        i386-redhat-linux       gcc 4.1.2-54       0.9.8e-fips    FAIL*1
RHEL 5.9        x86_64-redhat-linux     gcc 4.1.2-54       0.9.8e-fips    FAIL*1
RHEL 5.10       i686-redhat-linux       gcc 4.1.2-54       0.9.8e-fips    FAIL*1
RHEL 5.10       x86_64-redhat-linux     gcc 4.1.2-54       0.9.8e-fips    FAIL*1
RHEL 6.0        i686-redhat-linux       gcc 4.4.4-13       1.0.0-fips     FAIL*1
RHEL 6.0        x86_64-redhat-linux     gcc 4.4.4-13       1.0.0-fips     FAIL*1
RHEL 6.1        i686-redhat-linux       gcc 4.4.5-6        1.0.0-fips     FAIL*1
RHEL 6.1        x86_64-redhat-linux     gcc 4.4.5-6        1.0.0-fips     FAIL*1
RHEL 6.2        i686-redhat-linux       gcc 4.4.6-3        1.0.0-fips     FAIL*1
RHEL 6.2        x86_64-redhat-linux     gcc 4.4.6-3        1.0.0-fips     FAIL*1
RHEL 6.3        i686-redhat-linux       gcc 4.4.7-3        1.0.0-fips     FAIL*1
RHEL 6.3        x86_64-redhat-linux     gcc 4.4.7-3        1.0.0-fips     FAIL*1
RHEL 6.4        i686-redhat-linux       gcc 4.4.7-3        1.0.0-fips     FAIL*1
RHEL 6.4        x86_64-redhat-linux     gcc 4.4.7-3        1.0.0-fips     FAIL*1
RHEL 6.5        i686-redhat-linux       gcc 4.4.7-4        1.0.1e-fips    OK      all tests passed
RHEL 6.5        x86_64-redhat-linux     gcc 4.4.7-4        1.0.1e-fips    OK      all tests passed
RHEL 7.0        x86_64-redhat-linux     gcc 4.8.2-16       1.0.1e-fips    OK      all tests passed
Debian 7.6      x86_64-linux-gnu        gcc Debian 4.7.2-5 1.0.1e         OK      all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3        0.9.8k         FAIL*1
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0  xlc 8.0.0.16       0.9.8k         FAIL*1
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  gcc 4.2.0          0.9.8y         FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  xlc 11.1.0.6       0.9.8y         OK      all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  gcc 4.4.7          1.0.1e         FAIL*2
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  xlc 12.1.0.6       1.0.1e         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       gcc 4.3.1          0.9.8w         OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       C/aC++ C.11.23.12  0.9.8w         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       gcc 4.6.2          0.9.8t         OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       C/aC++ C.11.31.05  0.9.8t         OK      all tests passed

RHL Red Hat Linux
RHEL Red Hat Enterprise Linux

F*1 Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
and AIX 5.3+ have in-place upgrades
make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
arc4random.c
In file included from ../buffer.h:24,
from ../entropy.h:30,
from ../includes.h:177,
from arc4random.c:27:
../sshbuf.h:25:24: openssl/ec.h: No such file or directory
make[1]: *** [arc4random.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

F*2 gcc on AIX - linking fails just before tests start - i.e.
gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
-Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
regress/unittests/sshbuf/test_sshbuf.o
regress/unittests/sshbuf/test_sshbuf_getput_basic.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_misc.o
regress/unittests/sshbuf/test_sshbuf_fuzz.o
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
regress/unittests/sshbuf/test_sshbuf_fixed.o \
-L regress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshbuf/test_sshbuf] Error 1
>> On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <d...@mindrot.org> wrote:
>>
>>> Hi,
>>>
>>> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a big release
>>> containing a number of features, a lot of internal refactoring and some
>>> potentially-incompatible changes.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>

Hisashi T Fujinaka

Aug 18, 2014, 5:15:57 PM
NetBSD-current amd64

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-dss.c -o ssh-dss.o
ssh-dss.c: In function 'ssh_dss_sign':
ssh-dss.c:50:2: error: unknown type name 'DSA_SIG'
DSA_SIG *sig = NULL;



--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

Iain Morgan

Aug 18, 2014, 8:11:09 PM
On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>

The 20140819 snapshot successfully builds and passes the tests on RHEL
6.5/x86_64 w/OpenSSL 1.0.1i.

Regarding the removal of TCP wrapper support, it would be good to remove
references to it in the contrib/*/openssh.spec files:

% egrep -i 'netkit|wrapper|tcpd' */openssh.spec
caldera/openssh.spec: --with-tcp-wrappers \
redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
redhat/openssh.spec: --with-tcp-wrappers \
suse/openssh.spec:# TCP Wrappers (tcpd-devel),
suse/openssh.spec:BuildPrereq: tcpd-devel
suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers
support
suse/openssh.spec: --with-tcp-wrappers \

There are also references to tcpd or libwrap in INSTALL and
contrib/cygwin/README that should probably be removed or revised.

--
Iain Morgan

Damien Miller

Aug 18, 2014, 9:19:45 PM
On Mon, 18 Aug 2014, Corinna Vinschen wrote:

> I tested from CVS HEAD and there's a bug in serverloop.c. On systems
> not defining NO_IPPORT_RESERVED_CONCEPT, a stray "||" leads to a syntax
> error. Here's a patch:
>
> Index: serverloop.c

applied - thanks.

> Also, I can't run the testsuite on Cygwin anymore:
[...]
> -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz /usr/lib/textreadmode.o -lcrypt
> make: *** No rule to make target 'regress/unittests/sshbuf/tests.o', needed by 'regress/unittests/sshbuf/test_sshbuf.exe'. Stop.
>
> This is using GNU make. I'm not sure what's missing. Is that because
> I'm not building in the source dir, by any chance?

I don't think so - it works on Ubuntu with GNU Make and building outside
the source directory. There is probably some other make trickery that
I've messed up.

-d

Damien Miller

Aug 18, 2014, 9:23:49 PM
On Mon, 18 Aug 2014, Kevin Brott wrote:

> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>
> from ../entropy.h:30,
> from ../includes.h:177,
> from arc4random.c:27:
> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory

This should help:

Index: sshbuf.h
===================================================================
RCS file: /var/cvs/openssh/sshbuf.h,v
retrieving revision 1.4
diff -u -p -r1.4 sshbuf.h
--- sshbuf.h 2 Jul 2014 05:28:04 -0000 1.4
+++ sshbuf.h 19 Aug 2014 01:23:22 -0000
@@ -21,8 +21,12 @@
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
-#include <openssl/bn.h>
-#include <openssl/ec.h>
+#ifdef WITH_OPENSSL
+# include <openssl/bn.h>
+# ifdef OPENSSL_HAS_ECC
+# include <openssl/ec.h>
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */

#define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
#define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
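
Review bot: The new guards around the `<openssl/bn.h>` and `<openssl/ec.h>` includes depend on WITH_OPENSSL and OPENSSL_HAS_ECC already being defined when sshbuf.h is read, and the only includes visible ahead of them are `<sys/types.h>`, `<stdarg.h>` and `<stdio.h>`. A file that includes sshbuf.h before the configure-generated definitions would silently get neither header, so a comment stating that requirement (or an include of the defining header here) would make the dependency explicit.
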
@@ -204,17 +208,19 @@ int sshbuf_peek_string_direct(const stru
* Functions to extract or store SSH wire encoded bignums and elliptic
* curve points.
*/
+int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
+#ifdef WITH_OPENSSL
int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v);
int sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v);
int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
int sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v);
-int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
-#if !defined(WITH_OPENSSL) || defined(OPENSSL_HAS_ECC)
+# ifdef OPENSSL_HAS_ECC
int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
int sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
int sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
-#endif
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */

/* Dump the contents of the buffer in a human-readable format */
void sshbuf_dump(struct sshbuf *buf, FILE *f);
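
Review bot: Nesting the bignum prototypes under `#ifdef WITH_OPENSSL` means any caller of sshbuf_get_bignum2() or sshbuf_put_bignum2() compiled without that macro in effect now gets only an implicit-declaration warning, so the callers need the same guard. The EC prototypes also change meaning: the removed `#if !defined(WITH_OPENSSL) || defined(OPENSSL_HAS_ECC)` exposed them in builds without OpenSSL, while the new nesting hides them there; if that is intended it deserves a line in the commit message. The block comment above still describes only bignum and elliptic-curve functions, although sshbuf_put_bignum2_bytes() now sits outside both guards.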

Damien Miller

Aug 18, 2014, 9:30:51 PM
On Mon, 18 Aug 2014, Kevin Brott wrote:

> Requirement for ec.h breaks all builds on systems without the EC feature (*all
> Red Hat [probably variants as well] below 6.5*). New linking issue with
> gcc on AIX before tests run. Same systems built 6.6 release without issue.

Thanks again Kevin for the exhaustive testing.

> F*1 Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
> and AIX 5.3+ have in-place upgrades

I've committed a fix for this (the one I sent in a patch a few minutes ago).

> F*2 gcc on AIX - linking fails just before tests start - i.e.
> gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
> -Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
> regress/unittests/sshbuf/test_sshbuf.o
> regress/unittests/sshbuf/test_sshbuf_getput_basic.o
> regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
> regress/unittests/sshbuf/test_sshbuf_misc.o
> regress/unittests/sshbuf/test_sshbuf_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
> regress/unittests/sshbuf/test_sshbuf_fixed.o \
> -L regress/unittests/test_helper -ltest_helper \
> -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
> collect2: library libtest_helper not found

Does libtest_helper.a get created okay? It should be under
regress/unittests/test_helper/libtest_helper.a

-d

Damien Miller

Aug 18, 2014, 9:32:56 PM
On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> NetBSD-current amd64

...

> ssh-dss.c: In function 'ssh_dss_sign':
> ssh-dss.c:50:2: error: unknown type name 'DSA_SIG'
> DSA_SIG *sig = NULL;

Thanks - I think this should fix it (already committed).

Index: ssh-dss.c
===================================================================
RCS file: /var/cvs/openssh/ssh-dss.c,v
retrieving revision 1.33
diff -u -p -r1.33 ssh-dss.c
--- ssh-dss.c 2 Jul 2014 05:28:03 -0000 1.33
+++ ssh-dss.c 19 Aug 2014 01:31:26 -0000
@@ -28,6 +28,7 @@
#include <sys/types.h>

#include <openssl/bn.h>
+#include <openssl/dsa.h>
#include <openssl/evp.h>

#include <stdarg.h>
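
Review bot: The `<openssl/dsa.h>` include is added unconditionally next to `<openssl/bn.h>` and `<openssl/evp.h>`; if ssh-dss.c can be compiled in a build without OpenSSL, all three want a WITH_OPENSSL guard like the one the sshbuf.h patch introduces. The missing DSA_SIG type suggests the file was relying on dsa.h arriving through another header, so other key-type sources that use OpenSSL types are worth checking for the same indirect dependency.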

Damien Miller

Aug 18, 2014, 9:36:16 PM
On Mon, 18 Aug 2014, Iain Morgan wrote:

> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
...

> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.

Done - thanks for the reminder.

-d

Kevin Brott

Aug 18, 2014, 11:06:59 PM
Will test this out in the morning. Will this be in the 0820 snapshot?
--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Kevin Brott

Aug 18, 2014, 11:04:04 PM
Going to throw in my $.02 here (late) but I really think this is a bad
move. AIX doesn't natively do tcp wrappers (yes there is a *shudder* rpm
for it), but I literally just today stopped a minor syslog DoS caused by
some "monitoring" software slamming at my sshd process every second and
causing auth.log to grow like nobody's business, making it unparseable and
full of useless noise.

How did I stop it quickly? Created a /etc/hosts.deny file and threw this
into it ... knowing that sshd would process it and silently drop the
connections:
sshd : ip.add.re.ss : severity debug : deny

Yes, I could have run genfilt, if the server had ipsec4 filtering already
configured and running (it didn't). But I could write out a one-line file,
bounce sshd, and voila! Silent droppage of unwanted connections (except
into the separate debug log I was using for evidence).

I know it's a moot point at this juncture, but I disagree with the decision.



On Mon, Aug 18, 2014 at 5:11 PM, Iain Morgan <imo...@nas.nasa.gov> wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
>
> The 20140819 snapshot successfully builds and passes the tests on RHEL
> 6.5/x86_64 w/OpenSSL 1.0.1i.
>
> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
>
> % egrep -i 'netkit|wrapper|tcpd' */openssh.spec
> caldera/openssh.spec: --with-tcp-wrappers \
> redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
> redhat/openssh.spec: --with-tcp-wrappers \
> suse/openssh.spec:# TCP Wrappers (tcpd-devel),
> suse/openssh.spec:BuildPrereq: tcpd-devel
> suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers
> support
> suse/openssh.spec: --with-tcp-wrappers \
>
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.
>
> --
> Iain Morgan

Damien Miller

Aug 19, 2014, 12:26:06 AM


On Mon, 18 Aug 2014, Kevin Brott wrote:

> Will test this out in the morning. Will this be in the 0820 snapshot?

Yes, it should be.

-d

Hisashi T Fujinaka

Aug 19, 2014, 1:49:27 AM
On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> NetBSD-current amd64
> ...
>
> Thanks - I think this should fix it (already committed).

Next one:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-ecdsa.c -o ssh-ecdsa.o
ssh-ecdsa.c: In function 'ssh_ecdsa_sign':
ssh-ecdsa.c:83:2: warning: implicit declaration of function 'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
^
ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
ssh-ecdsa.c:155:2: warning: implicit declaration of function 'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

Damien Miller

Aug 19, 2014, 2:14:13 AM
On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> Next one:
...
> 'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
> if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
> ^
> ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
> ssh-ecdsa.c:155:2: warning: implicit declaration of function
> 'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
> if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||

That's strange - does your config.h have "#define WITH_OPENSSL 1" in it?

-d

Hisashi T Fujinaka

Aug 19, 2014, 2:31:27 AM
Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
and it still has the same error.

Perhaps the version of openssl is wrong?

On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> Next one:
> ...
>> 'sshbuf_put_bignum2' [-Wimplicit-function-declaration]
>> if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
>> ^
>> ssh-ecdsa.c: In function 'ssh_ecdsa_verify':
>> ssh-ecdsa.c:155:2: warning: implicit declaration of function
>> 'sshbuf_get_bignum2' [-Wimplicit-function-declaration]
>> if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
>
> That's strange - does your config.h have "#define WITH_OPENSSL 1" in it?
>
> -d
>

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

Damien Miller

Aug 19, 2014, 2:40:41 AM
On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
> and it still has the same error.
>
> Perhaps the version of openssl is wrong?

no, the prototypes the compiler is complaining about are in sshbuf.h

Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?

-d

Hisashi T Fujinaka

Aug 19, 2014, 2:42:34 AM
On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
>> and it still has the same error.
>>
>> Perhaps the version of openssl is wrong?
>
> no, the prototypes the compiler is complaining about are in sshbuf.h
>
> Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?

Here they are.
ssh-ecdsa.c
sshbuf.h
config.h

Damien Miller

Aug 19, 2014, 5:57:57 AM
On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:

> On Tue, 19 Aug 2014, Damien Miller wrote:
>
> > On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
> >
> > > Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
> > > and it still has the same error.
> > >
> > > Perhaps the version of openssl is wrong?
> >
> > no, the prototypes the compiler is complaining about are in sshbuf.h
> >
> > Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?
>
> Here they are.

It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
My config.h has "#define WITH_OPENSSL 1"

Could you please try running "autoreconf" and starting from ./configure again.

Corinna Vinschen

Aug 19, 2014, 5:59:28 AM
On Aug 19 11:36, Damien Miller wrote:
> On Mon, 18 Aug 2014, Iain Morgan wrote:
>
> > Regarding the removal of TCP wrapper support, it would be good to remove
> > references to it in the contrib/*/openssh.spec files:
> ...
>
> > There are also references to tcpd or libwrap in INSTALL and
> > contrib/cygwin/README that should probably be removed or revised.
>
> Done - thanks for the reminder.

Thanks for applying your patch. While looking into contrib/cygwin/README,
I noticed it contains another small bug. The latest versions of cygport
don't support the "almostall" command anymore. This should be a simple
"all":

Index: contrib/cygwin/README
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/README,v
retrieving revision 1.19
diff -u -p -r1.19 README
--- contrib/cygwin/README 19 Aug 2014 01:36:08 -0000 1.19
+++ contrib/cygwin/README 19 Aug 2014 09:58:17 -0000
@@ -69,7 +69,7 @@ Building OpenSSH
Building from source is easy. Just unpack the source archive, cd to that
directory, and call cygport:

- cygport openssh.cygport almostall
+ cygport openssh.cygport all

You must have installed the following packages to be able to build OpenSSH
with the aforementioned cygport script:
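Review bot: the build line `cygport openssh.cygport all` now assumes a cygport recent enough to have dropped `almostall`, but the README does not say which cygport version it was written for. A short version note next to the command would save users of older installs from guessing which target applies to them.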


Thanks,

Hisashi T Fujinaka

Aug 19, 2014, 9:59:09 AM
On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> On Tue, 19 Aug 2014, Damien Miller wrote:
>>
>>> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>>>
>>>> Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
>>>> and it still has the same error.
>>>>
>>>> Perhaps the version of openssl is wrong?
>>>
>>> no, the prototypes the compiler is complaining about are in sshbuf.h
>>>
>>> Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?
>>
>> Here they are.
>
> It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
> My config.h has "#define WITH_OPENSSL 1"
>
> Could you please try running "autoreconf" and starting from ./configure again.

Whoops. autoreconf is the step I was missing.

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte

Hisashi T Fujinaka

Aug 19, 2014, 11:05:21 AM
On Tue, 19 Aug 2014, Damien Miller wrote:

> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>
>> On Tue, 19 Aug 2014, Damien Miller wrote:
>>
>>> On Mon, 18 Aug 2014, Hisashi T Fujinaka wrote:
>>>
>>>> Yes it does. I did a gmake distclean; git reset --hard; configure; gmake
>>>> and it still has the same error.
>>>>
>>>> Perhaps the version of openssl is wrong?
>>>
>>> no, the prototypes the compiler is complaining about are in sshbuf.h
>>>
>>> Could you please attach your ssh-ecdsa.c, sshbuf.h and config.h?
>>
>> Here they are.
>
> It looks like your config.h.in is out of date - it is missing WITH_OPENSSL.
> My config.h has "#define WITH_OPENSSL 1"
>
> Could you please try running "autoreconf" and starting from ./configure again.

All tests passed on NetBSD 7.99.1 (head from 8/11). Thanks for looking at it.

Kevin Brott

Aug 19, 2014, 11:54:50 AM
New failures on older openssl ... will test against the RH 1.0.0-fips in a
bit ...

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140820.tar.gz

OS              Build_Target            CC            OpenSSL        BUILD   TEST
==============  ======================  ============  =============  ======  ====
Centos 2.1      i386-redhat-linux       gcc 2.9.6     0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47  0.9.7a         FAIL*1
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3   0.9.8k         FAIL*2

FAIL*1 - Shouldn't this have been caught by configure?
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
make[1]: *** [openssl-compat.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FAIL*2 - Different AIX failure on old openssl ...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I.. -I. -I./..
-DHAVE_CONFIG_H -c port-aix.c
In file included from ../key.h:29,
from port-aix.c:31:
../sshkey.h:34:24: error: openssl/ec.h: No such file or directory
In file included from ../key.h:29,
from port-aix.c:31:
../sshkey.h:103: error: expected specifier-qualifier-list before
'EC_KEY'
../sshkey.h:149: error: expected ')' before '*' token
../sshkey.h:151: warning: type defaults to 'int' in declaration of
'EC_GROUP'
../sshkey.h:151: error: expected ';', ',' or ')' before '*' token
../sshkey.h:152: warning: type defaults to 'int' in declaration of
'EC_KEY'
../sshkey.h:152: error: expected ';', ',' or ')' before '*' token
../sshkey.h:170: warning: type defaults to 'int' in declaration of
'EC_GROUP'
../sshkey.h:170: error: expected ';', ',' or ')' before '*' token
../sshkey.h:171: warning: type defaults to 'int' in declaration of
'EC_KEY'
../sshkey.h:171: error: expected ';', ',' or ')' before '*' token
In file included from port-aix.c:31:
../key.h:85: warning: type defaults to 'int' in declaration of
'EC_GROUP'
../key.h:85: error: expected ';', ',' or ')' before '*' token
../key.h:86: warning: type defaults to 'int' in declaration of 'EC_KEY'
../key.h:86: error: expected ';', ',' or ')' before '*' token
make: The error code from the last command is 1.




On Mon, Aug 18, 2014 at 9:26 PM, Damien Miller <d...@mindrot.org> wrote:

>
>
> On Mon, 18 Aug 2014, Kevin Brott wrote:
>
> > Will test this out in the morning. Will this be in the 0820 snapshot?
>
> Yes, it should be.
>
> -d
>



--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

The Doctor

Aug 19, 2014, 12:14:47 PM
All right, my old BSD/OS system still works.

Still would like to figure out

username with style protocol 2
tset: standard error: Operation not supported

10:09AM up 64 days, 1:57, 1 user, load averages: 9.04, 7.94, 7.81
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 7:57AM 0 (sshd)
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
/dev/sd0h ufs 88G 64G 20G 76% /usr
/dev/sd0g ufs 88G 52G 32G 62% /usr/var
/dev/sd0f ufs 88G 69G 15G 83% /usr/home
mfs:27 mfs 992M 13M 930M 2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
failed proxy connect
*** Error code 1

Stop.
*** Error code 1

Stop.


Also I tried to use 6.7 pre on a system and got no kex alg

Rolled back to 6.6 no problem.

I was using Zap-o_com using aes256-ctr

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Our envy of others devours us most of all - Alexander Solshenitsyn

James Cloos

Aug 19, 2014, 2:08:49 PM
I get a failure from make tests in today's master at:

run test agent.sh ...
agent fwd proto 1 failed (exit code 255)
agent fwd proto 2 failed (exit code 255)
failed simple agent test
Makefile:168: recipe for target 't-exec' failed
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory '/tmp/openssh/regress'
Makefile:482: recipe for target 'tests' failed
make: *** [tests] Error 2

I also got that from openssh-SNAP-20140818.tar.gz, but one run last
night gave all tests passed. That run was from the same compile as
gave the t-exec error....

-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6

Kevin Brott

Aug 19, 2014, 3:55:02 PM
FAIL*1 on Centos 2.1 -> RHEL 5.10
FAIL*2 on RHEL 6.0 -> RHEL 6.4 and AIX 5.3 (using openssl 0.9.8k)

The AIX gcc builds are still failing, but - if I replace this line:
-L regress/unittests/test_helper -ltest_helper \
With this
regress/unittests/test_helper/libtest_helper.a \
....
then test_sshbuf and test_sshkey compile ok (both fail for the 'missing'
library) - and tests continue ... will report status when run is done.

Iain Morgan

Aug 19, 2014, 5:13:44 PM
On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
> remove unsafe algorithms. In particular, CBC ciphers and arcfour*
> are disabled by default.
>

Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build
directory, and it lists the full set of ciphers -- not the trimmed-down
default list indicated in sshd_config(5).

--
Iain Morgan

Kevin Brott

Aug 19, 2014, 5:14:19 PM
AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library explicitly
substituted for the -L -l construct. I'll work out a patch that does this
automagically as soon as I work out where it should go, unless someone has
a better idea

AIX native, HPX gcc+native, and Debian builds all continue to build/test.

Jeff Wieland

Aug 19, 2014, 5:49:33 PM
It fails under SPARC Solaris 10, running a recent patch set, with
our locally built OpenSSL 1.0.0n, and SUN Studio 12. The
test_sshbuf binary dumps core with an error code of 139:

cd ./regress || exit $?; \
make \
.OBJDIR="${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="${BUILDDIR}" \
OBJ="${BUILDDIR}/regress/" \
PATH="${BUILDDIR}:${PATH}" \
TEST_ENV=MALLOC_OPTIONS="" \
TEST_SHELL="${TEST_SHELL}" \
TEST_SSH_SCP="${TEST_SSH_SCP}" \
TEST_SSH_SSH="${TEST_SSH_SSH}" \
TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="${TEST_SSH_IPV6}" \
TEST_SSH_ECC="${TEST_SSH_ECC}" \
EXEEXT="" \
tests && echo all tests passed
set -e ; if test -z "" ; then \

/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshbuf/test_sshbuf ; \

/opt/src/sys/openssh/openssh-SNAP-20140820/regress/unittests/sshkey/test_sshkey \
-d
/opt/src/sys/openssh/openssh-SNAP-20140820/regress//unittests/sshkey/testdata ; \
fi
*** Error code 139
make: Fatal error: Command failed for target `unit'
Current working directory /opt/src/sys/openssh/openssh-SNAP-20140820/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-...@mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.6
> =========================
>
> Potentially-incompatible changes
>
> * sshd(8): The default set of ciphers and MACs has been altered to
> remove unsafe algorithms. In particular, CBC ciphers and arcfour*
> are disabled by default.
>
> The full set of algorithms remains available if configured
> explicitly via the Ciphers and MACs sshd_config options.
>
> * sshd(8): Support for tcpwrappers/libwrap has been removed.
>
> * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
> using the curve255...@libssh.org KEX exchange method to fail
> when connecting with something that implements the specification
> correctly. OpenSSH 6.7 disables this KEX method when speaking to
> one of the affected versions.
>
> New Features
>
> * Major internal refactoring to begin to make part of OpenSSH usable
> as a library. So far the wire parsing, key handling and KRL code
> has been refactored. Please note that we do not consider the API
> stable yet, nor do we offer the library in separable form.
>
> * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
> A remote TCP port may be forwarded to a local Unix domain socket
> and vice versa or both ends may be a Unix domain socket.
>
> * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
> ED25519 key types.
>
> * sftp(1): Allow resumption of interrupted uploads.
>
> * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
> is the same as the one sent during initial key exchange; bz#2154
>
> * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
> addresses when GatewayPorts=no; allows client to choose address
> family; bz#2222
>
> * sshd(8): Add a sshd_config PermitUserRC option to control whether
> ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
> option; bz#2160
>
> * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
> that expands to a unique identifier based on a hash of the tuple of
> (local host, remote user, hostname, port). Helps avoid exceeding
> miserly pathname limits for Unix domain sockets in multiplexing
> control paths; bz#2220
>
> * sshd(8): Make the "Too many authentication failures" message
> include the user, source address, port and protocol in a format
> similar to the authentication success / failure messages; bz#2199
>
> * Added unit and fuzz tests for refactored code. These are run
> automatically in portable OpenSSH via the "make tests" target.
>
> Bugfixes
>
> * sshd(8): Fix remote fwding with same listen port but different
> listen address.
>
> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
> explicitly listed in ssh_config or on the commandline not to be
> preferred.
>
> * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
> revoked certificate serial number ranges could be serialised to an
> invalid format. Readers of a broken KRL caused by this bug will
> fail closed, so no should-have-been-revoked key will be accepted.
>
> * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
> exit status. Previously we were always returning 0; bz#2255
>
> * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
> randomart border; bz#2247
>
> * ssh-agent(1): Only cleanup agent socket in the main agent process
> and not in any subprocesses it may have started (e.g. forked
> askpass). Fixes agent sockets being zapped when askpass processes
> fatal(); bz#2236
>
> * ssh-add(1): Make stdout line-buffered; saves partial output getting
> lost when ssh-add fatal()s part-way through (e.g. when listing keys
> from an agent that supports key types that ssh-add doesn't);
> bz#2234
>
> * ssh-keygen(1): When hashing or removing hosts, don't choke on
> @revoked markers and don't remove @cert-authority markers; bz#2241
>
> * ssh(1): Don't fatal when hostname canonicalisation fails and a
> ProxyCommand is in use; continue and allow the ProxyCommand to
> connect anyway (e.g. to a host with a name outside the DNS behind
> a bastion)
>
> * scp(1): When copying local->remote fails during read, don't send
> uninitialised heap to the remote end.
>
> * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
> filenames with a single quote char somewhere in the string;
> bz#2238
>
> * ssh-keyscan(1): Scan for Ed25519 keys by default.
>
> * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
> convert any certificate keys to plain keys and attempt SSHFP
> resolution. Prevents a server from skipping SSHFP lookup and
> forcing a new-hostkey dialog by offering only certificate keys.
>
> * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>
> * Fix some strict-alignment errors.
>
> Portable OpenSSH
>
> * Portable OpenSSH now supports building against libressl-portable.
>
> * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
> versions are no longer supported.
>
> * In the OpenSSL version check, allow fix version upgrades (but not
> downgrades). Debian bug #748150.
>
> * sshd(8): On Cygwin, determine privilege separation user at runtime,
> since it may need to be a domain account.
>
> * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
> non-root users, and for them it just messes up the tty settings.
>
> * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
> available. It takes into account time spent suspended, thereby
> ensuring timeouts (e.g. for expiring agent keys) fire correctly.
> bz#2228
>
> * Add support for ed25519 to opensshd.init init script.
>
> * sftp-server(8): On platforms that support it, use prctl() to
> prevent sftp-server from accessing /proc/self/{mem,maps}
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to ope...@openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-...@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>


--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)494-6620 | West Lafayette, IN 47907

Kevin Brott

Aug 19, 2014, 6:04:56 PM
Oh dear ... it is to laugh .. I just realized what the problem is. This is
the failing compile example ...

gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
-Wl,-blibpath:/opt/phs/lib:/opt/freeware/lib:/usr/lib:/usr/ccs/lib
-L/opt/phs/lib -L/opt/freeware/lib -L/usr/lib -L/usr/ccs/lib
-Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
regress/unittests/sshbuf/test_sshbuf.o
regress/unittests/sshbuf/test_sshbuf_getput_basic.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_misc.o
regress/unittests/sshbuf/test_sshbuf_fuzz.o
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
regress/unittests/sshbuf/test_sshbuf_fixed.o \
* -L regress/unittests/test_helper -ltest_helper \*
-lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found

The space between -L and the directory is what's causing the issue. The
correct line would be
* -Lregress/unittests/test_helper -ltest_helper \*

The fix should be a simple edit in the Makefile.in ... I'm surprised this
isn't broken elsewhere for the same reason.

Kevin Brott

Aug 19, 2014, 6:30:30 PM
Forgot to include the patch ... completely berking it today ...
patch-makefile-in.diff

Damien Miller

Aug 19, 2014, 7:54:09 PM
On Tue, 19 Aug 2014, Iain Morgan wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Potentially-incompatible changes
> >
> > * sshd(8): The default set of ciphers and MACs has been altered to
> > remove unsafe algorithms. In particular, CBC ciphers and arcfour*
> > are disabled by default.
> >
>
> Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build
> directory, and it lists the full set of ciphers -- not the trimmed-down
> default list indicated in sshd_config(5).

It is true, but you've just uncovered a bug in the code that dumps the
config :)

Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.249
diff -u -p -r1.249 servconf.c
--- servconf.c 18 Jul 2014 04:11:26 -0000 1.249
+++ servconf.c 19 Aug 2014 23:53:44 -0000
@@ -54,6 +54,7 @@
#include "packet.h"
#include "hostfile.h"
#include "auth.h"
+#include "myproposal.h"

static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -2070,9 +2071,8 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
- cipher_alg_list(',', 0));
- dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
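Review bot: the fallback in the sCiphers and sMacs lines names KEX_SERVER_ENCRYPT and KEX_SERVER_MAC a second time inside dump_config, so `sshd -T` can drift from what the server actually proposes if the defaults are ever selected differently elsewhere. Consider having the dump read the same value the proposal code uses (or filling o->ciphers and o->macs with the defaults before dumping), and add a regress check that `sshd -f /dev/null -T` lists no CBC or arcfour ciphers, since that is how this was found.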
@@ -2084,8 +2084,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
- kex_alg_list(','));
+ dump_cfg_string(sKexAlgorithms,
+ o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);

/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
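Review bot: the sKexAlgorithms line changes the `-T` output for key exchange as well, although the report was only about ciphers. Worth saying so in the commit message, so testers comparing `sshd -T` output with sshd_config(5) know the KexAlgorithms list is expected to change too.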

Damien Miller

Aug 19, 2014, 9:07:09 PM
On Tue, 19 Aug 2014, Kevin Brott wrote:

> AIX6/7 + gcc 4.2.0/4.4.7 passes all tests fine with the library explicitly
> substituted for the -L -l construct. I'll work out a patch that does this
> automagically as soon as I work out where it should go, unless someone has a
> better idea

I think we can just do this unconditionally. (patch below)

> FAIL*1 - Shouldn't this have been caught by configure?
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized
..
> In file included from openssl-compat.c:32:
> openssl-compat.h:28:2: #error OpenSSL 0.9.8f or
> greater is required

good point; patch below.

> FAIL*2 - Different AIX failure on old openssl ...
> gcc -g -O2 -Wall -Wpointer-arith
> -Wuninitialized -Wsign-compare -Wformat-security
> -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -ftrapv -fno-builtin-memset -I. -I.. -I. -I./..
> -DHAVE_CONFIG_H -c port-aix.c
> In file included from ../key.h:29,
> from port-aix.c:31:
> ../sshkey.h:34:24: error: openssl/ec.h: No such file
> or directory
> In file included from ../key.h:29,
> from port-aix.c:31:
> ../sshkey.h:103: error: expected
> specifier-qualifier-list before 'EC_KEY'
> ../sshkey.h:149: error: expected ')' before '*' token
> ../sshkey.h:151: warning: type defaults to 'int' in

patch below

all these are committed and will be in the 0821 snapshot

Index: Makefile.in
===================================================================
RCS file: /var/cvs/openssh/Makefile.in,v
retrieving revision 1.362
diff -u -p -r1.362 Makefile.in
--- Makefile.in 18 Jul 2014 20:33:12 -0000 1.362
+++ Makefile.in 20 Aug 2014 01:01:09 -0000
@@ -456,7 +456,7 @@ UNITTESTS_TEST_SSHBUF_OBJS=\
regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
- -L regress/unittests/test_helper -ltest_helper \
+ regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

UNITTESTS_TEST_SSHKEY_OBJS=\
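Review bot: only the test_sshbuf link rule gets the explicit libtest_helper.a path, and the hunk stops at UNITTESTS_TEST_SSHKEY_OBJS. Kevin's report had test_sshkey failing with the same missing-library error on AIX, so the test_sshkey rule needs the same replacement of `-L regress/unittests/test_helper -ltest_helper` if it links the helper the same way.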
Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.578
diff -u -p -r1.578 configure.ac
--- configure.ac 15 Jul 2014 00:41:39 -0000 1.578
+++ configure.ac 20 Aug 2014 01:01:09 -0000
@@ -2278,13 +2278,21 @@ AC_RUN_IFELSE(
if(fd == NULL)
exit(1);

- if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+ if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(),
+ SSLeay_version(SSLEAY_VERSION))) <0)
exit(1);

exit(0);
]])],
[
ssl_library_ver=`cat conftest.ssllibver`
+ # Check version is supported.
+ case "$ssl_library_ver" in
+ 0090[0-7]*|009080[0-5]*)
+ AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
+ ;;
+ *) ;;
+ esac
AC_MSG_RESULT([$ssl_library_ver])
],
[
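Review bot: the new case patterns `0090[0-7]*|009080[0-5]*` expect a zero-padded version string, but ssl_library_ver is written by the fprintf just above with a plain `%x`, which prints no leading zeros (0.9.8e would come out starting `90805`), so the check will not match the old versions it is meant to reject. Print the number with `%08x`, or drop the leading zeros from the patterns.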
Index: sshkey.h
===================================================================
RCS file: /var/cvs/openssh/sshkey.h,v
retrieving revision 1.1
diff -u -p -r1.1 sshkey.h
--- sshkey.h 2 Jul 2014 05:28:04 -0000 1.1
+++ sshkey.h 20 Aug 2014 01:01:09 -0000
@@ -31,13 +31,19 @@
#ifdef WITH_OPENSSL
#include <openssl/rsa.h>
#include <openssl/dsa.h>
-#include <openssl/ec.h>
-#else /* OPENSSL */
-#define RSA void
-#define DSA void
-#define EC_KEY void
-#define EC_GROUP void
-#define EC_POINT void
+# ifdef OPENSSL_HAS_ECC
+# include <openssl/ec.h>
+# else /* OPENSSL_HAS_ECC */
+# define EC_KEY void
+# define EC_GROUP void
+# define EC_POINT void
+# endif /* OPENSSL_HAS_ECC */
+#else /* WITH_OPENSSL */
+# define RSA void
+# define DSA void
+# define EC_KEY void
+# define EC_GROUP void
+# define EC_POINT void
#endif /* WITH_OPENSSL */

#define SSH_RSA_MINIMUM_MODULUS_SIZE 768
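Review bot: the three `# define EC_KEY/EC_GROUP/EC_POINT void` lines now appear twice, once under the OPENSSL_HAS_ECC else-branch and once under the WITH_OPENSSL else-branch. A single block guarded by `#if !defined(WITH_OPENSSL) || !defined(OPENSSL_HAS_ECC)` after the RSA/DSA handling would state this once and keep the two copies from drifting apart.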
@@ -211,12 +217,16 @@ int ssh_ed25519_verify(const struct sshk
const u_char *data, size_t datalen, u_int compat);
#endif

-#ifndef WITH_OPENSSL
-#undef RSA
-#undef DSA
-#undef EC_KEY
-#undef EC_GROUP
-#undef EC_POINT
-#endif /* WITH_OPENSSL */
+#if !defined(WITH_OPENSSL)
+# undef RSA
+# undef DSA
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
+#elif !defined(OPENSSL_HAS_ECC)
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
+#endif

#endif /* SSHKEY_H */
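Review bot: this #undef block has to mirror the #define conditions at the top of the header exactly, and nothing in the code ties the two together; a comment at each end pointing at the other would help whoever adds the next placeholder type. The closing `#endif` of the new block also lost the trailing comment that the removed `#endif /* WITH_OPENSSL */` carried.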

Damien Miller

Aug 19, 2014, 9:11:07 PM
On Tue, 19 Aug 2014, Corinna Vinschen wrote:

> Thanks for applying your patch. While looking into contrib/cygwin/README,
> I noticed it contains another small bug. The latest versions of cygport
> don't support the "almostall" command anymore. This should be a simple
> "all":

done - thanks

Damien Miller

Aug 19, 2014, 9:32:36 PM
On Tue, 19 Aug 2014, The Doctor wrote:

> All right, my old BSD/OS system still works.
>
> Still would like to figure out
>
> username with style protocol 2
> tset: standard error: Operation not supported

Looks like some interactive shell initialisation is running for a non-
interactive shell. tset is probably trying a termios call against a pipe.

> Also I tried to use 6.7 pre on a system and got no kex alg
>
> Rolled back to 6.6 no problem.
>
> I was using Zap-o_com using aes256-ctr

What's "Zap-o_com"?

Your client probably only supports the "diffie-hellman-group1-sha1" key
exchange method. Unfortunately this is weak by modern standards, since it
uses a 768 bit group.

kexalgorithms curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

-d
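
The default-list check run earlier in the thread with `sshd -T` and the key exchange failure discussed in this reply, as an added example that is not part of the thread or of OpenSSH: it audits an `sshd -T`-style dump for the algorithms named here as unsafe or weak, and models the "first name on the client's list that the server also lists" selection rule. The dump and the client offer are constructed samples, and the selection ignores the extra host-key conditions that real key exchange negotiation applies.

```python
"""Audit an `sshd -T`-style dump and model SSH algorithm selection."""
import fnmatch

# Names the thread singles out: CBC ciphers and arcfour* (dropped from the
# sshd defaults) and diffie-hellman-group1-sha1 (called weak in the reply).
FLAGGED = {
    "ciphers": ["*-cbc", "arcfour*"],
    "kexalgorithms": ["diffie-hellman-group1-sha1"],
}
LIST_OPTIONS = ("ciphers", "macs", "kexalgorithms")

# Constructed sample in the "keyword value" layout that `sshd -T` prints.
SAMPLE_DUMP = """\
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour256
macs hmac-sha2-256,hmac-sha2-512
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
"""

# Constructed offer from a hypothetical legacy client.
LEGACY_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group1-sha1"],
    "ciphers": ["aes256-ctr", "aes128-cbc"],
    "macs": ["hmac-sha2-256"],
}


class NoCommonAlgorithm(Exception):
    """Raised when the two name-lists share no entry."""


def parse_dump(text):
    """Return {option: [names]} for the comma-separated algorithm options."""
    lists = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        keyword = keyword.lower()
        if keyword in LIST_OPTIONS:
            lists[keyword] = [name for name in value.strip().split(",") if name]
    return lists


def audit(lists):
    """Return (option, name) pairs for every enabled name matching FLAGGED."""
    findings = []
    for keyword, patterns in FLAGGED.items():
        for name in lists.get(keyword, []):
            if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
                findings.append((keyword, name))
    return findings


def negotiate(client_list, server_list):
    """Pick the first name on the client's list that the server also lists.

    Simplified: the host-key related conditions that apply to key exchange
    methods are not modelled here.
    """
    for name in client_list:
        if name in server_list:
            return name
    raise NoCommonAlgorithm(f"client {client_list} vs server {server_list}")


def simulate(client_offer, server_lists):
    """Negotiate each option; map option -> chosen name, or None on failure."""
    result = {}
    for keyword in LIST_OPTIONS:
        try:
            result[keyword] = negotiate(client_offer.get(keyword, []),
                                        server_lists.get(keyword, []))
        except NoCommonAlgorithm:
            result[keyword] = None
    return result


if __name__ == "__main__":
    server = parse_dump(SAMPLE_DUMP)
    for keyword, name in audit(server):
        print(f"flagged {keyword}: {name}")
    for keyword, chosen in simulate(LEGACY_CLIENT, server).items():
        print(f"{keyword}: {chosen or 'no common algorithm, connection fails'}")
```

Running the audit against a saved `sshd -T` dump from the build under test, rather than the constructed sample, shows whether an explicit Ciphers or KexAlgorithms line has re-enabled any of the flagged names.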

Damien Miller

Aug 19, 2014, 9:34:39 PM
On Tue, 19 Aug 2014, Corinna Vinschen wrote:

> Maybe it was the fact that I called `cvs up' without the -d flag...?
>
> Duh. Sorry about that.

:) no problem

> So, now I can run the testsuite and I'm having a problem with the
> "forwarding" test. The older version of this test worked fine, the
> latest from CVS sometimes fails:
>
> run test forwarding.sh ...
> failed copy /bin/ls.exe
> cmp: EOF on /home/corinna/src/openssh/64bin/regress/copy
> corrupted copy of /bin/ls.exe
[...]
> Running the test another time, it runs to completion. Running it
> again, it fails. It fails more often than succeeding, though.

I've had problems with this test leaving a ssh or sshd (can't remember
which right now) laying around after completion, which could interfere
with future test runs. I thought I fixed it already, but maybe I didn't
do so completely?

Damien Miller

Aug 19, 2014, 9:41:00 PM
On Tue, 19 Aug 2014, James Cloos wrote:

> I get a failure from make tests in today's master at:
>
> run test agent.sh ...
> agent fwd proto 1 failed (exit code 255)
> agent fwd proto 2 failed (exit code 255)
> failed simple agent test
> Makefile:168: recipe for target 't-exec' failed
> make[1]: *** [t-exec] Error 1
> make[1]: Leaving directory '/tmp/openssh/regress'
> Makefile:482: recipe for target 'tests' failed
> make: *** [tests] Error 2
>
> I also got that from openssh-SNAP-20140818.tar.gz, but one run last
> night gave all tests passed. That run was from the same compile as
> gave the t-exec error....

There should be some failed-* files in the regress/ directory that
might yield some clues here.

Damien Miller

Aug 19, 2014, 9:48:01 PM
On Tue, 19 Aug 2014, Jeff Wieland wrote:

> It fails under SPARC Solaris 10, running a recent patch set, with
> our locally built OpenSSL 1.0.0n, and SUN Studio 12. The
> test_sshbuf binary dumps core with an error code of 139. I'm
> attaching the output of the ./configure and the "make tests".

Could you try running "regress/unittests/sshbuf/test_sshbuf -v" to
see which test is crashing?

Jeff Wieland

Aug 19, 2014, 11:15:02 PM
Damien Miller wrote:
> regress/unittests/sshbuf/test_sshbuf -v

All I get is:

Segmentation Fault(coredump)

--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)494-2253 | West Lafayette, IN 47907

Damien Miller

Aug 19, 2014, 11:50:29 PM
On Tue, 19 Aug 2014, Jeff Wieland wrote:

> Damien Miller wrote:
> > regress/unittests/sshbuf/test_sshbuf -v
>
> All I get is:
>
> Segmentation Fault(coredump)

Does the ssh (or other) binaries dump core too?

Can you attach a debugger to it and see where it crashes?

-d

The Doctor

Aug 19, 2014, 11:52:39 PM
On Wed, Aug 20, 2014 at 11:32:36AM +1000, Damien Miller wrote:
> On Tue, 19 Aug 2014, The Doctor wrote:
>
> > All right My old BSD/OS system still works.
> >
> > Still would like to figure out
> >
> > username with style protocol 2
> > tset: standard error: Operation not supported
>
> Looks like some interactive shell initialisation is running for a non-
> interactive shell. tset is probably trying a termios call against a pipe.
>
> > Also I tried to use 6.7 pre on a system and got no kex alg
> >
> > Rolled back to 6.6 no problem.
> >
> > I was using Zap-o_com using aes256-ctr
>
> What's "Zap-o_com"?
>
> Your client probably only supports the "diffie-hellman-group1-sha1" key
> exchange method. Unfortunately this is weak by modern standards, since it
> uses a 768 bit group.
>
> kexalgorithms curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> -d
>


ZOC as it is more commonly known.

Newer versions work, so not a real issue.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
22 Sept 2014 New Brunswick save the province vote Liberal!

Kevin Brott

Aug 20, 2014, 1:56:03 PM
Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140821.tar.gz

OS              Build_Target            CC                  OpenSSL        BUILD   TEST
==============  ======================  ==================  =============  ======  ================
Centos 2.1      i386-redhat-linux       gcc 2.9.6           0.9.6b-engine  FAIL*1
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47        0.9.7a         FAIL*1
...Fedora Core r2...RHEL 4.8 i386...same...
RHEL 4.8        x86_64-redhat-linux     gcc 3.4.6-11        0.9.7a         FAIL*1
RHEL 5.4        i386-redhat-linux       gcc 4.1.2-46        0.9.8e-fips    FAIL*1
...all RHEL 5...
RHEL 5.10       x86_64-redhat-linux     gcc 4.1.2-54        0.9.8e-fips    FAIL*1
RHEL 6.0        i686-redhat-linux       gcc 4.4.4-13        1.0.0-fips     FAIL*2
...RHEL 6.1 - 6.4...
RHEL 6.4        x86_64-redhat-linux     gcc 4.4.7-3         1.0.0-fips     FAIL*2
RHEL 6.5        i686-redhat-linux       gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 6.5        x86_64-redhat-linux     gcc 4.4.7-4         1.0.1e-fips    OK      all tests passed
RHEL 7.0        x86_64-redhat-linux     gcc 4.8.2-16        1.0.1e-fips    OK      all tests passed
Debian 7.6      x86_64-linux-gnu        gcc Debian 4.7.2-5  1.0.1e         OK      all tests passed
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0  xlc 8.0.0.16        0.9.8k         FAIL*2
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3         0.9.8k         FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  xlc 11.1.0.6        0.9.8y         OK      all tests passed
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  gcc 4.2.0           0.9.8y         FIX*1   all tests passed
... further tests pending...


FAIL*1 - configure completes without errors ...
make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
make[1]: *** [openssl-compat.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't
part of openssl ...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all
-fPIE -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c port-aix.c
In file included from port-aix.c:31:
../key.h:85: warning: type defaults to 'int' in declaration of 'EC_GROUP'
../key.h:85: error: expected ';', ',' or ')' before '*' token
../key.h:86: warning: type defaults to 'int' in declaration of 'EC_KEY'
../key.h:86: error: expected ';', ',' or ')' before '*' token
make[1]: *** [port-aix.o] Error 1
make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

FIX*1 - looks like Makefile.in only got updated for test_sshbuf and not
test_sshkey ...
gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/
-Wl,-blibpath:/opt/phs/lib:/usr/lib:/usr/ccs/lib -L/opt/phs/lib -L/usr/lib
-L/usr/ccs/lib -Wl,-blibpath:/usr/lib:/lib
regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o
regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o
regress/unittests/sshkey/test_sshkey.o \
-L regress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz
-lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshkey/test_sshkey] Error 1

This patch fixes this issue cross-platform/compiler AFAICT.

---CUT---
*** openssh-SNAP-20140821/Makefile.in 2014-08-19 18:06:21 -0700
--- openssh-SNAP-20140821/Makefile.in.fixed 2014-08-20 10:32:23 -0700
***************
*** 457,461 ****
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
! regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

--- 457,461 ----
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
! -Lregress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

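Review bot: in the test_sshbuf rule the `!` line swaps the explicit archive path `regress/unittests/test_helper/libtest_helper.a` for `-Lregress/unittests/test_helper -ltest_helper`, yet the link failure reported above was in the test_sshkey rule only, and the path form is the one that already linked. With the path, the link input is exactly the file named on the prerequisite line; with `-ltest_helper` the library is looked up through every `-L` directory that $(LDFLAGS) puts earlier on the command line. I would leave this rule as it was and convert the test_sshkey rule to the path form instead.
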
***************
*** 470,474 ****
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
! -L regress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

--- 470,474 ----
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
! -Lregress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

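Review bot: the `!` line in the test_sshkey rule only removes the space in `-L regress/unittests/test_helper`, so the library is still found by search order rather than by name. The prerequisite line of this rule already lists `regress/unittests/test_helper/libtest_helper.a`; passing that path to $(LD) directly, as the test_sshbuf rule did before this patch, removes any dependence on how a given linker parses `-L` and guarantees the archive that was just built is the one linked.
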
---CUT---
--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

James Cloos

Aug 20, 2014, 3:29:55 PM
>>>>> "DM" == Damien Miller <d...@mindrot.org> writes:

DM> There should be some failed-* files in the regress/ directory that
DM> might yield some clues here.

I got the impression that my local configs were an issue, so I tried
again in script(1) after running:

:; set|awk -F= '/SSH/ {print $1}'|xargs unset
:; export HOME=/tmp/empty
:; mkdir $HOME

but it still fails there, noting that it tried to use the keys from my
running agent.

I'm trying again as a temp user.

-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
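
An added example, not part of the original message: `unset` is a shell builtin, so running it through `xargs` only affects a child process and leaves variables such as SSH_AUTH_SOCK set in the calling shell. The sketch below contrasts that with a loop that unsets the variables in the current shell; the function names and the socket path are constructed for illustration.

```shell
#!/bin/sh
# Names of exported variables whose name contains "SSH".
ssh_var_names() {
    env | awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ && $1 ~ /SSH/ { print $1 }'
}

# Pipeline form: xargs runs in a child process, so whatever it executes
# cannot remove variables from this shell. Prints the value left behind.
after_xargs_unset() {
    SSH_AUTH_SOCK=/tmp/constructed-agent.sock   # constructed sample value
    export SSH_AUTH_SOCK
    ssh_var_names | xargs unset >/dev/null 2>&1 || true
    echo "${SSH_AUTH_SOCK:-unset}"
}

# Loop form: unset runs as a builtin in the current shell.
scrub_ssh_env() {
    for name in $(ssh_var_names); do
        unset "$name"
    done
}

# Same starting point as after_xargs_unset, cleaned with the loop form.
after_scrub() {
    SSH_AUTH_SOCK=/tmp/constructed-agent.sock   # constructed sample value
    export SSH_AUTH_SOCK
    scrub_ssh_env
    echo "${SSH_AUTH_SOCK:-unset}"
}

# Run a command with the SSH variables removed and HOME pointing at an
# empty directory, without touching the caller's environment.
run_scrubbed() {
    (
        scrub_ssh_env
        tmp_home=$(mktemp -d) || exit 1
        HOME=$tmp_home
        export HOME
        rc=0
        "$@" || rc=$?
        rm -rf "$tmp_home"
        exit "$rc"
    )
}

echo "after 'xargs unset': $(after_xargs_unset)"
echo "after scrub_ssh_env: $(after_scrub)"
run_scrubbed sh -c 'echo "in scrubbed run:     ${SSH_AUTH_SOCK:-unset} (HOME=$HOME)"'
```

A test run started as `run_scrubbed make tests` sees neither the agent socket nor the user's ~/.ssh; a system-wide /etc/ssh/ssh_config is still outside its reach.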

Corinna Vinschen

Aug 20, 2014, 3:39:29 PM
On Aug 20 11:34, Damien Miller wrote:
> On Tue, 19 Aug 2014, Corinna Vinschen wrote:
>
> > Maybe it was the fact that I called `cvs up' without the -d flag...?
> >
> > Duh. Sorry about that.
>
> :) no problem
>
> > So, now I can run the testsuite and I'm having a problem with the
> > "forwarding" test. The older version of this test worked fine, the
> > latest from CVS sometimes fails:
> >
> > run test forwarding.sh ...
> > failed copy /bin/ls.exe
> > cmp: EOF on /home/corinna/src/openssh/64bin/regress/copy
> > corrupted copy of /bin/ls.exe
> [...]
> > Running the test another time, it runs to completion. Running it
> > again, it fails. It fails more often than succeeding, though.
>
> I've had problems with this test leaving a ssh or sshd (can't remember
> which right now) laying around after completion, which could interfere
> with future test runs. I thought I fixed it already, but maybe I didn't
> do so completely?

That may very well be the problem. I reduced the forwarding script to
just starting sshd and then running the final "transfer over chained
unix domain socket forwards and check result" test loop, and it runs
fine every time.

James Cloos

Aug 20, 2014, 4:36:00 PM
JC> I'm trying again as a temp user.

In addition to using a uid which does not have anything in ~/.ssh and
which sets no envs matching /SSH/, I also moved /etc/ssh/ssh_config
out of the way while the test was running.

With that, the tests all passed. It is a Gentoo ~amd64 box.

Tom Christensen

Aug 20, 2014, 5:20:28 PM
On 20/08/14 05:50, Damien Miller wrote:
> On Tue, 19 Aug 2014, Jeff Wieland wrote:
>
>> Damien Miller wrote:
>>> regress/unittests/sshbuf/test_sshbuf -v
>>
>> All I get is:
>>
>> Segmentation Fault(coredump)

I'm seeing the same on Solaris 9 with gcc 4.9.1 and openssl 1.0.1i.

>
> Does the ssh (or other) binaries dump core too?
>
Only the test_sshbuf and test_sshkey binaries dump core for me,
ssh-keygen and ssh run.

> Can you attach a debugger to it and see where it crashes?
>

$ gdb test_sshbuf core
GNU gdb (GDB) 7.8
<..boilerplate..>
Reading symbols from test_sshbuf...done.
[New LWP 1]
Core was generated by `./test_sshbuf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xfedb4b14 in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xfedb4b14 in strlen () from /usr/lib/libc.so.1
#1 0xfee07a20 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee095e0 in printf () from /usr/lib/libc.so.1
#3 0x00023e7c in main (argc=1, argv=0xffbfec24) at
regress/unittests/test_helper/test_helper.c:141
(gdb) f 3
#3 0x00023e7c in main (argc=1, argv=0xffbfec24) at
regress/unittests/test_helper/test_helper.c:141
141 printf("%s: ", __progname);
(gdb) p __progname
$1 = 0x0
(gdb)

test_helper.c should probably use ssh_get_progname() from bsd-misc.c.

-tgc

mi...@noc.utoronto.ca

Aug 20, 2014, 6:25:18 PM
Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i.

'make' works, 'make tests' fails with:

gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/
-L/opt/local/lib -R/opt/local/lib -Wl,-z,now
regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o
regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o
regress/unittests/sshkey/test_sshkey.o \
-L regress/unittests/test_helper -ltest_helper \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat -lresolv -lcrypto -lrt
-lz -lsocket -lnsl
BUILDDIR=`pwd`; \
TEST_SHELL="/bin/bash"; \
TEST_SSH_SCP="${BUILDDIR}/scp"; \
TEST_SSH_SSH="${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \
TEST_SSH_PLINK="plink"; \
TEST_SSH_PUTTYGEN="puttygen"; \
TEST_SSH_CONCH="conch"; \
TEST_SSH_IPV6="yes" ; \
TEST_SSH_ECC="yes" ; \
make[1]: Entering directory `/opt/local/src/security/openssh/regress'
set -e ; if test -z "" ; then \

/opt/local/src/security/openssh/regress/unittests/sshbuf/test_sshbuf ; \

/opt/local/src/security/openssh/regress/unittests/sshkey/test_sshkey \
-d
/opt/local/src/security/openssh/regress//unittests/sshkey/testdata ; \
fi
make[1]: *** [unit] Error 139
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2



Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mi...@noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

Damien Miller

Aug 20, 2014, 8:47:02 PM
On Wed, 20 Aug 2014, Kevin Brott wrote:

> FAIL*1 - configure completes without errors ...
> make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
> openssl-compat.c
> In file included from openssl-compat.c:32:
> openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required

that's strange - you aren't cross-compiling? The test in configure.ac
won't work for x-compiles.

If not, what does configure report your OpenSSL version as? e.g.

checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)

> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>
> FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't
> part of openssl ...
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I.
> -I./.. -DHAVE_CONFIG_H -c port-aix.c
> In file included from port-aix.c:31:
> ../key.h:85: warning: type defaults to 'int' in declaration of 'EC_GROUP'
> ../key.h:85: error: expected ';', ',' or ')' before '*' token
> ../key.h:86: warning: type defaults to 'int' in declaration of 'EC_KEY'
> ../key.h:86: error: expected ';', ',' or ')' before '*' token

another missing check for no-ECC OpenSSL:

Index: key.h
===================================================================
RCS file: /var/cvs/openssh/key.h,v
retrieving revision 1.45
diff -u -p -r1.45 key.h
--- key.h 2 Jul 2014 05:28:03 -0000 1.45
+++ key.h 21 Aug 2014 00:46:48 -0000
@@ -81,10 +81,10 @@ int key_cert_check_authority(const Key
const char **);
char *key_alg_list(int, int);

-#ifdef WITH_OPENSSL
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
int key_ec_validate_private(const EC_KEY *);
-#endif /* WITH_OPENSSL */
+#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);
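
Review bot: with the prototypes of key_ec_validate_public() and key_ec_validate_private() now hidden unless OPENSSL_HAS_ECC is defined, every caller and the definitions themselves need to sit under the same `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` condition. Otherwise a no-ECC build trades the type error at key.h:85 for an implicit-declaration warning at the call site and a possible link failure. It is worth confirming that before committing, since the hunk only covers the header.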

Damien Miller

Aug 20, 2014, 9:00:53 PM
On Wed, 20 Aug 2014, Tom Christensen wrote:

> (gdb) p __progname
> $1 = 0x0
> (gdb)
>
> test_helper.c should probably use ssh_get_progname() from bsd-misc.c.

Thanks for figuring this out. I'd prefer to keep the dependencies from
the tests to a minimum, at least until we have the API defined in
libopenssh, so here's a workaround that uses argv[0]:

Index: regress/unittests/test_helper/test_helper.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/test_helper/test_helper.c,v
retrieving revision 1.3
diff -u -p -r1.3 test_helper.c
--- regress/unittests/test_helper/test_helper.c 11 Jun 2014 19:32:30 -0000 1.3
+++ regress/unittests/test_helper/test_helper.c 21 Aug 2014 00:59:02 -0000
@@ -117,6 +117,19 @@ main(int argc, char **argv)
{
int ch;

+ /* Handle systems without __progname */
+ if (__progname == NULL) {
+ __progname = strrchr(argv[0], '/');
+ if (__progname == NULL || __progname[1] == '\0')
+ __progname = argv[0];
+ else
+ __progname++;
+ if ((__progname = strdup(__progname)) == NULL) {
+ fprintf(stderr, "strdup failed\n");
+ exit(1);
+ }
+ }
+
while ((ch = getopt(argc, argv, "vqd:")) != -1) {
switch (ch) {
case 'd':
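
Review bot: the added fallback calls `strrchr(argv[0], '/')` without checking that argv[0] exists, so a process started with an empty argument vector would hit the same kind of NULL dereference this patch is fixing, only one call earlier. Guarding with `argc < 1 || argv[0] == NULL` and falling back to a fixed name string before the strrchr() call would close that. The rest of the block (trailing-slash check, strdup failure handling) reads fine.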

Damien Miller

Aug 20, 2014, 9:01:36 PM
On Wed, 20 Aug 2014, James Cloos wrote:

> JC> I'm trying again as a temp user.
>
> In addition to using a uid which does not have anything in ~/.ssh and
> which sets no envs matching /SSH/, I also moved /etc/ssh/ssh_config
> out of the way while the test was running.
>
> With that, the tests all passed. It is a Gentoo ~amd64 box.

Thanks, I'll take a look to see where the hermiticity of the test is
breaking...

Damien Miller

Aug 20, 2014, 9:02:09 PM
On Wed, 20 Aug 2014, mi...@noc.utoronto.ca wrote:

> Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i.
>
> 'make' works, 'make tests' fails with:

This is likely the __progname problem that I just posted a patch for. Could
you give that a try?

-d

Jeff Wieland

Aug 20, 2014, 9:36:39 PM
Damien Miller wrote:
> On Tue, 19 Aug 2014, Jeff Wieland wrote:
>
>> Damien Miller wrote:
>>> regress/unittests/sshbuf/test_sshbuf -v
>> All I get is:
>>
>> Segmentation Fault(coredump)
> Does the ssh (or other) binaries dump core too?
>
> Can you attach a debugger to it and see where it crashes?
>
> -d
>

Sorry -- I've been tied up all day. I've applied the patch
that you posted, and the tests are running now. I'll know more
after a while.

--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)494-2253 | West Lafayette, IN 47907

Kevin Brott

Aug 20, 2014, 11:35:39 PM
No cross-compiling at all. Completely native builds on the appropriate
OS. The ./configure script is correctly reporting the library and header
versions listed in the build reports. (0.9.8k, etc). But I'll do more runs
in the morning and paste the configure detections.
--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Jeff Wieland

Aug 21, 2014, 12:01:07 AM
Jeff Wieland wrote:
> Damien Miller wrote:
>> On Tue, 19 Aug 2014, Jeff Wieland wrote:
>>
>>> Damien Miller wrote:
>>>> regress/unittests/sshbuf/test_sshbuf -v
>>> All I get is:
>>>
>>> Segmentation Fault(coredump)
>> Does the ssh (or other) binaries dump core too?
>>
>> Can you attach a debugger to it and see where it crashes?
>>
>> -d
>>
>
> Sorry -- I've been tied up all day. I've applied the patch
> that you posted, and the tests are running now. I'll know more
> after a while.
>

With the patch to regress/unittests/test_helper/test_helper.c Solaris 10
on SPARC passed all tests.

--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)494-2253 | West Lafayette, IN 47907

Damien Miller

Aug 21, 2014, 1:55:31 AM
On Thu, 21 Aug 2014, Jeff Wieland wrote:

> With the patch to regress/unittests/test_helper/test_helper.c Solaris 10 on
> SPARC passed all tests.

Thanks - committed. It will be in the 20140822 snapshot.

-d

mi...@noc.utoronto.ca

Aug 21, 2014, 7:36:57 AM
On Thu, 21 Aug 2014, Damien Miller wrote:

> On Wed, 20 Aug 2014, mi...@noc.utoronto.ca wrote:
>
>> Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i.
>>
>> 'make' works, 'make tests' fails with:
>
> This is likely the __progname problem that I just posted a patch for. Could
> you give that a try?
>
> -d

Still fails same place.

Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mi...@noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

Kevin Brott

Aug 21, 2014, 11:22:44 AM
Example ...

Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 ..

$ openssl version
OpenSSL 0.9.6b [engine] 9 Jul 2001

$ ./configure
...
checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
2001)
checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
2001)
checking whether OpenSSL's headers match the library... yes
checking if programs using OpenSSL functions will link... yes
checking whether OpenSSL has crippled AES support... yes
checking whether OpenSSL has AES CTR via EVP... no
checking whether OpenSSL has AES GCM via EVP... no
checking whether OpenSSL has NID_X9_62_prime256v1... no
checking whether OpenSSL has NID_secp384r1... no
checking whether OpenSSL has NID_secp521r1... no
checking whether OpenSSL's PRNG is internally seeded... yes
...
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt

$ gmake
...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
gmake[1]: *** [openssl-compat.o] Error 1
gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2

This happens on all the Red Hat based systems where openssl < 1.0.0-fips

Kevin Brott

Aug 21, 2014, 12:11:16 PM
Another missing ec.h failure ... AIX openssl 0.9.8k and RH 1.0.0-fips
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all
-fPIE -I. -I. -DSSHDIR=\"/usr/local/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c sshbuf-getput-crypto.c -o sshbuf-getput-crypto.o
sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such
file or directory
gmake: *** [sshbuf-getput-crypto.o] Error 1

Tom Christensen

Aug 21, 2014, 3:07:13 PM
On 21/08/14 03:00, Damien Miller wrote:
> Thanks for figuring this out. I'd prefer to keep the dependencies from
> the tests to a minimum, at least until we have the API defined in
> libopenssh, so here's a workaround that uses argv[0]:
>
<snip patch>

That took care of the segfault but unfortunately test_sshbuf fails:
test_sshbuf: ........................................................
regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57
"sshbuf_putf"
ASSERT_INT_EQ(r, 0) failed:
r = -10
0 = 0

The rest of the testsuite is a total loss presumably due to this early
failure.

This is on Solaris 9/SPARC with gcc 4.9.1.

-tgc

Kevin Brott

Aug 21, 2014, 4:08:32 PM
I've worked it out. The test in configure.ac (and the resulting test in
configure) is not correct, as it's expecting (I think) a variant of the
value from opensslv.h (i.e. OPENSSL_VERSION_NUMBER 0x009080bfL), which is
not what configure is actually testing against. That, and it's missing the
second set of brackets needed for the regexp test.

Values of $ssl_library_ver from configure being tested against ...
Centos 2.1 "90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)"
RHEL 3-4 "90701f (OpenSSL 0.9.7a Feb 19 2003)"
RHEL 5 "90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)"
AIX 5.3 "90811f (OpenSSL 0.9.8k 25 Mar 2009)"
HP-UX 11.23 "90817f (OpenSSL 0.9.8w 23 Apr 2012)"
HP-UX 11.31 "90819f (OpenSSL 0.9.8y 5 Feb 2013)"
RHEL 6.0-4 "10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)"
AIX 6-7/RHEL 6.5+ "1000105f (OpenSSL 1.0.1e 11 Feb 2013)"

So after applying this patch - and re-running autoconf - configure will
error out on old openssl versions as expected.
---CUT---
*** openssh/configure.ac 2014-08-19 18:05:03.000000000 -0700
--- openssh-fix/configure.ac 2014-08-21 12:39:23.038445826 -0700
***************
*** 2289,2293 ****
# Check version is supported.
case "$ssl_library_ver" in
! 0090[0-7]*|009080[0-5]*)
AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
;;
--- 2289,2293 ----
# Check version is supported.
case "$ssl_library_ver" in
! 90[[0-7]]*|9080[[0-5]]*)
AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
;;
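Review bot: the new pattern `90[[0-7]]*|9080[[0-5]]*` only matches when $ssl_library_ver arrives with its leading zeros stripped, which is the opposite assumption from the old `0090...` pattern; if the string is ever produced zero-padded again, old OpenSSL versions will silently pass the check as they do today. Listing both spellings in the case arm (`0090[[0-7]]*|90[[0-7]]*|...`), or comparing the number instead of pattern-matching its text, would make the check independent of how the version is printed. The double brackets for M4 quoting look right.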
---CUT---

It should generate this (depending on your version of autoconf) in
configure
ssl_library_ver=`cat conftest.ssllibver`
# Check version is supported.
case "$ssl_library_ver" in
90[0-7]*|9080[0-5]*)
as_fn_error $? "OpenSSL >= 0.9.8f required"
"$LINENO" 5
;;
*) ;;
esac
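
The mismatch described above, run against the `$ssl_library_ver` strings quoted in the message (an added example, not part of the original post): the old pattern expects a zero-padded number and rejects none of them, while the patched pattern rejects the three builds older than 0.9.8f. The function names are made up for the illustration.

```shell
#!/bin/sh
# Original configure check: written for a zero-padded version number.
rejected_by_old_pattern() {
    case "$1" in
        0090[0-7]*|009080[0-5]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Patched check, as it appears in the generated configure.
rejected_by_new_pattern() {
    case "$1" in
        90[0-7]*|9080[0-5]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $ssl_library_ver strings listed in the message above.
page_versions() {
    cat <<'EOF'
90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
90701f (OpenSSL 0.9.7a Feb 19 2003)
90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
90811f (OpenSSL 0.9.8k 25 Mar 2009)
90817f (OpenSSL 0.9.8w 23 Apr 2012)
90819f (OpenSSL 0.9.8y 5 Feb 2013)
10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)
1000105f (OpenSSL 1.0.1e 11 Feb 2013)
EOF
}

# Count how many of the listed strings the given check rejects.
# $1 is the name of one of the two functions above.
count_rejected() {
    n=0
    while IFS= read -r ver; do
        if "$1" "$ver"; then n=$((n + 1)); fi
    done <<EOF
$(page_versions)
EOF
    echo "$n"
}

# Print a per-version comparison of both checks.
compare_checks() {
    page_versions | while IFS= read -r ver; do
        old=accept
        new=accept
        if rejected_by_old_pattern "$ver"; then old=reject; fi
        if rejected_by_new_pattern "$ver"; then new=reject; fi
        printf 'old=%-6s new=%-6s %s\n' "$old" "$new" "$ver"
    done
}

compare_checks
```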

The Doctor

Aug 21, 2014, 4:11:00 PM
Getting back to BSD/OS old serverware

The tests came back as


Script started on Thu Aug 21 11:50:09 2014
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ w
11:50AM up 66 days, 3:37, 1 user, load averages: 19.64, 22.72, 20.72
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 8:38AM 0 script
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ make -k tests
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || mkdir -p `pwd`/regress/unittests/sshkey
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && make)
/usr/bin/ar rv libssh.a ssherr.o sshbuf.o sshkey.o sshbuf-getput-basic.o sshbuf-misc.o sshbuf-getput-crypto.o authfd.o authfile.o bufaux.o bufbn.o buffer.o canohost.o channels.o cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o ssh-pkcs11.o krl.o smult_curve25519_ref.o kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o ssh-ed25519.o digest-openssl.o hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
ranlib libssh.a
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o ssh-keyscan ssh-keyscan.o roaming_dummy.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lcrypto -ldl -lutil -lz
gcc -o ssh-keysign ssh-keysign.o readconf.o roaming_dummy.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o ssh-agent ssh-agent.o ssh-pkcs11-client.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o sftp-server sftp-server.o sftp-common.o sftp-server-main.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/setuid-allowed ./regress/setuid-allowed.c -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/tests.c -o regress/unittests/sshbuf/tests.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf.c -o regress/unittests/sshbuf/test_sshbuf.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_basic.c -o regress/unittests/sshbuf/test_sshbuf_getput_basic.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_misc.c -o regress/unittests/sshbuf/test_sshbuf_misc.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_fuzz.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fixed.c -o regress/unittests/sshbuf/test_sshbuf_fixed.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/test_helper.c -o regress/unittests/test_helper/test_helper.o
regress/unittests/test_helper/test_helper.c: In function `test_data_file':
regress/unittests/test_helper/test_helper.c:173: warning: implicit declaration of function `strlcpy'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/fuzz.c -o regress/unittests/test_helper/fuzz.o
/usr/bin/ar rv regress/unittests/test_helper/libtest_helper.a regress/unittests/test_helper/test_helper.o regress/unittests/test_helper/fuzz.o
a - regress/unittests/test_helper/test_helper.o
a - regress/unittests/test_helper/fuzz.o
ranlib regress/unittests/test_helper/libtest_helper.a
gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_fuzz.c -o regress/unittests/sshkey/test_fuzz.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/tests.c -o regress/unittests/sshkey/tests.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/common.c -o regress/unittests/sshkey/common.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_file.c -o regress/unittests/sshkey/test_file.o
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib/include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_sshkey.c -o regress/unittests/sshkey/test_sshkey.o
gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/ -L/usr/contrib/lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
BUILDDIR=`pwd`; TEST_SHELL="sh"; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ="${BUILDDIR}/regress/" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="" TEST_SHELL="${TEST_SHELL}" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_ECC="${TEST_SSH_ECC}" EXEEXT="" tests && echo all tests passed
set -e ; if test -z "" ; then /usr/source/openssh-SNAP-20140822/regress/unittests/sshbuf/test_sshbuf ; /usr/source/openssh-SNAP-20140822/regress/unittests/sshkey/test_sshkey -d /usr/source/openssh-SNAP-20140822/regress//unittests/sshkey/testdata ; fi
test_sshbuf: ................................................................................................... 100 tests ok
test_sshkey: ......................................................................................... 89 tests ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
tr '\n' '\r' </usr/source/openssh-SNAP-20140822/regress/rsa_ssh2.prv > /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_cr.prv
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_cr.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
awk '{print $0 "\r"}' /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2.prv > /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_crnl.prv
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/rsa_ssh2_crnl.prv | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv
cat /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.prv > /usr/source/openssh-SNAP-20140822/regress//t2.out
chmod 600 /usr/source/openssh-SNAP-20140822/regress//t2.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -yf /usr/source/openssh-SNAP-20140822/regress//t2.out | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20140822/ssh-keygen -ef /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub >/usr/source/openssh-SNAP-20140822/regress//t3.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress//t3.out | diff - /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20140822/regress/t4.ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20140822/regress/t5.ok
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/dsa_ssh2.prv > /usr/source/openssh-SNAP-20140822/regress//t6.out1
/usr/source/openssh-SNAP-20140822/ssh-keygen -if /usr/source/openssh-SNAP-20140822/regress/dsa_ssh2.pub > /usr/source/openssh-SNAP-20140822/regress//t6.out2
chmod 600 /usr/source/openssh-SNAP-20140822/regress//t6.out1
/usr/source/openssh-SNAP-20140822/ssh-keygen -yf /usr/source/openssh-SNAP-20140822/regress//t6.out1 | diff - /usr/source/openssh-SNAP-20140822/regress//t6.out2
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t rsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t7.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t dsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t8.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t8.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t8.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -q -t ecdsa -N '' -f /usr/source/openssh-SNAP-20140822/regress//t9.out
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t9.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t9.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -q -t ed25519 -N '' -f /usr/source/openssh-SNAP-20140822/regress//t10.out
/usr/source/openssh-SNAP-20140822/ssh-keygen -lf /usr/source/openssh-SNAP-20140822/regress//t10.out > /dev/null
/usr/source/openssh-SNAP-20140822/ssh-keygen -Bf /usr/source/openssh-SNAP-20140822/regress//t10.out > /dev/null
run test connect.sh ...
tset: standard error: Operation not supported

12:09PM up 66 days, 3:56, 1 user, load averages: 9.60, 11.32, 14.74
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 8:38AM 18 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
/dev/sd0h ufs 88G 63G 21G 76% /usr
/dev/sd0g ufs 88G 53G 31G 63% /usr/var
/dev/sd0f ufs 88G 69G 16G 82% /usr/home
mfs:27 mfs 992M 14M 930M 2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
tset: standard error: Operation not supported

12:09PM up 66 days, 3:56, 1 user, load averages: 8.43, 11.01, 14.59
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 8:38AM 19 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
/dev/sd0h ufs 88G 63G 21G 76% /usr
/dev/sd0g ufs 88G 53G 31G 63% /usr/var
/dev/sd0f ufs 88G 69G 16G 82% /usr/home
mfs:27 mfs 992M 14M 930M 2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
ok simple connect
run test proxy-connect.sh ...
test: syntax error
test: syntax error
plain username protocol 1 privsep=no comp=no
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=no comp=no
plain username protocol 1 privsep=no comp=yes
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=no comp=yes
plain username protocol 2 privsep=no comp=no
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=no
plain username protocol 2 privsep=no comp=yes
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=yes
plain username protocol 1 privsep=yes comp=no
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=yes comp=no
plain username protocol 1 privsep=yes comp=yes
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 1 privsep=yes comp=yes
plain username protocol 2 privsep=yes comp=no
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=no
plain username protocol 2 privsep=yes comp=yes
tset: standard error: Operation not supported

/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=yes
username with style protocol 1
tset: standard error: Operation not supported

12:10PM up 66 days, 3:57, 1 user, load averages: 13.49, 12.05, 14.79
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 8:38AM 19 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
/dev/sd0h ufs 88G 63G 21G 76% /usr
/dev/sd0g ufs 88G 53G 31G 63% /usr/var
/dev/sd0f ufs 88G 69G 16G 82% /usr/home
mfs:27 mfs 992M 14M 929M 2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
username with style protocol 2
tset: standard error: Operation not supported

12:10PM up 66 days, 3:57, 1 user, load averages: 13.49, 12.05, 14.79
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p17.nl2k.ab.c 8:38AM 19 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
/dev/sd0h ufs 88G 63G 21G 76% /usr
/dev/sd0g ufs 88G 53G 31G 63% /usr/var
/dev/sd0f ufs 88G 69G 16G 82% /usr/home
mfs:27 mfs 992M 14M 929M 2% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
failed proxy connect
*** Error code 1 (continuing)
`tests' not remade because of errors.
all tests passed
You have new mail in /var/mail/doctor
doctor.nl2k.ab.ca//usr/source/openssh-SNAP-20140822$ exit
exit

Script done on Thu Aug 21 12:17:12 2014

Why suddenly this failure?

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
22 Sept 2014 New Brunswick save the province vote Liberal!

Corinna Vinschen

Aug 21, 2014, 4:12:28 PM
On Aug 21 21:07, Tom Christensen wrote:
> On 21/08/14 03:00, Damien Miller wrote:
> >Thanks for figuring this out. I'd prefer to keep the dependencies from
> >the tests to a minimum, at least until we have the API defined in
> >libopenssh, so here's a workaround that uses argv[0]:
> >
> <snip patch>
>
> That took care of the segfault but unfortunately test_sshbuf fails:
> test_sshbuf: ........................................................
> regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57
> "sshbuf_putf"
> ASSERT_INT_EQ(r, 0) failed:
> r = -10
> 0 = 0
>
> The rest of the testsuite is a total loss presumably due to this early
> failure.

Try this:

$ make tests REGRESS_TARGETS='t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec'

This runs all non-unit tests. See regress/Makefile, right at the top.

Tom Christensen

Aug 22, 2014, 2:20:19 AM
On 21/08/14 22:12, Corinna Vinschen wrote:
> This runs all non-unit tests. See regress/Makefile, right at the top.
>
Right.

Looks like ssh-keygen is busted.
It passes t1 but t2 is fail:

make[1]: Entering directory
`/export/home/tgc/buildpkg/openssh/src/openssh/regress'
cat
/export/home/tgc/buildpkg/openssh/src/openssh/regress/rsa_openssh.prv >
/export/home/tgc/buildpkg/openssh/src/openssh/regress/t
chmod 600 /export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out
/export/home/tgc/buildpkg/openssh/src/openssh/ssh-keygen -yf
/export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out | diff b
key_write failed1c1
<
---
> ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX8=
make[1]: *** [t2] Error 1


Running the command by hand:
$ /export/home/tgc/buildpkg/openssh/src/openssh/ssh-keygen -yf
/export/home/tgc/buildpkg/openssh/src/openssh/regress//t2.out
key_write failed
$

-tgc

Damien Miller

Aug 22, 2014, 3:29:41 AM
On Thu, 21 Aug 2014, Kevin Brott wrote:

> checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
> 2001)
> checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
> 2001)

ah, it's missing the leading zeroes that I expected.


Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.579
diff -u -p -r1.579 configure.ac
--- configure.ac 20 Aug 2014 01:05:03 -0000 1.579
+++ configure.ac 22 Aug 2014 07:29:08 -0000
@@ -2243,7 +2243,7 @@ AC_RUN_IFELSE(
if(fd == NULL)
exit(1);

- if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+ if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
exit(1);

exit(0);
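Review bot: in the changed `fprintf` line, `%08x` expects an `unsigned int`, but `OPENSSL_VERSION_NUMBER` is defined by OpenSSL as a `long` constant (it carries an `L` suffix), so the conversion and the argument disagree on LP64 platforms. Suggest `"%08lx (%s)\n", (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT` so the zero padding is applied to a value of the type actually passed.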
@@ -2278,7 +2278,7 @@ AC_RUN_IFELSE(
if(fd == NULL)
exit(1);

- if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(),
+ if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
SSLeay_version(SSLEAY_VERSION))) <0)
exit(1);

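Review bot: the library probe has the same type mismatch: `SSLeay()` returns a `long`-sized value, so `%08x` should be `%08lx` with an `(unsigned long)` cast. Whatever format is chosen, keep it character-for-character identical to the header probe in the previous hunk, since the two outputs are reported as the header and library versions and a difference in padding alone would make matching versions look different.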
Damien Miller

Aug 22, 2014, 3:31:20 AM
On Thu, 21 Aug 2014, Kevin Brott wrote:

> sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such
> file or directory
> gmake: *** [sshbuf-getput-crypto.o] Error 1

I'll commit this momentarily. Will be in the 20140823 snapshot.


Index: sshbuf-getput-crypto.c
===================================================================
RCS file: /var/cvs/openssh/sshbuf-getput-crypto.c,v
retrieving revision 1.3
diff -u -p -r1.3 sshbuf-getput-crypto.c
--- sshbuf-getput-crypto.c 2 Jul 2014 02:48:05 -0000 1.3
+++ sshbuf-getput-crypto.c 22 Aug 2014 07:30:38 -0000
@@ -24,7 +24,9 @@
#include <string.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
+#ifdef OPENSSL_HAS_ECC
+# include <openssl/ec.h>
+#endif /* OPENSSL_HAS_ECC */

#include "ssherr.h"
#include "sshbuf.h"
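Review bot: this hunk guards only the `#include <openssl/ec.h>` line; any function later in sshbuf-getput-crypto.c that uses EC types needs the same `#ifdef OPENSSL_HAS_ECC` guard, otherwise a build against an OpenSSL without ec.h just moves from a missing-header error to undeclared-type errors. Also worth confirming that the header defining `OPENSSL_HAS_ECC` is included above line 24, because the context shown here has only `<string.h>` and `<openssl/bn.h>` before the test and an undefined macro would silently drop the include everywhere.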

Damien Miller

Aug 22, 2014, 3:48:54 AM
On Thu, 21 Aug 2014, Tom Christensen wrote:

> On 21/08/14 03:00, Damien Miller wrote:
> > Thanks for figuring this out. I'd prefer to keep the dependencies from
> > the tests to a minimum, at least until we have the API defined in
> > libopenssh, so here's a workaround that uses argv[0]:
> >
> <snip patch>
>
> That took care of the segfault but unfortunately test_sshbuf fails:
> test_sshbuf: ........................................................
> regress/unittests/sshbuf/test_sshbuf_getput_basic.c:412 test #57 "sshbuf_putf"
> ASSERT_INT_EQ(r, 0) failed:
> r = -10
> 0 = 0
>
> The rest of the testsuite is a total loss presumably due to this early
> failure.
>
> This is on Solaris 9/SPARC with gcc 4.9.1.

It looks like this is failing:

if ((len = vsnprintf(NULL, 0, fmt, ap2)) < 0) {

Does your libc vsnprintf() support checking the length of the formatted
string this way? (AFAIK SUSv3 requires it).

We should check for it in configure anyway...

Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.580
diff -u -p -r1.580 configure.ac
--- configure.ac 22 Aug 2014 07:36:20 -0000 1.580
+++ configure.ac 22 Aug 2014 07:48:42 -0000
@@ -1887,11 +1887,9 @@ if test "x$ac_cv_func_snprintf" = "xyes"
)
fi

-# If we don't have a working asprintf, then we strongly depend on vsnprintf
-# returning the right thing on overflow: the number of characters it tried to
-# create (as per SUSv3)
-if test "x$ac_cv_func_asprintf" != "xyes" && \
- test "x$ac_cv_func_vsnprintf" = "xyes" ; then
+# We depend on vsnprintf returning the right thing on overflow: the
+# number of characters it tried to create (as per SUSv3)
+if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
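Review bot: the rewritten comment above the `if test "x$ac_cv_func_vsnprintf" = "xyes"` line still describes only the overflow case, while the reason for dropping the asprintf condition is the `vsnprintf(NULL, 0, fmt, ap2)` length probe quoted in this message. Suggest naming both behaviours in the comment (return value on truncation, and on a NULL buffer with size 0) so the next reader knows why the check is now unconditional.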
@@ -1899,15 +1897,23 @@ if test "x$ac_cv_func_asprintf" != "xyes
#include <stdio.h>
#include <stdarg.h>

-int x_snprintf(char *str,size_t count,const char *fmt,...)
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
- size_t ret; va_list ap;
- va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
+ size_t ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = vsnprintf(str, count, fmt, ap);
+ va_end(ap);
return ret;
}
]], [[
- char x[1];
- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+char x[1];
+if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
+ return 1;
+if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
+ return 1;
+return 0;
]])],
[AC_MSG_RESULT([yes])],
[
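Review bot: in `x_snprintf`, `size_t ret` receives the `int` result of `vsnprintf`, so a negative error return is converted to a large unsigned value and then back to `int` at `return ret;`, which is implementation-defined. Declare it `int ret;`, since the two `!= 11` comparisons added below are exactly where a -1 from a non-conforming libc has to come through intact.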

Damien Miller

Aug 22, 2014, 12:29:47 PM
On Fri, 22 Aug 2014, Tom Christensen wrote:

> On 21/08/14 22:12, Corinna Vinschen wrote:
> > This runs all non-unit tests. See regress/Makefile, right at the top.
> >
> Right.
>
> Looks like ssh-keygen is busted.
> It passes t1 but t2 is fail:

That's probably related to sshbuf_putf() being broken.

-d

Damien Miller

Aug 22, 2014, 12:28:51 PM
On Thu, 21 Aug 2014, Corinna Vinschen wrote:

> > The rest of the testsuite is a total loss presumably due to this early
> > failure.
>
> Try this:
>
> $ make tests REGRESS_TARGETS='t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec'
>
> This runs all non-unit tests. See regress/Makefile, right at the top.

"make tests SKIP_UNIT=1" exists for this purpose :)

Damien Miller

Aug 22, 2014, 12:28:09 PM
On Thu, 21 Aug 2014, The Doctor wrote:

> Getting back to BSD/OS old serverware
>
> The tests came back as
...
> run test connect.sh ...
> tset: standard error: Operation not supported
>
> 12:09PM up 66 days, 3:56, 1 user, load averages: 9.60, 11.32, 14.74
> USER TTY FROM LOGIN@ IDLE WHAT
> doctor p0 ts1p17.nl2k.ab.c 8:38AM 18 script
> Filesystem Type Size Used Avail Use% Mounted on
> /dev/sd0a ufs 3.9G 1.7G 2.0G 46% /
> /dev/sd0h ufs 88G 63G 21G 76% /usr
> /dev/sd0g ufs 88G 53G 31G 63% /usr/var
> /dev/sd0f ufs 88G 69G 16G 82% /usr/home
> mfs:27 mfs 992M 14M 930M 2% /tmp
> Delete is backspace
> /root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
> daemon: /var/news/etc/send-uucp: No such file or directory
> tset: standard error: Operation not supported

It could be that this .bashrc is interfering with the tests (e.g. by
generating unexpected output).

Tom Christensen

Aug 22, 2014, 5:26:29 PM
On 22/08/14 09:48, Damien Miller wrote:
> Does your libc vsnprintf() support checking the length of the formatted
> string this way? (AFAIK SUSv3 requires it).
>
No, this does not work on Solaris 9 and older.
Gnulib has a list of platforms with this bug here:
https://www.gnu.org/software/gnulib/manual/html_node/snprintf.html

> We should check for it in configure anyway...
>
<snip patch>

checking whether vsnprintf returns correct values on overflow... no
configure: WARNING: ****** Your vsnprintf() function is broken, complain
to your vendor

The testsuite now passes on Solaris 8 and 9.

-tgc
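Added example, not OpenSSH code or its configure test: the length-checking use of vsnprintf() discussed in the message above, with a runtime probe for the C99/SUSv3 return value that Solaris 9 and older do not provide. The names probe_fmt, vsnprintf_reports_length and fmt_alloc are hypothetical, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: call vsnprintf() with a caller-chosen buffer size. */
static int
probe_fmt(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	return r;
}

/*
 * Returns 1 if vsnprintf() reports the full formatted length both when the
 * output is truncated and when it is given no buffer at all, 0 otherwise.
 * The result is cached after the first call.
 */
int
vsnprintf_reports_length(void)
{
	static int cached = -1;
	char small[4];

	if (cached != -1)
		return cached;
	cached = 0;
	memset(small, 'X', sizeof(small));
	/* 10 characters into a 4-byte buffer: must return 10, not -1 or 3. */
	if (probe_fmt(small, sizeof(small), "%s", "0123456789") != 10)
		return 0;
	/* The truncated output must be "012" followed by a NUL. */
	if (memcmp(small, "012", 4) != 0)
		return 0;
	/* Measuring call with no buffer: "42-abc" is 6 characters. */
	if (probe_fmt(NULL, 0, "%d-%s", 42, "abc") != 6)
		return 0;
	cached = 1;
	return 1;
}

/*
 * Measure-then-write formatting into a freshly allocated string.
 * Returns 0 and sets *out / *lenp on success; returns -1 (leaving *out
 * NULL) on a libc that misreports lengths, on allocation failure, or if
 * the two passes disagree.
 */
int
fmt_alloc(char **out, size_t *lenp, const char *fmt, ...)
{
	va_list ap, ap2;
	int need, wrote;
	char *p;

	*out = NULL;
	*lenp = 0;
	if (!vsnprintf_reports_length())
		return -1;	/* fail closed rather than truncate silently */
	va_start(ap, fmt);
	va_copy(ap2, ap);
	need = vsnprintf(NULL, 0, fmt, ap);		/* pass 1: measure */
	va_end(ap);
	if (need < 0 || (p = malloc((size_t)need + 1)) == NULL) {
		va_end(ap2);
		return -1;
	}
	wrote = vsnprintf(p, (size_t)need + 1, fmt, ap2);	/* pass 2: write */
	va_end(ap2);
	if (wrote != need) {
		free(p);
		return -1;
	}
	*out = p;
	*lenp = (size_t)need;
	return 0;
}

int
main(void)
{
	char *s;
	size_t n;

	printf("vsnprintf reports length: %s\n",
	    vsnprintf_reports_length() ? "yes" : "no");
	if (fmt_alloc(&s, &n, "%s port %d", "127.0.0.1", 4242) == 0) {
		printf("%zu bytes: %s\n", n, s);
		free(s);
	}
	return 0;
}
```

On a libc that returns -1 or the truncated count on overflow, the probe returns 0 and fmt_alloc() refuses to format instead of handing back a short string.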

Tom Christensen

Aug 23, 2014, 7:43:20 AM
On 18/08/14 03:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>

It fails to build on IRIX 6.2:

cc-1020 cc: ERROR File = sftp-server.c, Line = 1536
The identifier "PR_SET_DUMPABLE" is undefined.

if (prctl(PR_SET_DUMPABLE, 0) != 0)
^

1 error detected in the compilation of "sftp-server.c".

AFAIK no version of IRIX has PR_SET_DUMPABLE.

Fixing that, the build completes.

The sshkey unit test fails:
test_sshkey: ...........................
regress/unittests/sshkey/test_sshkey.c:338 test #28 "nested certificate"
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0) failed:
sshkey_load_cert(test_data_file("rsa_1"), &k1) = -4
0 = 0
make[1]: *** [unit] Error 134

The rest of the testsuite is running now but so far it looks like the
problems there are the same as previous releases.

Frederico Costa

Aug 23, 2014, 3:02:49 PM
Hi there

Tested openssh-SNAP-20140823.tar.gz on FreeBSD versions:

FreeBSD 10.0-RELEASE-p6 #0 r267862
FreeBSD 9.3-RELEASE #0 r268564

with generic kernel.

All tests passed.

Fred



Kevin Brott

Aug 25, 2014, 5:27:54 PM
Slightly better results this time 'round ... still having non-ec.h build
issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
with --without-pie config option) on RHEL 5 64-bit systems with a
just-built copy of openssl

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz

OS              Build_Target            CC                  OpenSSL      BUILD   TEST
==============  ======================  ==================  ===========  ======  ================
Centos 2.1      i386-redhat-linux       gcc 2.9.6           1.0.1i**     OK*1    all tests passed
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47        1.0.1i**     OK*1    FAIL*1
Fedora Core r2  i386-redhat-linux       gcc 3.3.3-7         1.0.1i**     OK*1*2  all tests passed
RHEL 4.8        i386-redhat-linux       gcc 3.4.6-11        1.0.1i**     OK*1*2  all tests passed
RHEL 4.8        x86_64-redhat-linux     gcc 3.4.6-11        1.0.1i**     OK*1*2  all tests passed
RHEL 5.4        i386-redhat-linux       gcc 4.1.2-46        1.0.1i**     OK*1    all tests passed
RHEL 5.4        x86_64-redhat-linux     gcc 4.1.2-46        1.0.1i**     OK*1*3  all tests passed
...more of same...
RHEL 5.10       i686-redhat-linux       gcc 4.1.2-54        1.0.1i**     OK*1    all tests passed
RHEL 5.10       x86_64-redhat-linux     gcc 4.1.2-54        1.0.1i**     OK*1*3  all tests passed
RHEL 6.0        i686-redhat-linux       gcc 4.4.4-13        1.0.0-fips   FAIL*2
RHEL 6.0        x86_64-redhat-linux     gcc 4.4.4-13        1.0.0-fips   FAIL*2
....more of same...
RHEL 6.4        i686-redhat-linux       gcc 4.4.7-3         1.0.0-fips   FAIL*2
RHEL 6.4        x86_64-redhat-linux     gcc 4.4.7-3         1.0.0-fips   FAIL*2
RHEL 6.5        i686-redhat-linux       gcc 4.4.7-4         1.0.1e-fips  OK      all tests passed
RHEL 6.5        x86_64-redhat-linux     gcc 4.4.7-4         1.0.1e-fips  OK      all tests passed
RHEL 7.0        x86_64-redhat-linux     gcc 4.8.2-16        1.0.1e-fips  OK      all tests passed
Debian 7.6      x86_64-linux-gnu        gcc Debian 4.7.2-5  1.0.1e       OK      all tests passed
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0  xlc 8.0.0.16        0.9.8k       FAIL*2
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3         0.9.8k       FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  xlc 11.1.0.6        1.0.1e       OK      all tests passed
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0  gcc 4.2.0           1.0.1e       OK      all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  xlc 12.1.0.6        1.0.1e       OK      all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0  gcc 4.4.7           1.0.1e       OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       C/aC++ C.11.23.12   0.9.8w       OK      all tests passed
HP-UX 11.23     ia64-hp-hpux11.23       gcc 4.3.1           0.9.8w       OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       C/aC++ C.11.31.05   0.9.8y       OK      all tests passed
HP-UX 11.31     ia64-hp-hpux11.31       gcc 4.6.2           0.9.8y       OK      all tests passed

RHEL Red Hat Enterprise Linux

** OpenSSH will no longer configure/build against OS-native openssl,
openssl-1.0.1i installed in /usr/local/ssl/ (./config && make && make
test && make install),
*1 ./configure --with-ssl-dir=/usr/local/ssl && make tests
*2 --without-zlib-version-check # old zlib on server
*3 --without-pie # otherwise will not load openssl - which doesn't use
PIE during compile on 64-bit systems
*4 IBM auto-generated prologs in openssl 1.0.1e /usr/include/openssl/ec*.h
break
compile, commented out properly (/*/ vs #) and then everything is go.

FAIL*1 ran make tests three (3) times ... died here each time:
run test login-timeout.sh ...
ssh connect after login grace timeout failed without privsep
failed connect after login grace timeout
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/usr/src/openssh/regress'
make: *** [tests] Error 2

FAIL*2 compile fails at bufexc.c like so - another ec.h issue?
GCC:
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I.
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c bufec.c -o bufec.o
bufec.c:30: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:30: error: expected ';', ',' or ')' before '*' token
bufec.c:43: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:43: error: expected ';', ',' or ')' before '*' token
bufec.c:51: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:51: error: expected ';', ',' or ')' before '*' token
bufec.c:64: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:64: error: expected ';', ',' or ')' before '*' token
make: The error code from the last command is 1.
XLC:
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/usr/include
-I/var/tmp/ssh/include -DSSHDIR=\"/usr/local/etc\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c bufec.c -o bufec.o
bufec.c:30: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:30: error: parse error before '*' token
bufec.c: In function 'buffer_put_ecpoint_ret':
bufec.c:35: warning: implicit declaration of function 'sshbuf_put_ec'
bufec.c:35: error: 'buffer' undeclared (first use in this function)
bufec.c:35: error: (Each undeclared identifier is reported only once
bufec.c:35: error: for each function it appears in.)
bufec.c:35: error: 'point' undeclared (first use in this function)
bufec.c:35: error: 'curve' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:43: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:43: error: parse error before '*' token
bufec.c: In function 'buffer_put_ecpoint':
bufec.c:46: error: 'buffer' undeclared (first use in this function)
bufec.c:46: error: 'curve' undeclared (first use in this function)
bufec.c:46: error: 'point' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:51: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:51: error: parse error before '*' token
bufec.c: In function 'buffer_get_ecpoint_ret':
bufec.c:56: warning: implicit declaration of function 'sshbuf_get_ec'
bufec.c:56: error: 'buffer' undeclared (first use in this function)
bufec.c:56: error: 'point' undeclared (first use in this function)
bufec.c:56: error: 'curve' undeclared (first use in this function)
bufec.c: At top level:
bufec.c:64: warning: type defaults to 'int' in declaration of 'EC_GROUP'
bufec.c:64: error: parse error before '*' token
bufec.c: In function 'buffer_get_ecpoint':
bufec.c:67: error: 'buffer' undeclared (first use in this function)
bufec.c:67: error: 'curve' undeclared (first use in this function)
bufec.c:67: error: 'point' undeclared (first use in this function)
make: 1254-004 The error code from the last command is 1.





On Fri, Aug 22, 2014 at 12:31 AM, Damien Miller <d...@mindrot.org> wrote:

> On Thu, 21 Aug 2014, Kevin Brott wrote:
>
> > sshbuf-getput-crypto.c:27:24: error: openssl/ec.h: No such
> > file or directory
> > gmake: *** [sshbuf-getput-crypto.o] Error 1
>
> I'll commit this momentarily. Will be in the 20140823 snapshot.
>
>
> Index: sshbuf-getput-crypto.c
> ===================================================================
> RCS file: /var/cvs/openssh/sshbuf-getput-crypto.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 sshbuf-getput-crypto.c
> --- sshbuf-getput-crypto.c 2 Jul 2014 02:48:05 -0000 1.3
> +++ sshbuf-getput-crypto.c 22 Aug 2014 07:30:38 -0000
> @@ -24,7 +24,9 @@
> #include <string.h>
>
> #include <openssl/bn.h>
> -#include <openssl/ec.h>
> +#ifdef OPENSSL_HAS_ECC
> +# include <openssl/ec.h>
> +#endif /* OPENSSL_HAS_ECC */
>
> #include "ssherr.h"
> #include "sshbuf.h"
>
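Review bot: the new #ifdef OPENSSL_HAS_ECC around the ec.h include only works if that macro is already defined at this point in the file, and the visible context shows only <string.h> and <openssl/bn.h> above it. Confirm that whatever header defines the macro is included earlier; otherwise ec.h is silently skipped on ECC-capable builds as well. Any function further down that takes EC_POINT or EC_GROUP arguments needs the same guard, or the failure just moves from the include to the first prototype.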



--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Iain Morgan

Aug 25, 2014, 5:57:08 PM
On Mon, Aug 25, 2014 at 14:27:54 -0700, Kevin Brott wrote:
> Slightly better results this time 'round ... still having non-ec.h build
> issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
> with --without-pie config option) on RHEL 5 64-bit systems with a
> just-built copy of openssl
>

Sorry, I haven't been following this thread closely, but have you tried
adding -fPIC when you configure OpenSSL? That's an issue that comes up
on the mailing list from time to time with installs of OpenSSL.

If that is the issue you are encountering, we should probably add a note
about it to the INSTALL file and possibly the online FAQ.

--
Iain

mi...@noc.utoronto.ca

Aug 25, 2014, 6:14:33 PM
> On Thu, 21 Aug 2014, Damien Miller wrote:
>
>> On Wed, 20 Aug 2014, mi...@noc.utoronto.ca wrote:
>>
>>> Tested on Solaris 10, gcc 3.4.6, openssl 1.0.1i.
>>>
>>> 'make' works, 'make tests' fails with:
>>
>> This is likely the __progname problem that I just posted a patch for. Could
>> you give that a try?
>>
>> -d
>
> Still fails same place.

Tried again with SNAP-20140826; gets much farther into the tests:

...
run test sftp-perm.sh ...
sftp permissions: read-only upload
sftp permissions: read-only setstat
postcondition check failed: setstat readonly
sftp permissions: read-only rm
sftp permissions: read-only mkdir
sftp permissions: read-only rmdir
sftp permissions: read-only posix-rename
sftp permissions: read-only oldrename
sftp permissions: read-only symlink
sftp permissions: read-only hardlink
sftp permissions: explicit open
sftp permissions: explicit read
sftp permissions: explicit write
sftp permissions: explicit lstat
sftp permissions: explicit opendir
sftp permissions: explicit readdir
sftp permissions: explicit setstat
postcondition check failed: setstat blacklisted
postcondition check failed: setstat not in whitelist
sftp permissions: explicit remove
sftp permissions: explicit mkdir
sftp permissions: explicit rmdir
sftp permissions: explicit posix-rename
sftp permissions: explicit rename
sftp permissions: explicit symlink
sftp permissions: explicit hardlink
sftp permissions: explicit statvfs
failed sftp permissions
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2

Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mi...@noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

Damien Miller

Aug 25, 2014, 6:42:23 PM
On Mon, 25 Aug 2014, Kevin Brott wrote:

> Slightly better results this time 'round ... still having non-ec.h build
> issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
> with --without-pie config option) on RHEL 5 64-bit systems with a just-built
> copy of openssl
>
> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz

Thanks again!

...

> *3 --without-pie # otherwise will not load openssl - which doesn't use PIE
> during compile on 64-bit systems

We should probably find a way to delay the PIE checks until after we have
most dependency libraries located to catch this.

> FAIL*1 ran make tests three (3) times ... died here each time:
> run test login-timeout.sh ...
> ssh connect after login grace timeout failed without privsep
> failed connect after login grace timeout
> make[1]: *** [t-exec] Error 1
> make[1]: Leaving directory `/usr/src/openssh/regress'
> make: *** [tests] Error 2

any clues in regress/failed-*?

> FAIL*2 compile fails at bufexc.c like so - another ec.h issue?

Yep, fixed in tomorrow's snapshot

-d

Damien Miller

Aug 25, 2014, 7:07:16 PM
On Mon, 25 Aug 2014, mi...@noc.utoronto.ca wrote:

> Tried again with SNAP-20140826; gets much farther into the tests:

Thanks!

> sftp permissions: explicit setstat
> postcondition check failed: setstat blacklisted
> postcondition check failed: setstat not in whitelist

This is probably a problem with the test itself. Could you try applying
the below patch, rerunning the just the affected sftp-perm.sh test (using
"make tests LTESTS=sftp-perm SKIP_UNIT=1") and sending me the output along
with regress/sftp.log?

-d

Index: regress/sftp-perm.sh
===================================================================
RCS file: /var/cvs/openssh/regress/sftp-perm.sh,v
retrieving revision 1.2
diff -u -p -r1.2 sftp-perm.sh
--- regress/sftp-perm.sh 24 Oct 2013 19:22:50 -0000 1.2
+++ regress/sftp-perm.sh 25 Aug 2014 23:06:41 -0000
@@ -29,7 +29,7 @@ postcondition() {
_title="$1"
_check="$2"
test -z "$_check" && return
- ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title"
+ ${TEST_SHELL} -c "$_check" || fatal "postcondition check failed: $_title"
}

ro_test() {
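Review bot: switching fail to fatal in postcondition() means the first failed postcondition ends the run (assuming fatal aborts the script where fail only records the failure), so the later cases in sftp-perm.sh no longer report. That suits capturing state at the first failure as requested in this message, but it should stay a local debugging change and not be committed with the test.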
@@ -72,7 +72,13 @@ perm_test() {
# Blacklist
prepare_files "$_prep"
prepare_server -P $_op
+echo "blacklist pre"
+ls -l $COPY
run_client "$_cmd" && fail "blacklisted $_op succeeded"
+echo "blacklist post"
+ls -l $COPY
+test -x $COPY && echo "test -x"
+test -x $COPY || echo "!test -x"
postcondition "$_op blacklisted" "$_expect_fail_post"
# Whitelist with op missing.
prepare_files "$_prep"
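Review bot: $COPY is unquoted in the added ls -l and test -x lines in perm_test(), so a path containing whitespace would split into several arguments; write "$COPY". The paired test -x $COPY && ... and test -x $COPY || ... lines check the file twice and would read better as one if/else, and the "blacklist pre" and "blacklist post" markers would be easier to match up in the output if they included $_op.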

Damien Miller

Aug 25, 2014, 7:28:27 PM
On Mon, 25 Aug 2014, Iain Morgan wrote:

> Sorry, I haven't been following this thread closely, but have you tried
> adding -fPIC when you configure OpenSSL? That's an issue that comes up
> on the mailing list from time to time with installs of OpenSSL.
>
> If that is the issue you are encountering, we should probably add a note
> about it to the INSTALL file and possibly the online FAQ.

I've added a note to the INSTALL file. The FAQ really needs a massive
overhaul, it hasn't been touched for years.

-d

Kevin Brott

Aug 25, 2014, 7:32:37 PM
On Mon, Aug 25, 2014 at 3:42 PM, Damien Miller <d...@mindrot.org> wrote:

> On Mon, 25 Aug 2014, Kevin Brott wrote:
>
> > Slightly better results this time 'round ... still having non-ec.h build
> > issues, what I think is a race condition on RHEL 3, and PIE issues (fixed
> > with --without-pie config option) on RHEL 5 64-bit systems with a
> just-built
> > copy of openssl
> >
> > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140826.tar.gz
>
> Thanks again!
>
>
De nada ...



> ...
>
> > *3 --without-pie # otherwise will not load openssl - which doesn't use
> PIE
> > during compile on 64-bit systems
>
> We should probably find a way to delay the PIE checks until after we have
> most dependency libraries located to catch this.
>

Per IAN's comment - I tried building openssl on another x64 system
using ./config
shared instead of just ./config (builds static library) so that it would
try to use -fPIC. After installing and creating an
/etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib
(configure pukes without this - it can't find libssl.so.1.0.0 even with an
explicit --with-ssl-dir) ... configure works as advertised without telling
it --without-pie, and make test is 'all tests passed'. Perhaps a quick
check to see if libssl is a static or shared library would be in order
before asking for a slice of pie? ;p


> > FAIL*1 ran make tests three (3) times ... died here each time:
> > run test login-timeout.sh ...
> > ssh connect after login grace timeout failed without privsep
> > failed connect after login grace timeout
> > make[1]: *** [t-exec] Error 1
> > make[1]: Leaving directory `/usr/src/openssh/regress'
> > make: *** [tests] Error 2
>
> any clues in regress/failed-*?
>
>
Brought that VM back up (admittedly I didn't look too deep at this one -
was trying to get through the test suite first), looking at those files I
see this:

# ls -alrt failed-*
-rw-r--r-- 1 root root 308 Aug 25 09:05 failed-ssh.log
-rw-r--r-- 1 root root 236 Aug 25 09:05 failed-sshd.log
-rw-r--r-- 1 root root 89 Aug 25 09:05 failed-regress.log
[root@buildhost regress]# cat failed-regress.log
trace: wait for sshd
FAIL: ssh connect after login grace timeout failed without privsep

[root@buildhost regress]# cat failed-sshd.log
trace: wait for sshd
Received signal 15; terminating.
debug2: channel 0: rcvd close
Received disconnect from 127.0.0.1: 11: disconnected by user
debug1: do_cleanup
FAIL: ssh connect after login grace timeout failed without privsep

[root@buildhost regress]# cat failed-ssh.log
trace: wait for sshd
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242.
debug1: connect to address 127.0.0.1 port 4242: Connection refused
ssh: connect to host 127.0.0.1 port 4242: Connection refused
FAIL: ssh connect after login grace timeout failed without privsep

Need to dig through my email archives - I would swear this is a
(previously fixed) race in the test suite where it wasn't waiting properly.


> FAIL*2 compile fails at bufexc.c like so - another ec.h issue?
>
> Yep, fixed in tomorrow's snapshot
>
> -d
>

Awesome.


--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Kevin Brott

Aug 25, 2014, 7:40:15 PM
Close - I'm remembering the race in rexec where ...

DM:

"turns out to be a race condition in the test itself:

adding a "sleep 1" after each "kill" statement makes the test pass.
We need a better way of handling this in the tests, perhaps polling for
sshd's pidfile being deleted."

Damien Miller

Aug 25, 2014, 7:45:57 PM
On Mon, 25 Aug 2014, Kevin Brott wrote:

> > ...
> >
> > > *3 --without-pie # otherwise will not load openssl - which doesn't use
> > PIE
> > > during compile on 64-bit systems
> >
> > We should probably find a way to delay the PIE checks until after we have
> > most dependency libraries located to catch this.
> >
>
> Per IAN's comment - I tried building openssl on another x64 system
> using ./config
> shared instead of just ./config (builds static library) so that it would
> try to use -fPIC. After installing and creating an
> /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib
> (configure pukes without this - it can't find libssl.so.1.0.0 even with an
> explicit --with-ssl-dir) ... configure works as advertised without telling
> it --without-pie, and make test is 'all tests passed'. Perhaps a quick
> check to see if libssl is a static or shared library would be in order
> before asking for a slice of pie? ;p

Yes, the only impediment to doing it before this release are 1) making it
work cross-platform (simply delaying the PIE checks until after OpenSSL
has been located might be sufficient for this) and 2) not breaking
anything else in the process (unfortunately, delaying the OpenSSL checks
would almost certainly break something).

Yes, this was supposed to "fix" it

- d...@cvs.openbsd.org 2014/03/13 20:44:49
[login-timeout.sh]
this test is a sorry mess of race conditions; add another sleep
to avoid a failure on slow machines (at least until I find a
better way)

Guess I'll have to look for that "better way" soon...

-d

Kevin Brott

Aug 26, 2014, 1:52:29 PM
Good news/Bad News

The test race in RHEL 3.4 seems to be gone ... but another ec.h failure ...

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140827.tar.gz
OS              Build_Target            CC            OpenSSL    BUILD   TEST
==============  ======================  ============  =========  ======  ================
RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47  1.0.1i**a  OK*1    all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3   0.9.8k     FAIL*1

FAIL*1 missing e.h in test_sshbuf_getput_crypto
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I.
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:20:24: error:
openssl/ec.h: No such file or directory
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c: In function
'sshbuf_getput_crypto_tests':
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused
variable 'bn_y'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused
variable 'bn_x'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:34: warning: unused
variable 's'
regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:33: warning: unused
variable 'd'
make: The error code from the last command is 1.




--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Damien Miller

Aug 26, 2014, 2:02:58 PM
On Tue, 26 Aug 2014, Kevin Brott wrote:

> Good news/Bad News
>
> The test race in RHEL 3.4 seems to be gone ... but another ec.h failure ...
>
> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140827.tar.gz
> OS              Build_Target            CC            OpenSSL    BUILD   TEST
> ==============  ======================  ============  =========  ======  ================
> RHEL 3.4        i386-redhat-linux       gcc 3.2.3-47  1.0.1i**a  OK*1    all tests passed
> AIX 5300-12-04  powerpc-ibm-aix5.3.0.0  gcc 4.2.0-3   0.9.8k     FAIL*1
>
> regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
> regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:20:24: error:
> openssl/ec.h: No such file or directory

The other good news is that it has made it to unittests :)

Index: regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c,v
retrieving revision 1.4
diff -u -p -r1.4 test_sshbuf_getput_crypto.c
--- regress/unittests/sshbuf/test_sshbuf_getput_crypto.c 11 Jun 2014 19:32:29 -0000 1.4
+++ regress/unittests/sshbuf/test_sshbuf_getput_crypto.c 26 Aug 2014 18:02:30 -0000
@@ -17,8 +17,10 @@
#include <string.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"
#include "ssherr.h"
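Review bot: the include guard here is OPENSSL_HAS_NISTP256, while the sshbuf-getput-crypto.c change earlier in this thread guards the same header with OPENSSL_HAS_ECC. If a build can have ECC without NISTP256, ec.h is dropped in the test while the library code still includes it. That is only safe if every EC use in this file sits under the NISTP256 guard, so either confirm that or use OPENSSL_HAS_ECC for the include and keep NISTP256 for the test body.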
@@ -32,7 +34,7 @@ sshbuf_getput_crypto_tests(void)
struct sshbuf *p1;
const u_char *d;
size_t s;
- BIGNUM *bn, *bn2, *bn_x, *bn_y;
+ BIGNUM *bn, *bn2;
/* This one has num_bits != num_bytes * 8 to test bignum1 encoding */
const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10";
/* This one has MSB set to test bignum2 encoding negative-avoidance */
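Review bot: bn_x and bn_y are dropped from the unconditional BIGNUM declaration, but d and s on the two context lines above it stay unconditional, and the AIX build log in this thread reported all four as unused when the EC section is compiled out. Moving d and s under the same #ifdef OPENSSL_HAS_NISTP256 as bn_x and bn_y would clear the remaining two warnings on builds without NISTP256.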
@@ -47,6 +49,7 @@ sshbuf_getput_crypto_tests(void)
0x7f, 0xff, 0x11
};
#ifdef OPENSSL_HAS_NISTP256
+ BIGNUM *bn_x, *bn_y;
int ec256_nid = NID_X9_62_prime256v1;
char *ec256_x = "0C828004839D0106AA59575216191357"
"34B451459DADB586677EF9DF55784999";
Index: regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c,v
retrieving revision 1.5
diff -u -p -r1.5 test_sshbuf_getput_fuzz.c
--- regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c 11 Jun 2014 19:32:29 -0000 1.5
+++ regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c 26 Aug 2014 18:02:30 -0000
@@ -17,8 +17,10 @@
#include <string.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"
#include "ssherr.h"
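Review bot: in test_sshbuf_getput_fuzz.c only the include is made conditional, whereas the crypto test also needed its EC-only locals moved under the guard. The build report quoted above stopped at test_sshbuf_getput_crypto.o, so this file has not yet been shown to compile without ec.h; please confirm that any EC types or calls in it are already wrapped in `#ifdef OPENSSL_HAS_NISTP256`.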
Index: regress/unittests/sshkey/common.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshkey/common.c,v
retrieving revision 1.2
diff -u -p -r1.2 common.c
--- regress/unittests/sshkey/common.c 20 Jul 2014 20:30:26 -0000 1.2
+++ regress/unittests/sshkey/common.c 26 Aug 2014 18:02:30 -0000
@@ -20,10 +20,12 @@
#include <unistd.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"

Index: regress/unittests/sshkey/test_file.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_file.c,v
retrieving revision 1.3
diff -u -p -r1.3 test_file.c
--- regress/unittests/sshkey/test_file.c 22 Jul 2014 18:27:51 -0000 1.3
+++ regress/unittests/sshkey/test_file.c 26 Aug 2014 18:02:31 -0000
@@ -20,10 +20,12 @@
#include <unistd.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"

Index: regress/unittests/sshkey/test_fuzz.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_fuzz.c,v
retrieving revision 1.3
diff -u -p -r1.3 test_fuzz.c
--- regress/unittests/sshkey/test_fuzz.c 22 Jul 2014 18:27:51 -0000 1.3
+++ regress/unittests/sshkey/test_fuzz.c 26 Aug 2014 18:02:31 -0000
@@ -20,10 +20,12 @@
#include <unistd.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"

Index: regress/unittests/sshkey/test_sshkey.c
===================================================================
RCS file: /var/cvs/openssh/regress/unittests/sshkey/test_sshkey.c,v
retrieving revision 1.3
diff -u -p -r1.3 test_sshkey.c
--- regress/unittests/sshkey/test_sshkey.c 22 Jul 2014 18:27:51 -0000 1.3
+++ regress/unittests/sshkey/test_sshkey.c 26 Aug 2014 18:02:31 -0000
@@ -17,9 +17,11 @@
#include <string.h>

#include <openssl/bn.h>
-#include <openssl/ec.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif

#include "../test_helper/test_helper.h"

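Review bot: the same three-line `#ifdef OPENSSL_HAS_NISTP256` / `# include <openssl/ec.h>` / `#endif` block is now repeated in six test files, and in this one it lands after `<openssl/dsa.h>` while the other sshkey files place it after `<openssl/objects.h>`. Consider putting the guarded include in one shared test header so that a later change to the condition is made once.
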
Kevin Brott

Aug 26, 2014, 2:26:04 PM
On Tue, Aug 26, 2014 at 11:02 AM, Damien Miller <d...@mindrot.org> wrote:

> The other good news is that it has made it to unittests :)
>
>
Indeed ... patch applied - and everything builds (yay!) - waiting on test
suite to complete. Will go test on the RHEL 5 VM's and see how the
1.0.0-fips systems fare. full report later today.

Kevin Brott

Aug 26, 2014, 7:40:52 PM
So results of testing ...

Conditional caveats:
1) current snapshot will not build against native openssl on any system
   with openssl version <0.9.8f (i.e RHEL <=6.4) ... requiring alternate
   openssl installs.
2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
   cleanly static libssl.a
   and the current patched snapshot builds and tests to completion
   against it just fine
2) openssl 1.0.1i on RHEL 5-6 can be built either as static or shared on
   i386/i686 systems
   and the current patched snapshot builds and tests to completion
   against it
3) openssl 1.0.1i on RHEL 5-6 on x86_64 systems -
   a) if built as static - must pass --without-pie to ./configure for
      openssh snapshot to find working libraries - all tests pass
   b) if built as shared - all tests pass with just ./configure && make
      tests

On all other systems tested (Debian 7.6, AIX 6100-07, 7011-03/HP-UX
11.23/11.31) the current patched snapshot builds and tests to completion
with one exception:











*AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16
0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c roaming_client.c -o
roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name
va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358 (I)
"va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o
readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o
mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/
-L/var/tmp/ssh/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat
-lcrypto -lz ld: 0711-317 ERROR: Undefined symbol: .va_copy ld:
0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make: 1254-004 The error code from the last command is 8.*
Mind you - AIX 5300-XX is deprecated, and this is an *old* version of the
IBM compiler ... but several earlier versions of openssh have built on this
system without issue.



On Tue, Aug 26, 2014 at 11:26 AM, Kevin Brott <kevin...@gmail.com> wrote:

>
> On Tue, Aug 26, 2014 at 11:02 AM, Damien Miller <d...@mindrot.org> wrote:
>
>> The other good news is that it has made it to unittests :)
>>
>>
> Indeed ... patch applied - and everything builds (yay!) - waiting on test
> suite to complete. Will go test on the RHEL 5 VM's and see how the
> 1.0.0-fips systems fare. full report later today.
>
>
>



--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Damien Miller

Aug 26, 2014, 8:28:31 PM
On Tue, 26 Aug 2014, Kevin Brott wrote:

> So results of testing ...
>
> Conditional caveats:
> 1) current snapshot will not build against native openssl on any system
> with openssl version <0.9.8f (i.e RHEL <=6.4) ... requiring alternate
> openssl installs .

What OpenSSL does RHEL 6.4 use?

> 2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
> cleanly static libssl.a
> and the current patched snapshot builds and tests to completion
> against it just fine

What goes wrong when building against a shared OpenSSL here?

I'll see if I can get some CentOS VMs up to take a closer look later.

> *AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16
> 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
...
> roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name
> va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358 (I)
> "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o

It looks like configure has failed to detect va_copy and is trying to
supply a surrogate. There might be some clues as to what went wrong
if you search for "va_copy"

Thanks,
Damien

Kevin Brott

Aug 26, 2014, 8:39:23 PM
On Tue, Aug 26, 2014 at 5:28 PM, Damien Miller <d...@mindrot.org> wrote:

> On Tue, 26 Aug 2014, Kevin Brott wrote:
>
> > So results of testing ...
> >
> > Conditional caveats:
> > 1) current snapshot will not build against native openssl on any system
> > with openssl version <0.9.8f (i.e RHEL <=6.4) ... requiring alternate
> > openssl installs .
>
> What OpenSSL does RHEL 6.4 use?
>

My bad here - that should say RHEL 5.10, as everything from there down use
0.9.8e or lower. It's what I get for a last-thing before I leave post.
RHEL 6.0-6.4 use 1.0.0-fips which was plagued by the ec.h issue (fixed).


> > 2) openssl 1.0.1i on RHEL 4 and lower (gcc 2/3) only builds and tests
> > cleanly static libssl.a
> > and the current patched snapshot builds and tests to completion
> > against it just fine
>
> What goes wrong when building against a shared OpenSSL here?
>
>
This I think is a gcc issue - I can't get openssl 1.0.1i to build cleanly
as shared on anything lower than gcc 4.x



> I'll see if I can get some CentOS VMs up to take a closer look later.
>
> > *AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 8.0.0.16
> > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> ...
> > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro
> name
> > va_copy has been redefined."/usr/include/stdarg.h", line 89.9: 1506-358
> (I)
> > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh ssh.o
>
> It looks like configure has failed to detect va_copy and is trying to
> supply a surrogate. There might be some clues as to what went wrong
> if you search for "va_copy"
>
>
I'll dig into this in the morning.


--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Damien Miller

Aug 27, 2014, 2:37:05 AM
On Tue, 26 Aug 2014, Kevin Brott wrote:

> > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> ...
> > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236
> (W) Macro name
> > va_copy has been redefined."/usr/include/stdarg.h", line 89.9:
> 1506-358 (I)
> > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh
> ssh.o
>
> It looks like configure has failed to detect va_copy and is
> trying to
> supply a surrogate. There might be some clues as to what went
> wrong
> if you search for "va_copy"

I meant to say: search config.log for "va_copy"

-d

Kevin Brott

Aug 27, 2014, 8:03:30 PM
Must have bolluxed something up in the compile environment - that or
http://www.mindrot.org/openssh_snap/openssh-SNAP-20140828.tar.gz had a
configure tweak that fixed it. All systems tested now build and pass all
tests.

That said - the stupid race condition in that one test is cropping up
sporadically still - I think it's related to the load (or lack thereof) on
the VM host.

With, of course, the caveat that any system with a native openssl < 0.9.8.f
will not compile OOTB. A supplemental openssl needs to be installed that
meets the version requirements, and then ./configure needs a
--with-ssl-dir= directive that points to it.



On Tue, Aug 26, 2014 at 11:37 PM, Damien Miller <d...@mindrot.org> wrote:

> On Tue, 26 Aug 2014, Kevin Brott wrote:
>
> > > 0.9.8k FAILxlc_r -g -I. -I. -I/var/tmp/ssh/include
> > ...
> > > roaming_client.o"/usr/include/stdarg.h", line 89.9: 1506-236
> > (W) Macro name
> > > va_copy has been redefined."/usr/include/stdarg.h", line 89.9:
> > 1506-358 (I)
> > > "va_copy" is defined on line 829 of defines.h. xlc_r -o ssh
> > ssh.o
> >
> > It looks like configure has failed to detect va_copy and is
> > trying to
> > supply a surrogate. There might be some clues as to what went
> > wrong
> > if you search for "va_copy"
>
> I meant to say: search config.log for "va_copy"
>
> -d
>



--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@gmail.com> */

Kevin Brott

Aug 27, 2014, 8:51:25 PM
Tangentially related - the openssl quirks have me intrigued, so I'm going
to dive deeper into what's really required vs the quick hacks I did to get
the snapshots to build and pass tests.

Assuming I can find the time tomorrow, I plan on sitting down and figuring
out exactly what the openssl build requirements really are, but briefly on
the hosts I'm using this is what I've seen:

a) gcc < 4.x.x - openssl 1.0.1i will not build as shared
b) gcc >= 4.x.x - openssl 1.0.1i will build either as dynamic or static
c) on i386 systems - openssh 6.7 will build against static or dynamic
libssl with no issues
d) on x86_64 systems - openssh 6.7 will build against static libssl only
using --without-pie, otherwise libssl must be dynamic

I'm going to look at the current (and minimal) versions of the openssl
0.9.8, 1.0.0, and 1.0.1 series and see if I can figure out where the break
point is on static vs shared libraries (because I'm curious and I've not
looked into this before). And there's always the hope someone else will
benefit.

mancha

Aug 29, 2014, 1:56:50 PM
On Mon, Aug 18, 2014 at 11:23:41AM +1000, Damien Miller wrote:
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.

No problems with regression tests with snapshot-20140830 on Slackware
14.1.

--mancha

Kevin Brott

Aug 29, 2014, 5:56:50 PM
Mea Culpa.

So ... I did some hard digging, and *part* of my problem was a pair of
missing steps in my test build methodology. Here's what I've found ...

On CentOS 2.1 ... openssl build status ... all revs of 0.9.[6-7] are fine
for static/shared library builds. Shared builds are broken in all versions
from 0.9.8 upwards, while static builds are fine.

CentOS 2.1AS i386 gcc-2.96-128.7.2 binutils-2.11.90.0.8-12.4
0.9.6* STATIC = OK[D] / SHARED = OK
0.9.7* STATIC = OK[D] / SHARED = OK
0.9.8* STATIC = OK[D] / SHARED = FAIL :: test BN_sqr make[1]: *** [test_bn] Error 139
1.0.*  STATIC = OK[D] / SHARED = FAIL :: output word alignment test 0 1 2 3 make[1]: *** [test_des] Segmentation fault

On RHEL 3.x - 5.10 - all tested versions of openssl from 0.9.6 to 1.0.1i
build and pass all tests as static or shared - without issue in a clean
environment (specifically nothing already in /usr/local/ssl - and no
C*FLAGS variables set with *facepalm* forgotten wonky settings from
previous debug builds of other packages).

As a result ... the current snapshot openssh-SNAP-20140830.tar.gz builds
and passes all tests in all versions of where the native openssl is
insufficient. But only when a version of openssl >= 0.9.8f is installed
(in /usr/local/ssl or wherever you put non-OS libs) and
ld.so.conf(.d./openssl.conf - depending on OS version) is updated and
ldconfig run before starting configure (<- my bad here). The holdouts for
working shared openssl is RH <=2.x - on these systems the library must be
static unless someone figures out where the builds are broken.

Corinna Vinschen

Sep 2, 2014, 7:49:49 AM
On Aug 18 11:23, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.

Btw., I'm getting two new warnings during build:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -Wno-attributes -I. -I../src -I/usr/include/editline -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/sbin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/sbin/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/sbin/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/sbin/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ../src/sshbuf.c -o sshbuf.o
../src/sshbuf.c:34:0: warning: "__predict_true" redefined [enabled by default]
#define __predict_true(exp) __builtin_expect(((exp) != 0), 1)
^
In file included from /usr/include/features.h:14:0,
from /usr/include/sys/socket.h:15,
from ../src/includes.h:26,
from ../src/sshbuf.c:19:
/usr/lib/gcc/x86_64-pc-cygwin/4.8.3/include-fixed/sys/cdefs.h:445:0: note: this is the location of the previous definition
#define __predict_true(exp) __builtin_expect((exp), 1)
^
../src/sshbuf.c:35:0: warning: "__predict_false" redefined [enabled by default]
#define __predict_false(exp) __builtin_expect(((exp) != 0), 0)
^
In file included from /usr/include/features.h:14:0,
from /usr/include/sys/socket.h:15,
from ../src/includes.h:26,
from ../src/sshbuf.c:19:
/usr/lib/gcc/x86_64-pc-cygwin/4.8.3/include-fixed/sys/cdefs.h:446:0: note: this is the location of the previous definition
#define __predict_false(exp) __builtin_expect((exp), 0)
^

Shouldn't these be avoided by only defining them if they are not already
defined?


Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

mancha

Sep 3, 2014, 2:52:52 AM
On Mon, Aug 18, 2014 at 11:23:41AM +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.7 is almost ready for release, so we would appreciate
> testing on as many platforms and systems as possible.

Hi.

If there's still time it would be good to ensure nuking the source seed
in OpenSSH-Portable's arc4random rs_stir:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/arc4random.c.diff?r1=1.28&r2=1.29

--mancha

Phil Pennock

Sep 11, 2014, 2:31:01 AM
On 2014-08-18 at 11:23 +1000, Damien Miller wrote:
> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release
> containing a number of features, a lot of internal refactoring and some
> potentially-incompatible changes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

Downloaded openssh-SNAP-20140911.tar.gz onto MacOS 10.8.5, using Clang
(Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)).

Configured with:

./configure --with-libedit --with-pam --with-kerberos5 \
--prefix=/opt/openssh --sysconfdir=/etc/ssh \
--with-ssl-dir=/usr/local/Cellar/openssl/1.0.1i \
--with-ldns

stolen/derived from the Homebrew configuration: so I think this will
match a common configuration profile on this platform (everything except
the --prefix value chosen).

"all tests passed".

The Unix port forwarding appears to be undocumented. From reading the
code, presence of a '/' anywhere in the PORT field causes
parse_fwd_field() to mark the item as a path. When I supply an absolute
path, this works and works great! :) If I supply a relative path, then
it's passed to the server as a path but fails, triggering a warning
message:

Warning: remote port forwarding failed for listen path tmp/FRED

The server-side debug logs:
----------------------------8< cut here >8------------------------------
debug1: server_input_global_request: rtype streamloc...@openssh.com want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path usr/fred
debug3: channel_setup_fwd_listener_streamlocal: type 19 path usr/fred
bind: Permission denied
unix_listener: cannot bind to path: usr/fred
----------------------------8< cut here >8------------------------------

This is with client and server both on the same MacOS box.

Since I'm not sure if it's only supposed to work if the path _starts_
with a slash, or if it _should_ work for _contains_ a slash, I'm not
offering a documentation patch; I'll note that I'd expect to see this
documented under -L, -R or the ssh_config options, or perhaps in a new
section in ssh(1) "Port Forwarding" and cut down on a bunch of the
duplication by referring to a full spec in that.

(If you want an nroff patch and say what the behaviour should be, I'd be
happy to contribute).


To finish off, compilation warnings until the end of the email, so if
not interested in these, then there's nothing else to read here.

Thanks,
-Phil

I'll list them all for completeness, despite the lack of visible
replacements for some deprecation-warning items:

* `getrrsetbyname-ldns.c` had complaints on multiple lines of the form:
----------------------------8< cut here >8------------------------------
getrrsetbyname-ldns.c:92:6: warning: variable 'ldns_res' is used uninitialized whenever 'if' condition is true
----------------------------8< cut here >8------------------------------
Always for `ldns_res`.
These were classed as `-Wsometimes-uninitialized` warnings.

* Lots of ranlib complaints of files having no symbols; which I suspect
come down to not defining things like USE_BUILTIN_RIJNDAEL so these
are just noise

* Two complaints of daemon() deprecation in ssh.c, lines 1288 & 1300;
also in sshd.c:1892:
----------------------------8< cut here >8------------------------------
ssh.c:1288:2: warning: 'daemon' is deprecated: first deprecated in OS X 10.5 [-Wdeprecated-declarations]
----------------------------8< cut here >8------------------------------
Man-page daemon(3) says nothing about a deprecation; stdlib.h just
has:
----------------------------8< cut here >8------------------------------
int daemon(int, int) __DARWIN_1050(daemon) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_5, __IPHONE_2_0, __IPHONE_2_0);
----------------------------8< cut here >8------------------------------
and I'm not seeing what replaces it, unless the answer is just
"use launchd".

* Many of these:
----------------------------8< cut here >8------------------------------
clang: warning: argument unused during compilation: '-pie'
----------------------------8< cut here >8------------------------------

* loginrec.c : `struct utmp` and the `login()`, `logout()` and
`logwtmp()` functions are triggering deprecation warnings:
----------------------------8< cut here >8------------------------------
loginrec.c:188:49: warning: 'utmp' is deprecated [-Wdeprecated-declarations]
void set_utmp_time(struct logininfo *li, struct utmp *ut);
----------------------------8< cut here >8------------------------------
The function at least has a deprecated-since label of 10.5:
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0,__MAC_10_5,__IPHONE_NA,__IPHONE_NA);

* sandbox-darwin.c warnings and deprecations:
----------------------------8< cut here >8------------------------------
sandbox-darwin.c:43:25: warning: declaration of 'struct monitor' will not be visible outside of this function [-Wvisibility]
ssh_sandbox_init(struct monitor *monitor)
^
sandbox-darwin.c:65:6: warning: 'sandbox_init' is deprecated: first deprecated in OS X 10.8 [-Wdeprecated-declarations]
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
^
/usr/include/sandbox.h:65:5: note: 'sandbox_init' declared here
int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
^
sandbox-darwin.c:65:19: warning: 'kSBXProfilePureComputation' is deprecated: first deprecated in OS X 10.8
[-Wdeprecated-declarations]
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
^
/usr/include/sandbox.h:97:19: note: 'kSBXProfilePureComputation' declared here
extern const char kSBXProfilePureComputation[];
^
3 warnings generated.
----------------------------8< cut here >8------------------------------
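
The report above describes the rule that a '/' anywhere in the PORT field makes it a socket path, and that a relative path is sent to the server and fails there at bind. The C code below is an added example, not OpenSSH's parse_fwd_field() and not code from this thread; classify_fwd_field, struct fwd_field and the FWD_* codes are hypothetical names. It shows one way a client could tell the relative-path case apart before the request is sent.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical result codes for this example. */
enum fwd_kind {
	FWD_INVALID = 0,	/* neither a usable port nor a usable path */
	FWD_PORT,		/* numeric TCP port */
	FWD_PATH_ABS,		/* Unix socket path starting with '/' */
	FWD_PATH_REL		/* contains '/', so it is a path, but not absolute */
};

struct fwd_field {
	enum fwd_kind kind;
	int port;		/* valid when kind == FWD_PORT */
	const char *path;	/* valid for FWD_PATH_*; borrowed from the caller */
};

/* Classify one PORT-position field of a forwarding specification. */
static enum fwd_kind
classify_fwd_field(const char *field, struct fwd_field *out)
{
	char *end;
	long v;

	memset(out, 0, sizeof(*out));
	if (field == NULL || *field == '\0')
		return FWD_INVALID;

	/* Rule from the report: a '/' anywhere marks the field as a path. */
	if (strchr(field, '/') != NULL) {
		/* The path, with its NUL, must fit in sockaddr_un.sun_path. */
		if (strlen(field) >= sizeof(((struct sockaddr_un *)0)->sun_path))
			return FWD_INVALID;
		out->path = field;
		out->kind = (field[0] == '/') ? FWD_PATH_ABS : FWD_PATH_REL;
		return out->kind;
	}

	/* Otherwise it must be a plain decimal port: no sign, space or suffix. */
	if (!isdigit((unsigned char)field[0]))
		return FWD_INVALID;
	errno = 0;
	v = strtol(field, &end, 10);
	if (errno != 0 || *end != '\0' || v < 0 || v > 65535)
		return FWD_INVALID;
	out->port = (int)v;
	out->kind = FWD_PORT;
	return out->kind;
}

int
main(void)
{
	/* "tmp/FRED" and "usr/fred" are the paths quoted in the report;
	 * the other inputs are constructed for this example. */
	const char *samples[] = { "8080", "/tmp/FRED", "tmp/FRED", "usr/fred", "80x" };
	const char *names[] = { "invalid", "port", "absolute path", "relative path" };
	struct fwd_field f;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-10s -> %s\n", samples[i],
		    names[classify_fwd_field(samples[i], &f)]);
	return 0;
}
```

A caller could warn on FWD_PATH_REL, since the server would resolve such a path against its own working directory rather than the client's.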