Call for testing: OpenSSH 7.6

[Damien Miller]

Hi,

OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-...@mindrot.org. Security bugs should be reported
directly to ope...@openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* ssh(1): delete SSH protocol version 1 support, associated
configuration options and documentation.

* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.

* ssh(1)/sshd(8): remove support the arcfour, blowfish and CAST
ciphers.

* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.

* ssh(1): do not offer CBC ciphers by default.

Changes since OpenSSH 7.5
=========================

This is primarily a bugfix release. It also contains substantial
internal refactoring.

New Features
------------

* ssh(1): add RemoteCommand option to specify a command in the ssh
config file instead of giving it on the client's command line. This
allows the configuration file to specify the command that will be
executed on the remote host.

* sshd(8): add ExposeAuthInfo option that enables writing details of
the authentication methods used (including public keys where
applicable) to a file that is exposed via a $SSH_USER_AUTH
environment variable in the subsequent session.

* sshd(8): allow LogLevel directive in sshd_config Match blocks;
bz#2717

* ssh-keygen(1): allow inclusion of arbitrary string or flag
certificate extensions and critical options.

* ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
a CA when signing certificates. bz#2377

* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default.

* ssh-add(1): added -q option to make ssh-add quiet on success.

* ssh(1): expand the StrictModes option with two new settings. The
first "accept-new" will automatically accept hitherto-unseen keys
but will refuse connections for changed or invalid hostkeys. This
is a safer subset of the current behaviour of StrictModes=no. The
second setting "off", is a synonym for the current behaviour of
StrictModes=no: accept hitherto-unseen keys, and continue connection
for hosts with mismatched/changed hostkeys. A future release will
change the meaning of StrictModes=no to the behaviour of
"accept-new". bz#2400

* ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
option in sshd(8). bz#2705

Bugfixes
--------

* ssh(1): use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728

* sftp(1): implement sorting for globbed ls; bz#2649

* ssh(1): add a user@host prefix to client's "Permisison denied"
messages, useful in particular when using "stacked" connections
(e.g. ssh -J) where it's not clear which host is denying. bz#2720

* ssh(1): accept unknown EXT_INFO extension values that contain \0
characters. This is legal, but would previously cause fatal
connection errors if received.

* ssh(1)/sshd(8): repair compression statistics printed at
connection exit

* sftp(1): print '?' instead of incorrect link count (that the
protocol doesn't provide) for remote listings. bz#2710

* ssh(1): return failure rather than fatal() for more cases during
session multiplexing negotiations. Causes the session to fall back
to a non-mux connection if they occur. bz#2707

* ssh(1): mention that the server may send debug messages to explain
public key authentication problems under some circumstances; bz#2709

* Translate OpenSSL error codes to better report incorrect passphrase
errors when loading private keys; bz#2699

* sshd(8): adjust compatibility patterns for WinSCP to correctly
identify versions that implement only the legacy DH group exchange
scheme. bz#2748

* ssh(1): print the "Killed by signal 1" message only at LogLevel
verbose so that it is not shown at the default level; prevents it
from appearing during ssh -J and equivalent ProxyCommand configs.
bz#1906, bz#2744

* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys
could previously be made if ssh-keygen failed or was interrupted part
way through generating them. bz#2561

* ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
place the current session in the background.

* ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734

* sshd(8): avoid reliance on shared use of pointers shared between
monitor and child sshd processes. bz#2704

* sshd_config(8): document available AuthenticationMethods; bz#2453

* ssh(1): avoid truncation in some login prompts; bz#2768

* sshd(8): Fix various compilations failures, inc bz#2767

* ssh(1): make "--" before the hostname terminate argument processing
after the hostname too.

* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys. Fixes problems related to private key
handling for no-OpenSSL builds. bz#2754

* ssh(1): warn and do not attempt to use keys when the public and
private halves do not match. bz#2737

* sftp(1): don't print verbose error message when ssh disconnects
from under sftp. bz#2750

* sshd(8): fix keepalive scheduling problem: activity on a forwarded
port from preventing the keepalive from being sent; bz#2756

* sshd(8): when started without root privileges, don't require the
privilege separation user or path to exist. Makes running the
regression tests easier without touching the filesystem.

* Make integrity.sh regression tests more robust against timeouts.
bz#2658

* ssh(1)/sshd(8): correctness fix for channels implementation: accept
channel IDs greater than 0x7FFFFFFF.

Portability
-----------

* sshd(9): drop two more privileges in the Solaris sandbox:
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723

* sshd(8): expose list of completed authentication methods to PAM
via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408

* ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code,
mostly to do with host/network byte order confusion. bz#2735

* Add --with-cflags-after and --with-ldflags-after configure flags to
allow setting CFLAGS/LDFLAGS after configure has completed. These
are useful for setting santiser/fuzzing options that may interfere
with configure's operation.

* sshd(8): avoid Linux seccomp violations on ppc64le over the
socketcall syscall.

* Fix use of ldns when using ldns-config; bz#2697

* configure: set cache variables when cross-compiling. The cross-
compiling fallback message was saying it assumed the test passed,
but it wasn't actually set the cache variables and this would
cause later tests to fail.

* Add clang libFuzzer harnesses for public key parsing and signature
verification.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Zev Weiss]

On Wed, Sep 20, 2017 at 07:47:59PM CDT, Damien Miller wrote:
>Hi,
>
>OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
>on as many platforms and systems as possible. This is a bugfix release.
>

Commit: 5b8da1f53854
System: Void Linux (up to date)
Configure flags: --with-pam --with-pie --with-sandbox=seccomp_filter

Build: successful, though it produced a number of undeclared-function
warnings about arc4random_buf() and one about explicit_bzero() in
openbsd-compat/freezero.c. As I think has been the case for a while,
arc4random_buf() doesn't appear to be declared anywhere in any headers
in /usr/include on Void as far as I can tell; not sure where it should
in theory be (the symbol is defined in libressl's libcrypto.so, which I
guess is why configure didn't decide to use the built-in openbsd-compat
version). explicit_bzero() is declared in <string.h> however.

'make tests': my first attempt ran into 'ssh-keygen:
.../openssh/regress//t12.out.pub: No such file or directory'; at first I
figured this was probably a result of a race condition due to having run
make with '-j', but on some (but not all) subsequent serial runs it also
occurred. That notwithstanding, however, it also failed (consistently)
on this:

test_kex:
regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate"
ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed:
sshkey_generate(keytype, bits, &private) = -56
0 = 0
Aborted


Happy to provide any other info that would be useful for debugging.

Zev

[Darren Tucker]

On 21 September 2017 at 17:22, Zev Weiss <z...@bewilderbeest.net> wrote:
> at first I
> figured this was probably a result of a race condition due to having run
> make with '-j'

The regular build works fine with -j but tests currently don't. I
usually do something like

./configure && make -j 8 && make tests

> test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate"
> ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed:
> sshkey_generate(keytype, bits, &private) = -56

I'll take a look at this but in the mean time you can run the rest of
the regression tests using

SUDO=sudo make tests SKIP_UNIT=1

Thanks.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Colin Watson]

On Thu, Sep 21, 2017 at 10:47:59AM +1000, Damien Miller wrote:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests

All tests pass on Debian unstable amd64 (using openssh.git master).

I don't suppose it would be possible to get
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 into 7.6? We're
carrying those patches at the moment, but I'd like to avoid having to
carry sandbox patches if possible.

Thanks,

--
Colin Watson [cjwa...@debian.org]

[The Doctor]

So far on FreeBSD 11.1

reject openssl 1.1.0

make with Openssl 1.0.2 l no issues

Attempt to test in openssl 1.0.2m -dev -fips

chokes on tests.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Talk Sense to a fool and he calls you foolish - Euripides

[Damien Miller]

On Thu, 21 Sep 2017, Colin Watson wrote:

> On Thu, Sep 21, 2017 at 10:47:59AM +1000, Damien Miller wrote:
> > Running the regression tests supplied with Portable OpenSSH does not
> > require installation and is a simply:
> >
> > $ ./configure && make tests
>
> All tests pass on Debian unstable amd64 (using openssh.git master).
>
> I don't suppose it would be possible to get
> https://bugzilla.mindrot.org/show_bug.cgi?id=2752 into 7.6? We're
> carrying those patches at the moment, but I'd like to avoid having to
> carry sandbox patches if possible.

I don't think that will make it, and I don't much like some of the changes
in those patches (e.g. adding SysV IPC). IMO it would be better to disable
the OpenSSL engine that requires it for the pre-auth phase entirely.

-d

[Hisashi T Fujinaka]

Sorry, didn't pay too much attention, but it works fine right now with:
NetBSD current-amd64
NetBSD 8.0beta-amd64
NetBSD 8.0beta-i386

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

[Darren Tucker]

On Thu, Sep 21, 2017 at 02:22:10AM -0500, Zev Weiss wrote:
> test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate"
> ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed:
> sshkey_generate(keytype, bits, &private) = -56

That error code is:
$ grep -- -56 ssherr.h
#define SSH_ERR_KEY_LENGTH -56

Unfortunately there's lots of places in that code that can return that.
I have seen that on one Cygwin system (OpenSSL 1.0.2k) here so I added
the below code to try to narrow it down. On mine it gave:

test_kex: dsa_generate_private_key bits 2048 expected 1024

but I don't understand how.

Don't try to use ssh or sshd with this diff as it'll probably mess
things up pretty good.

diff --git a/ssh-sandbox.h b/ssh-sandbox.h
index bd5fd83..6bd76b3 100644
--- a/ssh-sandbox.h
+++ b/ssh-sandbox.h
@@ -22,3 +22,4 @@ struct ssh_sandbox *ssh_sandbox_init(struct monitor *);
void ssh_sandbox_child(struct ssh_sandbox *);
void ssh_sandbox_parent_finish(struct ssh_sandbox *);
void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
+#define setrlimit(x,y) (0)
diff --git a/sshkey.c b/sshkey.c
index e91c54f..cfdd437 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1394,8 +1394,11 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
if (rsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
- bits > SSHBUF_MAX_BIGNUM * 8)
+ bits > SSHBUF_MAX_BIGNUM * 8) {
+ fprintf(stderr, "%s bits %d min %d max %d\n", __func__, bits,
+ SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM);
return SSH_ERR_KEY_LENGTH;
+ }
*rsap = NULL;
if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
@@ -1425,8 +1428,10 @@ dsa_generate_private_key(u_int bits, DSA **dsap)

if (dsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
- if (bits != 1024)
+ if (bits != 1024) {
+ fprintf(stderr, "%s bits %d expected %d\n", __func__, bits, 1024);
return SSH_ERR_KEY_LENGTH;
+ }
if ((private = DSA_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -1505,8 +1510,10 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)

if (nid == NULL || ecdsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
- if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
+ if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) {
+ fprintf(stderr, "%s bits %d\n", __func__, bits);
return SSH_ERR_KEY_LENGTH;
+ }
*ecdsap = NULL;
if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
@@ -1881,6 +1888,8 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
goto out;
}
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
ret = SSH_ERR_KEY_LENGTH;
goto out;
}
@@ -2664,6 +2673,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = ssh_rsa_generate_additional_parameters(k)) != 0)
goto out;
if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;
}
@@ -2678,6 +2689,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = ssh_rsa_generate_additional_parameters(k)) != 0)
goto out;
if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;
}
@@ -3476,6 +3489,8 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
goto out;
}
if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(prv->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;

}

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Darren Tucker]

On Thu, Sep 21, 2017 at 06:18:59AM -0600, The Doctor wrote:
> So far on FreeBSD 11.1
>
> reject openssl 1.1.0
>
> make with Openssl 1.0.2 l no issues
>
> Attempt to test in openssl 1.0.2m -dev -fips
>
> chokes on tests.

which particular test? there's quite a lot of them...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[The Doctor]

I will have to scripts and rerun.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Talk Sense to a fool and he calls you foolish - Euripides

[Phil Pennock]

[ Take 2, this time with outputs on web-server not attached ]

On 2017-09-21 at 10:47 +1000, Damien Miller wrote:
> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Using vagrant, I brought this up on a few different boxes.

SHA256(openssh-SNAP-20170922.tar.gz)= c40ee9c2e03ef8e6e8558066e51cdb8ed19e3c2339f64a00a68159d938c302b0


"bento" as a prefix means that it's from Chef's "Bento" project and just
means "tuned by people who probably know what they're doing for VMs" and
is otherwise the base OS.

Failures:
* Bento Fedora 26: because system openssl is OpenSSL 1.1.0f

Success:
* Bento Debian 9.1
* Bento Centos 7
* Bento FreeBSD 11
* Debian Jessie
* Debian Stretch
* NetBSD 7
* Ubuntu Trusty
* Ubuntu Xenial

Test script as run within the VM is attached as
"openssh-snapshot-basetemplate", it chose the installs of dependencies
to take from "stock" to "ready to compile".

Result files, if anyone cares, at:

https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/bento-centos7.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/bento-debian9.1.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/bento-fedora26.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/bento-freebsd11.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/jessie.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/netbsd7.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/stretch.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/trusty.txt
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170922/xenial.txt

-Phil

[Phil Pennock]

On 2017-09-22 at 16:34 -0400, Phil Pennock wrote:
> SHA256(openssh-SNAP-20170922.tar.gz)= c40ee9c2e03ef8e6e8558066e51cdb8ed19e3c2339f64a00a68159d938c302b0

Redone against:
SHA256(openssh-SNAP-20170923.tar.gz)= e5e660f4bfbf2acacb0a1daeaec3478b572108ed8b838f8e9ca9f930db5ad0bb

No changes relative to 20170923.

Outputs are in:
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170923
and there's an index in:
https://people.spodhuis.org/phil.pennock/openssh-testing/
too.

I've slightly cleaned up my Vagrant setup and shoved it up on GitHub,
slapped a MIT license in there, plus some documentation (README.md in
the top level) so that it doesn't assume familiarity with Vagrant.

https://github.com/philpennock/etc-vagrant

It's a poor-man's CI system, but it lets you work locally with VMs to do
the OpenSSH testing and it's ~fully automated for the snapshots.
Consider it very much v0.0.2. It's fully working. For me.

At present, you'd need to check it out to ~/etc/vagrant because I wrote
it for personal use, not really for sharing, and you'll need
`not_at_home` to be a command in your path. I use that with Match exec
directives in my ~/.ssh/config to auto-proxy if needed. I re-used it
for my Vagrant stuff, around finding proxies/caches. Just symlink it to
`true` if you don't want to worry about it.

You'll need zsh installed locally.
You'd need decent bandwidth the first time, to download the VM images.

If you care about backups and large unnecessary blobs, then exclude
`~/.vagrant.d` as a fixed path and `.vagrant` in any dir.

I just run ./all.sh in ~/etc/vagrant/openssh to run the tests and pull
back the reports to the local box, updating an HTML index, and then
./publish-reports to copy to the URL above.

Currently runs VMs to build/test OpenSSH in a clean environment on:

arch centos7 debian9.1 fedora26 freebsd11 jessie netbsd7 stretch trusty xenial

("stretch" is Debian's VM image, "debian9.1" is a bento image)

To test on a new snapshot, edit `Version.sh`.
To add a new machine, edit the PTMACHINES list in `stub/Vagrantfile` and
if you want it used by default, edit `openssh/all.sh`.

-Phil

[Zev Weiss]

On Fri, Sep 22, 2017 at 07:28:01AM CDT, Darren Tucker wrote:
>On Thu, Sep 21, 2017 at 02:22:10AM -0500, Zev Weiss wrote:
>> test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate"
>> ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed:
>> sshkey_generate(keytype, bits, &private) = -56
>
>That error code is:
>$ grep -- -56 ssherr.h
>#define SSH_ERR_KEY_LENGTH -56
>
>Unfortunately there's lots of places in that code that can return that.
>I have seen that on one Cygwin system (OpenSSL 1.0.2k) here so I added
>the below code to try to narrow it down. On mine it gave:
>
>test_kex: dsa_generate_private_key bits 2048 expected 1024
>
>but I don't understand how.
>
>Don't try to use ssh or sshd with this diff as it'll probably mess
>things up pretty good.
>

And now I'm not able to reproduce the failure at all, with or without
that patch. Not sure what could possibly be different (same git commit,
same terminal session/environment, same 'make' command), but repeated
attempts have been fruitless -- now test_kex gets "352 tests ok" every
time (after printing a bunch of ENOENT warnings on
/usr/local/etc/moduli).


Zev

[Joseph S Testa II]

> Portable OpenSSH is also available via [...] Github:
https://github.com/openssh/openssh-portable

>
> Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:
>
> $ ./configure && make tests

I was going to try this on Kali Linux (latest version), but ran into
trouble right away. No "configure" script exists in the Github mirror.
I fixed this by doing "autoconf && ./configure && make tests", but that
ends up failing eventually with:

[...]
checking for struct utmp.ut_line... yes
checking whether BROKEN_GETADDRINFO is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: error: cannot find input file: `config.h.in'


- Joe

[Damien Miller]

On Sat, 23 Sep 2017, Joseph S Testa II wrote:

> > Portable OpenSSH is also available via [...] Github:
> https://github.com/openssh/openssh-portable
> >
> > Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> >
> > $ ./configure && make tests
>
>
> I was going to try this on Kali Linux (latest version), but ran into trouble
> right away. No "configure" script exists in the Github mirror. I fixed this
> by doing "autoconf && ./configure && make tests", but that ends up failing
> eventually with:

If you're checking out from git, you need to run "autoreconf"

[Joseph S Testa II]

On 09/23/2017 06:09 PM, Damien Miller wrote:
>
>
> On Sat, 23 Sep 2017, Joseph S Testa II wrote:
>
>>> Portable OpenSSH is also available via [...] Github:
>> https://github.com/openssh/openssh-portable
>>>
>>> Running the regression tests supplied with Portable OpenSSH does not
>> require installation and is a simply:
>>>
>>> $ ./configure && make tests
>>
>>
>> I was going to try this on Kali Linux (latest version), but ran into trouble
>> right away. No "configure" script exists in the Github mirror. I fixed this
>> by doing "autoconf && ./configure && make tests", but that ends up failing
>> eventually with:
>
>
> If you're checking out from git, you need to run "autoreconf"
>

Ok. It got farther this time, but still failed (and there was one
compile warning):

# git clone https://github.com/openssh/openssh-portable
# cd openssh-portable/
# autoreconf
# ./configure && make tests
[...]
gcc -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
-fno-builtin-memset -fstack-protector-strong -fPIE -I. -I.. -I. -I./..
-D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DHAVE_CONFIG_H -c
fmt_scaled.c
fmt_scaled.c: In function ‘fmt_scaled’:
fmt_scaled.c:269:52: warning: ‘%1lld’ directive output may be truncated
writing between 1 and 17 bytes into a region of size between 0 and 5
[-Wformat-truncation=]
(void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
^~~~~
fmt_scaled.c:269:46: note: directive argument in the range
[-9007199254740992, 9007199254740991]
(void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
^~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:938:0,
from /usr/include/resolv.h:64,
from ../openbsd-compat/getrrsetbyname.h:59,
from ../openbsd-compat/openbsd-compat.h:44,
from ../includes.h:174,
from fmt_scaled.c:41:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
‘__builtin___snprintf_chk’ output between 5 and 40 bytes into a
destination of size 7
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
test_kex:
....................................................................................................................................................................................WARNING:
could not open /usr/local/etc/moduli (No such file or directory), using
fixed
modulus..........................................................................................
352 tests ok
[...]
run test connect.sh ...
Missing privilege separation directory: /var/empty
FATAL: sshd_proxy broken
Makefile:203: recipe for target 't-exec' failed
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory '/root/openssh-portable/regress'
Makefile:586: recipe for target 'tests' failed
make: *** [tests] Error 2

[Joseph S Testa II]

On 09/23/2017 06:33 PM, Joseph S Testa II wrote:
> Missing privilege separation directory: /var/empty

I created this directory, re-ran "make tests", and all tests passed. A
few got skipped, however, due to scripts in /var/run not being executable.

- Joe

[Darren Tucker]

On 23 September 2017 at 17:37, Zev Weiss <z...@bewilderbeest.net> wrote:
[....]

> And now I'm not able to reproduce the failure at all, with or without that
> patch. Not sure what could possibly be different (same git commit, same
> terminal session/environment, same 'make' command), but repeated attempts
> have been fruitless

You didn't happen to upgrade OpenSSL since then?

> -- now test_kex gets "352 tests ok" every time (after
> printing a bunch of ENOENT warnings on /usr/local/etc/moduli).

Unfortunately the tests can't work around those warnings but you can
copy the moduli file into /usr/local/etc/moduli if they bug you (this
problem goes away as soon as you "make install" the first time with
those file paths.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Darren Tucker]

On 24 September 2017 at 02:14, Tom G. Christensen <t...@jupiterrise.com> wrote:
[...]
> I am seeing the exact same error consistently on Solaris 7/SPARC.
>
> $ ./test_kex

> test_kex: dsa_generate_private_key bits 2048 expected 1024

What version of OpenSSL do you have? (on both the good and bad
machines?) We have one data point of the problem occurring with
OpenSSL 1.0.2k but we don't know if the version is significant.

[Damien Miller]

On Sun, 24 Sep 2017, Darren Tucker wrote:

> On 23 September 2017 at 17:37, Zev Weiss <z...@bewilderbeest.net> wrote:
> [....]
> > And now I'm not able to reproduce the failure at all, with or without that
> > patch. Not sure what could possibly be different (same git commit, same
> > terminal session/environment, same 'make' command), but repeated attempts
> > have been fruitless
>
> You didn't happen to upgrade OpenSSL since then?

Or, if you were updating an existing tree e.g. using git, forget to
"make clean"?

-d

[Tom G. Christensen]

On 24/09/17 07:13, Darren Tucker wrote:
> On 24 September 2017 at 02:14, Tom G. Christensen <t...@jupiterrise.com> wrote:
> [...]
>> I am seeing the exact same error consistently on Solaris 7/SPARC.
>>
>> $ ./test_kex
>> test_kex: dsa_generate_private_key bits 2048 expected 1024
>
> What version of OpenSSL do you have? (on both the good and bad
> machines?) We have one data point of the problem occurring with
> OpenSSL 1.0.2k but we don't know if the version is significant.
>

All my Solaris hosts have 1.0.2k installed.

-tgc

[Colin Watson]

On Sat, Sep 23, 2017 at 06:33:39PM -0400, Joseph S Testa II wrote:
> fmt_scaled.c: In function ‘fmt_scaled’:
> fmt_scaled.c:269:52: warning: ‘%1lld’ directive output may be truncated
> writing between 1 and 17 bytes into a region of size between 0 and 5
> [-Wformat-truncation=]
> (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
> ^~~~~
> fmt_scaled.c:269:46: note: directive argument in the range
> [-9007199254740992, 9007199254740991]
> (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
> ^~~~~~~~~~~~~~
> In file included from /usr/include/stdio.h:938:0,
> from /usr/include/resolv.h:64,
> from ../openbsd-compat/getrrsetbyname.h:59,
> from ../openbsd-compat/openbsd-compat.h:44,
> from ../includes.h:174,
> from fmt_scaled.c:41:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
> ‘__builtin___snprintf_chk’ output between 5 and 40 bytes into a destination
> of size 7
> return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> __bos (__s), __fmt, __va_arg_pack ());
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is https://bugzilla.mindrot.org/show_bug.cgi?id=2769.

--
Colin Watson [cjwa...@debian.org]

[Zev Weiss]

On Sun, Sep 24, 2017 at 12:58:20AM CDT, Damien Miller wrote:
>On Sun, 24 Sep 2017, Darren Tucker wrote:
>
>> On 23 September 2017 at 17:37, Zev Weiss <z...@bewilderbeest.net> wrote:
>> [....]
>> > And now I'm not able to reproduce the failure at all, with or without that
>> > patch. Not sure what could possibly be different (same git commit, same
>> > terminal session/environment, same 'make' command), but repeated attempts
>> > have been fruitless
>>
>> You didn't happen to upgrade OpenSSL since then?
>
>Or, if you were updating an existing tree e.g. using git, forget to
>"make clean"?
>

Nope, no OpenSSL/LibreSSL updates, and yes, did a 'make clean' (and a
'git clean -xdf', even); still unable to reproduce it.


Zev

[Kevin Brott]

On 09/20/2017 05:47 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

openssh-SNAP-20170925.tar.gz && git clone as of 2017/09/24 @ 17:20 PDT

OpSys           Compiler   OpenSSL     Build     Test
Debian 8.9    gcc 4.9.2    1.0.1t        YES        all tests passed
Debian 9.1    gcc 6.3.0    1.1.0f        NO *1

Looks like the default openssl version on Debian 9 is 1.1.0f, which according to the INSTALL doc is a deal-breaker (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0).
I'm hesitant to backrev the default openssl package. Simply trying to install the openssl 1.0 dev kit will force several other dev packages to un-install (like libclamav and php7.0-dev).
LibreSSL doesn't appear to be a Debian package (not an issue for me - building a side-package isn't a big deal), but this could be a dealbreaker for J. Random LinuxD00d.
Thoughts?

**1 Build Failure pretty early on:*
gcc -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshkey.c -o sshkey.o
sshkey.c: In function ‘sshkey_size’:
sshkey.c:267:28: error: dereferencing pointer to incomplete type ‘RSA {aka struct rsa_st}’
   return BN_num_bits(k->rsa->n);
                            ^~
sshkey.c:270:28: error: dereferencing pointer to incomplete type ‘DSA {aka struct dsa_st}’
   return BN_num_bits(k->dsa->p);
                            ^~
sshkey.c: In function ‘sshkey_new’:
sshkey.c:470:11: error: dereferencing pointer to incomplete type ‘RSA {aka struct rsa_st}’
       (rsa->n = BN_new()) == NULL ||
           ^~
sshkey.c:482:11: error: dereferencing pointer to incomplete type ‘DSA {aka struct dsa_st}’
       (dsa->p = BN_new()) == NULL ||
           ^~
sshkey.c: In function ‘translate_libcrypto_error’:
sshkey.c:3398:8: error: ‘EVP_R_BN_DECODE_ERROR’ undeclared (first use in this function)
   case EVP_R_BN_DECODE_ERROR:
        ^~~~~~~~~~~~~~~~~~~~~
sshkey.c:3398:8: note: each undeclared identifier is reported only once for each function it appears in
sshkey.c: In function ‘sshkey_parse_private_pem_fileblob’:
sshkey.c:3463:8: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
  if (pk->type == EVP_PKEY_RSA &&
        ^~
Makefile:152: recipe for target 'sshkey.o' failed
make: *** [sshkey.o] Error 1

[Phil Pennock]

On 2017-09-24 at 17:37 -0700, Kevin Brott wrote:
> On 09/20/2017 05:47 PM, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> openssh-SNAP-20170925.tar.gz && git clone as of 2017/09/24 @ 17:20 PDT
>
> OpSys           Compiler   OpenSSL     Build     Test
> Debian 8.9    gcc 4.9.2    1.0.1t        YES        all tests passed
> Debian 9.1    gcc 6.3.0    1.1.0f        NO *1
>
> Looks like the default openssl version on Debian 9 is 1.1.0f, which according to the INSTALL doc is a deal-breaker (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0).

Debian 9.1 is one of the ones I tested on and it worked, so I looked
into this: it looks like Debian 9.1 has libssl installed for both 1.0.2l
and 1.1.0f, but then the openssl package for the latter, providing only
the command-line interface.

https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170925/bento-debian9.1.txt

A plain install of Debian includes neither set of dev headers, the
"apt-get build-dep openssh" step installed "libssl1.0-dev". The plain
install I got included both binary-library packages by default.

"libssl1.0-dev" and "libssl-dev" have mutual Conflicts: declarations so
installing one should auto-remove the other.

-----------------------------8< cut here >8-----------------------------
vagrant@debian-9:~$ dpkg -l \*openssl\* libssl\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-============================-===================-===================-==============================================================
un libssl-dev <none> <none> (no description available)
ii libssl1.0-dev:amd64 1.0.2l-2 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.0.2:amd64 1.0.2l-2 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.0f-3 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.1.0f-3 amd64 Secure Sockets Layer toolkit - cryptographic utility
un python3-openssl <none> <none> (no description available)
-----------------------------8< cut here >8-----------------------------

-Phil

[Jakub Jelen]

On Fri, 2017-09-22 at 16:34 -0400, Phil Pennock wrote:
> [ Take 2, this time with outputs on web-server not attached ]
>
> On 2017-09-21 at 10:47 +1000, Damien Miller wrote:
> > OpenSSH 7.6p1 is almost ready for release, so we would appreciate
> > testing
> > on as many platforms and systems as possible. This is a bugfix
> > release.
>
> Using vagrant, I brought this up on a few different boxes.
>
> SHA256(openssh-SNAP-20170922.tar.gz)=
> c40ee9c2e03ef8e6e8558066e51cdb8ed19e3c2339f64a00a68159d938c302b0
>
>
> "bento" as a prefix means that it's from Chef's "Bento" project and
> just
> means "tuned by people who probably know what they're doing for VMs"
> and
> is otherwise the base OS.
>
> Failures:
> * Bento Fedora 26: because system openssl is OpenSSL 1.1.0f

For testing purposes, you should be able to install compat-openssl10-
devel (OpenSSL 1.0.x) on Fedora 26, instead of openssl-devel, which
provides 1.1 interface.

Though I plan some more extensive testing with Fedora and new OpenSSL
in coming days.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

[The Doctor]

OPenssh 7.6 with test result from
FreeBSD 11.1 openssl 1.0.2m-fips-dev




Script started on Sun Sep 24 06:06:51 2017
You have mail.
root@doctor:/usr/source/openssh-SNAP-20170924 # make tests

[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || mkdir -p `pwd`/regress/unittests/sshkey
[ -d `pwd`/regress/unittests/bitmap ] || mkdir -p `pwd`/regress/unittests/bitmap
[ -d `pwd`/regress/unittests/conversion ] || mkdir -p `pwd`/regress/unittests/conversion
[ -d `pwd`/regress/unittests/hostkeys ] || mkdir -p `pwd`/regress/unittests/hostkeys
[ -d `pwd`/regress/unittests/kex ] || mkdir -p `pwd`/regress/unittests/kex
[ -d `pwd`/regress/unittests/match ] || mkdir -p `pwd`/regress/unittests/match
[ -d `pwd`/regress/unittests/utf8 ] || mkdir -p `pwd`/regress/unittests/utf8
[ -d `pwd`/regress/misc/kexfuzz ] || mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && make)
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/setuid-allowed ./regress/setuid-allowed.c -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat ./regress/netcat.c -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/tmp/netcat-b6a760.o: In function `main':
/usr/source/openssh-SNAP-20170924/./regress/netcat.c:323: warning: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/check-perm ./regress/check-perm.c -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/tests.c -o regress/unittests/sshbuf/tests.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf.c -o regress/unittests/sshbuf/test_sshbuf.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_basic.c -o regress/unittests/sshbuf/test_sshbuf_getput_basic.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_misc.c -o regress/unittests/sshbuf/test_sshbuf_misc.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_fuzz.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fixed.c -o regress/unittests/sshbuf/test_sshbuf_fixed.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/test_helper.c -o regress/unittests/test_helper/test_helper.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/fuzz.c -o regress/unittests/test_helper/fuzz.o
ar rv regress/unittests/test_helper/libtest_helper.a regress/unittests/test_helper/test_helper.o regress/unittests/test_helper/fuzz.o
ar: warning: creating regress/unittests/test_helper/libtest_helper.a
a - regress/unittests/test_helper/test_helper.o
a - regress/unittests/test_helper/fuzz.o
ranlib regress/unittests/test_helper/libtest_helper.a
/usr/bin/cc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_fuzz.c -o regress/unittests/sshkey/test_fuzz.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/tests.c -o regress/unittests/sshkey/tests.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/common.c -o regress/unittests/sshkey/common.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_file.c -o regress/unittests/sshkey/test_file.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_sshkey.c -o regress/unittests/sshkey/test_sshkey.o
/usr/bin/cc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/bitmap/tests.c -o regress/unittests/bitmap/tests.o
/usr/bin/cc -o regress/unittests/bitmap/test_bitmap -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/bitmap/tests.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/conversion/tests.c -o regress/unittests/conversion/tests.o
/usr/bin/cc -o regress/unittests/conversion/test_conversion -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/conversion/tests.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/hostkeys/tests.c -o regress/unittests/hostkeys/tests.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/hostkeys/test_iterate.c -o regress/unittests/hostkeys/test_iterate.o
/usr/bin/cc -o regress/unittests/hostkeys/test_hostkeys -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/hostkeys/tests.o regress/unittests/hostkeys/test_iterate.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/kex/tests.c -o regress/unittests/kex/tests.o
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/kex/test_kex.c -o regress/unittests/kex/test_kex.o
/usr/bin/cc -o regress/unittests/kex/test_kex -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/kex/tests.o regress/unittests/kex/test_kex.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/match/tests.c -o regress/unittests/match/tests.o
/usr/bin/cc -o regress/unittests/match/test_match -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/match/tests.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/utf8/tests.c -o regress/unittests/utf8/tests.o
/usr/bin/cc -o regress/unittests/utf8/test_utf8 -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/unittests/utf8/tests.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
/usr/bin/cc -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr//include -I/usr/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/misc/kexfuzz/kexfuzz.c -o regress/misc/kexfuzz/kexfuzz.o
/usr/bin/cc -o regress/misc/kexfuzz/kexfuzz -L. -Lopenbsd-compat/ -L/usr//lib -L/usr/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie regress/misc/kexfuzz/kexfuzz.o -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt
BUILDDIR=`pwd`; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_UTF8="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ="${BUILDDIR}/regress/" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="AJRX" TEST_MALLOC_OPTIONS="AJRX" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST!
_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_UTF8="${TEST_SSH_UTF8}" TEST_SSH_ECC="${TEST_SSH_ECC}" TEST_SHELL="sh" EXEEXT="" tests && echo all tests passed
test "x" = "x" || mkdir -p /usr/source/openssh-SNAP-20170924/regress//valgrind-out
set -e ; if test -z "" ; then V="" ; test "x" = "x" || V=/usr/source/openssh-SNAP-20170924/regress/valgrind-unit.sh ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/sshbuf/test_sshbuf ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/sshkey/test_sshkey -d /usr/source/openssh-SNAP-20170924/regress/unittests/sshkey/testdata ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/bitmap/test_bitmap ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/conversion/test_conversion ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/kex/test_kex ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/hostkeys/test_hostkeys -d /usr/source/openssh-SNAP-20170924/regress/unittests/hostkeys/testdata ; $V /usr/source/openssh-SNAP-20170924/regress/unittests/match/test_match ; if test "xyes" = "xyes" ; then $V /usr/source/openssh-SNAP-20170924/regress/unittests/utf8/test_utf8 ; fi fi
test_sshbuf: .................................................................................................... 101 tests ok
test_sshkey: .......................................................................................... 90 tests ok
test_bitmap: .. 2 tests ok
test_conversion: . 1 tests ok
test_kex: ................................................................................................................................................................................................................................................................................................................................................................ 352 tests ok
test_hostkeys: .................. 18 tests ok
test_match: ...... 6 tests ok
test_utf8: .................................. 34 tests ok
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2.prv | diff - /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.prv
tr '\n' '\r' </usr/source/openssh-SNAP-20170924/regress/rsa_ssh2.prv > /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2_cr.prv
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2_cr.prv | diff - /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.prv
awk '{print $0 "\r"}' /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2.prv > /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2_crnl.prv
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress/rsa_ssh2_crnl.prv | diff - /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.prv
cat /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.prv > /usr/source/openssh-SNAP-20170924/regress//t2.out
chmod 600 /usr/source/openssh-SNAP-20170924/regress//t2.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -yf /usr/source/openssh-SNAP-20170924/regress//t2.out | diff - /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20170924/ssh-keygen -ef /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub >/usr/source/openssh-SNAP-20170924/regress//t3.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress//t3.out | diff - /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub
/usr/source/openssh-SNAP-20170924/ssh-keygen -E md5 -lf /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20170924/regress/t4.ok
/usr/source/openssh-SNAP-20170924/ssh-keygen -Bf /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20170924/regress/t5.ok
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress/dsa_ssh2.prv > /usr/source/openssh-SNAP-20170924/regress//t6.out1
/usr/source/openssh-SNAP-20170924/ssh-keygen -if /usr/source/openssh-SNAP-20170924/regress/dsa_ssh2.pub > /usr/source/openssh-SNAP-20170924/regress//t6.out2
chmod 600 /usr/source/openssh-SNAP-20170924/regress//t6.out1
/usr/source/openssh-SNAP-20170924/ssh-keygen -yf /usr/source/openssh-SNAP-20170924/regress//t6.out1 | diff - /usr/source/openssh-SNAP-20170924/regress//t6.out2
/usr/source/openssh-SNAP-20170924/ssh-keygen -q -t rsa -N '' -f /usr/source/openssh-SNAP-20170924/regress//t7.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -lf /usr/source/openssh-SNAP-20170924/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -Bf /usr/source/openssh-SNAP-20170924/regress//t7.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -q -t dsa -N '' -f /usr/source/openssh-SNAP-20170924/regress//t8.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -lf /usr/source/openssh-SNAP-20170924/regress//t8.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -Bf /usr/source/openssh-SNAP-20170924/regress//t8.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20170924/ssh-keygen -q -t ecdsa -N '' -f /usr/source/openssh-SNAP-20170924/regress//t9.out
test "yes" != yes || /usr/source/openssh-SNAP-20170924/ssh-keygen -lf /usr/source/openssh-SNAP-20170924/regress//t9.out > /dev/null
test "yes" != yes || /usr/source/openssh-SNAP-20170924/ssh-keygen -Bf /usr/source/openssh-SNAP-20170924/regress//t9.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -q -t ed25519 -N '' -f /usr/source/openssh-SNAP-20170924/regress//t10.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -lf /usr/source/openssh-SNAP-20170924/regress//t10.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -Bf /usr/source/openssh-SNAP-20170924/regress//t10.out > /dev/null
/usr/source/openssh-SNAP-20170924/ssh-keygen -E sha256 -lf /usr/source/openssh-SNAP-20170924/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-SNAP-20170924/regress/t11.ok
/usr/source/openssh-SNAP-20170924/ssh-keygen -q -t ed25519 -N '' -C 'test-comment-1234' -f /usr/source/openssh-SNAP-20170924/regress//t12.out
/usr/source/openssh-SNAP-20170924/ssh-keygen -lf /usr/source/openssh-SNAP-20170924/regress//t12.out.pub | grep test-comment-1234 >/dev/null
run test connect.sh ...
ok simple connect
run test proxy-connect.sh ...
plain username privsep=no comp=no
plain username privsep=no comp=yes
plain username privsep=yes comp=no
plain username privsep=yes comp=yes
username with style
ok proxy connect
run test connect-privsep.sh ...
ok proxy connect with privsep
run test proto-version.sh ...
ok sshd version with different protocol combinations
run test proto-mismatch.sh ...
ok protocol version mismatch
run test exit-status.sh ...
test remote exit status: status 0
test remote exit status: status 1
test remote exit status: status 4
test remote exit status: status 5
test remote exit status: status 44
ok remote exit status
run test envpass.sh ...
test environment passing: pass env, don't accept
test environment passing: don't pass env, accept
test environment passing: pass single env, accept single env
test environment passing: pass multiple env, accept multiple env
ok environment passing
run test transfer.sh ...
ok transfer data
run test banner.sh ...
test banner: missing banner file
test banner: size 0
test banner: size 10
test banner: size 100
test banner: size 1000
test banner: size 10000
test banner: size 100000
test banner: suppress banner (-q)
ok banner
run test rekey.sh ...
client rekey KexAlgorithms=diffie-hellman-group1-sha1
client rekey KexAlgorithms=diffie-hellman-group14-sha1
client rekey KexAlgorithms=diffie-hellman-group14-sha256
client rekey KexAlgorithms=diffie-hellman-group16-sha512
client rekey KexAlgorithms=diffie-hellman-group18-sha512
client rekey KexAlgorithms=diffie-hellman-group-exchange-sha1
client rekey KexAlgorithms=diffie-hellman-group-exchange-sha256
client rekey KexAlgorithms=ecdh-sha2-nistp256
client rekey KexAlgorithms=ecdh-sha2-nistp384
client rekey KexAlgorithms=ecdh-sha2-nistp521
client rekey KexAlgorithms=curve25519-sha256
client rekey KexAlgorithms=curve255...@libssh.org
client rekey Ciphers=3des-cbc
client rekey Ciphers=aes128-cbc
client rekey Ciphers=aes192-cbc
client rekey Ciphers=aes256-cbc
client rekey Ciphers=rijnda...@lysator.liu.se
client rekey Ciphers=aes128-ctr
client rekey Ciphers=aes192-ctr
client rekey Ciphers=aes256-ctr
client rekey Ciphers=aes12...@openssh.com
client rekey Ciphers=aes25...@openssh.com
client rekey Ciphers=chacha20...@openssh.com
client rekey MACs=hmac-sha1
client rekey MACs=hmac-sha1-96
client rekey MACs=hmac-sha2-256
client rekey MACs=hmac-sha2-512
client rekey MACs=hmac-md5
client rekey MACs=hmac-md5-96
client rekey MACs=uma...@openssh.com
client rekey MACs=umac...@openssh.com
client rekey MACs=hmac-s...@openssh.com
client rekey MACs=hmac-sha...@openssh.com
client rekey MACs=hmac-sha...@openssh.com
client rekey MACs=hmac-sha...@openssh.com
client rekey MACs=hmac-m...@openssh.com
client rekey MACs=hmac-md...@openssh.com
client rekey MACs=umac-...@openssh.com
client rekey MACs=umac-1...@openssh.com
client rekey aes12...@openssh.com diffie-hellman-group1-sha1
client rekey aes12...@openssh.com diffie-hellman-group14-sha1
client rekey aes12...@openssh.com diffie-hellman-group14-sha256
client rekey aes12...@openssh.com diffie-hellman-group16-sha512
client rekey aes12...@openssh.com diffie-hellman-group18-sha512
client rekey aes12...@openssh.com diffie-hellman-group-exchange-sha1
client rekey aes12...@openssh.com diffie-hellman-group-exchange-sha256
client rekey aes12...@openssh.com ecdh-sha2-nistp256
client rekey aes12...@openssh.com ecdh-sha2-nistp384
client rekey aes12...@openssh.com ecdh-sha2-nistp521
client rekey aes12...@openssh.com curve25519-sha256
client rekey aes12...@openssh.com curve255...@libssh.org
client rekey aes25...@openssh.com diffie-hellman-group1-sha1
client rekey aes25...@openssh.com diffie-hellman-group14-sha1
client rekey aes25...@openssh.com diffie-hellman-group14-sha256
client rekey aes25...@openssh.com diffie-hellman-group16-sha512
client rekey aes25...@openssh.com diffie-hellman-group18-sha512
client rekey aes25...@openssh.com diffie-hellman-group-exchange-sha1
client rekey aes25...@openssh.com diffie-hellman-group-exchange-sha256
client rekey aes25...@openssh.com ecdh-sha2-nistp256
client rekey aes25...@openssh.com ecdh-sha2-nistp384
client rekey aes25...@openssh.com ecdh-sha2-nistp521
client rekey aes25...@openssh.com curve25519-sha256
client rekey aes25...@openssh.com curve255...@libssh.org
client rekey chacha20...@openssh.com diffie-hellman-group1-sha1
client rekey chacha20...@openssh.com diffie-hellman-group14-sha1
client rekey chacha20...@openssh.com diffie-hellman-group14-sha256
client rekey chacha20...@openssh.com diffie-hellman-group16-sha512
client rekey chacha20...@openssh.com diffie-hellman-group18-sha512
client rekey chacha20...@openssh.com diffie-hellman-group-exchange-sha1
client rekey chacha20...@openssh.com diffie-hellman-group-exchange-sha256
client rekey chacha20...@openssh.com ecdh-sha2-nistp256
client rekey chacha20...@openssh.com ecdh-sha2-nistp384
client rekey chacha20...@openssh.com ecdh-sha2-nistp521
client rekey chacha20...@openssh.com curve25519-sha256
client rekey chacha20...@openssh.com curve255...@libssh.org
client rekeylimit 16
client rekeylimit 1k
client rekeylimit 128k
client rekeylimit 256k
client rekeylimit default 5
client rekeylimit default 10
client rekeylimit default 5 no data
client rekeylimit default 10 no data
server rekeylimit 16
server rekeylimit 1k
server rekeylimit 128k
server rekeylimit 256k
server rekeylimit default 5 no data
server rekeylimit default 10 no data
rekeylimit parsing
ok rekey
run test stderr-data.sh ...
test stderr data transfer: ()
test stderr data transfer: (-n)
ok stderr data transfer
run test stderr-after-eof.sh ...
ok stderr data after eof
run test broken-pipe.sh ...
ok broken pipe test
run test try-ciphers.sh ...
test try ciphers: cipher 3des-cbc mac hmac-sha1
test try ciphers: cipher 3des-cbc mac hmac-sha1-96
test try ciphers: cipher 3des-cbc mac hmac-sha2-256
test try ciphers: cipher 3des-cbc mac hmac-sha2-512
test try ciphers: cipher 3des-cbc mac hmac-md5
test try ciphers: cipher 3des-cbc mac hmac-md5-96
test try ciphers: cipher 3des-cbc mac uma...@openssh.com
test try ciphers: cipher 3des-cbc mac umac...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-s...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-m...@openssh.com
test try ciphers: cipher 3des-cbc mac hmac-md...@openssh.com
test try ciphers: cipher 3des-cbc mac umac-...@openssh.com
test try ciphers: cipher 3des-cbc mac umac-1...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-sha1
test try ciphers: cipher aes128-cbc mac hmac-sha1-96
test try ciphers: cipher aes128-cbc mac hmac-sha2-256
test try ciphers: cipher aes128-cbc mac hmac-sha2-512
test try ciphers: cipher aes128-cbc mac hmac-md5
test try ciphers: cipher aes128-cbc mac hmac-md5-96
test try ciphers: cipher aes128-cbc mac uma...@openssh.com
test try ciphers: cipher aes128-cbc mac umac...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-s...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-m...@openssh.com
test try ciphers: cipher aes128-cbc mac hmac-md...@openssh.com
test try ciphers: cipher aes128-cbc mac umac-...@openssh.com
test try ciphers: cipher aes128-cbc mac umac-1...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-sha1
test try ciphers: cipher aes192-cbc mac hmac-sha1-96
test try ciphers: cipher aes192-cbc mac hmac-sha2-256
test try ciphers: cipher aes192-cbc mac hmac-sha2-512
test try ciphers: cipher aes192-cbc mac hmac-md5
test try ciphers: cipher aes192-cbc mac hmac-md5-96
test try ciphers: cipher aes192-cbc mac uma...@openssh.com
test try ciphers: cipher aes192-cbc mac umac...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-s...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-m...@openssh.com
test try ciphers: cipher aes192-cbc mac hmac-md...@openssh.com
test try ciphers: cipher aes192-cbc mac umac-...@openssh.com
test try ciphers: cipher aes192-cbc mac umac-1...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-sha1
test try ciphers: cipher aes256-cbc mac hmac-sha1-96
test try ciphers: cipher aes256-cbc mac hmac-sha2-256
test try ciphers: cipher aes256-cbc mac hmac-sha2-512
test try ciphers: cipher aes256-cbc mac hmac-md5
test try ciphers: cipher aes256-cbc mac hmac-md5-96
test try ciphers: cipher aes256-cbc mac uma...@openssh.com
test try ciphers: cipher aes256-cbc mac umac...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-s...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-m...@openssh.com
test try ciphers: cipher aes256-cbc mac hmac-md...@openssh.com
test try ciphers: cipher aes256-cbc mac umac-...@openssh.com
test try ciphers: cipher aes256-cbc mac umac-1...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha1
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha1-96
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha2-256
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha2-512
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-md5
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-md5-96
test try ciphers: cipher rijnda...@lysator.liu.se mac uma...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac umac...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-s...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-sha...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-m...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac hmac-md...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac umac-...@openssh.com
test try ciphers: cipher rijnda...@lysator.liu.se mac umac-1...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-sha1
test try ciphers: cipher aes128-ctr mac hmac-sha1-96
test try ciphers: cipher aes128-ctr mac hmac-sha2-256
test try ciphers: cipher aes128-ctr mac hmac-sha2-512
test try ciphers: cipher aes128-ctr mac hmac-md5
test try ciphers: cipher aes128-ctr mac hmac-md5-96
test try ciphers: cipher aes128-ctr mac uma...@openssh.com
test try ciphers: cipher aes128-ctr mac umac...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-s...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-m...@openssh.com
test try ciphers: cipher aes128-ctr mac hmac-md...@openssh.com
test try ciphers: cipher aes128-ctr mac umac-...@openssh.com
test try ciphers: cipher aes128-ctr mac umac-1...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-sha1
test try ciphers: cipher aes192-ctr mac hmac-sha1-96
test try ciphers: cipher aes192-ctr mac hmac-sha2-256
test try ciphers: cipher aes192-ctr mac hmac-sha2-512
test try ciphers: cipher aes192-ctr mac hmac-md5
test try ciphers: cipher aes192-ctr mac hmac-md5-96
test try ciphers: cipher aes192-ctr mac uma...@openssh.com
test try ciphers: cipher aes192-ctr mac umac...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-s...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-m...@openssh.com
test try ciphers: cipher aes192-ctr mac hmac-md...@openssh.com
test try ciphers: cipher aes192-ctr mac umac-...@openssh.com
test try ciphers: cipher aes192-ctr mac umac-1...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-sha1
test try ciphers: cipher aes256-ctr mac hmac-sha1-96
test try ciphers: cipher aes256-ctr mac hmac-sha2-256
test try ciphers: cipher aes256-ctr mac hmac-sha2-512
test try ciphers: cipher aes256-ctr mac hmac-md5
test try ciphers: cipher aes256-ctr mac hmac-md5-96
test try ciphers: cipher aes256-ctr mac uma...@openssh.com
test try ciphers: cipher aes256-ctr mac umac...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-s...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-sha...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-m...@openssh.com
test try ciphers: cipher aes256-ctr mac hmac-md...@openssh.com
test try ciphers: cipher aes256-ctr mac umac-...@openssh.com
test try ciphers: cipher aes256-ctr mac umac-1...@openssh.com
test try ciphers: cipher aes12...@openssh.com mac hmac-sha1
test try ciphers: cipher aes25...@openssh.com mac hmac-sha1
test try ciphers: cipher chacha20...@openssh.com mac hmac-sha1
ok try ciphers
run test yes-head.sh ...
ok yes pipe head
run test login-timeout.sh ...
ok connect after login grace timeout
run test agent.sh ...
ok simple agent test
run test agent-getpeereid.sh ...
need SUDO to switch to uid nobody
run test agent-timeout.sh ...
ok agent timeout test
run test agent-ptrace.sh ...
Skipped: running as root
run test keyscan.sh ...
ok keyscan
run test keygen-change.sh ...
ok change passphrase for key
run test keygen-convert.sh ...
ok convert keys
run test keygen-moduli.sh ...
ok keygen moduli
run test key-options.sh ...
key option command="echo bar"
key option no-pty,command="echo bar"
key option proto no-pty
key option environment
key option from="127.0.0.1"
key option from="127.0.0.0/8"
ok key options
run test scp.sh ...
scp: simple copy local file to local file
scp: simple copy local file to remote file
scp: simple copy remote file to local file
scp: simple copy local file to remote dir
scp: simple copy local file to local dir
scp: simple copy remote file to local dir
scp: recursive local dir to remote dir
scp: recursive local dir to local dir
scp: recursive remote dir to local dir
scp: shell metacharacters
scp: disallow bad server #0
scp: disallow bad server #1
scp: disallow bad server #2
scp: disallow bad server #3
scp: disallow bad server #4
scp: detect non-directory target
/usr/source/openssh-SNAP-20170924/regress/copy2: Not a directory
ok scp
run test sftp.sh ...
test basic sftp put/get: buffer_size 5 num_requests 1
test basic sftp put/get: buffer_size 5 num_requests 2
test basic sftp put/get: buffer_size 5 num_requests 10
test basic sftp put/get: buffer_size 1000 num_requests 1
test basic sftp put/get: buffer_size 1000 num_requests 2
test basic sftp put/get: buffer_size 1000 num_requests 10
test basic sftp put/get: buffer_size 32000 num_requests 1
test basic sftp put/get: buffer_size 32000 num_requests 2
test basic sftp put/get: buffer_size 32000 num_requests 10
test basic sftp put/get: buffer_size 64000 num_requests 1
test basic sftp put/get: buffer_size 64000 num_requests 2
test basic sftp put/get: buffer_size 64000 num_requests 10
ok basic sftp put/get
run test sftp-chroot.sh ...
test sftp in chroot: get
ok sftp in chroot
run test sftp-cmds.sh ...
sftp commands: lls
sftp commands: lls w/path
sftp commands: ls
sftp commands: shell
sftp commands: pwd
sftp commands: lpwd
sftp commands: quit
sftp commands: help
sftp commands: get
sftp commands: get quoted
sftp commands: get filename with quotes
sftp commands: get filename with spaces
sftp commands: get filename with glob metacharacters
sftp commands: get to directory
sftp commands: glob get to directory
sftp commands: get to local dir
sftp commands: glob get to local dir
sftp commands: put
sftp commands: put filename with quotes
sftp commands: put filename with spaces
sftp commands: put to directory
sftp commands: glob put to directory
sftp commands: put to local dir
sftp commands: glob put to local dir
sftp commands: rename
sftp commands: rename directory
sftp commands: ln
sftp commands: ln -s
sftp commands: mkdir
sftp commands: chdir
sftp commands: rmdir
sftp commands: lmkdir
sftp commands: lchdir
ok sftp commands
run test sftp-badcmds.sh ...
sftp invalid commands: get nonexistent
sftp invalid commands: glob get to nonexistent directory
sftp invalid commands: put nonexistent
sftp invalid commands: glob put to nonexistent directory
sftp invalid commands: rename nonexistent
sftp invalid commands: rename target exists (directory)
sftp invalid commands: glob put files to local file
ok sftp invalid commands
run test sftp-batch.sh ...
sftp batchfile: good commands
sftp batchfile: bad commands
sftp batchfile: comments and blanks
sftp batchfile: junk command
ok sftp batchfile
run test sftp-glob.sh ...
sftp glob: file glob
sftp glob: dir glob
sftp glob: quoted glob
sftp glob: escaped glob
sftp glob: escaped quote
sftp glob: quoted quote
sftp glob: single-quoted quote
sftp glob: escaped space
sftp glob: quoted space
sftp glob: escaped slash
sftp glob: quoted slash
sftp glob: escaped slash at EOL
sftp glob: quoted slash at EOL
sftp glob: escaped slash+quote
sftp glob: quoted slash+quote
ok sftp glob
run test sftp-perm.sh ...
sftp permissions: read-only upload
sftp permissions: read-only setstat
sftp permissions: read-only rm
sftp permissions: read-only mkdir
sftp permissions: read-only rmdir
sftp permissions: read-only posix-rename
sftp permissions: read-only oldrename
sftp permissions: read-only symlink
sftp permissions: read-only hardlink
sftp permissions: explicit open
sftp permissions: explicit read
sftp permissions: explicit write
sftp permissions: explicit lstat
sftp permissions: explicit opendir
sftp permissions: explicit readdir
sftp permissions: explicit setstat
sftp permissions: explicit remove
sftp permissions: explicit mkdir
sftp permissions: explicit rmdir
sftp permissions: explicit posix-rename
sftp permissions: explicit rename
sftp permissions: explicit symlink
sftp permissions: explicit hardlink
sftp permissions: explicit statvfs
ok sftp permissions
run test reconfigure.sh ...
ok simple connect after reconfigure
run test dynamic-forward.sh ...
ok dynamic forwarding
run test forwarding.sh ...
failed copy of /bin/ls
cmp: EOF on /usr/source/openssh-SNAP-20170924/regress/copy
corrupted copy of /bin/ls
Exit request sent.

Exit request sent.

Exit request sent.

Exit request sent.

Exit request sent.

Exit request sent.

Exit request sent.

Exit request sent.

failed local and remote forwarding
*** Error code 1

Stop.
make[1]: stopped in /usr/source/openssh-SNAP-20170924/regress
*** Error code 1

Stop.
make: stopped in /usr/source/openssh-SNAP-20170924
root@doctor:/usr/source/openssh-SNAP-20170924 # exit

exit

Script done on Sun Sep 24 06:14:31 2017

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Talk Sense to a fool and he calls you foolish - Euripides

[Phil Pennock]

On 2017-09-25 at 09:18 +0200, Jakub Jelen wrote:
> For testing purposes, you should be able to install compat-openssl10-
> devel (OpenSSL 1.0.x) on Fedora 26, instead of openssl-devel, which
> provides 1.1 interface.

Thanks, that helps. Much appreciated. Success at:
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170925/bento-fedora26.txt

Install script at:
https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170925/openssh-snapshot-20170925.text

In this case, for RPM-based compatibility across Centos7 and Fedora 26,
it's:

yum -y install yum-utils
yum -y groupinstall 'Development Tools'
yum-builddep -y openssh
case $(rpm -qa --queryformat '%{VERSION}\n' openssl-devel) in
1.1.*)
yum -y install --allowerasing compat-openssl10-devel
;;
esac

Regards,
-Phil

[Jeff Wieland]

Damien Miller wrote:
> Hi,

>
> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
>

Using the 20170927 snapshot, the following combinations passed all
tests on SPARC Solaris 10:

Oracle's OpenSSL 1.0.2k & Sun Studio 12.0
Locally built OpenSSL 1.0.2l & Sun Studio 12.0
Oracle's OpenSSL 1.0.2k & Solaris Studio 12.2
Locally built OpenSSL 1.0.2l & Solaris Studio 12.2
Oracle's OpenSSL 1.0.2k & Solaris Studio 12.4
Locally built OpenSSL 1.0.2l & Solaris Studio 12.4

I generally build with Studio 12.2, as it works better/faster with some
of the old systems that I have around.

I'm still working on getting it to build with the version of gcc that
installswith Solaris 10.

--
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms

[Jeff Wieland]

> Damien Miller wrote:
>> Hi,
>>
>> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
>> on as many platforms and systems as possible. This is a bugfix release.
>>
>>
> Using the 20170927 snapshot, the following combinations passed all
> tests on SPARC Solaris 10:
>
> Oracle's OpenSSL 1.0.2k & Sun Studio 12.0
> Locally built OpenSSL 1.0.2l & Sun Studio 12.0
> Oracle's OpenSSL 1.0.2k & Solaris Studio 12.2
> Locally built OpenSSL 1.0.2l & Solaris Studio 12.2
> Oracle's OpenSSL 1.0.2k & Solaris Studio 12.4
> Locally built OpenSSL 1.0.2l & Solaris Studio 12.4
>
> I generally build with Studio 12.2, as it works better/faster with some
> of the old systems that I have around.
>
> I'm still working on getting it to build with the version of gcc that
> installswith Solaris 10.
>
> --
> Jeff Wieland, UNIX/Network Systems Administrator
> Purdue University IT Infrastructure Services UNIX Platforms
>

Success with gcc:

Oracle's OpenSSL 1.0.2k & gcc version 3.4.3
Locally built OpenSSL 1.0.2l & gcc version 3.4.3

[Kevin Brott]

On 09/24/2017 07:12 PM, Phil Pennock wrote:
> On 2017-09-24 at 17:37 -0700, Kevin Brott wrote:
>> On 09/20/2017 05:47 PM, Damien Miller wrote:
>>> Hi,
>>>
>>> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a bugfix release.
>> openssh-SNAP-20170925.tar.gz && git clone as of 2017/09/24 @ 17:20 PDT
>>
>> OpSys           Compiler   OpenSSL     Build     Test
>> Debian 8.9    gcc 4.9.2    1.0.1t        YES        all tests passed
>> Debian 9.1    gcc 6.3.0    1.1.0f        NO *1
>>
>> Looks like the default openssl version on Debian 9 is 1.1.0f, which according to the INSTALL doc is a deal-breaker (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0).
> Debian 9.1 is one of the ones I tested on and it worked, so I looked
> into this: it looks like Debian 9.1 has libssl installed for both 1.0.2l
> and 1.1.0f, but then the openssl package for the latter, providing only
> the command-line interface.
>
> https://people.spodhuis.org/phil.pennock/openssh-testing/SNAP-20170925/bento-debian9.1.txt
>
> A plain install of Debian includes neither set of dev headers, the
> "apt-get build-dep openssh" step installed "libssl1.0-dev". The plain
> install I got included both binary-library packages by default.
>

I must not have properly cleaned up the dev environment from the tweaking run I did on clamav for our systems. You're quite right. After I installed the openssl1.0-dev package and it cleared out the conflicting 1.1 stuff, the openssh 7.6 sources then built and tested without a hitch.  Nothing on the system broke, except the dev environment for clamav, which I was done with anyway.  Interesting that there seems to be a mix of ssl dependencies on 9.1 (I got a bit dizzy trying to follow them all).

Any idea if openssh is going to roadmap into openssl 1.1 any time soon?

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin...@GMail.com> */

[Martin Hecht]

all tests passed on

Ubuntu 16.04.3 LTS and
Scientific Linux release 6.9 (Carbon)

On SUSE Linux Enterprise Server 11 SP3 LTSS I had to provide a local
installation of a newer openssl. I have chosen their current LTS version
1.0.2l with shared library support enabled, and I had to tweak with
CFLAGS and LDFLAGS to pass the configure checks (otherwise, the OS
provided, heavily patched 0.9.8j-fips version was used, even when
configure was told to use the local installation via --with-ssl-dir).
Anyhow, I managed to build, but then make tests fails with:

run test agent.sh ...
ssh-add -l via agent fwd failed (exit code 255)
agent fwd failed (exit code 255)
failed simple agent test

I know it's an old distribution, but with the newer openssl installation
one would maybe expect the tests to pass.

[Damien Miller]

On Wed, 27 Sep 2017, Martin Hecht wrote:

> all tests passed on
>
> Ubuntu 16.04.3 LTS and
> Scientific Linux release 6.9 (Carbon)
>
> On SUSE Linux Enterprise Server 11 SP3 LTSS I had to provide a local
> installation of a newer openssl. I have chosen their current LTS version
> 1.0.2l with shared library support enabled, and I had to tweak with
> CFLAGS and LDFLAGS to pass the configure checks (otherwise, the OS
> provided, heavily patched 0.9.8j-fips version was used, even when
> configure was told to use the local installation via --with-ssl-dir).
> Anyhow, I managed to build, but then make tests fails with:
>
> run test agent.sh ...
> ssh-add -l via agent fwd failed (exit code 255)
> agent fwd failed (exit code 255)
> failed simple agent test

When tests fail, you can check regress/failed-* for details of what went wrong.

-d

[The Doctor]

In FreeBSD 11.1 using Openssl 1.0.2.m-fips-dev

Here is what I got

scp: shell metacharacters
scp: disallow bad server #0
scp: disallow bad server #1
scp: disallow bad server #2
scp: disallow bad server #3
scp: disallow bad server #4
scp: detect non-directory target

/usr/source/openssh-SNAP-0929/regress/copy2: Not a directory

cmp: EOF on /usr/source/openssh-SNAP-0929/regress/copy

corrupted copy of /bin/ls
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
failed local and remote forwarding
*** Error code 1

Stop.

make[1]: stopped in /usr/source/openssh-SNAP-0929/regress

*** Error code 1

Stop.

make: stopped in /usr/source/openssh-SNAP-0929stopped in /usr/source/openssh-SNAP-0929/regress

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Talk Sense to a fool and he calls you foolish - Euripides

[Iain Morgan]

On Thu, Sep 21, 2017 at 10:47:59 +1000, Damien Miller wrote:
> Hi,
>

> OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing

> on as many platforms and systems as possible. This is a bugfix release.
>

Hi Damien,

I sent this report last week, but due to a prlblem at my end it never
made it to the list.

The 20170922 snapshot successfully builds on RHEL 6.9/x86_64 with
LibreSSL 2.6.1. However, the regression tests fail with
regress/authinfo.sh:

run test authinfo.sh ...
ExposeAuthInfo=no
SSH_USER_AUTH: Undefined variable.
SSH_USER_AUTH present
ExposeAuthInfo=yes
failed authinfo

make[1]: *** [t-exec] Error 1
make[1]: Leaving directory

`/u/wk/imorgan/src/openssh/build/openssh/regress'

make: *** [tests] Error 2

This is due to my shell being csh, which is pickier about undefined
variables than the Bourne-style shells. The attached patch fixes the
issue.


--
Iain Morgan

diff --git a/regress/authinfo.sh b/regress/authinfo.sh
index e725296..e4275be 100644
--- a/regress/authinfo.sh
+++ b/regress/authinfo.sh
@@ -6,7 +6,7 @@ tid="authinfo"
# Ensure the environment variable doesn't leak when ExposeAuthInfo=no.
verbose "ExposeAuthInfo=no"
env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \
- 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
+ 'test -z `printenv SSH_USER_AUTH`' || fail "SSH_USER_AUTH present"

verbose "ExposeAuthInfo=yes"
echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy

[Darren Tucker]

On 29 September 2017 at 11:05, Iain Morgan <imorgan...@nas.nasa.gov> wrote:
[...]

> This is due to my shell being csh, which is pickier about undefined
> variables than the Bourne-style shells. The attached patch fixes the
> issue.

Thanks for figuring this out.

> - 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
> + 'test -z `printenv SSH_USER_AUTH`' || fail "SSH_USER_AUTH present"

Unfortunately printenv is not specified by posix (AFAICT it's a
gnuism) so that would likely break many other currently working
platforms.
Would it be possible to do something like:

'test -z `sh -c "echo $SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"

(plus or minus some quoting, probably) ?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Damien Miller]

On Fri, 29 Sep 2017, The Doctor wrote:

>
> In FreeBSD 11.1 using Openssl 1.0.2.m-fips-dev
>
> Here is what I got

> run test forwarding.sh ...
> failed copy of /bin/ls
> cmp: EOF on /usr/source/openssh-SNAP-0929/regress/copy
> corrupted copy of /bin/ls
> Exit request sent.
> Exit request sent.
> Exit request sent.
> Exit request sent.
> Exit request sent.
> Exit request sent.
> Exit request sent.
> Exit request sent.
> failed local and remote forwarding
> *** Error code 1

I can't reproduce this failure with stock FreeBSD 11.1 using
either the stock OpenSSL or 1.0.2l-fips.

Could you see if there are any clues in regress/failed-* ?

I noticed that the tests would fail in multiplex.sh on the FreeBSD
GCE VM that I was testing on because there was no entry for "localhost"
in /etc/hosts. You might want to check that too.

-d

[Iain Morgan]

On Fri, Sep 29, 2017 at 11:55:26 -0700, Darren Tucker wrote:
> On 29 September 2017 at 11:05, Iain Morgan <imorgan...@nas.nasa.gov> wrote:
> [...]
> > This is due to my shell being csh, which is pickier about undefined
> > variables than the Bourne-style shells. The attached patch fixes the
> > issue.
>
> Thanks for figuring this out.
>
> > - 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
> > + 'test -z `printenv SSH_USER_AUTH`' || fail "SSH_USER_AUTH present"
>
> Unfortunately printenv is not specified by posix (AFAICT it's a
> gnuism) so that would likely break many other currently working
> platforms.
> Would it be possible to do something like:
>
> 'test -z `sh -c "echo $SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"
>
> (plus or minus some quoting, probably) ?
>

Actually, according to OpenBSD's printenv(1) man page, it first appeared
in 2BSD. The man page on OS X claims it was BSD 3.0. However, it doesn't
appear to be part of any standard.

Your suggestion ran into the same issue as the original test, but
escaping the evaluation by the user's shell appears to work:

'test -z `sh -c "echo \$SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"

--
Iain Morgan

[Damien Miller]

On Fri, 29 Sep 2017, Iain Morgan wrote:

> Actually, according to OpenBSD's printenv(1) man page, it first appeared
> in 2BSD. The man page on OS X claims it was BSD 3.0. However, it doesn't
> appear to be part of any standard.
>
> Your suggestion ran into the same issue as the original test, but
> escaping the evaluation by the user's shell appears to work:
>
> 'test -z `sh -c "echo \$SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"

How about:

diff --git a/regress/authinfo.sh b/regress/authinfo.sh
index e725296c..b47f4e5a 100644
--- a/regress/authinfo.sh
+++ b/regress/authinfo.sh
@@ -5,8 +5,10 @@ tid="authinfo"

# Ensure the environment variable doesn't leak when ExposeAuthInfo=no.
verbose "ExposeAuthInfo=no"

+

env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \

- 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"

+ "exec sh -c 'test -z \"\$SSH_USER_AUTH\"'" || \
+ fail "SSH_USER_AUTH present"

verbose "ExposeAuthInfo=yes"
echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy

[Darren Tucker]

On 29 September 2017 at 15:47, Damien Miller <d...@mindrot.org> wrote:
> On Fri, 29 Sep 2017, Iain Morgan wrote:
>
>> Actually, according to OpenBSD's printenv(1) man page, it first appeared
>> in 2BSD. The man page on OS X claims it was BSD 3.0. However, it doesn't
>> appear to be part of any standard.

of the systems I have available here: the BSDs Linux and AIX have it.
Solaris doesn't have it in the standard path but it is in /usr/ucb.

>> Your suggestion ran into the same issue as the original test, but
>> escaping the evaluation by the user's shell appears to work:
>>
>> 'test -z `sh -c "echo \$SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"

Well escaping something for the user's shell depends on the shell's
escaping rules.

> How about:

Or how about we do the escaping on the client side where we know what
the rules are and feed it to /bin/sh over stdin? Then it shouldn't
matter what the shell is.

test -z $(echo 'echo $SSH_USER_AUTH' | env SSH_USER_AUTH=blah ${SSH} -F \
$OBJ/ssh_proxy x /bin/sh) || fail "SSH_USER_AUTH present"

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Iain Morgan]

On Sat, Sep 30, 2017 at 08:47:27 +1000, Damien Miller wrote:
> On Fri, 29 Sep 2017, Iain Morgan wrote:
>
> > Actually, according to OpenBSD's printenv(1) man page, it first appeared
> > in 2BSD. The man page on OS X claims it was BSD 3.0. However, it doesn't
> > appear to be part of any standard.
> >
> > Your suggestion ran into the same issue as the original test, but
> > escaping the evaluation by the user's shell appears to work:
> >
> > 'test -z `sh -c "echo \$SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"
>
> How about:
>

Yes, that works for me.

--
Iain Morgan

[Damien Miller]

On Fri, 29 Sep 2017, Darren Tucker wrote:

> On 29 September 2017 at 15:47, Damien Miller <d...@mindrot.org> wrote:
> > On Fri, 29 Sep 2017, Iain Morgan wrote:
> >
> >> Actually, according to OpenBSD's printenv(1) man page, it first appeared
> >> in 2BSD. The man page on OS X claims it was BSD 3.0. However, it doesn't
> >> appear to be part of any standard.
>
> of the systems I have available here: the BSDs Linux and AIX have it.
> Solaris doesn't have it in the standard path but it is in /usr/ucb.
>
> >> Your suggestion ran into the same issue as the original test, but
> >> escaping the evaluation by the user's shell appears to work:
> >>
> >> 'test -z `sh -c "echo \$SSH_USER_AUTH"`' || fail "SSH_USER_AUTH present"
>
> Well escaping something for the user's shell depends on the shell's
> escaping rules.
>
> > How about:
>
> Or how about we do the escaping on the client side where we know what
> the rules are and feed it to /bin/sh over stdin? Then it shouldn't
> matter what the shell is.
>
> test -z $(echo 'echo $SSH_USER_AUTH' | env SSH_USER_AUTH=blah ${SSH} -F \
> $OBJ/ssh_proxy x /bin/sh) || fail "SSH_USER_AUTH present"

All the escaping is on the client side in my patch, what gets sent is:

exec sh -c 'test -z "$SSH_USER_AUTH"'

which is IMO pretty unambiguous

-d

[Tom G. Christensen]

On 24/09/17 08:20, Tom G. Christensen wrote:
> On 24/09/17 07:13, Darren Tucker wrote:
>> On 24 September 2017 at 02:14, Tom G. Christensen
>> <t...@jupiterrise.com> wrote:
>> [...]
>>> I am seeing the exact same error consistently on Solaris 7/SPARC.
>>>
>>> $ ./test_kex
>>> test_kex: dsa_generate_private_key bits 2048 expected 1024
>>
>> What version of OpenSSL do you have?  (on both the good and bad
>> machines?)  We have one data point of the problem occurring with
>> OpenSSL 1.0.2k but we don't know if the version is significant.
>>
>
> All my Solaris hosts have 1.0.2k installed.
>

I have retested now with 74c1c366 and the same openssl 1.0.2k install
and I cannot reproduce the problem.