Mailing List Archive

Re: Call for testing: OpenSSH 8.9
Tests are failing:
:; gmake tests
...
In file included from /pz/SFW/include/openssl/x509.h:30,
                 from /pz/SFW/include/openssl/pem.h:17,
                 from regress/misc/sk-dummy/sk-dummy.c:48:
/pz/SFW/include/openssl/sha.h:56:3: error: conflicting types for 'SHA256_CTX'
   56 | } SHA256_CTX;
      |   ^~~~~~~~~~
In file included from /usr/include/sha2.h:32,
                 from regress/misc/sk-dummy/sk-dummy.c:28:
/usr/include/sys/sha2.h:89:18: note: previous declaration of 'SHA256_CTX' was here
   89 | typedef SHA2_CTX SHA256_CTX;
      |                  ^~~~~~~~~~
/pz/SFW/include/openssl/sha.h:65:16: error: expected identifier or '(' before numeric constant
   65 | unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md);
      |                ^~~~~~
In file included from /pz/SFW/include/openssl/x509.h:30,
                 from /pz/SFW/include/openssl/pem.h:17,
                 from regress/misc/sk-dummy/sk-dummy.c:48:
/pz/SFW/include/openssl/sha.h:103:3: error: conflicting types for 'SHA512_CTX'
  103 | } SHA512_CTX;
      |   ^~~~~~~~~~
In file included from /usr/include/sha2.h:32,
                 from regress/misc/sk-dummy/sk-dummy.c:28:
/usr/include/sys/sha2.h:91:18: note: previous declaration of 'SHA512_CTX' was here
   91 | typedef SHA2_CTX SHA512_CTX;
      |                  ^~~~~~~~~~
/pz/SFW/include/openssl/sha.h:108:16: error: expected identifier or '(' before numeric constant
  108 | unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md);
      |                ^~~~~~
/pz/SFW/include/openssl/sha.h:112:16: error: expected identifier or '(' before numeric constant
  112 | unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md);
      |                ^~~~~~
gmake: *** [Makefile:688: regress/misc/sk-dummy/sk-dummy.lo] Error 1


------------------
:; which openssl
/pz/SFW/bin/openssl
:; openssl version
OpenSSL 1.1.1m  14 Dec 2021


Regards.

On 15.02.2022 09:54, Predrag Zecevic wrote:
> It compiles on OpenIndiana (https://www.openindiana.org) as well.
> Since it delivers own OpenSSH copy, I use to install it on separate
> location.
>
> #### http://www.mindrot.org/openssh_snap/openssh-SNAP-20220211.tar.gz
>
> :; autoreconf
> # autoreconf (GNU Autoconf) 2.71
>
> :; echo $CC $CXX
> /usr/gcc/10/bin/gcc /usr/gcc/10/bin/g++
>
> :; echo $PREFIX
> /pz/SFW
>
> :; echo $CFLAGS
> -lstdc++ -m64 -march=native -std=c89 -std=c99
> -D_POSIX_PTHREAD_SEMANTICS -D_XOPEN_SOURCE=600 -D_FILE_OFFSET_BITS=64
> -D__EXTENSIONS__ -I${PREFIX}/include -I${PREFIX}/include/openssl
> -I${PREFIX}/apr/include -I${PREFIX}/include/nghttp3 -I/usr/include
> -I/usr/gnu/include -I/usr/include/readline -I/usr/include/ncurses
> -I/usr/include/idn2
>
> :; ./configure --prefix=${PREFIX}
>        --sysconfdir=${PREFIX}/etc/openssh
>        --with-cflags="${CFLAGS} -DHAVE_MBLEN"
>        --with-kerberos5=${PREFIX}
>        --with-ssl-dir=${PREFIX}
>        --with-zlib=${PREFIX}
>        --with-pam
>        --with-xauth=/usr/bin/xauth
>        --with-libedit
>        --with-mantype=man
>        --with-solaris-projects
>        --with-solaris-privs
>
> ...
> :; gmake
> ...
> :; ./ssh -V
> OpenSSH_8.8p1-snap20220211, OpenSSL 1.1.1m  14 Dec 2021
>
> Many thanks, and best regards.
>

--
Predrag Zečević
predrag.zecevic.1961@googlemail.com

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Call for testing: OpenSSH 8.9
On Wed, 16 Feb 2022 at 01:09, Predrag Zecevic
<predrag.zecevic.1961@googlemail.com> wrote:
>
> Tests are failing:
> :; gmake tests
> ...
> In file included from /pz/SFW/include/openssl/x509.h:30,
> from /pz/SFW/include/openssl/pem.h:17,
> from regress/misc/sk-dummy/sk-dummy.c:48:
> /pz/SFW/include/openssl/sha.h:56:3: error: conflicting types for
> 'SHA256_CTX'
> 56 | } SHA256_CTX;
> | ^~~~~~~~~~

What platform is that? From the paths I'm guessing a Solaris or derivative?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 8.9
On Wed, 16 Feb 2022 at 00:48, chris <chris@cataclysmal.org> wrote:
[...]
> openssh-SNAP-20220215.tar.gz
> Haiku R1/beta3 hrev55181+63 (x86)
> gcc 11.2.0
[...]
> drop connection #1 from [127.0.0.1]:40281 on [127.0.0.1]:4242 past MaxStartups

This was the symptom we saw on Solaris and derivatives, which was
caused by the privileged sshd not being a process group leader and
thus the grace_alarm_handler fails to clean up the unprivileged
privsep child here:

grace_alarm_handler(int sig)
[...]
	if (getpgid(0) == getpid()) {
		ssh_signal(SIGTERM, SIG_IGN);
		kill(0, SIGTERM);
	}

On Solaris this was caused by skipping the setsid() call, but that was
removed in commit b306986, so probably there's another thing causing a
similar symptom. Does Haiku implement the kill(0, ...) behaviour
specified by POSIX? Does it have a killpg? Does it even have process
groups?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
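As an added illustration (not code from OpenSSH or from anyone in this thread), the C program below reproduces the grace_alarm_handler check in miniature: a simulated privileged sshd forks a privsep child and, when the grace timeout "fires", signals its process group only if it leads that group. Run once after setsid() and once without, it shows why a daemon that is not a process group leader leaves the child behind. All function and variable names are my own, and the 100 ms wait is a constructed delay, not anything sshd does.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* The test sshd's grace_alarm_handler performs before kill(0, SIGTERM). */
int leads_own_pgroup(void)
{
	return getpgid(0) == getpid();
}

/* Body of the simulated privileged sshd (hypothetical names throughout).
 * Exits 1 if the privsep child died from SIGTERM, 0 if it survived the
 * grace timeout, 2 on a harness error. */
static void sshd_body(int become_leader)
{
	pid_t child;
	int status, cleaned = 0;
	struct timespec wait_100ms = { 0, 100000000 };

	/* setsid() makes us session and process group leader; skipping it
	 * is what broke the cleanup on Solaris before commit b306986. */
	if (become_leader && setsid() == (pid_t)-1)
		_exit(2);

	if ((child = fork()) == (pid_t)-1)
		_exit(2);
	if (child == 0) {
		/* privsep child: default SIGTERM action, idle until signalled */
		signal(SIGTERM, SIG_DFL);
		for (;;)
			pause();
	}

	/* The grace timeout "fires": same logic as grace_alarm_handler. */
	if (leads_own_pgroup()) {
		signal(SIGTERM, SIG_IGN);	/* don't terminate ourselves */
		kill(0, SIGTERM);		/* signal the whole process group */
	}

	nanosleep(&wait_100ms, NULL);
	if (waitpid(child, &status, WNOHANG) == child) {
		cleaned = WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM;
	} else {
		/* child was left behind: the leak, cleaned up explicitly here */
		kill(child, SIGKILL);
		waitpid(child, &status, 0);
	}
	_exit(cleaned);
}

/* Returns 1 if the grace timeout tore down the privsep child, 0 if the
 * child leaked (the symptom reported above), -1 on harness error. */
int simulate_grace_timeout(int become_leader)
{
	pid_t d;
	int status;

	if ((d = fork()) == (pid_t)-1)
		return -1;
	if (d == 0)
		sshd_body(become_leader);
	if (waitpid(d, &status, 0) != d || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
	printf("sshd is group leader:     child cleaned up = %d\n",
	    simulate_grace_timeout(1));
	printf("sshd is not group leader: child cleaned up = %d\n",
	    simulate_grace_timeout(0));
	return 0;
}
```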
Re: Call for testing: OpenSSH 8.9
On Wed, Feb 16, 2022 at 12:36:56PM +1100, Darren Tucker wrote:
> On Wed, 16 Feb 2022 at 00:48, chris <chris@cataclysmal.org> wrote:
> [...]
> > openssh-SNAP-20220215.tar.gz
> > Haiku R1/beta3 hrev55181+63 (x86)
> > gcc 11.2.0
> [...]
> > drop connection #1 from [127.0.0.1]:40281 on [127.0.0.1]:4242 past MaxStartups
>
> This was the symptom we saw on Solaris and derivatives, which was
> caused by the privileged sshd not being a process group leader and
> thus the grace_alarm_handler fails to clean up the unprivileged
> privsep child here:
>
> grace_alarm_handler(int sig)
> [...]
> if (getpgid(0) == getpid()) {
> ssh_signal(SIGTERM, SIG_IGN);
> kill(0, SIGTERM);
> }
>
> On Solaris this was caused by skipping the setsid() call, but that was
> removed in commit b306986, so probably there's another thing causing a
> similar symptom. Does Haiku implement the kill(0, ...) behaviour
> specified by POSIX? Does it have a killpg? Does it even have process
> groups?



headers/posix/signal.h:242:

int kill(pid_t pid, int _signal);
int killpg(pid_t processGroupID, int _signal);

Re: Call for testing: OpenSSH 8.9
On Thu, Feb 10, 2022 at 03:18:23PM +1100, Damien Miller wrote:
> Hi,
>
> OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@mindrot.org. Security bugs should be reported
> directly to openssh@openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> A near-future release of OpenSSH will switch scp(1) from using the
> legacy scp/rcp protocol to using SFTP by default.
>
> Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
> "scp host:* .") through the remote shell. This has the side effect of
> requiring double quoting of shell meta-characters in file names
> included on scp(1) command-lines, otherwise they could be interpreted
> as shell commands on the remote side.
>
> This creates one area of potential incompatibility: scp(1) when using
> the SFTP protocol no longer requires this finicky and brittle quoting,
> and attempts to use it may cause transfers to fail. We consider the
> removal of the need for double-quoting shell characters in file names
> to be a benefit and do not intend to introduce bug-compatibility for
> legacy scp/rcp in scp(1) when using the SFTP protocol.
>
> Another area of potential incompatibility relates to the use of remote
> paths relative to other user's home directories, for example -
> "scp host:~user/file /tmp". The SFTP protocol has no native way to
> expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
> support a protocol extension "expand-path@openssh.com" to support
> this.
>
> Potentially-incompatible changes
> ================================
>
> * sshd(8), portable OpenSSH only: this release removes in-built
> support for MD5-hashed passwords. If you require these on your
> system then we recommend linking against libxcrypt or similar.
>
> * This release modifies the FIDO security key middleware interface
> and increments SSH_SK_VERSION_MAJOR.
>
> Changes since OpenSSH 8.8
> =========================
>
> This release includes a number of new features.
>
> New features
> ------------
>
> * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
> restricting forwarding and use of keys added to ssh-agent(1)
> A detailed description of the feature is available at
> https://www.openssh.com/agent-restrict.html and the protocol
> extensions are documented in the PROTOCOL and PROTOCOL.agent
> files in the source release.
>
> * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
> ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
> default KEXAlgorithms list (after the ECDH methods but before the
> prime-group DH ones).
>
> * ssh-keygen(1): when downloading resident keys from a FIDO token,
> pass back the user ID that was used when the key was created and
> append it to the filename the key is written to (if it is not the
> default). Avoids keys being clobbered if the user created multiple
> resident keys with the same application string but different user
> IDs.
>
> * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
> on tokens that provide user verification (UV) on the device itself,
> including biometric keys, avoiding unnecessary PIN prompts.
>
> * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
> perform matching of principals names against an allowed signers
> file. To be used towards a TOFU model for SSH signatures in git.
>
> * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
> to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
> authentication time.
>
> * ssh-keygen(1): allow selection of hash at sshsig signing time
> (either sha512 (default) or sha256).
>
> * ssh(1), sshd(8): read network data directly to the packet input
> buffer instead of indirectly via a small stack buffer. Provides a
> modest performance improvement.
>
> * ssh(1), sshd(8): read data directly to the channel input buffer,
> providing a similar modest performance improvement.
>
> * ssh(1): extend the PubkeyAuthentication configuration directive to
> accept yes|no|unbound|host-bound to allow control over one of the
> protocol extensions used to implement agent-restricted keys.
>
> Bugfixes
> --------
>
> * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
> PubkeyAuthOptions can be used in a Match block. PR#277.
>
> * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
> exchange hashes
>
> * ssh(1): don't put the TTY into raw mode when SessionType=none,
> avoids ^C being unable to kill such a session. bz3360
>
> * scp(1): fix some corner-case bugs in SFTP-mode handling of
> ~-prefixed paths.
>
> * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
> select RSA keys when only RSA/SHA2 signature algorithms are
> configured (this is the default case). Previously RSA keys were
> not being considered in the default case.
>
> * ssh-keysign(1): make ssh-keysign use the requested signature
> algorithm and not the default for the key type. Part of unbreaking
> hostbased auth for RSA/SHA2 keys.
>
> * ssh(1): stricter UpdateHostkey signature verification logic on
> the client- side. Require RSA/SHA2 signatures for RSA hostkeys
> except when RSA/SHA1 was explicitly negotiated during initial
> KEX; bz3375
>
> * ssh(1), sshd(8): fix signature algorithm selection logic for
> UpdateHostkeys on the server side. The previous code tried to
> prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
> cases. This will use RSA/SHA2 signatures for RSA keys if the
> client proposed these algorithms in initial KEX. bz3375
>
> * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
> This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
> and sftp-server(8), as well as the sshd(8) listen loop and all
> other FD read/writability checks. On platforms with missing or
> broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
> available.
>
> * ssh-keygen(1): the "-Y find-principals" command was verifying key
> validity when using ca certs but not with simple key lifetimes
> within the allowed signers file.
>
> * ssh-keygen(1): make sshsig verify-time argument parsing optional
>
> * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
> keys (we already did this for RSA keys). Avoids fatal errors for
> PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
> "cryptoauthlib"; bz#3364
>
> * ssh(1), ssh-agent(1): improve the testing of credentials against
> inserted FIDO: ask the token whether a particular key belongs to
> it in cases where the token supports on-token user-verification
> (e.g. biometrics) rather than just assuming that it will accept it.
>
> Will reduce spurious "Confirm user presence" notifications for key
> handles that relate to FIDO keys that are not currently inserted in at
> least some cases. bz3366
>
> * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
> allow for the preceding two ECN bits. bz#3373
>
> * ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
> option.
>
> * ssh-keygen(1): fix a NULL deref when using the find-principals
> function, when matching an allowed_signers line that contains a
> namespace restriction, but no restriction specified on the
> command-line
>
> * ssh-agent(1): fix memleak in process_extension(); oss-fuzz
> issue #42719
>
> * ssh(1): suppress "Connection to xxx closed" messages when LogLevel
> is set to "error" or above. bz3378
>
> * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
> compressed packet data. bz3372
>
> * scp(1): when recursively transferring files in SFTP mode, create the
> destination directory if it doesn't already exist to match scp(1) in
> legacy RCP mode behaviour.
>
> * scp(1): many improvements in error message consistency between scp(1)
> in SFTP mode vs legacy RCP mode.
>
> * sshd(8): fix potential race in SIGTERM handling PR#289
>
> * ssh(1), ssh(8): since DSA keys are deprecated, move them to the
> end of the default list of public keys so that they will be tried
> last. PR#295
>
> * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
> wildcard principals in allowed_signers files
>
> Portability
> -----------
>
> * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
> implementation does not work in a chroot when the kernel does not
> have close_range(2). It tries to read from /proc/self/fd and when
> that fails dies with an assertion of sorts. Instead, call
> close_range(2) directly from our compat code and fall back if
> that fails. bz#3349,
>
> * OS X poll(2) is broken; use compat replacement. For character-
> special devices like /dev/null, Darwin's poll(2) returns POLLNVAL
> when polled with POLLIN. Apparently this is Apple bug 3710161 -
> not public but a websearch will find other OSS projects
> rediscovering it periodically since it was first identified in
> 2005.
>
> * Correct handling of exceptfds/POLLPRI in our select(2)-based
> poll(2)/ppoll(2) compat implementation.
>
> * Cygwin: correct checking of mbstowcs() return value.
>
> * Add a basic SECURITY.md that refers people to the openssh.com
> website.
>
> * Enable additional compiler warnings and toolchain hardening flags,
> including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
> -fzero-call-used-regs and -ftrivial-auto-var-init.
>
> * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
> is not reliable.

OpenSSH_8.8p1-snap20220216, OpenSSL 1.1.1m+quic 14 Dec 2021

Working in FreeBSD 13.0-p7

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Do they do as the Word said, or as the world said? -unknown Beware https://mindspring.com
Re: Call for testing: OpenSSH 8.9
Hi Darren,

It is OpenIndiana (Illumos kernel), with self compiled OpenSSL, MIT
Kerberos 5 and zlib.
The rest of packages are from OS.

:; uname -rosv
SunOS 5.11 illumos-da38379730 illumos

So, yes, like Solaris.
OpenSSH behaves good (already using it - although not everything is tested).

I have compiled it myself, since OS version is still using OpenSSL 1.0:
:; /usr/bin/ssh -V
OpenSSH_8.1p1, OpenSSL 1.0.2u  20 Dec 2019


Best regards.

On 15.02.2022 23:01, Darren Tucker wrote:
> On Wed, 16 Feb 2022 at 01:09, Predrag Zecevic
> <predrag.zecevic.1961@googlemail.com> wrote:
>> Tests are failing:
>> :; gmake tests
>> ...
>> In file included from /pz/SFW/include/openssl/x509.h:30,
>> from /pz/SFW/include/openssl/pem.h:17,
>> from regress/misc/sk-dummy/sk-dummy.c:48:
>> /pz/SFW/include/openssl/sha.h:56:3: error: conflicting types for
>> 'SHA256_CTX'
>> 56 | } SHA256_CTX;
>> | ^~~~~~~~~~
> What platform is that? From the paths I'm guessing a Solaris or derivative?
>

--
Predrag Zečević
predrag.zecevic.1961@googlemail.com

Re: Call for testing: OpenSSH 8.9
On Feb 11 19:54, Corinna Vinschen wrote:
> On Feb 11 22:25, Darren Tucker wrote:
> > On Fri, 11 Feb 2022 at 21:53, Corinna Vinschen <vinschen@redhat.com> wrote:
> >
> > > [...]
> > > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> > > above list of cert type offers. What explanation could that have?
> > >
> > [...]
> I've just built OpenSSH without the above flag and it builds and
> packages fine. Thanks for pointing this out! I will certainly build
> with hardening in future.
>
> I also ran the hostkey-agent test again, but yeah, hardening doesn't
> change the result. Still
>
> bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@openssh.com
>
> I'm going to run the entire testsuite now, but I don't expect any
> other problem.

I just reproduced this problem on Fedora 35. It's actually a result
of building in a dedicated build dir:

$ uname -a
Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ pwd
/src/openssh/src
$ mkdir ../build
$ cd ../build
$ ../src/configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
[...]
$ make t-exec LTESTS=hostkey-agent
[...]
run test hostkey-agent.sh ...
key type ssh-ed25519
key type ssh-rsa
key type ssh-dss
key type ecdsa-sha2-nistp256
key type ecdsa-sha2-nistp384
key type ecdsa-sha2-nistp521
cert type ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ssh-ed25519-cert-v01@openssh.com
cert type ssh-rsa-cert-v01@openssh.com
cert type rsa-sha2-256-cert-v01@openssh.com
cert type rsa-sha2-512-cert-v01@openssh.com
cert type ssh-dss-cert-v01@openssh.com
cert type ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type ecdsa-sha2-nistp384-cert-v01@openssh.com
cert type ecdsa-sha2-nistp521-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
failed hostkey agent
make[1]: *** [Makefile:221: t-exec] Error 1
make[1]: Leaving directory '/src/openssh/src/regress'
make: *** [Makefile:727: t-exec] Error 2

Now building in the source dir:

$ uname -a
Linux calimero 5.16.8-200.fc35.x86_64 #1 SMP PREEMPT Tue Feb 8 20:58:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ pwd
/src/openssh/src
$ ./configure --with-kerberos5 --with-libedit --with-xauth=/usr/bin/xauth --with-security-key-builtin
[...]
$ make t-exec LTESTS=hostkey-agent
[...]
run test hostkey-agent.sh ...
key type ssh-ed25519
key type sk-ssh-ed25519@openssh.com
key type ssh-rsa
key type ssh-dss
key type ecdsa-sha2-nistp256
key type ecdsa-sha2-nistp384
key type ecdsa-sha2-nistp521
key type sk-ecdsa-sha2-nistp256@openssh.com
cert type ssh-ed25519-cert-v01@openssh.com
cert type sk-ssh-ed25519-cert-v01@openssh.com
cert type ssh-rsa-cert-v01@openssh.com
cert type rsa-sha2-256-cert-v01@openssh.com
cert type rsa-sha2-512-cert-v01@openssh.com
cert type ssh-dss-cert-v01@openssh.com
cert type ecdsa-sha2-nistp256-cert-v01@openssh.com
cert type ecdsa-sha2-nistp384-cert-v01@openssh.com
cert type ecdsa-sha2-nistp521-cert-v01@openssh.com
cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
ok hostkey agent
make[1]: Leaving directory '/src/openssh/src/regress'
all t-exec passed

So the sk certs fail if builddir != srcdir, independent of the target.


Corinna

Re: Call for testing: OpenSSH 8.9
On Wed, 16 Feb 2022, Corinna Vinschen wrote:

> So the sk certs fail if builddir != srcdir, independent of the target.

Ah, good catch. It's probably not finding regress/misc/sk-dummy.so.
I can't recreate this on Debian, but I think (thanks to Darren) that
I have a RHish VM around somewhere and I'll try to reproduce it on
that.

-d
Re: Call for testing: OpenSSH 8.9
On Thu, 17 Feb 2022 at 12:36, Damien Miller <djm@mindrot.org> wrote:
>
> On Wed, 16 Feb 2022, Corinna Vinschen wrote:
>
> > So the sk certs fail if builddir != srcdir, independent of the target.
>
> Ah, good catch.

I second that, nice find!

> It's probably not finding regress/misc/sk-dummy.so.
> I can't recreate this on Debian, but I think (thanks to Darren) that
> I have a RHish VM around somewhere and I'll try to reproduce it on
> that.

Try starting from a clean checkout. My guess is that a previous test
run left something (maybe sk-dummy.so) in the top-level directory.
I'm using Fedora 34, but I rarely start from a clean dir.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 8.9
On Thu, 17 Feb 2022, Damien Miller wrote:

> On Wed, 16 Feb 2022, Corinna Vinschen wrote:
>
> > So the sk certs fail if builddir != srcdir, independent of the target.
>
> Ah, good catch. It's probably not finding regress/misc/sk-dummy.so.
> I can't recreate this on Debian, but I think (thanks to Darren) that
> I have a RHish VM around somewhere and I'll try to reproduce it on
> that.

I was able to recreate this on Rocky Linux, this seems to fix it:

diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 15bdd0847..358d8082e 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -576,6 +576,8 @@ elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
+elif [ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ] ; then
+ SSH_SK_PROVIDER="${OBJ}/misc/sk-dummy/sk-dummy.so"
fi
export SSH_SK_PROVIDER
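Review bot: the new `${OBJ}/misc/sk-dummy/sk-dummy.so` branch is only reached after both `${SRC}` candidates have been tried, so with builddir != srcdir a stale sk-dummy.so left in the source tree by an earlier in-tree test run (the situation suspected earlier in this thread) would still be selected over the freshly built one in `${OBJ}`; checking `[ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ]` before the two `${SRC}` paths avoids that while keeping the Debian in-tree case working, since there `${OBJ}` and `${SRC}` coincide.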


(I tried just s/SRC/OBJ/ in the second else case, but that breaks Debian)
Re: Call for testing: OpenSSH 8.9
On Thu, 17 Feb 2022 at 13:57, Damien Miller <djm@mindrot.org> wrote:
> I was able to recreate this on Rocky Linux, this seems to fix it:
>
> diff --git a/regress/test-exec.sh b/regress/test-exec.sh
> index 15bdd0847..358d8082e 100644
> --- a/regress/test-exec.sh
> +++ b/regress/test-exec.sh
> @@ -576,6 +576,8 @@ elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
> SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
> elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
> SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
> +elif [ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ] ; then
> + SSH_SK_PROVIDER="${OBJ}/misc/sk-dummy/sk-dummy.so"
> fi

To me it seems like it should look in ${SRC} last, but ok either way.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 8.9
On Thu, Feb 10, 2022 at 03:18:23PM +1100, Damien Miller wrote:

> * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
> ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
> default KEXAlgorithms list (after the ECDH methods but before the
> prime-group DH ones).

Very happy to see this, thank you! Been using the sntrup* KEMs since
2019.

I tried four machines. First 3 look good, last might need attention.

1. Debian 10 x86_64
gcc 8.3.0
./configure --without-openssl
make
(builds successfully)
make clean && ./configure && make && make tests
[...]
all tests passed


2. Amazon Linux AMI x86_64
gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
./configure && make tests
[...]
all tests passed


3. Ubuntu 18.04.6 LTS x86_64
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
./configure && make tests
[...]
all tests passed


4. Alpine Linux 3.15.0 x86_64
gcc version 10.3.1 20211027 (Alpine 10.3.1_git20211027)
./configure --without-openssl
make
(builds successfully)
make clean && ./configure
make
(builds successfully)
make tests
[...]
all file-tests passed
[...]
make[1]: Entering directory '/home/codetest/openssh/regress'
run test connect.sh ...
ssh direct connect failed
ssh proxycommand connect failed
failed simple connect
make[1]: *** [Makefile:221: t-exec] Error 1
make[1]: Leaving directory '/home/codetest/openssh/regress'
make: *** [Makefile:727: t-exec] Error 2


Nicolai
Re: Call for testing: OpenSSH 8.9
On Thu, 17 Feb 2022 at 16:21, Nicolai <nicolai-openssh@chocolatine.org> wrote:
[...]
> make[1]: Entering directory '/home/codetest/openssh/regress'
> run test connect.sh ...
> ssh direct connect failed
> ssh proxycommand connect failed
> failed simple connect

The logs in regress/failed-ssh.log and regress/failed-sshd.log should
provide some insight about what failed.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 8.9
On Feb 17 14:09, Darren Tucker wrote:
> On Thu, 17 Feb 2022 at 13:57, Damien Miller <djm@mindrot.org> wrote:
> > I was able to recreate this on Rocky Linux, this seems to fix it:
> >
> > diff --git a/regress/test-exec.sh b/regress/test-exec.sh
> > index 15bdd0847..358d8082e 100644
> > --- a/regress/test-exec.sh
> > +++ b/regress/test-exec.sh
> > @@ -576,6 +576,8 @@ elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
> > SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
> > elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
> > SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
> > +elif [ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ] ; then
> > + SSH_SK_PROVIDER="${OBJ}/misc/sk-dummy/sk-dummy.so"
> > fi

This works fine for Cygwin as well, thanks!

> To me it seems like it should look in ${SRC} last, ...

I agree with that. First builddir, then srcdir.


Thanks,
Corinna

Re: Call for testing: OpenSSH 8.9
[This mail was held back, awaiting moderator approval, because it
had the "failed-*.log" files attached, so it was too big. I am sending
it again now, just FTR, this time without the log files attached.]

On Feb 14 17:41, Damien Miller wrote:
> On Fri, 11 Feb 2022, Corinna Vinschen wrote:
>
> > On Feb 10 15:18, Damien Miller wrote:
> > > Hi,
> > >
> > > OpenSSH 8.9p1 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a bugfix release.
> >
> > Builds OOTB on Cygwin x86_64, almost all tests pass, except a single
> > test in hostkey-agent:
> >
> > -------------
> > FAIL: cert type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com failed
> > FAIL: bad SSH_CONNECTION key type sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
> > -------------
> >
> > I'm building OpenSSH exactly as if I create a distro build, using the
> > following configuration options:
> >
> > --with-libedit
> > --with-xauth=/usr/bin/xauth
> > --disable-strip
> > --without-hardening
> > --with-security-key-builtin
>
> It's passing for me with similar options (missing --with-libedit and
> --with-security-key-builtin). I'm using:

Hmm, this is puzzling...

Please note that kerberos support is built in, too. But this happens
automatically, so there's no explicit configure option.

> > CYGWIN_NT-10.0 win10pro 3.2.0(0.340/5/3) 2021-03-29 08:42 x86_64 Cygwin
>
> > debug1: kex: host key algorithm: (no match)
> > Unable to negotiate with UNKNOWN port 65535: no matching host key type found.
> > Their offer:
> > ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-
> > cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,e
> > cdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com
> > ,ecdsa-sha2-nistp521-cert-v01@openssh.com^M
> >
> > I wonder why sk-ecdsa-sha2-nistp256-cert-v01@openssh.com is not in the
> > above list of cert type offers. What explanation could that have?
>
> It looks like the server offer is missing all SK keytypes. What does
> 'grep ENABLE_SK config.h' show? If it is disabled there, then config.log
> might have clues as to why.

Looks good to me:

$ grep ENABLE_SK config.h
#define ENABLE_SK /**/
#define ENABLE_SK_INTERNAL /**/

> I'll try it again on an image with libfido2 just to rule that out, though
> AFAIK it's not in the path for any of this (we use sk-dummy.so in the
> tests).

I attached my failed-*.log files again. Curious: Despite defining
TEST_SSH_UNSAFE_PERMISSIONS=1 in the environment, the failed-sshd.log
file contains WARNING: UNPROTECTED PRIVATE KEY FILE! messages, plus
lines like these:

Unable to load host key "/home/corinna/tmp/openssh/openssh-8.9p0-1.x86_64/build/regress/agent-key.ecdsa-sha2-nistp521.pub": bad permissions

However, these are pub files, not priv files. Is it possible that
the test fails because srcdir != builddir?


Thanks,
Corinna

Re: Call for testing: OpenSSH 8.9
On Feb 17 10:20, Corinna Vinschen wrote:
> On Feb 17 14:09, Darren Tucker wrote:
> > On Thu, 17 Feb 2022 at 13:57, Damien Miller <djm@mindrot.org> wrote:
> > > I was able to recreate this on Rocky Linux, this seems to fix it:
> > >
> > > diff --git a/regress/test-exec.sh b/regress/test-exec.sh
> > > index 15bdd0847..358d8082e 100644
> > > --- a/regress/test-exec.sh
> > > +++ b/regress/test-exec.sh
> > > @@ -576,6 +576,8 @@ elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
> > > SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
> > > elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
> > > SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
> > > +elif [ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ] ; then
> > > + SSH_SK_PROVIDER="${OBJ}/misc/sk-dummy/sk-dummy.so"
> > > fi
>
> This works fine for Cygwin as well, thanks!
>
> > To me it seems like it should look in ${SRC} last, ...
>
> I agree with that. First builddir, then srcdir.

Latest master (667fec5d4fe4) plus the patchset from
https://github.com/openssh/openssh-portable/pull/302

Builds on Cygwin and Fedora 35 in a dedicated build dir,
all tests pass. Thanks!


Corinna

Re: Call for testing: OpenSSH 8.9
On Thu, Feb 17, 2022 at 04:24:45PM +1100, Darren Tucker wrote:

> The logs in regress/failed-ssh.log and regress/failed-sshd.log should
> provide some insight about what failed.

Hope this helps, and quick reminder, this is Alpine Linux 3.15.0 x86_64,
gcc version 10.3.1 20211027 (Alpine 10.3.1_git20211027). I'm not
normally a Linux user and only installed Alpine for the first time a
week ago, so I feel kind of lost on this machine. Sorry I can't be more
informative or helpful.


$ cat failed-ssh.log
trace: direct connect
Executing: /home/codetest/openssh/ssh -F /home/codetest/openssh/regress/ssh_config somehost true
debug3: ssh_connect_direct: entering
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242.
debug3: set_sock_tos: set socket 4 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/codetest/openssh/regress/ssh-ed25519 type 3
debug1: identity file /home/codetest/openssh/regress/ssh-ed25519-cert type -1
debug1: identity file /home/codetest/openssh/regress/sk-ssh-ed25519@openssh.com type 12
debug1: identity file /home/codetest/openssh/regress/sk-ssh-ed25519@openssh.com-cert type -1
debug1: identity file /home/codetest/openssh/regress/ssh-rsa type 0
debug1: identity file /home/codetest/openssh/regress/ssh-rsa-cert type -1
debug1: identity file /home/codetest/openssh/regress/ssh-dss type 1
debug1: identity file /home/codetest/openssh/regress/ssh-dss-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp256 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp256-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp384 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp384-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp521 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp521-cert type -1
debug1: identity file /home/codetest/openssh/regress/sk-ecdsa-sha2-nistp256@openssh.com type 10
debug1: identity file /home/codetest/openssh/regress/sk-ecdsa-sha2-nistp256@openssh.com-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:4242 as 'codetest'
debug1: using hostkeyalias: localhost-with-alias
debug3: record_hostkey: found key type ED25519 in file /home/codetest/openssh/regress/known_hosts:1
debug3: record_hostkey: found key type ED25519-SK in file /home/codetest/openssh/regress/known_hosts:2
debug3: record_hostkey: found key type RSA in file /home/codetest/openssh/regress/known_hosts:3
debug3: record_hostkey: found key type DSA in file /home/codetest/openssh/regress/known_hosts:4
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:6
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:7
debug3: record_hostkey: found key type ECDSA-SK in file /home/codetest/openssh/regress/known_hosts:8
debug3: load_hostkeys_file: loaded 8 keys from localhost-with-alias
debug3: record_hostkey: found key type ED25519 in file /home/codetest/openssh/regress/known_hosts:1
debug3: record_hostkey: found key type ED25519-SK in file /home/codetest/openssh/regress/known_hosts:2
debug3: record_hostkey: found key type RSA in file /home/codetest/openssh/regress/known_hosts:3
debug3: record_hostkey: found key type DSA in file /home/codetest/openssh/regress/known_hosts:4
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:6
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:7
debug3: record_hostkey: found key type ECDSA-SK in file /home/codetest/openssh/regress/known_hosts:8
debug3: load_hostkeys_file: loaded 8 keys from localhost-with-alias
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 4242: Broken pipe
FAIL: ssh direct connect failed

trace: proxy connect
Executing: /home/codetest/openssh/ssh -F /home/codetest/openssh/regress/ssh_config -o proxycommand /home/codetest/openssh/regress/netcat %h %p somehost true
debug1: Executing proxy command: exec /home/codetest/openssh/regress/netcat 127.0.0.1 4242
debug1: identity file /home/codetest/openssh/regress/ssh-ed25519 type 3
debug1: identity file /home/codetest/openssh/regress/ssh-ed25519-cert type -1
debug1: identity file /home/codetest/openssh/regress/sk-ssh-ed25519@openssh.com type 12
debug1: identity file /home/codetest/openssh/regress/sk-ssh-ed25519@openssh.com-cert type -1
debug1: identity file /home/codetest/openssh/regress/ssh-rsa type 0
debug1: identity file /home/codetest/openssh/regress/ssh-rsa-cert type -1
debug1: identity file /home/codetest/openssh/regress/ssh-dss type 1
debug1: identity file /home/codetest/openssh/regress/ssh-dss-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp256 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp256-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp384 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp384-cert type -1
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp521 type 2
debug1: identity file /home/codetest/openssh/regress/ecdsa-sha2-nistp521-cert type -1
debug1: identity file /home/codetest/openssh/regress/sk-ecdsa-sha2-nistp256@openssh.com type 10
debug1: identity file /home/codetest/openssh/regress/sk-ecdsa-sha2-nistp256@openssh.com-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug2: fd 6 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:4242 as 'codetest'
debug1: using hostkeyalias: localhost-with-alias
debug3: record_hostkey: found key type ED25519 in file /home/codetest/openssh/regress/known_hosts:1
debug3: record_hostkey: found key type ED25519-SK in file /home/codetest/openssh/regress/known_hosts:2
debug3: record_hostkey: found key type RSA in file /home/codetest/openssh/regress/known_hosts:3
debug3: record_hostkey: found key type DSA in file /home/codetest/openssh/regress/known_hosts:4
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:6
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:7
debug3: record_hostkey: found key type ECDSA-SK in file /home/codetest/openssh/regress/known_hosts:8
debug3: load_hostkeys_file: loaded 8 keys from localhost-with-alias
debug3: record_hostkey: found key type ED25519 in file /home/codetest/openssh/regress/known_hosts:1
debug3: record_hostkey: found key type ED25519-SK in file /home/codetest/openssh/regress/known_hosts:2
debug3: record_hostkey: found key type RSA in file /home/codetest/openssh/regress/known_hosts:3
debug3: record_hostkey: found key type DSA in file /home/codetest/openssh/regress/known_hosts:4
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:6
debug3: record_hostkey: found key type ECDSA in file /home/codetest/openssh/regress/known_hosts:7
debug3: record_hostkey: found key type ECDSA-SK in file /home/codetest/openssh/regress/known_hosts:8
debug3: load_hostkeys_file: loaded 8 keys from localhost-with-alias
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: Broken pipe
FAIL: ssh proxycommand connect failed



$ cat failed-sshd.log
trace: direct connect
debug3: fd 5 is not O_NONBLOCK
debug1: Forked child 13356.
debug3: send_rexec_state: entering fd = 8 config len 945
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: oom_adjust_restore
debug1: Set /proc/self/oom_score_adj to 0
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 127.0.0.1 port 46506 on 127.0.0.1 port 4242
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing rlimit sandbox
debug2: Network child is on pid 13357
debug3: preauth child monitor started
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
ssh_dispatch_run_fatal: Connection from 127.0.0.1 port 46506: Invalid argument [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: Killing privsep child 13357
FAIL: ssh direct connect failed

trace: proxy connect
debug3: fd 5 is not O_NONBLOCK
debug1: Forked child 13366.
debug3: send_rexec_state: entering fd = 8 config len 945
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: oom_adjust_restore
debug1: Set /proc/self/oom_score_adj to 0
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 127.0.0.1 port 46508 on 127.0.0.1 port 4242
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing rlimit sandbox
debug2: Network child is on pid 13367
debug3: preauth child monitor started
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
ssh_dispatch_run_fatal: Connection from 127.0.0.1 port 46508: Invalid argument [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: Killing privsep child 13367
FAIL: ssh proxycommand connect failed

Re: Call for testing: OpenSSH 8.9
On Thu, 17 Feb 2022, Nicolai wrote:

> On Thu, Feb 17, 2022 at 04:24:45PM +1100, Darren Tucker wrote:
>
> > The logs in regress/failed-ssh.log and regress/failed-sshd.log should
> > provide some insight about what failed.
>
> Hope this helps, and quick reminder, this is Alpine Linux 3.15.0 x86_64,
> gcc version 10.3.1 20211027 (Alpine 10.3.1_git20211027). I'm not
> normally a Linux user and only installed Alpine for the first time a
> week ago, so I feel kind of lost on this machine. Sorry I can't be more
> informative or helpful.

[...]

> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 4242: Broken pipe

I'm guessing this is a seccomp sandbox violation. Unfortunately debugging
these can be a bit tricky. There are some instructions at the top of
sandbox-seccomp.c if you want to give it a try but unfortunately they
need some handholding because some change between glibc and the Linux
kernel headers causes them to fail on some systems.

Darren, is there any chance of making an Alpine VM to test against?

-d

Re: Call for testing: OpenSSH 8.9
On Fri, 18 Feb 2022, Damien Miller wrote:

> need some handholding because some change between glibc and the Linux

Perhaps somewhat importantly, Alpine Linux uses musl-libc by dalias
instead of the GNU moloch.

bye,
//mirabilos
--
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font. -- Rob Pike in "Notes on Programming in C"

Re: Call for testing: OpenSSH 8.9
On Fri, 18 Feb 2022, Damien Miller wrote:

> Darren, is there any chance of making an Alpine VM to test against?

If it helps, I can reproduce this on Debian, with musl-tools installed.

$ CC=musl-gcc mksh configure --without-openssl --without-zlib
$ make tests
[…]
make[1]: Entering directory '/tmp/openssh/regress'
/tmp/openssh/ssh-keygen -if /tmp/openssh/regress/rsa_ssh2.prv | diff - /tmp/openssh/regress/rsa_openssh.prv
key conversion disabled at compile time
0a1,15
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
make[1]: *** [Makefile:149: t1] Error 1
make[1]: Leaving directory '/tmp/openssh/regress'
make: *** [Makefile:727: file-tests] Error 2

At this point, it’s built, and it appears that…

$ make t-exec

… runs the precise test that failed for the OP.

(Why the configure script doesn’t configure the tests so
they run only those that can actually be run without OpenSSL
is beyond me…)

The reason for disabling OpenSSL and libz is that you’d need
versions of them built against musl-libc which isn’t normally
available on glibc-using Debian.

musl is… very opinionated. Its <sys/poll.h> contains a very
annoying #warning (because POSIX has <poll.h> instead) which
I suggest to sudoedit away first.

bye,
//mirabilos
--
15:41?<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-)

Re: Call for testing: OpenSSH 8.9
On Fri, 18 Feb 2022, Damien Miller wrote:

> these can be a bit tricky. There are some instructions at the top of
> sandbox-seccomp.c if you want to give it a try but unfortunately the

In musl libc, you also have to comment out the…

# include <asm/siginfo.h>

… because such a header is not shipped with it. The compilation works
without, though.

Unfortunately, dalias is very strictly against making it possible to
detect musl at compile time, so wrapping it in #ifdef __GLIBC__ or so.

There are none of the expected messages though :/

But perhaps this strace snippet helps:

write(2, "debug1: inetd sockets after dupp"..., 43debug1: inetd sockets after dupping: 3, 3
) = 43
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
rt_sigaction(SIGALRM, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7476566000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7476565000
getpeername(3, {sa_family=AF_INET, sin_port=htons(45850), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getpeername(3, {sa_family=AF_INET, sin_port=htons(45850), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getpeername(3, {sa_family=AF_INET, sin_port=htons(45850), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getsockopt(3, SOL_IP, IP_OPTIONS, 0x7ffddb068c90, [200->0]) = 0
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
getpid() = 6833
write(2, "Connection from 127.0.0.1 port 4"..., 61Connection from 127.0.0.1 port 45850 on 127.0.0.1 port 4242
) = 61
rt_sigprocmask(SIG_UNBLOCK, [RT_1 RT_2], NULL, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=0x55f8c5084f80, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER, sa_restorer=0x7f74765eea48}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1 RT_2], sa_flags=SA_RESTORER, sa_restorer=0x7f74765eea48}, 8) = 0
write(3, "SSH-2.0-OpenSSH_8.8\r\n", 21) = 21
getpid() = 6833
write(2, "debug1: Local version string SSH"..., 50debug1: Local version string SSH-2.0-OpenSSH_8.8
) = 50
read(3, "S", 1) = 1
read(3, "S", 1) = 1
read(3, "H", 1) = 1
read(3, "-", 1) = 1
read(3, "2", 1) = 1
read(3, ".", 1) = 1
read(3, "0", 1) = 1
read(3, "-", 1) = 1
read(3, "O", 1) = 1
read(3, "p", 1) = 1
read(3, "e", 1) = 1
read(3, "n", 1) = 1
read(3, "S", 1) = 1
read(3, "S", 1) = 1
read(3, "H", 1) = 1
read(3, "_", 1) = 1
read(3, "8", 1) = 1
read(3, ".", 1) = 1
read(3, "8", 1) = 1
read(3, "\r", 1) = 1
read(3, "\n", 1) = 1
getpid() = 6833
write(2, "debug1: Remote protocol version "..., 74debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
) = 74
getpid() = 6833
write(2, "debug1: compat_banner: match: Op"..., 74debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
) = 74
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
getpid() = 6833
write(2, "debug2: fd 3 setting O_NONBLOCK\r"..., 33debug2: fd 3 setting O_NONBLOCK
) = 33
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK|O_LARGEFILE) = 0
socketpair(AF_UNIX, SOCK_STREAM, 0, [4, 5]) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
pipe([6, 7]) = 0
fcntl(6, F_SETFD, FD_CLOEXEC) = 0
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
getpid() = 6833
write(2, "debug3: ssh_sandbox_init: prepar"..., 52debug3: ssh_sandbox_init: preparing rlimit sandbox
) = 52
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1 RT_2], 8) = 0
fork() = 6837
rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1 RT_2], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
getpid() = 6833
write(2, "debug2: Network child is on pid "..., 38debug2: Network child is on pid 6837
) = 38
getpid() = 6833
write(2, "debug3: preauth child monitor st"..., 39debug3: preauth child monitor started
) = 39
close(4) = 0
close(7) = 0
poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1strace: Process 6837 attached
<unfinished ...>
[pid 6837] gettid() = 6837
[pid 6837] rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1 RT_2], NULL, 8) = 0
[pid 6837] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 6837] close(5) = 0
[pid 6837] close(6) = 0
[pid 6837] getrandom("\x85\x8b\x44\xc8\x9b\xc6\x2e\x9f\xcd\x23\x8d\xb5\xb2\xd1\x34\x6a\x49\x21\x1b\x01\x68\xb0\xff\x27\xc2\x99\x9b\xfd\x10\xb1\x88\xcc"..., 40, 0) = 40
[pid 6837] getpid() = 6837
[pid 6837] getrandom("\x79\xb0\x34\x61\x78\x74\xdb\x57\x6f\xda\x0e\x03\xf2\xc1\x20\xf6\x25\x43\xaa\x37\x01\x3e\xd4\x7b\xbe\x9b\xd9\xee\x18\x30\x2e\x9e"..., 40, 0) = 40
[pid 6837] munmap(0x7f747656e000, 20480) = 0
[pid 6837] munmap(0x7f7476569000, 20480) = 0
[pid 6837] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=0, rlim_max=0}, NULL) = 0
[pid 6837] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=0, rlim_max=0}, NULL) = 0
[pid 6837] prlimit64(0, RLIMIT_NPROC, {rlim_cur=0, rlim_max=0}, NULL) = 0
[pid 6837] getpid() = 6837
[pid 6837] write(7, "\0\0\0F\0\0\0\5\0\0\0\0\0\0\0:list_hostkey_typ"..., 74 <unfinished ...>
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLIN}])
[pid 6837] <... write resumed>) = 74
[pid 6833] read(6, <unfinished ...>
[pid 6837] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid 6833] <... read resumed>"\0\0\0F", 4) = 4
[pid 6837] <... mmap resumed>) = 0x7f7476572000
[pid 6833] read(6, "\0\0\0\5\0\0\0\0\0\0\0:list_hostkey_types: "..., 70) = 70
[pid 6837] getpid( <unfinished ...>
[pid 6833] write(2, "debug1: list_hostkey_types: ssh-"..., 78 <unfinished ...>
[pid 6837] <... getpid resumed>) = 6837
debug1: list_hostkey_types: ssh-ed25519,sk-ssh-ed25519@openssh.com [preauth]
[pid 6833] <... write resumed>) = 78
[pid 6837] getpid( <unfinished ...>
[pid 6833] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1 <unfinished ...>
[pid 6837] <... getpid resumed>) = 6837
[pid 6837] write(7, "\0\0\0 \0\0\0\7\0\0\0\0\0\0\0\24send packet: typ"..., 36 <unfinished ...>
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLIN}])
[pid 6837] <... write resumed>) = 36
[pid 6833] read(6, <unfinished ...>
[pid 6837] getpid( <unfinished ...>
[pid 6833] <... read resumed>"\0\0\0 ", 4) = 4
[pid 6837] <... getpid resumed>) = 6837
[pid 6833] read(6, <unfinished ...>
[pid 6837] write(7, "\0\0\0!\0\0\0\5\0\0\0\0\0\0\0\25SSH2_MSG_KEXINIT"..., 37 <unfinished ...>
[pid 6833] <... read resumed>"\0\0\0\7\0\0\0\0\0\0\0\24send packet: type 20", 32) = 32
[pid 6837] <... write resumed>) = 37
[pid 6833] write(2, "debug3: send packet: type 20 [pr"..., 40 <unfinished ...>
debug3: send packet: type 20 [preauth]
[pid 6837] write(3, "\0\0\2\354\10\24\352\345t\306\f\335\217l1\f\227\252\353\vf\337\0\0\0Qcurve2"..., 752 <unfinished ...>
[pid 6833] <... write resumed>) = 40
[pid 6833] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1 <unfinished ...>
[pid 6837] <... write resumed>) = 752
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLIN}])
[pid 6833] read(6, "\0\0\0!", 4) = 4
[pid 6833] read(6, "\0\0\0\5\0\0\0\0\0\0\0\25SSH2_MSG_KEXINIT sen"..., 33) = 33
[pid 6833] write(2, "debug1: SSH2_MSG_KEXINIT sent [p"..., 41debug1: SSH2_MSG_KEXINIT sent [preauth]
) = 41
[pid 6833] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1 <unfinished ...>
[pid 6837] ppoll([{fd=3, events=POLLIN}], 1, NULL, NULL, 8) = -1 EINVAL (Invalid argument)
[pid 6837] getpid() = 6837
[pid 6837] write(7, "\0\0\0Z\0\0\0\3\0\0\0\0\0\0\0Nssh_dispatch_run"..., 94 <unfinished ...>
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLIN}])
[pid 6837] <... write resumed>) = 94
[pid 6833] read(6, "\0\0\0Z", 4) = 4
[pid 6833] read(6, "\0\0\0\3\0\0\0\0\0\0\0Nssh_dispatch_run_fat"..., 90) = 90
[pid 6833] write(2, "ssh_dispatch_run_fatal: Connecti"..., 90ssh_dispatch_run_fatal: Connection from 127.0.0.1 port 45850: Invalid argument [preauth]
) = 90
[pid 6833] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1 <unfinished ...>
[pid 6837] getpid() = 6837
[pid 6837] write(7, "\0\0\0\26\0\0\0\5\0\0\0\0\0\0\0\ndo_cleanup", 26 <unfinished ...>
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLIN}])
[pid 6837] <... write resumed>) = 26
[pid 6833] read(6, "\0\0\0\26", 4) = 4
[pid 6833] read(6, "\0\0\0\5\0\0\0\0\0\0\0\ndo_cleanup", 22) = 22
[pid 6833] write(2, "debug1: do_cleanup [preauth]\r\n", 30debug1: do_cleanup [preauth]
) = 30
[pid 6833] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1 <unfinished ...>
[pid 6837] exit_group(255) = ?
[pid 6833] <... poll resumed>) = 1 ([{fd=6, revents=POLLHUP}])
[pid 6837] +++ exited with 255 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6837, si_uid=1000, si_status=255, si_utime=0, si_stime=0} ---
read(6, "", 4) = 0
getpid() = 6833
write(2, "debug1: monitor_read_log: child "..., 47debug1: monitor_read_log: child log fd closed
) = 47
close(6) = 0
poll([{fd=5, events=POLLIN}], 1, -1) = 1 ([{fd=5, revents=POLLIN|POLLHUP}])
getpid() = 6833
write(2, "debug3: mm_request_receive: ente"..., 38debug3: mm_request_receive: entering
) = 38
read(5, "", 4) = 0
getpid() = 6833
write(2, "debug1: do_cleanup\r\n", 20debug1: do_cleanup
) = 20
getpid() = 6833
write(2, "debug1: Killing privsep child 68"..., 36debug1: Killing privsep child 6837
) = 36
kill(6837, SIGKILL) = 0
exit_group(255) = ?
+++ exited with 255 +++


bye,
//mirabilos
--
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database” (#nosec) ??? Please let MySQL and MariaDB finally die!
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Call for testing: OpenSSH 8.9 [ In reply to ]
Thorsten Glaser wrote in
<b4e3532-3fef-472-9b92-e59b0a1afad@tarent.de>:
|On Fri, 18 Feb 2022, Damien Miller wrote:
|> these can be a bit tricky. There are some instructions at the top of
|> sandbox-seccomp.c if you want to give it a try but unfortunately the
|
|In musl libc, you also have to comment out the…
|
| # include <asm/siginfo.h>
|
|… because such a header is not shipped with it. The compilation works
|without, though.
|
|Unfortunately, dalias is very strictly against making it possible to
|detect musl at compile time, so wrapping it in #ifdef __GLIBC__ or so.

The TinyC compiler tcc does

#?0|kent:tcc.git$ git grep -i musl master
...
master:configure: --config-uClibc,-musl,-mingw32... enable system specific configurations
master:configure: if test -f "/lib/ld-musl-$cpu.so.1"; then
master:configure: echo "Perhaps you want ./configure --config-musl"
...

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Re: Call for testing: OpenSSH 8.9 [ In reply to ]
On Fri, 18 Feb 2022, Steffen Nurpmeso wrote:

> The TinyC compiler tcc does
>
> #?0|kent:tcc.git$ git grep -i musl master
> ...
> master:configure: --config-uClibc,-musl,-mingw32... enable system specific configurations
> master:configure: if test -f "/lib/ld-musl-$cpu.so.1"; then
> master:configure: echo "Perhaps you want ./configure --config-musl"

Ouch, completely bogus.

I’ve found one reliable way to detect musl at configure time,
at least for the last couple of years of their releases.

Compile and link a hello-world program, then check whether the
binary contains MUSL_LOCPATH as string.

I’ve managed to not need to rely on that. I believe it’s obvious
why I’m trying to. I *did* find something recently that would
have benefited from musl detection, but it’s just avoiding a bug
in old musl versions, so I’m leaving that to the packager and
documenting it. (The testsuite also catches it so I’m now urging
people even more to run it.)

bye,
//mirabilos
--
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font. -- Rob Pike in "Notes on Programming in C"
Re: Call for testing: OpenSSH 8.9 [ In reply to ]
On Fri, Feb 18, 2022 at 12:23:35AM +0100, Thorsten Glaser wrote:
> On Fri, 18 Feb 2022, Damien Miller wrote:
>
> > Darren, is there any chance of making an Alpine VM to test against?
>
> If it helps, I can reproduce this on Debian, with musl-tools installed.

Thanks, that does help. I'll add that to the github CI test configs.

Looks like it's actually poll vs select.

$ autoreconf
$ CC=musl-gcc ./configure --without-openssl --without-zlib --with-cflags=-DBROKEN_POLL

with this patch passes. Might be the pfd.fd=-1 for marking FDs as
unused that's causing it to fail?

[...]

> (Why the configure script doesn't configure the tests so
> they run only those that can actually be run without OpenSSL
> is beyond me???)

Both those tests and the Makefile predate --without-openssl by a
considerable time. Right now regress/Makefile is not processed by
configure and changing that never made it to the top of a to-do list.

diff --git a/configure.ac b/configure.ac
index a22eb444..eb2872c6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -456,6 +456,7 @@ AC_CHECK_HEADERS([ \
sys/mman.h \
sys/label.h \
sys/ndir.h \
+ sys/param.h \
sys/poll.h \
sys/prctl.h \
sys/procctl.h \
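Review bot: nothing in this hunk or in the message says what sys/param.h is needed for, so the check reads as unmotivated; state in the commit message (or next to the consumer in bsd-poll.c) which macro the select()-based poll emulation takes from it, otherwise a later cleanup of "unused" header checks will drop it again. Placement between sys/ndir.h and sys/poll.h keeps the list alphabetical, which is fine.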
diff --git a/openbsd-compat/bsd-poll.c b/openbsd-compat/bsd-poll.c
index f8b427fc..781ee978 100644
--- a/openbsd-compat/bsd-poll.c
+++ b/openbsd-compat/bsd-poll.c
@@ -19,6 +19,9 @@

#include <sys/types.h>
#include <sys/time.h>
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
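Review bot: the include is guarded correctly, but the file gives no hint why sys/param.h is wanted here; a one-line comment naming the macro it supplies (e.g. `#ifdef HAVE_SYS_PARAM_H /* for ... */`) would keep someone from removing it as unused. Note also that HAVE_SYS_PARAM_H only exists once the configure.ac hunk above is applied, so this hunk is a silent no-op on its own; the two belong in one commit.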
diff --git a/openbsd-compat/bsd-poll.h b/openbsd-compat/bsd-poll.h
index fb99b66f..586647ee 100644
--- a/openbsd-compat/bsd-poll.h
+++ b/openbsd-compat/bsd-poll.h
@@ -33,8 +33,7 @@
#include <sys/types.h>
#ifdef HAVE_POLL_H
# include <poll.h>
-#endif
-#ifdef HAVE_SYS_POLL_H
+#elif HAVE_SYS_POLL_H
# include <sys/poll.h>
#endif

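Review bot: `#elif HAVE_SYS_POLL_H` tests the macro's value while the branch above uses `#ifdef HAVE_POLL_H`; write it as `#elif defined(HAVE_SYS_POLL_H)` so both branches use the same test and the line does not warn under -Wundef when the macro is undefined. The behavioural change also deserves a sentence in the commit message: previously both poll.h and sys/poll.h could be included, now only the first one found is, which is presumably the point on a libc whose sys/poll.h is only a compatibility shim for poll.h.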

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
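A small probe for the hypothesis in the message above, that pollfd entries marked unused with fd = -1 are what the libc rejects. This is an added example, not OpenSSH code: it calls poll() rather than the ppoll() seen in the strace, uses a timeout of -1 where the strace shows a NULL timespec, and the pipe, slot count, function name and return codes are the example's own choices. Case (a) reproduces the call shape from the strace (one fd, infinite timeout); case (b) adds fd = -1 slots ahead of the live descriptor, which a conforming poll() must ignore.

```c
/* poll_probe.c -- added example, not OpenSSH code.
 * Checks whether the host poll() (a) accepts the call shape seen in the
 * strace above, one fd and an infinite timeout, and (b) ignores pollfd
 * entries marked unused with fd = -1, as POSIX requires. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_SLOTS 8   /* example's own bound on the pollfd array */

/*
 * Poll one readable pipe end plus n_unused entries with fd = -1.
 * The pipe is written to beforehand, so a conforming poll() returns 1,
 * reports POLLIN on the pipe entry only and leaves revents of the
 * fd = -1 entries at 0.
 *
 * Return value:  1 conforming
 *                0 poll() succeeded but reported something else
 *               -1 poll() failed; its errno is stored in *perr
 *               -2 setup failure (bad n_unused, pipe() or write())
 */
int probe_poll_unused_slots(int n_unused, int timeout_ms, int *perr)
{
    struct pollfd pfd[MAX_SLOTS];
    int p[2], i, r, rc;

    if (perr != NULL)
        *perr = 0;
    if (n_unused < 0 || n_unused >= MAX_SLOTS)
        return -2;
    if (pipe(p) == -1)
        return -2;
    if (write(p[1], "x", 1) != 1) {
        close(p[0]);
        close(p[1]);
        return -2;
    }

    memset(pfd, 0, sizeof(pfd));
    /* Unused slots go first, so an implementation that rejects a
     * negative fd up front fails whatever the slot order. */
    for (i = 0; i < n_unused; i++) {
        pfd[i].fd = -1;
        pfd[i].events = POLLIN;
    }
    pfd[n_unused].fd = p[0];
    pfd[n_unused].events = POLLIN;

    r = poll(pfd, (nfds_t)(n_unused + 1), timeout_ms);
    if (r == -1) {
        /* capture errno before close() can clobber it */
        if (perr != NULL)
            *perr = errno;
        rc = -1;
    } else {
        rc = (r == 1 && (pfd[n_unused].revents & POLLIN)) ? 1 : 0;
        for (i = 0; i < n_unused; i++)
            if (pfd[i].revents != 0)
                rc = 0;
    }
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    int err, r;

    /* (a) the shape from the strace: one fd, no timeout */
    r = probe_poll_unused_slots(0, -1, &err);
    printf("single fd, infinite timeout: %d%s%s\n", r,
        r == -1 ? ", poll() errno: " : "", r == -1 ? strerror(err) : "");

    /* (b) two fd = -1 slots ahead of the live fd */
    r = probe_poll_unused_slots(2, 1000, &err);
    printf("two unused fd=-1 slots:      %d%s%s\n", r,
        r == -1 ? ", poll() errno: " : "", r == -1 ? strerror(err) : "");
    return 0;
}
```

Build with `cc -o poll_probe poll_probe.c` and run it under the libc in question (for musl, `CC=musl-gcc` as in the configure line above). A -1 with EINVAL in case (a) reproduces the strace failure without any fd = -1 slot involved, which would point away from the unused-slot hypothesis; a -1 only in case (b) supports it; two 1s mean this libc's poll() is fine and the EINVAL comes from elsewhere, e.g. the ppoll() path.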
Re: Call for testing: OpenSSH 8.9 [ In reply to ]
On Fri, 18 Feb 2022 at 09:53, Damien Miller <djm@mindrot.org> wrote:
> Darren, is there any chance of making an Alpine VM to test against?

That would be easy enough, but based on the repro case from Thorsten I
think we'd get sufficient test coverage by adding a MUSL test to the
github CI (which I'll do).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.