Call for testing: openssh-9.1
Hi,

OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@mindrot.org. Security bugs should be reported
directly to openssh@openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
--------------------------------

* The portable OpenSSH project now signs commits and release tags
using git's recent SSH signature support. The list of developer
signing keys is included in the repository as .git_allowed_signers
and is cross-signed using the PGP key that is still used to sign
release artifacts:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438

* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.

New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).

ssh(1) will terminate a connection if the server offers an RSA key
that falls below this limit, as the SSH protocol does not include
the ability to retry a failed key exchange.

* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.

* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.

* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.

* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYYYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.

Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468

* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"

* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private key is hosted in an agent; bz3429

Bugfixes
--------

* ssh-keygen(1): implement the "verify-required" certificate option.
This was already documented when support for user-verified FIDO
keys was added, but the ssh-keygen(1) code was missing.

* ssh-agent(1): hook up the restrict_websafe command-line flag;
previously the flag was accepted but never actually used.

* sftp(1): improve filename tab completions: never try to complete
names to non-existent commands, and better match the completion
type (local or remote filename) against the argument position
being completed.

* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
handling, especially relating to keys that request
user-verification. These should reduce the number of unnecessary
PIN prompts for keys that support intrinsic user verification.
GHPR302, GHPR329

* ssh-keygen(1): when enrolling a FIDO resident key, check if a
credential with matching application and user ID strings already
exists and, if so, prompt the user for confirmation before
overwriting the credential. GHPR329

* sshd(8): improve logging of errors when opening authorized_keys
files. bz2042

* ssh(1): avoid multiplexing operations that could cause SIGPIPE from
causing the client to exit early. bz3454

* ssh_config(5), sshd_config(5): clarify that the RekeyLimit
directive applies to both transmitted and received data. GHPR328

* ssh-keygen(1): avoid double fclose() in error path.

* sshd(8): log an error if pipe() fails while accepting a
connection. bz3447

* ssh(1), ssh-keygen(1): fix possible NULL deref when built without
FIDO support. bz3443

* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
GHPR294.

* sshd(8): ensure that authentication passwords are cleared from
memory in error paths. GHPR286

* ssh(1), ssh-agent(1): avoid possibility of notifier code executing
kill(-1). GHPR286

* ssh_config(5): note that the ProxyJump directive also accepts the
same tokens as ProxyCommand. GHPR305.

* scp(1): do not ftruncate(3) files early when in sftp mode. The
previous behaviour of unconditionally truncating the destination
file would cause "scp ~/foo localhost:foo" and the reverse
"scp localhost:foo ~/foo" to delete all the contents of their
destination. bz3431

* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
unable to load a private key; bz3429

* sftp(1), scp(1): when performing operations that glob(3) a remote
path, ensure that the implicit working directory used to construct
that path escapes glob(3) characters. This prevents glob characters
from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
"get *.txt" should have the get operation treat the path "/tmp/a*"
literally and not attempt to expand it.

* ssh(1), sshd(8): be stricter in which characters will be accepted
in specifying a mask length; allow only 0-9. GHPR278

* ssh-keygen(1): avoid printing hash algorithm twice when dumping a
KRL

* ssh(1), sshd(8): continue running local I/O for open channels
during SSH transport rekeying. This should make ~-escapes work in
the client (e.g. to exit) if the connection happened to have
stalled during a rekey event.

* ssh(1), sshd(8): avoid potential poll() spin during rekeying

* Further hardening for sshbuf internals: disallow "reparenting" a
hierarchical sshbuf and zero the entire buffer if reallocation
fails. GHPR287

Portability
-----------

* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in
FIDO security key support if libfido2 is found and usable, unless
--without-security-key-builtin was requested.

* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
FIDO device usable on Cygwin. The windows://hello FIDO device will
be automatically used by default on this platform unless requested
otherwise, or when probing resident FIDO credentials (an operation
not currently supported by WinHello).

* Portable OpenSSH: remove workarounds for obsolete and unsupported
versions of OpenSSL libcrypto. In particular, this release removes
fallback support for OpenSSL that lacks AES-CTR or AES-GCM.

Those AES cipher modes were added to OpenSSL prior to the minimum
version currently supported by OpenSSH, so this is not expected to
impact any currently supported configurations.

* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc

* All: resync and clean up internal CSPRNG code.

* scp(1), sftp(1), sftp-server(8): avoid linking these programs with
unnecessary libraries. They are no longer linked against libz and
libcrypto. This may be of benefit to space constrained systems
using any of those components in isolation.

* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
architectures.

* configure: remove special casing of crypt(). configure will no
longer search for crypt() in libcrypto, as it was removed from
there years ago. configure will now only search libc and libcrypt.

* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its
RSA implementation (CVE-2022-2274) on x86_64.

* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322

* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes
required by the XMSS code on some platforms.

* sshd(8): cache timezone data in capsicum sandbox.

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
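
The 'Z'-suffix and hex seconds-since-epoch forms described in the notes above, worked as an added Python illustration of the parsing rules (this is not ssh-keygen's code; the function names, the local_tz parameter and the AEST zone are this example's own assumptions):

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Tuple

# Absolute forms from the release note: YYYYMMDD, YYYYMMDDHHMM or
# YYYYMMDDHHMMSS, each optionally suffixed with 'Z' (meaning UTC).
_ABSOLUTE_RE = re.compile(r"^(\d{8})(\d{4}(\d{2})?)?(Z?)$")
_FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

# Constructed example zone (UTC+10) used to show how the same digits land on
# a different instant when no 'Z' suffix is given.
AEST = timezone(timedelta(hours=10))


def parse_time_spec(spec: str, local_tz: Optional[tzinfo] = None) -> int:
    """Return seconds since the epoch for one endpoint of a validity interval.

    Without a trailing 'Z' the digits are read in local_tz (the system zone
    when local_tz is None); with 'Z' they are read as UTC. A "0x" prefix is
    the raw hex seconds-since-epoch form (e.g. -V 0x1234:0x4567890).
    The function name and the local_tz parameter are this example's own.
    """
    if spec[:2].lower() == "0x":
        return int(spec, 16)               # int() validates the hex digits
    m = _ABSOLUTE_RE.match(spec)
    if m is None:
        raise ValueError(f"unrecognised time specification: {spec!r}")
    digits = spec[:-1] if m.group(4) else spec
    # strptime also range-checks month, day, hour, minute and second.
    naive = datetime.strptime(digits, _FORMATS[len(digits)])
    if m.group(4):
        aware = naive.replace(tzinfo=timezone.utc)
    elif local_tz is not None:
        aware = naive.replace(tzinfo=local_tz)
    else:
        aware = naive.astimezone()         # naive datetime is taken as system local time
    return int(aware.timestamp())


def parse_validity_interval(interval: str,
                            local_tz: Optional[tzinfo] = None) -> Tuple[int, int]:
    """Parse a "from:to" interval as given to ssh-keygen -V into epoch seconds."""
    if interval.count(":") != 1:
        raise ValueError("validity interval must have the form from:to")
    start_spec, end_spec = interval.split(":")
    start = parse_time_spec(start_spec, local_tz)
    end = parse_time_spec(end_spec, local_tz)
    if end <= start:
        raise ValueError("validity interval end must be later than its start")
    return start, end


def is_valid_time_spec(spec: str, local_tz: Optional[tzinfo] = None) -> bool:
    """True when spec parses under the rules above; used to reject malformed input."""
    try:
        parse_time_spec(spec, local_tz)
        return True
    except ValueError:
        return False


def is_within(interval: str, when: int, local_tz: Optional[tzinfo] = None) -> bool:
    """Report whether epoch time `when` falls inside the interval (end exclusive)."""
    start, end = parse_validity_interval(interval, local_tz)
    return start <= when < end


if __name__ == "__main__":
    # Same digits, two instants: the 'Z' form is midnight UTC, the bare form is
    # midnight in the supplied zone, ten hours earlier on the UTC clock.
    print(parse_time_spec("20220928Z"), parse_time_spec("20220928", AEST))
    print(parse_validity_interval("0x1234:0x4567890"))
```
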
Re: Call for testing: openssh-9.1
Hi Damien,

I want to report success on OpenIndiana OS:

:; ssh -V
OpenSSH_9.1p1-snap20220928, OpenSSL 1.1.1q  5 Jul 2022

Compiled with GCC 10 (with custom OpenSSL and MIT Kerberos-5 compilation)
Tested server and client (briefly, for functionality I am used to using on
everyday tasks) -- all works fine...

Thanks and regards

On 28.09.2022 02:03, Damien Miller wrote:
> [...]

--
Predrag Zečević
predrag.zecevic.1961@googlemail.com

RE: Call for testing: openssh-9.1
Damien Miller on Tuesday, September 27, 2022 8:04 PM wrote:
>Hi,
>OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release.
>Snapshot releases for portable OpenSSH are available from >https://urldefense.com/v3/__http://www.mindrot.org/openssh_snap/__;!!OToaGQ!pwFIR7u2kD0yMvH4QSV6dVI5vt82UjRpT1pGOxKJGVsNa6vRX_BB6jBgXDoret_XwsttY6pXM0yK9Hw$
><skip>
><skip>
>Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply:
> ./configure && make tests
>Live testing on suitable non-production systems is also appreciated.
>Please send reports of success or failure to openssh-unix-dev@mindrot.org. Security bugs should be reported directly to openssh@openssh.com.
><skip>
>

AIX 7.1 TL5 SP9

For a number of releases since the introduction of OpenSSH ver. 8, AIX has been experiencing a problem configuring OpenSSH with static OpenSSL libs ver. 1.1.1.(x).
The "configure" command finishes with error:
./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --without-openssl-header-check --with-cflags=-q64 --with-ldflags=-q64
<skip>
...
checking whether snprintf can declare const char *fmt... yes
checking if getaddrinfo seems to work... yes
checking whether AI_NUMERICSERV is declared... yes
checking if SA_RESTARTed signals interrupt select()... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
configure: error: *** working libcrypto not found, check config.log

The remedy is to add the
--with-libs=-lpthread
argument to the "configure" command.

It is not clear how "libpthread" affects the "configure" command's ability to locate "libcrypto". It is all related to the initial env config.

It looks like the "configure" output is somewhat misleading: it displays the error with "libcrypto" while in fact "config.log" contains lines with ".pthread" errors just before the "libcrypto" error (could it be a 'side' effect of ".pthread" symbols not being found?).

Additional info:
cc -qlanglvl=extc99 supports C99-style variadic macros... yes
cc option to enable C99 features... -qlanglvl=extc99
system type... powerpc-ibm-aix7.1.5.0
run the C preprocessor... cc -qlanglvl=extc99 -E

"config.log" contains the following errors:
================================================================
| /* Override any GCC internal prototype to avoid an error.
| Use char because int might match the return type of a GCC
| builtin and then its argument prototype would still apply. */
| char daemon ();
| int
| main (void)
| {
| return daemon ();
| ;
| return 0;
| }
configure:14478: result: no
configure:14490: checking for getpagesize
configure:14490: result: yes
configure:14544: checking whether snprintf correctly terminates long strings
configure:14570: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14570: $? = 0
configure:14570: ./conftest
configure:14570: $? = 0
configure:14572: result: yes
configure:14592: checking whether snprintf understands %zu
configure:14621: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14621: $? = 0
configure:14621: ./conftest
configure:14621: $? = 0
configure:14623: result: yes
configure:14643: checking whether vsnprintf returns correct values on overflow
configure:14684: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:14684: $? = 0
configure:14684: ./conftest
configure:14684: $? = 0
configure:14686: result: yes
configure:14708: checking whether snprintf can declare const char *fmt
configure:14726: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:14726: $? = 0
configure:14728: result: yes
configure:14944: checking if getaddrinfo seems to work
configure:15004: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15004: $? = 0
configure:15004: ./conftest
configure:15004: $? = 0
configure:15007: result: yes
configure:15028: checking whether AI_NUMERICSERV is declared
configure:15028: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:15028: $? = 0
configure:15028: result: yes
configure:15132: checking if SA_RESTARTed signals interrupt select()
configure:15181: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15181: $? = 0
configure:15181: ./conftest
configure:15181: $? = 0
configure:15183: result: yes
configure:15200: checking for getpgrp
configure:15200: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/zlib/include -L/usr/local/zlib/lib -q64 conftest.c >&5
configure:15200: $? = 0
configure:15200: result: yes
configure:15205: checking if getpgrp accepts zero args
configure:15218: cc -qlanglvl=extc99 -c -g -q64 -I/usr/local/zlib/include conftest.c >&5
configure:15218: $? = 0
configure:15220: result: yes
configure:15328: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/openssl/include -I/usr/local/zlib/include -L/usr/local/openssl/lib -L/usr/local/zlib/lib -q64 conftest.c -lcrypto >&5
ld: 0711-317 ERROR: Undefined symbol: .deflate
ld: 0711-317 ERROR: Undefined symbol: .zError
ld: 0711-317 ERROR: Undefined symbol: .deflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflate
ld: 0711-317 ERROR: Undefined symbol: .inflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflateEnd
ld: 0711-317 ERROR: Undefined symbol: .deflateEnd
ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork
ld: 0711-317 ERROR: Undefined symbol: .pthread_once
ld: 0711-317 ERROR: Undefined symbol: .pthread_self
ld: 0711-317 ERROR: Undefined symbol: .pthread_key_delete
ld: 0711-317 ERROR: Undefined symbol: .pthread_setspecific
ld: 0711-317 ERROR: Undefined symbol: .pthread_getspecific
ld: 0711-317 ERROR: Undefined symbol: .pthread_key_create
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_unlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_wrlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_rdlock
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_init
ld: 0711-317 ERROR: Undefined symbol: .pthread_rwlock_destroy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
configure:15328: $? = 8
configure: failed program was:
| /* confdefs.h */
<skip>
<skip>
| /* Override any GCC internal prototype to avoid an error.
| Use char because int might match the return type of a GCC
| builtin and then its argument prototype would still apply. */
| char RAND_add ();
| int
| main (void)
| {
| return RAND_add ();
| ;
| return 0;
| }
configure:15332: error: *** working libcrypto not found, check config.log
================================================================

Thanks,
Val Baranov
Val.baranov@duke.edu

Re: Call for testing: openssh-9.1
On Wed, Sep 28, 2022 at 10:03:37AM +1000, Damien Miller wrote:

> $ ./configure && make tests

"all tests passed" on Raspberry Pi OS with snapshot 20220930. The binary
made an ssh connection to a server running 9.0.

Nicolai
Re: Call for testing: openssh-9.1
20:10, Damien Miller <djm@mindrot.org> wrote:
>
> Hi,
>
> OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

On my FreeBSD 13/14ish laptop something's wrong with ./configure -
HAVE_FIDO_DEV_IS_WINHELLO is not getting set in config.h and then
building fails with:

sk-usbhid.c:386:1: error: static declaration of 'fido_dev_is_winhello'
follows non-static declaration
fido_dev_is_winhello(const fido_dev_t *fdev)
^
/usr/local/include/fido.h:220:6: note: previous declaration is here
bool fido_dev_is_winhello(const fido_dev_t *);

config.log shows it being detected correctly though:

configure:16481: checking for fido_dev_is_winhello
configure:16481: cc -o conftest -g -O2 -pipe -Wunknown-warning-option
-Qunused-arguments -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation
-fno-strict-aliasing -mretpoline -D_FORTIFY_SOURCE=2 -ftrapv
-fno-builtin-memset -fstack-protector-strong -I/usr/local/include
-Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-strong conftest.c -lcrypto -lutil -L/usr/local/lib
-lfido2 >&5
configure:16481: $? = 0
configure:16481: result: yes

I will look into that, but in any case with a straightforward
workaround for that the tests do run. They end up stalling, waiting on
input:
...
run test conch-ciphers.sh ...
conch ciphers: cipher aes256-ctr
emaste@127.0.0.1's password:

I removed conch-ciphers for now, and the tests finish with:
all tests passed

There are also a few FreeBSD changes / issues that are still waiting:
https://marc.info/?l=openssh-unix-dev&m=163034560831808&w=2
https://marc.info/?l=openssh-unix-dev&m=165236928625750&w=2
https://marc.info/?l=openssh-unix-dev&m=165289778115816&w=2
Re: Call for testing: openssh-9.1
On Tue, Sep 27, 2022 at 05:03:37PM PDT, Damien Miller wrote:
>[...]

All tests pass with git commit b51f3f172d87 on Void Linux (kernel
5.18.19, gcc 10.2.1, glibc 2.32, openssl 1.1.1q).


Zev

Re: Call for testing: openssh-9.1
On Fri, 30 Sep 2022, Ed Maste wrote:

> 20:10, Damien Miller <djm@mindrot.org> wrote:
> >
> > Hi,
> >
> > OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> On my FreeBSD 13/14ish laptop something's wrong with ./configure -
> HAVE_FIDO_DEV_IS_WINHELLO is not getting set in config.h and then
> building fails with:

Are you rerunning autoconf? If so, what version are you using?
(we use 2.71)

> I will look into that, but in any case with a straightforward
> workaround for that the tests do run. They end up stalling, waiting on
> input:
> ...
> run test conch-ciphers.sh ...
> conch ciphers: cipher aes256-ctr
> emaste@127.0.0.1's password:
>
> I removed conch-ciphers for now, and the tests finish with:
> all tests passed

I think these are somewhat dependent on the conch version and also
(sometimes) filesystem permissions.

> There are also a few FreeBSD changes / issues that are still waiting:
> https://marc.info/?l=openssh-unix-dev&m=163034560831808&w=2
> https://marc.info/?l=openssh-unix-dev&m=165236928625750&w=2
> https://marc.info/?l=openssh-unix-dev&m=165289778115816&w=2

I'll take a look, but these are unlikely to make the release, sorry.

-d
Re: Call for testing: openssh-9.1
On Fri, 30 Sept 2022 at 02:23, Val Baranov <val.baranov@duke.edu> wrote:
[...]
> For a number of releases since introducing OpenSSH ver. 8, AIX has been experiencing a problem configuring OpenSSH with static OpenSSL libs ver. 1.1.1.(x).

The thing that changed is that your libcrypto is now built to link
against pthreads whereas previously it was not. It's not a change in
OpenSSH itself.

> Looks like it is a sort of misleading info provided by the "configure" output, which displays the error with "libcrypto" while in fact "config.log" contains lines with ".pthread" errors just before the "libcrypto" error (could it be a 'side' effect of the ".pthread" symbols not being found?).
> ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork

This means that the little test program configure tried to build
failed when linking because the pthreads functions were not available
to it. Configure itself does not know why it failed, just that it
failed. That was resolved when you added -lpthreads to LDFLAGS.

As it stands, configure does not know that libcrypto needs pthreads.
The usual way of dealing with this is pkg-config, which reads that
data from .pc files, although OpenSSH does not currently use that for
OpenSSL. You may find there's a libcrypto.pc file in there somewhere
with lines something like:

Libs: -L${libdir} -lcrypto
Libs.private: -lz -ldl -pthread

although you may not, as my understanding is that even modern AIX does
not have pkg-config (certainly the ancient versions I am familiar with
do not).

We should probably tell configure to use pkg-config for OpenSSL, but
that's a non-trivial change (even with the recent simplifications done
with the OpenSSL configure bits), it won't help if you don't have
pkg-config and it'd have to go in early in the next release cycle
anyway.

Is your libcrypto part of the base OS, in /opt/freeware or something else?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: openssh-9.1
On Sun, 2 Oct 2022 at 04:46, Damien Miller <djm@mindrot.org> wrote:
>
> > On my FreeBSD 13/14ish laptop something's wrong with ./configure -
> > HAVE_FIDO_DEV_IS_WINHELLO is not getting set in config.h and then
> > building fails with:
>
> Are you rerunning autoconf? If so, what version are you using?
> (we use 2.71)

I tried this from a git clone so did run autoconf; I have 2.71
installed. In any case I grabbed the latest snapshot just now and
configure worked fine so it appears to be a local issue.
RE: Call for testing: openssh-9.1
On Monday, October 3, 2022 5:33 AM
Darren Tucker <dtucker@dtucker.net> wrote:
>On Fri, 30 Sept 2022 at 02:23, Val Baranov <val.baranov@duke.edu> wrote:
>> For a number of releases since introducing OpenSSH ver. 8, AIX has been experiencing a problem configuring OpenSSH with static OpenSSL libs ver. 1.1.1.(x).
>The thing that changed is that your libcrypto is now built to link against pthreads whereas previously it was not. It's not a change in OpenSSH itself.
>> Looks like it is a sort of misleading info provided by the "configure" output, which displays the error with "libcrypto" while in fact "config.log" contains lines with ".pthread" errors just before the "libcrypto" error (could it be a 'side' effect of the ".pthread" symbols not being found?).
>> ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork
>This means that the little test program configure tried to build failed when linking because the pthreads functions were not available to it. Configure itself does not know why it failed, just that it failed. That was resolved when you added -lpthreads to LDFLAGS.
>As it stands, configure does not know that libcrypto needs pthreads.
>The usual way of dealing with this is pkg-config, which reads that data from .pc files, although OpenSSH does not currently use that for OpenSSL. You may find there's a libcrypto.pc file in there somewhere with lines something like:
>Libs: -L${libdir} -lcrypto
>Libs.private: -lz -ldl -pthread
>although you may not, as my understanding is that even modern AIX does not have pkg-config (certainly the ancient versions I am familiar with do not).
>We should probably tell configure to use pkg-config for OpenSSL, but that's a non-trivial change (even with the recent simplifications done with the OpenSSL configure bits), it won't help if you don't have pkg-config and it'd have to go in early in the next release cycle anyway.
>Is your libcrypto part of the base OS, in /opt/freeware or something else?
"libcrypto" is not a part of OS but is locally built under "/usr/local/openssl".
The information above looks reasonable, because the issue was first discovered upon moving out from OpenSSL 1.0.1 over to 1.1.1 (I can accept that some changes were introduced with ver. 1.1.1).
Another thing found is that, OpenSSH 9.1p "configure" failed anyway with the same "libcrypto" error even if using "-lpthread", thus producing another set of errors but this time related to "zlib":
<...>
configure:15328: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/openssl/include -I/usr/local/zlib/include -L/usr/local/openssl/lib -L/usr/local/zlib/lib -q64 conftest.c -lcrypto -lpthread >&5
ld: 0711-317 ERROR: Undefined symbol: .deflate
ld: 0711-317 ERROR: Undefined symbol: .zError
ld: 0711-317 ERROR: Undefined symbol: .deflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflate
ld: 0711-317 ERROR: Undefined symbol: .inflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflateEnd
ld: 0711-317 ERROR: Undefined symbol: .deflateEnd
So, now "configure" requires
--with-libs='-lpthread -lz'
to finish successfully.
For testing purposes, two sources ver. 8.9p1 and 9.1p1 were configured in the same environment one-by-one in a matter of few minutes.
Ver. 8.9p1 finished successfully while ver. 9.1p1 produced the errors above unless the "-lz" option is added - this is strong evidence (am I wrong?) that something has changed starting with OpenSSH ver. 9.X.

--
Val Baranov (val.baranov at duke.edu)
