Mailing List Archive

Re: Call for testing: OpenSSH 9.7 [ In reply to ]
Hello,

I got a failure on configuring the master branch on Fedora 39:

upstream/openssh-portable$ ./configure --disable-dsa
....
checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
checking for OpenSSL_version... yes
checking for OpenSSL_version_num... yes
checking OpenSSL library version... configure: error: Unknown/unsupported
OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)")


On Tue, Mar 5, 2024 at 1:26 AM Damien Miller <djm@mindrot.org> wrote:

>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@mindrot.org. Security bugs should be reported
> directly to openssh@openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
>
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
>
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
>
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
>
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
>
> Changes since OpenSSH 9.6
> =========================
>
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
>
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
>
> * All: make DSA key support compile-time optional, defaulting to on.
>
> Bugfixes
> --------
>
> * sshd(8): don't append an unnecessary space to the end of subsystem
> arguments (bz3667)
>
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
> keystroke timing obfuscation was added. (GHPR#463)
>
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
> options that accept array arguments are overridden (bz3657).
>
> * Many fixes to manual pages and other documentation, including
> GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>
> * Greatly improve interop testing against PuTTY.
>
> Portability
> -----------
>
> * Improve the error message when the autoconf OpenSSL header check
> fails (bz#3668)
>
> * Improve detection of broken toolchain -fzero-call-used-regs support
> (bz3645).
>
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
> warnings when using clang16
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

--
Dmitry Belyavskiy
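
The deprecation notice quoted above means any remaining ssh-dss keys stop working once DSA support is compiled out. As an added example (not part of this thread or of OpenSSH itself), this Python script finds DSA entries in authorized_keys or known_hosts text by checking the algorithm name embedded in each key blob; the function names and the sample entries are constructed for illustration.

```python
import base64
import struct

# Key type names OpenSSH uses for DSA keys and DSA certificates.
DSA_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}


def blob_key_type(b64):
    """Return the algorithm name stored at the start of a base64 SSH
    public key blob (a uint32 length followed by the name), or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or 4 + n > len(raw):
        return None
    try:
        return raw[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def split_fields(line):
    """Split on whitespace, keeping double-quoted option values (which
    may contain spaces and escaped quotes) in a single field."""
    fields, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and line[i + 1:i + 2] == '"':
            cur.append('\\"')
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c in " \t" and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def find_dsa_keys(text, source="<input>"):
    """Return (source, line number, key type, comment) for every DSA key.
    The key field is located as the first pair of adjacent fields where
    the declared type matches the type embedded in the blob, which works
    for both authorized_keys (leading options) and known_hosts (leading
    host list)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        for i in range(len(fields) - 1):
            embedded = blob_key_type(fields[i + 1])
            if embedded is None or embedded != fields[i]:
                continue
            if embedded in DSA_TYPES:
                findings.append((source, lineno, embedded, " ".join(fields[i + 2:])))
            break
    return findings


def sample_blob(key_type):
    """Constructed placeholder: algorithm name plus filler, not a usable key."""
    name = key_type.encode("ascii")
    raw = struct.pack(">I", len(name)) + name + b"\x00" * 8
    return base64.b64encode(raw).decode("ascii")


# Constructed sample input (assumed names and hosts, no real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample entries, not real keys",
    "ssh-ed25519 " + sample_blob("ssh-ed25519") + " alice@laptop",
    'command="/usr/bin/backup --mode \\"full copy\\"",no-pty ssh-dss '
    + sample_blob("ssh-dss") + " backup@old-nas",
    "ssh-dss-cert-v01@openssh.com "
    + sample_blob("ssh-dss-cert-v01@openssh.com") + " ci@legacy",
])
SAMPLE_KNOWN_HOSTS = "\n".join([
    "[gw.example.org]:2222,192.0.2.10 ssh-dss " + sample_blob("ssh-dss"),
    "files.example.org ssh-rsa " + sample_blob("ssh-rsa"),
])

if __name__ == "__main__":
    for name, text in (("authorized_keys", SAMPLE_AUTHORIZED_KEYS),
                       ("known_hosts", SAMPLE_KNOWN_HOSTS)):
        for src, lineno, ktype, comment in find_dsa_keys(text, name):
            print(f"{src}:{lineno}: {ktype} {comment}".rstrip())
```

To audit a real host, read each user's authorized_keys and the known_hosts files and pass their contents to find_dsa_keys().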
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
Hi Darren,

On Mar 8 10:07, Darren Tucker wrote:
> On Fri, Mar 08, 2024 at 08:53:45AM +1100, Darren Tucker wrote:
> > On Fri, 8 Mar 2024 at 06:59, Corinna Vinschen <vinschen@redhat.com> wrote:
> [...]
> > > Having said that, can this test be changed to be independent of the
> > > user's login shell?
> >
> > Yes we should be able to change to something that invokes
> > ${TEST_SHELL} -c "[whatever]", although it might take a couple of
> > attempts to get the quoting right. Lemme have a try...
>
> I think this should do it, and it turned out to be simpler than I
> thought. Can you confirm it works for you?
>
> Thanks.
>
> Index: dynamic-forward.sh
> ===================================================================
> RCS file: /export/cvs/src/regress/usr.bin/ssh/dynamic-forward.sh,v
> diff -u -p -r1.16 dynamic-forward.sh
> --- dynamic-forward.sh 11 Jan 2023 00:51:27 -0000 1.16
> +++ dynamic-forward.sh 7 Mar 2024 23:03:25 -0000
> @@ -51,9 +51,9 @@ check_socks() {
> for s in 4 5; do
> for h in 127.0.0.1 localhost; do
> trace "testing ssh socks version $s host $h (-$direction)"
> - ${REAL_SSH} -q -F $OBJ/ssh_config \
> - -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
> - somehost cat ${DATA} > ${COPY}
> + ${REAL_SSH} -q -F $OBJ/ssh_config -o \
> + "ProxyCommand ${TEST_SHELL} -c '${proxycmd}${s} $h $PORT 2>/dev/null'" \
> + somehost cat ${DATA} > ${COPY}
> r=$?
> if [ "x$expect_success" = "xY" ] ; then
> if [ $r -ne 0 ] ; then
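
Review bot: On the new ProxyCommand line, ${proxycmd}${s} $h $PORT is expanded inside single quotes that themselves sit inside the double-quoted -o argument, so a single quote anywhere in ${proxycmd} would end the -c string early and the 2>/dev/null redirect would no longer be parsed by ${TEST_SHELL}. ${TEST_SHELL} is also placed into the string unquoted, so a value containing spaces would be split. A short comment above the call stating that the wrapper exists so the redirect is interpreted by ${TEST_SHELL} rather than the user's shell, and that proxycmd must not contain single quotes, would document both assumptions.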

This works nicely. Thanks!


Corinna

Re: Call for testing: OpenSSH 9.7 [ In reply to ]
Hi,

/bin/sh can be very different....

Ubuntu 22.04:

:; ls -hal /bin/sh /bin/bash
-rwxr-xr-x 1 root root 1,4M Jan 6 2022 /bin/bash
lrwxrwxrwx 1 root root 4 Mar 23 2022 /bin/sh -> dash

OpenIndiana (old OpenSolaris reincarnation)

:; ls -hal /bin/sh /bin/bash
-r-xr-xr-x 1 root bin 1,4M Jan 25 09:42 /bin/bash
lrwxrwxrwx 1 root root 9 Apr 6 2021 /bin/sh -> i86/ksh93



On 2024-03-07 23:19, Job Snijders wrote:
> On Thu, Mar 07, 2024 at 11:13:50PM +0100, Predrag Zečević wrote:
>> Not all systems have /bin/sh linked to /bin/bash.
>
> Are there systems without /bin/sh? The objective isn't to use 'bash'
> implementation specifically, I believe?
>
> It was pointed out that check_socks() executes in whatever the remote
> side has as shell, so my shebang suggestion has no merit.
>
> Kind regards,
>
> Job

--
Predrag Zečević
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Fri, 8 Mar 2024 at 20:26, Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
> I got a failure on configuring the master branch on Fedora 39:
>
> upstream/openssh-portable$ ./configure --disable-dsa

That should be --disable-dsa-keys

> ....
> checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
> checking for OpenSSL_version... yes
> checking for OpenSSL_version_num... yes
> checking OpenSSL library version... configure: error: Unknown/unsupported
> OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)")

There's no reason that should not work. Our github tests
include a version in that series:
https://github.com/openssh/openssh-portable/actions/runs/8185080777/job/22380713906

I am able to build against that exact OpenSSL version:

$ ./configure --with-ssl-dir=/opt/openssl/3.1.1
--with-rpath=-Wl,-rpath, --disable-dsa-keys | grep -i openssl
checking whether OpenSSL will be used for cryptography... yes
checking for openssl... /opt/openssl/3.1.1/bin/openssl
checking for openssl/opensslv.h... yes
checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
checking for OpenSSL_version... yes
checking for OpenSSL_version_num... yes
checking OpenSSL library version... 30100010 (OpenSSL 3.1.1 30 May 2023)
checking whether OpenSSL's headers match the library... yes
checking if programs using OpenSSL functions will link... yes
checking for OpenSSL_add_all_algorithms... no
checking whether OpenSSL_add_all_algorithms is declared... yes
[...]
$ make [...]
$ ./ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.1 30 May 2023

You'll probably need to dig into config.log to see exactly why that
configure test fails. Do you have local mods to either OpenSSH or
OpenSSL?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Fri, Mar 8, 2024 at 12:53 PM Darren Tucker <dtucker@dtucker.net> wrote:

> On Fri, 8 Mar 2024 at 20:26, Dmitry Belyavskiy <dbelyavs@redhat.com>
> wrote:
> > I got a failure on configuring the master branch on Fedora 39:
> >
> > upstream/openssh-portable$ ./configure --disable-dsa
>
> That should be --disable-dsa-keys
>
> > ....
> > checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
> > checking for OpenSSL_version... yes
> > checking for OpenSSL_version_num... yes
> > checking OpenSSL library version... configure: error: Unknown/unsupported
> > OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)")
>
> There's no reason that should not work. Our github tests
> include a version in that series:
>
> https://github.com/openssh/openssh-portable/actions/runs/8185080777/job/22380713906
>
> I am able to build against that exact OpenSSL version:
>
> $ ./configure --with-ssl-dir=/opt/openssl/3.1.1
> --with-rpath=-Wl,-rpath, --disable-dsa-keys | grep -i openssl
> checking whether OpenSSL will be used for cryptography... yes
> checking for openssl... /opt/openssl/3.1.1/bin/openssl
> checking for openssl/opensslv.h... yes
> checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
> checking for OpenSSL_version... yes
> checking for OpenSSL_version_num... yes
> checking OpenSSL library version... 30100010 (OpenSSL 3.1.1 30 May 2023)
> checking whether OpenSSL's headers match the library... yes
> checking if programs using OpenSSL functions will link... yes
> checking for OpenSSL_add_all_algorithms... no
> checking whether OpenSSL_add_all_algorithms is declared... yes
> [...]
> $ make [...]
> $ ./ssh -V
> OpenSSH_9.6p1, OpenSSL 3.1.1 30 May 2023
>
> You'll probably need to dig into config.log to see exactly why that
> configure test fails. Do you have local mods to either OpenSSH or
> OpenSSL?
>

Sorry for disturbing you. Invocation of autoreconf did the trick.

--
Dmitry Belyavskiy
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Fri, 8 Mar 2024 at 20:53, Corinna Vinschen <vinschen@redhat.com> wrote:
[...]
> This works nicely. Thanks!

Thanks for confirming. I just committed it.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
This is what I am usually seeing on FreeBSD.

Running FreeBSD 14.0-p5

run test conch-ciphers.sh ...
conch ciphers: cipher aes256-ctr
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher aes256-cbc
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher aes192-ctr
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher aes192-cbc
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher aes128-ctr
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher aes128-cbc
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher cast128-cbc
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher blowfish
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
conch ciphers: cipher 3des-cbc
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
failed conch ciphers
*** Error code 1

Stop.
make[1]: stopped in /usr/source/openssh-SNAP-20240309/regress
*** Error code 1

What do you need from me?


--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, 9 Mar 2024 at 04:32, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> This is what I am usually seeing on FreeBSD.
> Running FreeBSD 14.0-p5
>
> run test conch-ciphers.sh ...
> conch ciphers: cipher aes256-ctr

Do you actually have Conch installed and if so what version?

There should be some failed-{ssh,sshd}.log files in regress
corresponding to the failed tests. You can also run

make t-exec LTESTS=conch-ciphers TEST_SSH_FAIL_FATAL=yes

to run just that test, and stop immediately after the first failure,
which will keep the log volume down and might make it a bit easier to
inspect.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, Mar 09, 2024 at 07:41:24AM +1100, Darren Tucker wrote:
> On Sat, 9 Mar 2024 at 04:32, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> > This is what I am usually seeing on FreeBSD.
> > Running FreeBSD 14.0-p5
> >
> > run test conch-ciphers.sh ...
> > conch ciphers: cipher aes256-ctr
>
> Do you actually have Conch installed and if so what version?
>
> There should be some failed-{ssh,sshd}.log files in regress
> corresponding to the failed tests. You can also run
>
> make t-exec LTESTS=conch-ciphers TEST_SSH_FAIL_FATAL=yes
>
> to run just that test, and stop immediately after the first failure,
> which will keep the log volume down and might make it a bit easier to
> inspect.

Result

run test conch-ciphers.sh ...
conch ciphers: cipher aes256-ctr
cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
tar: Failed to set default locale
corrupted copy
*** Error code 1

Stop.
make[1]: stopped in /usr/source/openssh-SNAP-20240309/regress
*** Error code 1

Stop.
make: stopped in /usr/source/openssh-SNAP-20240309



--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, Mar 9, 2024, 09:22 The Doctor <doctor@doctor.nl2k.ab.ca> wrote:

> On Sat, Mar 09, 2024 at 07:41:24AM +1100, Darren Tucker wrote:
> > On Sat, 9 Mar 2024 at 04:32, The Doctor <doctor@doctor.nl2k.ab.ca>
> wrote:
> > > This is what I am usually seeing on FreeBSD.
> > > Running FreeBSD 14.0-p5
> > >
> > > run test conch-ciphers.sh ...
> > > conch ciphers: cipher aes256-ctr
> >
> > Do you actually have Conch installed and if so what version?
> >


You didn't answer these.

>
> > There should be some failed-{ssh,sshd}.log files in regress
>


What's in these logfiles?

> corresponding to the failed tests. You can also run
> >
> > make t-exec LTESTS=conch-ciphers TEST_SSH_FAIL_FATAL=yes
> >
> > to run just that test, and stop immediately after the first failure,
> > which will keep the log volume down and might make it a bit easier to
> > inspect.
>
> Result
>
> run test conch-ciphers.sh ...
> conch ciphers: cipher aes256-ctr
> cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
> tar: Failed to set default locale
> corrupted copy
> *** Error code 1
>
> Stop.
> make[1]: stopped in /usr/source/openssh-SNAP-20240309/regress
> *** Error code 1
>
> Stop.
> make: stopped in /usr/source/openssh-SNAP-20240309
>
>
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, Mar 09, 2024 at 09:33:25AM +1100, Darren Tucker wrote:
> On Sat, Mar 9, 2024, 09:22 The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>
> > On Sat, Mar 09, 2024 at 07:41:24AM +1100, Darren Tucker wrote:
> > > On Sat, 9 Mar 2024 at 04:32, The Doctor <doctor@doctor.nl2k.ab.ca>
> > wrote:
> > > > This is what I am usually seeing on FreeBSD.
> > > > Running FreeBSD 14.0-p5
> > > >
> > > > run test conch-ciphers.sh ...
> > > > conch ciphers: cipher aes256-ctr
> > >
> > > Do you actually have Conch installed and if so what version?
> > >
>
>
> You didn't answer these.
>
> >
> > > There should be some failed-{ssh,sshd}.log files in regress
> >
>
>
> What's in these logfiles?
>

I am trying to find these.

> > corresponding to the failed tests. You can also run
> > >
> > > make t-exec LTESTS=conch-ciphers TEST_SSH_FAIL_FATAL=yes
> > >
> > > to run just that test, and stop immediately after the first failure,
> > > which will keep the log volume down and might make it a bit easier to
> > > inspect.
> >
> > Result
> >
> > run test conch-ciphers.sh ...
> > conch ciphers: cipher aes256-ctr
> > cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
> > tar: Failed to set default locale
> > corrupted copy
> > *** Error code 1
> >
> > Stop.
> > make[1]: stopped in /usr/source/openssh-SNAP-20240309/regress
> > *** Error code 1
> >
> > Stop.
> > make: stopped in /usr/source/openssh-SNAP-20240309
> >
> >

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, Mar 09, 2024 at 09:33:25AM +1100, Darren Tucker wrote:
> On Sat, Mar 9, 2024, 09:22 The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>
> > On Sat, Mar 09, 2024 at 07:41:24AM +1100, Darren Tucker wrote:
> > > On Sat, 9 Mar 2024 at 04:32, The Doctor <doctor@doctor.nl2k.ab.ca>
> > wrote:
> > > > This is what I am usually seeing on FreeBSD.
> > > > Running FreeBSD 14.0-p5
> > > >
> > > > run test conch-ciphers.sh ...
> > > > conch ciphers: cipher aes256-ctr
> > >
> > > Do you actually have Conch installed and if so what version?
> > >
>
>
> You didn't answer these.
>
> >
> > > There should be some failed-{ssh,sshd}.log files in regress
> >
>
>
> What's in these logfiles?
>

From messages



> > corresponding to the failed tests. You can also run
> > >
> > > make t-exec LTESTS=conch-ciphers TEST_SSH_FAIL_FATAL=yes
> > >
> > > to run just that test, and stop immediately after the first failure,
> > > which will keep the log volume down and might make it a bit easier to
> > > inspect.
> >
> > Result
> >
> > run test conch-ciphers.sh ...
> > conch ciphers: cipher aes256-ctr
> > cmp: EOF on /usr/source/openssh-SNAP-20240309/regress/copy
> > tar: Failed to set default locale
> > corrupted copy
> > *** Error code 1
> >
> > Stop.
> > make[1]: stopped in /usr/source/openssh-SNAP-20240309/regress
> > *** Error code 1
> >
> > Stop.
> > make: stopped in /usr/source/openssh-SNAP-20240309
> >
> >
> > > --
> > > Darren Tucker (dtucker at dtucker.net)
> > > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> > > Good judgement comes with experience. Unfortunately, the experience
> > > usually comes from bad judgement.
> >
> > --
> > Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
> > Yahweh, King & country!Never Satan President Republic!Beware AntiChrist
> > rising!
> > Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be
> > seen
> > What worth the power of law that won't stop lawlessness? -unknown
> >

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, 9 Mar 2024 at 10:47, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
[...]
> > What's in these logfiles?
>
> From messages

Those are from your currently installed sshd and are not relevant to
the test failures. What I meant by my previous comment is that the
log files from the regress tests will be in regress/failed-ssh.log and
regress/failed-sshd.log in your build directory.

If you don't have Conch installed (which it sounds like you don't)
then the Conch interop tests should not be running at all. You should
see this in configure when it looks for it:

$ ./configure | grep conch
checking for conch... no

If that's what you see then I'm not sure why it's trying those tests,
but you can skip that and see if there are any other failures:

$ make tests SKIP_LTESTS=conch-ciphers

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
Darren Tucker wrote:
> [0] https://pubs.opengroup.org/onlinepubs/009695399/utilities/sh.html
> """
> Applications should note that the standard PATH to the shell cannot be
> assumed to be either /bin/sh or /usr/bin/sh, and should be determined
> by interrogation of the PATH returned by getconf PATH , ensuring that
> the returned pathname is an absolute pathname and not a shell
> built-in.
> """

This issue and the recent non-bsd distro file system locate thrashes
has me now seeing "#!/usr/bin/env sh" which when I saw that the first
time had me cringing but now I am writing that myself to work around
the problem. And then of course I am using only portable shell
features so it does not matter which shell I get from that family.

As to avoiding the user's login shell which might be anything I have
for a long time been doing this when I don't need stdin. (Standard
input is used by the here-doc.)

ssh example.com /usr/bin/env sh <<EOF
echo one "t w o" three
EOF

And then quoting is simplified because stdin only goes through one
layer of shell interpretation.

Bob
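
Added example (not part of the post above and not OpenSSH code): an offline model of the two ways of handing a command to ssh that this message compares. The helper names run_as_argv, run_on_stdin and shquote are hypothetical, plain sh stands in both for the remote login shell and for "/usr/bin/env sh", and the sample values are constructed.

```shell
#!/bin/sh
# Constructed, offline model: no network and no real ssh. The run_* helpers
# are hypothetical stand-ins that reproduce only the parsing ssh causes.

# "ssh host WORD...": the client joins the words with single spaces and the
# server hands that one string to the login shell's -c (assumed to be sh).
run_as_argv() { sh -c "$*"; }

# "ssh host sh <<EOF": the login shell parses only the fixed word "sh";
# the script is then read from stdin by that sh, so it is parsed once.
run_on_stdin() { sh -c 'sh'; }

# Quote one value so a POSIX shell reads it back as exactly one word.
# (Command substitution drops trailing newlines; acceptable for this demo.)
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Case 1: the same literal text sent both ways. On the command line the
# local shell removes the quotes and the remote shell splits the words again.
spaces_argv() { run_as_argv echo one "t   w   o" three; }
spaces_stdin() {
    run_on_stdin <<'EOF'
echo one "t   w   o" three
EOF
}

# Case 2: a constructed value holding a metacharacter. Passed raw, the remote
# shell treats ";" as a command separator; quoted once, it stays data.
value='t w o; echo extra'
meta_argv_raw()    { run_as_argv echo "$value"; }
meta_argv_quoted() { run_as_argv echo "$(shquote "$value")"; }
meta_stdin_quoted() {
    # Unquoted delimiter: the local shell expands $(...) but does no quote
    # removal or word splitting on the here-doc body.
    run_on_stdin <<EOF
echo $(shquote "$value")
EOF
}

printf 'argv  : %s\n' "$(spaces_argv)"
printf 'stdin : %s\n' "$(spaces_stdin)"
printf 'raw   : %s\n' "$(meta_argv_raw)"
printf 'quoted: %s\n' "$(meta_argv_quoted)"
```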
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, 9 Mar 2024 at 13:19, Bob Proulx <bob@proulx.com> wrote:
[...]
> This issue and the recent non-bsd distro file system locate thrashes
> has me now seeing "#!/usr/bin/env sh" which when I saw that the first
> time had me cringing but now I am writing that myself to work around
> the problem. And then of course I am using only portable shell
> features so it does not matter which shell I get from that family.
>
> As to avoiding the user's login shell [...]

You're not completely avoiding it (for example, if it has them, its
non-interactive startup scripts will still run) but you are avoiding
its command line parsing.

> ssh example.com /usr/bin/env sh <<EOF
> echo one "t w o" three
> EOF
>
> And then quoting is simplified because stdin only goes through one
> layer of shell interpretation.

Is there any guarantee that env is at /usr/bin/env? I don't see any
mention in https://pubs.opengroup.org/onlinepubs/9699919799/utilities/env.html

I've done a similar thing with the here doc for the same reasons
(although I used /bin/sh), but for this example is there any reason
you could not omit the env and just do "ssh example.com sh <<EOF ..."?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, Mar 09, 2024 at 01:08:00PM +1100, Darren Tucker wrote:
> On Sat, 9 Mar 2024 at 10:47, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> [...]
> > > What's in these logfiles?
> >
> > From messages
>
> Those are from your currently installed sshd and are not relevant to
> the test failures. What I meant by my previous comment is that the
> log files from the regress tests will be in regress/failed-ssh.log and
> regress/failed-sshd.log in your build directory.
>
> If you don't have Conch installed (which it sounds like you don't)
> then the Conch interop tests should not be running at all. You should
> see this in configure when it looks for it:
>
> $ ./configure | grep conch
> checking for conch... no
>

egrep conch config.log
configure:25834: checking for conch
configure:25857: found /usr/local/bin/conch
configure:25869: result: /usr/local/bin/conch
ac_cv_path_CONCH=/usr/local/bin/conch
CONCH='/usr/local/bin/conch'
root@doctor:/usr/source/openssh-SNAP-20240309 # whereis conch
conch: /usr/local/bin/conch


> If that's what you see then I'm not sure why it's trying those tests,
> but you can skip that and see if there are any other failures:
>
> $ make tests SKIP_LTESTS=conch-ciphers
>

Did not skip the conch tests!

Also,


> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On 05/03/2024 01:24, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
Running the testsuite on Solaris 9 I see this:
set -xe ; if /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh -Q key | grep -q ^ssh-rsa ; then \
/export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv | diff - /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_openssh.prv ; \
tr '\n' '\r' </export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_cr.prv ; \
/export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_cr.prv | diff - /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_openssh.prv ; \
awk '{print $0 "\r"}' /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2.prv > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_crnl.prv ; \
/export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_crnl.prv | diff - /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_openssh.prv ; \
fi
+ /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh -Q key
+ grep -q
Usage: grep [OPTION]... PATTERN [FILE]...
Try 'grep --help' for more information.
+ ssh-rsa
/bin/sh: ssh-rsa: not found

and the same for ssh-dss.

The issue is that /bin/sh is sensitive to the ^ character. It either
needs to be escaped or the string quoted.

-tgc

Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, 9 Mar 2024, Tom G. Christensen wrote:

[snip]
> Running the testsuite on Solaris 9 I see this:
[snip]
> /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -if /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_ssh2_crnl.prv | diff - /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/rsa_openssh.prv ; \
> fi
> + /export/home/tgc/buildpkg/openssh/src/openssh-git/ssh -Q key
> + grep -q
> Usage: grep [OPTION]... PATTERN [FILE]...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On Solaris, /usr/bin/grep does not understand the -q option.
Better to have your PATH pick up /usr/xpg4/bin/grep which does.

> Try 'grep --help' for more information.
> + ssh-rsa
> /bin/sh: ssh-rsa: not found
>
> and the same for ssh-dss.
>
> The issue is that /bin/sh is sensitive to the ^ character. It either needs to
> be escaped or the string quoted.
>

--
Tim Rice Multitalents
tim@multitalents.net


Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On 09/03/2024 20:37, Thorsten Glaser wrote:
> On Sat, 9 Mar 2024, Tom G. Christensen wrote:
>
>> Running the testsuite on Solaris 9 I see this:
>
>> The issue is that /bin/sh is sensitive to the ^ character. It either
>
> Solaris 9 /bin/sh is not POSIX-conformant, best to run
> those build scripts with /usr/xpg4/bin/sh or the Korn
> shell.
>

I know but SHELL is not being set in regress/Makefile so make falls back
on /bin/sh to run shell commands.
I can manually add SHELL=/bin/bash to regress/Makefile and have it work
but I don't think I should have to.

-tgc
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On 09/03/2024 20:19, Tim Rice wrote:
> On Solaris, /usr/bin/grep does not understand the -q option.
> Better to have your PATH pick up /usr/xpg4/bin/grep which does.
>

I have GNU grep in my path so that is not a problem.

-tgc

Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Sat, 9 Mar 2024, Tom G. Christensen wrote:

> On 05/03/2024 01:24, Damien Miller wrote:
> >
> > Hi,
> >
> > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
> >
> Running the testsuite on Solaris 9 I see this:

[snip]

> + ssh-rsa
> /bin/sh: ssh-rsa: not found
>
> and the same for ssh-dss.
>
> The issue is that /bin/sh is sensitive to the ^ character. It either needs to
> be escaped or the string quoted.

Thanks, I just committed this to fix it.


diff --git a/regress/Makefile b/regress/Makefile
index 8628ddd28..c9a495f6f 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -156,7 +156,7 @@ TEST_SSH_SSHKEYGEN?=ssh-keygen
CPPFLAGS=-I..

t1:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ; \
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
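Review bot: In t1 nothing records why the grep pattern is now quoted, so a later cleanup could drop the quotes again. The failing trace earlier in this thread shows /bin/sh on Solaris 9 running "grep -q" and "ssh-rsa" as two separate commands when the ^ is unquoted; a one-line comment above t1 saying that an unquoted ^ is not safe in every /bin/sh would keep the fix in place.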
@@ -165,31 +165,31 @@ t1:
fi

t2:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out ; \
chmod 600 $(OBJ)/t2.out ; \
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
fi

t3:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out ; \
${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
fi

t4:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ; \
fi

t5:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ; \
fi
t6:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \
chmod 600 $(OBJ)/t6.out1 ; \
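Review bot: In t2 through t6 the guard pattern is anchored only at the start, so "^ssh-rsa" and "^ssh-dss" also match any longer name with that prefix in the "ssh -Q key" output, such as the certificate variants of those key types. If the guard is meant to test for the plain key type, anchor the end as well, for example grep -q '^ssh-rsa$$' (the $$ is the make escape for $). The identical guard is also repeated in every target; defining it once as a make variable would keep the quoting consistent.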
@@ -197,23 +197,23 @@ t6:
fi

$(OBJ)/t7.out:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ ; \
fi

t7: $(OBJ)/t7.out
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null ; \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ; \
fi

$(OBJ)/t8.out:
- set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \
fi

t8: $(OBJ)/t8.out
- set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \
fi
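Review bot: The $(OBJ)/t8.out and t8 rules query a bare "ssh -Q key" while every other guard in this patch uses ${TEST_SSH_SSH}, so t8 decides from whichever ssh is first in PATH rather than the binary under test, and the "-t dsa" key generation can run or be skipped on the wrong binary's answer. Use ${TEST_SSH_SSH} in both rules. Separately, the $(OBJ)/t7.out rule is guarded on "^ssh-dss" but generates an RSA key (-t rsa), which looks like the wrong key type in the guard.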
@@ -237,7 +237,7 @@ t10: $(OBJ)/t10.out
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null

t11:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ; \
fi
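Review bot: In t11 the guard tests for "^ssh-dss" but the body only fingerprints rsa_openssh.pub with -E sha256, so on a build without DSA this RSA check is silently skipped. The guard should probably be "^ssh-rsa", matching t4 and t5, which run the same kind of fingerprint check on the same file.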
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On Fri, 8 Mar 2024 at 11:56, Predrag Zečević
<predrag.zecevic.1961@googlemail.com> wrote:
>
> Hi,
>
> /bin/sh can be very different....
>
> Ubuntu 22.04:
>
> :; ls -hal /bin/sh /bin/bash
> -rwxr-xr-x 1 root root 1,4M Jan 6 2022 /bin/bash
> lrwxrwxrwx 1 root root 4 Mar 23 2022 /bin/sh -> dash
>
> OpenIndiana (old OpenSolaris reincarnation)
>
> :; ls -hal /bin/sh /bin/bash
> -r-xr-xr-x 1 root bin 1,4M Jan 25 09:42 /bin/bash
> lrwxrwxrwx 1 root root 9 Apr 6 2021 /bin/sh -> i86/ksh93

That was the ksh93-integration project, to modernize /sbin/sh+/bin/sh
in Solaris 11 to a POSIX shell. dash didn't have all the required
features, bash was too big and slow, so they went for the original
Korn Shell (1993 spec), aka ksh93.
For OpenSSH it is basically like bash in POSIX mode, fully standards compliant.

Ced
--
Cedric Blancher <cedric.blancher@gmail.com>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
Re: Call for testing: OpenSSH 9.7 [ In reply to ]
On 3/10/24 12:26 AM, Damien Miller wrote:

> $(OBJ)/t8.out:
> - set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
> + set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
> ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \
> fi
>
> t8: $(OBJ)/t8.out
> - set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
> + set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
> ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \
> ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \
> fi

Shouldn't the "if ssh" test be "if ${TEST_SSH_SSH}"?

Chris