[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

git...@kalvdans.no-ip.org changed:

What|Removed|Added
CC||git...@kalvdans.no-ip.org

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #30 from Michal Koutný ---
(In reply to Damien Miller from comment #28)
> Good catch about the sighup restart no longer running in a signal
> handler.

(In reply to Damien Miller from comment #13)
> ...
> It is also signal-handler safe, which is not the case for the originally
> proposed diffs.

The original diff (comment 10) already put the notification in sighup_restart() not in sighup_handler(), i.e. still the same place where platform_pre_restart() is called now, not a signal handler context AFAICS.

platform_* hooks look like the appropriate places for these calls.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller changed:

What|Removed|Added
Attachment #3805 Flags||ok?(dtuc...@dtucker.net)
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller changed:

What|Removed|Added
Attachment #3807 is obsolete|0|1

--- Comment #3 from Damien Miller ---
Created attachment 3808
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3808&action=edit
correct diff
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller changed:

What|Removed|Added
Attachment #3806 is obsolete|0|1

--- Comment #2 from Damien Miller ---
Created attachment 3807
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3807&action=edit
correct diff

oops, that was an older version of the change. Use this.
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller changed:

What|Removed|Added
CC||d...@mindrot.org

--- Comment #1 from Damien Miller ---
Created attachment 3806
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3806&action=edit
check expected key type and CA algorithm earlier

On the one hand it feels a bit like trying to fight the last battle, but on the other it is a meaningful attack surface reduction.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #29 from Luca Boccassi ---
(In reply to Damien Miller from comment #28)
> Created attachment 3805 [details]
> simplified further
>
> Good catch about the sighup restart no longer running in a signal
> handler.
>
> We can simplify further if we make ssh_systemd_notify() accept a
> format string. We also have code to get the CLOCK_MONOTONIC timer
> that we can reuse.

Looks good to me, tested on Debian testing as before, works as expected.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller changed:

What|Removed|Added
Attachment #3798 is obsolete|0|1
Attachment #3804 is obsolete|0|1

--- Comment #28 from Damien Miller ---
Created attachment 3805
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3805&action=edit
simplified further

Good catch about the sighup restart no longer running in a signal handler.

We can simplify further if we make ssh_systemd_notify() accept a format string. We also have code to get the CLOCK_MONOTONIC timer that we can reuse.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi changed:

What|Removed|Added
Attachment #3802 is obsolete|0|1

--- Comment #27 from Luca Boccassi ---
Created attachment 3804
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3804&action=edit
standalone notify and timestamp patch

> That's more tricky as the reload is called from signal handler context and we
> can't use snprint() there to format the usec part of the message. We'd have
> to refactor how sshd manages SIGHUP restarts.
>
> That would make some other things easier, but it's still a bigger change.

I went back and had a look at this, and unless I am missing something the reloading message is not being sent from the signal handler? The handler is sighup_handler which just sets a boolean and returns, following the usual pattern:

https://anongit.mindrot.org/openssh.git/tree/sshd.c#n298

but the notification message is sent from the platform_pre_restart() hook, which is called from the main context from the main loop via sighup_restart():

https://anongit.mindrot.org/openssh.git/tree/sshd.c#n304

This already does some logging, which uses format strings. Also platform_pre_restart() already calls oom_adjust_restore() which also uses format strings.

So I went ahead and did the necessary modifications in the latest version, which also simplified the message handling as it can log unconditionally now, and added the timestamp too.

I've tested this and seems to work just fine on Debian testing, I can change ssh.service to Type=notify-reload and reloading works just fine, including the state transitions.
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

--- Comment #3 from Colin Watson ---
Created attachment 3803
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3803&action=edit
Add Autoconf cache variables for OSSH_CHECK_*FLAG_*

How about this? Briefly tested, but it seems to do the job. For example:

$ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
[...]
checking if cc supports compile flag -ftrapv and linking succeeds... yes
checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
checking if cc supports compile flag -ftrivial-auto-var-init=zero... yes
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Bug 3674 depends on bug 3673, which changed state.

Bug 3673 Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

What|Removed|Added
Status|RESOLVED|REOPENED
Resolution|FIXED|---
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Colin Watson changed:

What|Removed|Added
Resolution|FIXED|---
Status|RESOLVED|REOPENED

--- Comment #2 from Colin Watson ---
Frustratingly, this patch somehow managed to regress behaviour on Debian ppc64el (see https://buildd.debian.org/status/fetch.php?pkg=openssh&arch=ppc64el&ver=1%3A9.7p1-3&stamp=1711920599&file=log; also compare https://bugzilla.mindrot.org/show_bug.cgi?id=3645). I can run test code on this architecture, but I have no idea how adding this extra code to this check made the check somehow pass on ppc64el when it should have failed.

I don't suppose this check could be wrapped in AC_CACHE_CHECK somehow? Then, rather than bothering you with extra portability checks that nobody really seems to understand, I could just brute-force it by passing ac_cv_whatever=no to configure on the relevant architectures. I don't really want to take up a bunch of your time figuring this nonsense out ...
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #26 from Colin Watson ---
Either version of Luca's patch looks fine to me.
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Jessie changed:

What|Removed|Added
CC||mia.lyo...@gmail.com
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Jessie changed:

What|Removed|Added
CC||mia.lyo...@gmail.com
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Benjamin Gilbert changed:

What|Removed|Added
CC||bgilb...@backtick.net
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Tõivo Leedjärv changed:

What|Removed|Added
CC||toi...@gmail.com

--- Comment #9 from Tõivo Leedjärv ---
It seems to me that the patch may contain a bug (also the same in the similar patch in serverloop.c).

Instead of

sigprocmask(SIG_UNBLOCK, &bsigset, &osigset)

should it not be

sigprocmask(SIG_SETMASK, &osigset, NULL)

to restore the previous mask?
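The two calls compared in comment #9 give different results when the signal was already blocked on entry to the critical section. The following is an added illustration, not code from the patch or from OpenSSH; the names `section_unblock`, `section_setmask` and `blocked_after` are hypothetical, and SIGTERM is used because it is the signal in the bug title.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* expose sigprocmask under strict -std modes */
#endif
#include <signal.h>
#include <stddef.h>
#include <stdio.h>

/* Returns 1 if sig is blocked in the current mask, 0 otherwise. */
static int is_blocked(int sig)
{
	sigset_t cur;

	sigemptyset(&cur);
	sigprocmask(SIG_SETMASK, NULL, &cur);	/* NULL set: query only */
	return sigismember(&cur, sig) == 1;
}

/* Variant A: leave the critical section by unblocking the same set. */
static void section_unblock(void)
{
	sigset_t bsigset, osigset;

	sigemptyset(&bsigset);
	sigaddset(&bsigset, SIGTERM);
	sigprocmask(SIG_BLOCK, &bsigset, &osigset);
	/* ... test the "signal received" flag, then wait for events ... */
	sigprocmask(SIG_UNBLOCK, &bsigset, &osigset);
}

/* Variant B: put back exactly the mask that was saved on entry. */
static void section_setmask(void)
{
	sigset_t bsigset, osigset;

	sigemptyset(&bsigset);
	sigaddset(&bsigset, SIGTERM);
	sigprocmask(SIG_BLOCK, &bsigset, &osigset);
	/* ... test the "signal received" flag, then wait for events ... */
	sigprocmask(SIG_SETMASK, &osigset, NULL);
}

/*
 * Enter a section with SIGTERM blocked or unblocked by the caller and
 * report whether SIGTERM is still blocked once the section returns.
 */
static int blocked_after(void (*section)(void), int blocked_on_entry)
{
	sigset_t term, saved;
	int r;

	sigemptyset(&term);
	sigaddset(&term, SIGTERM);
	sigprocmask(blocked_on_entry ? SIG_BLOCK : SIG_UNBLOCK, &term, &saved);
	section();
	r = is_blocked(SIGTERM);
	sigprocmask(SIG_SETMASK, &saved, NULL);	/* leave the demo as found */
	return r;
}

int main(void)
{
	printf("entry unblocked: UNBLOCK=%d SETMASK=%d\n",
	    blocked_after(section_unblock, 0), blocked_after(section_setmask, 0));
	printf("entry blocked:   UNBLOCK=%d SETMASK=%d\n",
	    blocked_after(section_unblock, 1), blocked_after(section_setmask, 1));
	return 0;
}
```

With SIGTERM unblocked on entry both variants end in the same state; with SIGTERM blocked on entry only the SIG_SETMASK variant returns with the caller's block still in place.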
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi changed:

What|Removed|Added
Attachment #3801 is obsolete|0|1

--- Comment #25 from Luca Boccassi ---
Created attachment 3802
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3802&action=edit
standalone notify patch

Thinking about it, given there's no external dependency and the runtime behaviour is a no-op unless the NOTIFY_SOCKET env var is set (which is only set by systemd or systemd-compatible managers), I don't think the new autoconf option is needed? There's no downside to always including the implementation when building on Linux, like it's done with the OOM adjustments. New revision of the patch attached does just that.
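The notification exchange discussed in this bug (a datagram to the socket named by NOTIFY_SOCKET, a no-op when the variable is unset, `READY=1`, and `RELOADING=1` with `MONOTONIC_USEC=`) can be written without libsystemd as below. This is an added example, not the attached patch or OpenSSH code; the names `notify_addr`, `notify_send`, `notify_reloading` and `capture_reloading` are hypothetical, and the receiver is a constructed stand-in for the service manager so the block runs offline.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* setenv, mkdtemp, clock_gettime */
#endif
#include <sys/socket.h>
#include <sys/un.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define RELOAD_PREFIX "RELOADING=1\nMONOTONIC_USEC="
static char captured[256];	/* last datagram seen by the demo receiver */

/* Fill sa from a NOTIFY_SOCKET value: absolute path or "@abstract" name. */
static int notify_addr(const char *path, struct sockaddr_un *sa, socklen_t *salen)
{
	size_t plen = strlen(path);

	if ((path[0] != '/' && path[0] != '@') || plen >= sizeof(sa->sun_path))
		return -1;
	memset(sa, 0, sizeof(*sa));
	sa->sun_family = AF_UNIX;
	memcpy(sa->sun_path, path, plen);
	if (path[0] == '@')
		sa->sun_path[0] = '\0';	/* Linux abstract namespace */
	*salen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
	return 0;
}

/* Returns 0 if NOTIFY_SOCKET is unset (no-op), 1 if sent, -1 on error. */
static int notify_send(const char *fmt, ...)
{
	const char *path = getenv("NOTIFY_SOCKET");
	struct sockaddr_un sa;
	socklen_t salen;
	char msg[256];
	va_list ap;
	int fd, len, r = -1;

	if (path == NULL || *path == '\0')
		return 0;	/* not started by a notify-aware manager */
	if (notify_addr(path, &sa, &salen) != 0)
		return -1;
	va_start(ap, fmt);
	len = vsnprintf(msg, sizeof(msg), fmt, ap);
	va_end(ap);
	if (len < 0 || (size_t)len >= sizeof(msg) ||
	    (fd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
		return -1;
	if (sendto(fd, msg, (size_t)len, 0, (struct sockaddr *)&sa, salen) == len)
		r = 1;
	close(fd);
	return r;
}

/* RELOADING=1 plus the CLOCK_MONOTONIC timestamp in microseconds. */
static int notify_reloading(void)
{
	struct timespec ts;

	if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0)
		return -1;
	return notify_send(RELOAD_PREFIX "%lld",
	    (long long)ts.tv_sec * 1000000LL + ts.tv_nsec / 1000);
}

/* Demo receiver standing in for the service manager; returns 0 on success. */
static int capture_reloading(void)
{
	char dir[] = "/tmp/notify-demo.XXXXXX", path[64];
	struct sockaddr_un sa;
	socklen_t salen;
	ssize_t n = -1;
	int fd;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/sock", dir);
	fd = socket(AF_UNIX, SOCK_DGRAM, 0);
	if (fd != -1 && notify_addr(path, &sa, &salen) == 0 &&
	    bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
		setenv("NOTIFY_SOCKET", path, 1);
		if (notify_reloading() == 1)
			n = recv(fd, captured, sizeof(captured) - 1, 0);
		unsetenv("NOTIFY_SOCKET");
	}
	if (fd != -1)
		close(fd);
	unlink(path);
	rmdir(dir);
	if (n >= 0)
		captured[n] = '\0';
	return n >= 0 ? 0 : -1;
}

int main(void)
{
	printf("no NOTIFY_SOCKET: %d\n", notify_send("READY=1"));
	printf("capture: %d\n%s\n", capture_reloading(), captured);
	return 0;
}
```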
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #24 from Luca Boccassi ---
Created attachment 3801
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3801&action=edit
standalone notify patch

The attached patch fixes the issue by creating a platform_post_listen() hook, as suggested by Colin. Tested in a Debian testing VM, seems to do the right thing, including on reloading.
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

fe...@eckhofer.com changed:

What|Removed|Added
CC||fe...@eckhofer.com
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #23 from Luca Boccassi ---
(In reply to Colin Watson from comment #20)
> Actually, I noticed a slight race here. You're sending the
> readiness notification from platform_pre_listen; but, as the name
> implies, this is called _before_ the server has started listening.
> The point of the readiness protocol is that the notification is only
> sent once the server is ready to accept connections.
>
> The notification should be moved to after the listen sockets are
> bound.

Yes, good catch, this should be fixed as it's important to avoid races that the notification is delivered after everything is up and running and ready to process requests.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #22 from Luca Boccassi ---
(In reply to Colin Watson from comment #21)
> (In reply to Luca Boccassi from comment #19)
> > Mmmh hang on I don't think that should be the case. The
> > MONOTONIC_USEC is for the Type=notify-reload workflow, that
> > automatically hooks sighup to the service, and is newer. But
> > RELOADING=1 -> READY=1 by itself should work with the older workflow
> > where you manually specify an ExecReload=kill -HUP $MAINPID in the
> > unit.
>
> Ah, you may be right. I was just going by looking at the code and
> hadn't actually tested removing RELOADING=1. Probably best to leave
> it in then.

I have tested the packages you published and the reloading notification is working:

Mar 31 14:34:28 localhost systemd[1]: ssh.service: Trying to enqueue job ssh.service/reload/replace
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Installed new job ssh.service/reload as 1333
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Enqueued job ssh.service/reload as 1333
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Will spawn child (service_enter_reload): /usr/sbin/sshd
Mar 31 14:34:28 localhost systemd[1]: ssh.service: About to execute: /usr/sbin/sshd -t
Mar 31 14:34:28 localhost (sshd)[3824]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Forked /usr/sbin/sshd as 3824 (without CLONE_INTO_CGROUP)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed running -> reload
Mar 31 14:34:28 localhost systemd[1]: Reloading ssh.service - OpenBSD Secure Shell server...
Mar 31 14:34:28 localhost (sshd)[3824]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Child 3824 belongs to ssh.service.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Control process exited, code=exited, status=0/SUCCESS (success)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Running next control command for state reload.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Will spawn child (service_run_next_control): /bin/kill
Mar 31 14:34:28 localhost systemd[1]: ssh.service: About to execute: /bin/kill -HUP "\$MAINPID"
Mar 31 14:34:28 localhost (kill)[3826]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Forked /bin/kill as 3826 (without CLONE_INTO_CGROUP)
Mar 31 14:34:28 localhost (kill)[3826]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost sshd[3812]: Received SIGHUP; restarting.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got notification message from PID 3812 (RELOADING=1)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Child 3826 belongs to ssh.service.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Control process exited, code=exited, status=0/SUCCESS (success)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got final SIGCHLD for state reload.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed reload -> reload-notify
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got notification message from PID 3812 (READY=1)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed reload-notify -> running
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Job 1333 ssh.service/reload finished, result=done
Mar 31 14:34:28 localhost systemd[1]: Reloaded ssh.service - OpenBSD Secure Shell server.
Mar 31 14:34:28 localhost sshd[3812]: Server listening on 0.0.0.0 port 22.
Mar 31 14:34:28 localhost sshd[3812]: Server listening on :: port 22.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #21 from Colin Watson ---
(In reply to Luca Boccassi from comment #19)
> Mmmh hang on I don't think that should be the case. The
> MONOTONIC_USEC is for the Type=notify-reload workflow, that
> automatically hooks sighup to the service, and is newer. But
> RELOADING=1 -> READY=1 by itself should work with the older workflow
> where you manually specify an ExecReload=kill -HUP $MAINPID in the
> unit.

Ah, you may be right. I was just going by looking at the code and hadn't actually tested removing RELOADING=1. Probably best to leave it in then.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #20 from Colin Watson ---
Actually, I noticed a slight race here. You're sending the readiness notification from platform_pre_listen; but, as the name implies, this is called _before_ the server has started listening. The point of the readiness protocol is that the notification is only sent once the server is ready to accept connections.

The notification should be moved to after the listen sockets are bound.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #19 from Luca Boccassi ---
(In reply to Colin Watson from comment #18)
> I've done some testing and this does seem to basically work.
>
> The one thing I'd point out is following on from Luca's comment:
> RELOADING=1 is ignored if you don't also send MONOTONIC_USEC=. So
> if you're not going to send that (and I understand the reasons), you
> might as well not bother sending RELOADING=1 either; we'll just have
> to stick with Type=notify rather than Type=notify-reload for now,
> which wouldn't be a regression.

Mmmh hang on I don't think that should be the case. The MONOTONIC_USEC is for the Type=notify-reload workflow, that automatically hooks sighup to the service, and is newer. But RELOADING=1 -> READY=1 by itself should work with the older workflow where you manually specify an ExecReload=kill -HUP $MAINPID in the unit.

Let me get your packages and test this.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #18 from Colin Watson ---
I've done some testing and this does seem to basically work.

The one thing I'd point out is following on from Luca's comment: RELOADING=1 is ignored if you don't also send MONOTONIC_USEC=. So if you're not going to send that (and I understand the reasons), you might as well not bother sending RELOADING=1 either; we'll just have to stick with Type=notify rather than Type=notify-reload for now, which wouldn't be a regression.
[Bug 3655] Default ObscureKeystrokeTiming makes X forwarding really slow
https://bugzilla.mindrot.org/show_bug.cgi?id=3655

--- Comment #2 from Andreas Gustafsson ---
Created attachment 3800
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3800&action=edit
Test program that performs 1000 round-trip X11 requests
[Bug 3655] Default ObscureKeystrokeTiming makes X forwarding really slow
https://bugzilla.mindrot.org/show_bug.cgi?id=3655

Andreas Gustafsson changed:

What|Removed|Added
CC||g...@araneus.fi

--- Comment #1 from Andreas Gustafsson ---
I am also affected by this bug. An X11 application suddenly became slow to the point of unusability, and it took quite a lot of detective work to determine that the cause was neither the application itself nor the X server but ssh.

To help quantify the worst-case slowdown, I am attaching a test program that makes 1000 round-trip requests to the X server. Running it via the ssh included in macOS Sonoma 14.4.1 (OpenSSH_9.6p1) shows:

$ ssh -X -oObscureKeystrokeTiming=no localhost
$ time ./test
real    0m0.120s
user    0m0.007s
sys     0m0.018s
$ exit
$ ssh -X localhost
$ time ./test
real    0m24.095s
user    0m0.018s
sys     0m0.066s

That's a slowdown by a factor of 200.
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Ismail Donmez changed:

What|Removed|Added
CC||ism...@i10z.com
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #17 from Colin Watson ---
I don't see any problems from eyeballing the patch.

I've pushed a version of the Debian packaging with this (and consequent modifications; we also have a socket activation patch from Ubuntu, but reworking that to avoid libsystemd wasn't too hard) to https://salsa.debian.org/ssh-team/openssh/-/tree/without-libsystemd, though so far I've only checked that it passes the regression tests. https://salsa.debian.org/ssh-team/openssh/-/jobs/5521815 has .debs for people who feel comfortable installing things from random CI jobs. Obviously I don't recommend installing those on production, but it's probably OK to do so in a container/VM. I'll look more once I've had some sleep.
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Bertrand Jacquin changed:

What|Removed|Added
CC||bertr...@jacquin.bzh
[Bug 3676] New: Redirect conch stdin from /dev/zero rather than requiring a controlling terminal
https://bugzilla.mindrot.org/show_bug.cgi?id=3676

Bug ID: 3676
Summary: Redirect conch stdin from /dev/zero rather than requiring a controlling terminal
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Regression tests
Assignee: unassigned-b...@mindrot.org
Reporter: cjwat...@debian.org

Created attachment 3799
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3799&action=edit
regress: Redirect conch stdin from /dev/zero

The new controlling-terminal requirement in regress/conch-ciphers.sh is somewhat inconvenient. I know that in theory wrapping the regression tests in something like script(1) should be fine, but in practice I haven't been able to get this to work properly in Debian's autopkgtest framework where we run the regression tests automatically; when I tried the result was that all the output of the regression tests was hidden from stdout and only showed up in autopkgtest's separate log file, but only when running in CI jobs on salsa.debian.org and not locally, which was extremely weird.

I could probably figure this out if I spent long enough debugging it, but a tiny patch to avoid the requirement in the first place seems like a more sensible use of time. Would you consider the attached patch?
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Luke Simmons changed:

What|Removed|Added
CC||luke5...@live.com
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Sam James changed:

What|Removed|Added
CC||s...@gentoo.org
[Bug 3675] New: CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Bug ID: 3675
Summary: CASignatureAlgorithms should be verified before verifying signatures
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: and...@anarazel.de

Hi,

The code injected in CVE-2024-3094 causes RSA_public_decrypt to be redirected to a payload. This is not reachable for normal pubkey authentication without
1) the key algorithm being of a permitted type
2) knowing at least the signature of a pubkey in authorized_keys etc

However, certificates are verified before such checks:

userauth_pubkey() ->
sshkey_from_blob() ->
sshkey_from_blob_internal() ->
cert_parse() ->
sshkey_verify(key->cert->signature_key) ->
ssh_rsa_verify() (or others, depending on cert type) ->
openssh_RSA_verify() ->
RSA_public_decrypt()

The signature algorithm *is* subsequently checked, but of course RSA_public_decrypt has already been called by that point.

Outside of CVE-2024-3094, which is not openssh's responsibility, that is not a correctness issue. But doing verification of signatures with algorithms that are disabled still seems fairly suboptimal, increasing the amount of code reachable without having any valid access.

Looks to me that an equivalent to checking in authorized_keys can't be done before the verification, but checking CASignatureAlgorithms seems entirely possible.

It might also be worth rejecting certificates without any validation if the sshd is not configured to use CA based auth.

Regards,

Andres
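One way to order the checks requested in this report, as an added example that is neither OpenSSH code nor the attached patch: the algorithm name is parsed out of the certificate's signature field (SSH wire format: string algorithm, string blob) and compared with an allowlist before any verification routine is called. The allowlist value, the function names and the counting stand-in `verify_signature` are assumptions made for the demonstration; the real CASignatureAlgorithms option also accepts patterns, which this exact-match lookup does not handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_MALFORMED		(-1)
#define SIG_ALG_DISABLED	(-2)

/* Constructed allowlist for the demo, written as a comma-separated list. */
static const char *demo_allowed = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256";
static int verify_calls;	/* how often the verification step was reached */

/* Read one SSH wire-format string (uint32 big-endian length, then bytes). */
static int get_string(const uint8_t *buf, size_t len, size_t *off,
    const uint8_t **out, size_t *outlen)
{
	uint32_t n;

	if (*off > len || len - *off < 4)
		return -1;
	n = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	if (n > len - *off - 4)
		return -1;	/* declared length runs past the buffer */
	*out = buf + *off + 4;
	*outlen = n;
	*off += 4 + (size_t)n;
	return 0;
}

/* Exact match against a comma-separated list (no wildcard patterns here). */
static int alg_allowed(const char *list, const uint8_t *name, size_t nlen)
{
	const char *p = list, *e;
	size_t l;

	for (;;) {
		e = strchr(p, ',');
		l = e != NULL ? (size_t)(e - p) : strlen(p);
		if (l == nlen && l > 0 && memcmp(p, name, nlen) == 0)
			return 1;
		if (e == NULL)
			return 0;
		p = e + 1;
	}
}

/* Stand-in for the library-backed verification; it only counts calls. */
static int verify_signature(const uint8_t *blob, size_t bloblen)
{
	(void)blob;
	(void)bloblen;
	verify_calls++;
	return 0;
}

/* Parse the whole field and check the allowlist before verifying anything. */
static int check_ca_signature(const uint8_t *field, size_t len,
    const char *allowed)
{
	const uint8_t *alg, *blob;
	size_t alglen, bloblen, off = 0;

	if (get_string(field, len, &off, &alg, &alglen) != 0 ||
	    get_string(field, len, &off, &blob, &bloblen) != 0 || off != len)
		return SIG_MALFORMED;
	if (!alg_allowed(allowed, alg, alglen))
		return SIG_ALG_DISABLED;	/* verifier never reached */
	return verify_signature(blob, bloblen);
}

/* Build a constructed signature field for alg with a 4-byte dummy blob. */
static size_t make_field(uint8_t *out, size_t outlen, const char *alg)
{
	size_t n = strlen(alg), need = 4 + n + 4 + 4;

	if (need > outlen || n > 255)
		return 0;
	memset(out, 0, need);
	out[3] = (uint8_t)n;			/* algorithm name length */
	memcpy(out + 4, alg, n);
	out[4 + n + 3] = 4;			/* blob length */
	memset(out + 4 + n + 4, 0xAA, 4);	/* dummy blob bytes */
	return need;
}

/* Run the check on a constructed field, truncated by cut bytes. */
static int demo(const char *alg, size_t cut)
{
	uint8_t buf[128];
	size_t len = make_field(buf, sizeof(buf), alg);

	return check_ca_signature(buf, len > cut ? len - cut : 0, demo_allowed);
}

int main(void)
{
	printf("ssh-rsa -> %d\n", demo("ssh-rsa", 0));
	printf("truncated -> %d\n", demo("rsa-sha2-256", 2));
	printf("rsa-sha2-256 -> %d\n", demo("rsa-sha2-256", 0));
	printf("verify calls: %d\n", verify_calls);
	return 0;
}
```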
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Richard W.M. Jones changed:

What|Removed|Added
CC||rjo...@redhat.com
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Arkadiusz Miśkiewicz changed:

What|Removed|Added
CC||ar...@maven.pl
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #16 from Damien Miller ---
(In reply to Luca Boccassi from comment #14)
> While there, it would be really nice if the RELOADING=1 message also
> included MONOTONIC_USEC= (CLOCK_MONOTONIC in usec as a
> decimal string), which is used for accurate synchronization. IE,
> write a string like "RELOADING=1\nMONOTONIC_USEC=1234...". This will
> enable the unit to be of Type=notify-reload which adds some nice
> features.

That's more tricky as the reload is called from signal handler context and we can't use snprint() there to format the usec part of the message. We'd have to refactor how sshd manages SIGHUP restarts. That would make some other things easier, but it's still a bigger change.

Anyway, if some of the distro people on this bug can report on whether the patch is okay, then we can move forward with this and finesse it later.
[Bug 3649] Control sockets do not connect anymore (after updating OpenSSH)
https://bugzilla.mindrot.org/show_bug.cgi?id=3649

--- Comment #11 from wolfgang.liessm...@web.de ---
Yes, it's still forking into background, even when starting the master process with -f and ControlPersist=no:

$ rm -f socket.tmp
$ ssh -vvv -MNf -o ControlPersist=no -S socket.tmp host1
[...]
debug1: forking to background
$ ls -l socket.tmp
[...]
Control socket connect(socket.tmp): Connection refused
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #15 from Damien Miller ---
I think the READY=1 will be sent implicitly after sshd restarts
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Sam James changed:

What|Removed|Added
CC||s...@gentoo.org
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi changed:

What|Removed|Added
CC||luca.bocca...@gmail.com

--- Comment #14 from Luca Boccassi ---
Thanks for working on that, will be great to have native support for the readiness protocol.

One review comment: unless I'm missing it because it's handled outside of the patch context, after a RELOADING=1, when the reload operation is complete, a READY=1 needs to be sent too:

https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#RELOADING=1

While there, it would be really nice if the RELOADING=1 message also included MONOTONIC_USEC= (CLOCK_MONOTONIC in usec as a decimal string), which is used for accurate synchronization. IE, write a string like "RELOADING=1\nMONOTONIC_USEC=1234...". This will enable the unit to be of Type=notify-reload which adds some nice features.
[Bug 2641] Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller changed:

What|Removed|Added
Attachment #2896 is obsolete|0|1
Attachment #2950 is obsolete|0|1
Attachment #3099 is obsolete|0|1

--- Comment #13 from Damien Miller ---
Created attachment 3798
--> https://bugzilla.mindrot.org/attachment.cgi?id=3798&action=edit
standalone systemd notifications

This implements the equivalent of sd_notify() without bringing in the rest of systemd bloat. It is also signal-handler safe, which is not the case for the originally proposed diffs.

Lightly tested.
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker changed:

What|Removed|Added
Depends on||3671

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3671
[Bug 3671] Improve PuTTY version detection
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
Bug 3674 depends on bug 3671, which changed state.

Bug 3671 Summary: Improve PuTTY version detection
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

What|Removed|Added
Status|NEW|RESOLVED
Resolution|---|FIXED
[Bug 3671] Improve PuTTY version detection
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

Darren Tucker changed:

What|Removed|Added
Resolution|---|FIXED
Status|NEW|RESOLVED
CC||dtuc...@dtucker.net
Blocks||3674

--- Comment #2 from Darren Tucker ---
Thanks. Have applied upstream, should appear in Portable soon and will be in the 9.8 release.

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3668] OpenSSL version header not found
https://bugzilla.mindrot.org/show_bug.cgi?id=3668

Darren Tucker changed:

What|Removed|Added
Resolution|---|WORKSFORME
Status|NEW|RESOLVED

--- Comment #10 from Darren Tucker ---
Your comment#8 indicates the problem you reported has been resolved. Please reopen if that is not the case.
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker changed:

What|Removed|Added
Depends on||3673

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3673
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
Bug 3674 depends on bug 3673, which changed state.

Bug 3673 Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

What|Removed|Added
Status|NEW|RESOLVED
Resolution|---|FIXED
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Darren Tucker changed:

What|Removed|Added
Blocks||3674
Resolution|---|FIXED
CC||dtuc...@dtucker.net
Status|NEW|RESOLVED

--- Comment #1 from Darren Tucker ---
Patch applied (both master and 9.7 branch) so it will be in the next release. Thanks for the report.

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3512

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3449

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3367] ssh-keyscan with non-22 port does not hash correct host
https://bugzilla.mindrot.org/show_bug.cgi?id=3367

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3289] Patch fixing the issues found by coverity scan
https://bugzilla.mindrot.org/show_bug.cgi?id=3289

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 2687] Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=1768

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 1153] DISPLAY should be set form the connected IP, not the hostname
https://bugzilla.mindrot.org/show_bug.cgi?id=1153

Darren Tucker changed:

What|Removed|Added
Blocks|3651|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Darren Tucker changed:

What|Removed|Added
Depends on|1153, 1768, 2687, 3210, 3289, 3367, 3449, 3512, 3531|

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=1153
[Bug 1153] DISPLAY should be set form the connected IP, not the hostname
https://bugzilla.mindrot.org/show_bug.cgi?id=1768
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
[Bug 2687] Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3289
[Bug 3289] Patch fixing the issues found by coverity scan
https://bugzilla.mindrot.org/show_bug.cgi?id=3367
[Bug 3367] ssh-keyscan with non-22 port does not hash correct host
https://bugzilla.mindrot.org/show_bug.cgi?id=3449
[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3512
[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3531
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.
[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Darren Tucker changed:

What|Removed|Added
Resolution|---|FIXED
Status|NEW|RESOLVED
CC||dtuc...@dtucker.net

--- Comment #1 from Darren Tucker ---
OpenSSH 9.7 was released March 11, 2024
https://www.openssh.com/releasenotes.html#9.7p1

Remaining open bugs retargetted to 9.8 (bug#3674).
[Bug 3674] Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker changed:

What|Removed|Added
Keywords||meta
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3512

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3449

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3367] ssh-keyscan with non-22 port does not hash correct host
https://bugzilla.mindrot.org/show_bug.cgi?id=3367

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3289] Patch fixing the issues found by coverity scan
https://bugzilla.mindrot.org/show_bug.cgi?id=3289

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 2687] Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=1768

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 1153] DISPLAY should be set form the connected IP, not the hostname
https://bugzilla.mindrot.org/show_bug.cgi?id=1153

Darren Tucker changed:

What|Removed|Added
Blocks||3674

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
[Bug 3674] New: Tracking bug for OpenSSH 9.8
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Bug ID: 3674
Summary: Tracking bug for OpenSSH 9.8
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-b...@mindrot.org
Reporter: dtuc...@dtucker.net
Depends on: 1153, 1768, 2687, 3210, 3289, 3367, 3449, 3512, 3531

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=1153
[Bug 1153] DISPLAY should be set form the connected IP, not the hostname
https://bugzilla.mindrot.org/show_bug.cgi?id=1768
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
[Bug 2687] Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3289
[Bug 3289] Patch fixing the issues found by coverity scan
https://bugzilla.mindrot.org/show_bug.cgi?id=3367
[Bug 3367] ssh-keyscan with non-22 port does not hash correct host
https://bugzilla.mindrot.org/show_bug.cgi?id=3449
[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3512
[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3531
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.
[Bug 3673] New: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Bug ID: 3673
Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
Product: Portable OpenSSH
Version: 9.7p1
Hardware: 68k
URL: https://bugs.debian.org/1067243
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Build system
Assignee: unassigned-b...@mindrot.org
Reporter: cjwat...@debian.org

Created attachment 3797
--> https://bugzilla.mindrot.org/attachment.cgi?id=3797&action=edit
Extend -fzero-call-used-regs check to catch m68k gcc bug

Thorsten Glaser reported that there's an ICE in GCC 13 on Linux m68k (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934) that's missed by the autoconf machinery to detect whether -fzero-call-used-regs=used is usable. The attached patch beefs up the autoconf check a bit more so that it notices this.
[Bug 3672] New: Include sshd_config.d/*.conf
https://bugzilla.mindrot.org/show_bug.cgi?id=3672

Bug ID: 3672
Summary: Include sshd_config.d/*.conf
Product: Portable OpenSSH
Version: 9.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-b...@mindrot.org
Reporter: enrico.sch...@sigma-chemnitz.de

Created attachment 3796
--> https://bugzilla.mindrot.org/attachment.cgi?id=3796&action=edit
patch

To ease system administration and setup, allow configuration by adding files in directories. This avoids patching upstream maintained configuration templates (ssh_config + sshd_config) and helps to document changes.

This mechanism in this patch is used already by major Linux distributions (Fedora, Debian). It adds

| Include /etc/ssh/ssh_config.d/*.conf

resp.

| Include /etc/ssh/sshd_config.d/*.conf

to the client and server configuration files.
[Bug 3671] Improve PuTTY version detection
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

Colin Watson changed:

What|Removed|Added
Attachment #3794 is obsolete|0|1

--- Comment #1 from Colin Watson ---
Created attachment 3795
--> https://bugzilla.mindrot.org/attachment.cgi?id=3795&action=edit
Improve PuTTY version detection

Oops, the previous patch had bogus tests.
[Bug 3671] New: Improve PuTTY version detection
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

Bug ID: 3671
Summary: Improve PuTTY version detection
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: Regression tests
Assignee: unassigned-b...@mindrot.org
Reporter: cjwat...@debian.org

Created attachment 3794
--> https://bugzilla.mindrot.org/attachment.cgi?id=3794&action=edit
Improve PuTTY version detection

The PuTTY version detection in the regression tests assumes that the major version is always 0, which doesn't seem totally warranted.

(This bug is really against 9.7p1, but Bugzilla's version field doesn't permit that yet. I guess -current will do.)
[Bug 3648] ssh client blocks itself by leaving unix domain socket alive after user
https://bugzilla.mindrot.org/show_bug.cgi?id=3648

--- Comment #3 from Hadmut Danisch ---
Apparently, yes, partly, thanks.

It seems to work for LocalForward, but not for RemoteForward. The option exists in the sshd_config man page, so I guess this must be set on the server side as well in order to make it work for RemoteForward, but that doesn't help in that particular use case, since users do not have admin rights on the remote machine.

Didn't see that option, and I do know about other long-time-experienced admins with the same problem, who didn't see this either. Maybe a hint in the LocalForward and RemoteForward sections of man page for ssh_config would be useful.

But what sense does it make to leave the socket in the filesystem, if ssh will never ever again be able to reuse it, it just keeps ssh from working again? What's that good for?

I'd see two modes of operation:

- either leave the socket intact, but be able to reuse it with subsequent ssh sessions, which might make sense for other client programs using it,
- or remove it and create a new one for every ssh connection.

but the current default mode of ssh does not seem to be working and thus not seem to make sense.

(BTW: Did you see my e-mail to the mailing list about XDG_RUNTIME_DIR environment variable on the server side?)

regards
[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Damien Miller changed:

What|Removed|Added
Depends on||3670

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3670
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
Bug 3651 depends on bug 3670, which changed state.

Bug 3670 Summary: [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

What|Removed|Added
Status|ASSIGNED|RESOLVED
Resolution|---|FIXED
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Damien Miller changed:

What|Removed|Added
Status|ASSIGNED|RESOLVED
Blocks||3651
Resolution|---|FIXED

--- Comment #4 from Damien Miller ---
Committed as a6a740a4948d and will be in the OpenSSH 9.7 release, due next week

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Darren Tucker changed:

What|Removed|Added
Attachment #3793 Flags|ok?(dtuc...@dtucker.net)|ok+
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

--- Comment #3 from Ben Hamilton ---
Yep, that works fine too!
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Damien Miller changed:

What|Removed|Added
CC||d...@mindrot.org, dtuc...@dtucker.net
Assignee|unassigned-b...@mindrot.org|d...@mindrot.org
Attachment #3793 Flags||ok?(dtuc...@dtucker.net)

--- Comment #2 from Damien Miller ---
Created attachment 3793
--> https://bugzilla.mindrot.org/attachment.cgi?id=3793&action=edit
use ppoll and flag in signal handler

alternately, we could just use a flag in a signal handler and check it via ppoll. We use this approach for most other mainloops that can be interrupted
[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Ben Hamilton changed:

What | Removed | Added
Status | NEW | ASSIGNED

--- Comment #1 from Ben Hamilton ---
Sent PR to fix: https://github.com/openssh/openssh-portable/pull/468

[Bug 3670] New: [ssh-agent] 100% CPU spin in cleanup_handler signal handler
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Bug ID: 3670
Summary: [ssh-agent] 100% CPU spin in cleanup_handler signal handler
Product: Portable OpenSSH
Version: 9.6p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-b...@mindrot.org
Reporter: benhamil...@google.com

On macOS 13.3, I got the following 100% CPU spin in `ssh-agent`'s `cleanup_handler()`:

```
8438 _sigtramp (in libsystem_platform.dylib) + 29 [0x7ff819a3e5ed]
8438 cleanup_handler (in ssh-agent) + 9 [0x10d0c5429]
8438 cleanup_socket (in ssh-agent) + 81 [0x10d0c3d11]
8438 sshlog (in ssh-agent) + 116 [0x10d0f3504]
8438 sshlogv (in ssh-agent) + 127 [0x10d0f35af]
8438 snprintf (in libsystem_c.dylib) + 156 [0x7ff8198c60d4]
8438 vsnprintf_l (in libsystem_c.dylib) + 41 [0x7ff8198c6020]
8438 _vsnprintf (in libsystem_c.dylib) + 256 [0x7ff8198e87ce]
8438 __vfprintf (in libsystem_c.dylib) + 113 [0x7ff8198b9ef7]
8438 localeconv_l (in libsystem_c.dylib) + 52 [0x7ff8198be2f4]
8438 _os_unfair_lock_lock_slow (in libsystem_platform.dylib) + 258 [0x7ff819a3cb67]
8438 _os_unfair_lock_recursive_abort (in libsystem_platform.dylib) + 23 [0x7ff819a4237b]
```

The issue is that all work performed from inside a signal handler must be async-signal safe. It cannot obtain mutexes or talk to any global

https://man7.org/linux/man-pages/man7/signal-safety.7.html

In particular, `snprintf()` invoked by `sshlog()` in `cleanup_socket()` is not async-signal safe.

To fix this, `cleanup_socket()` should:

1) Set a global boolean to true
2) Signal a file descriptor which the main `ssh-agent` `poll()` loop can use to wake up

Then, the main `poll()` loop can check if that boolean is set to true, and if so, clean up and exit.

[Bug 3648] ssh client blocks itself by leaving unix domain socket alive after user
https://bugzilla.mindrot.org/show_bug.cgi?id=3648

Damien Miller changed:

What | Removed | Added
CC | | d...@mindrot.org

--- Comment #2 from Damien Miller ---
Does the StreamLocalBindUnlink do what you want?

[Bug 3648] ssh client blocks itself by leaving unix domain socket alive after user
https://bugzilla.mindrot.org/show_bug.cgi?id=3648

--- Comment #1 from Hadmut Danisch ---
Any response?

[Bug 3669] Defensics warning results
https://bugzilla.mindrot.org/show_bug.cgi?id=3669

Damien Miller changed:

What | Removed | Added
CC | | d...@mindrot.org

--- Comment #1 from Damien Miller ---
It's hard to interpret this report without understanding what their success criteria are. They don't seem to be contained in the report itself.

[Bug 3669] New: Defensics warning results
https://bugzilla.mindrot.org/show_bug.cgi?id=3669

Bug ID: 3669
Summary: Defensics warning results
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: nikige...@gmail.com

Created attachment 3792
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3792&action=edit
SSHv2 Server Test Suite report from Defensics tool

I got SSHv2 server test suite report from test team that were using Synopsys Defensics tool. I wonder if openssh community performs tests using this tool? Do you think attached report gives information about any potential problem not known in the community?

[Bug 3666] sshd crash
https://bugzilla.mindrot.org/show_bug.cgi?id=3666

--- Comment #12 from Damien Miller ---
The traceback says where the program terminated, but not *why*. Was it a SIGSEGV, a SIGBUS or something else?

[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Damien Miller changed:

What | Removed | Added
Depends on | | 3657

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3657
[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment

[Bug 3651] tracking bug for openssh-9.7
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Bug 3651 depends on bug 3657, which changed state.

Bug 3657 Summary: AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657

What | Removed | Added
Status | NEW | RESOLVED
Resolution | --- | FIXED

[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657

Damien Miller changed:

What | Removed | Added
Resolution | --- | FIXED
Blocks | | 3651
Status | NEW | RESOLVED

--- Comment #2 from Damien Miller ---
This has been committed and will be in OpenSSH 9.7, due in a couple of weeks.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7

[Bug 3542] Allow to redirect stderr only even with tty
https://bugzilla.mindrot.org/show_bug.cgi?id=3542

butir...@gmail.com changed:

What | Removed | Added
CC | | butir...@gmail.com

[Bug 1734] IPv6 address in port forward options (-L) requires square brackets
https://bugzilla.mindrot.org/show_bug.cgi?id=1734

Marc Herbert changed:

What | Removed | Added
CC | | marc.herbert+mindrot@gmail.com

--- Comment #6 from Marc Herbert ---
Note "ssh [::1]" still does not work.
https://bugzilla.mindrot.org/show_bug.cgi?id=1602 (2009)

(ssh://[127.0.0.1] works!)

[Bug 1602] ssh: doesn't handle IPv6 addresses with brackets
https://bugzilla.mindrot.org/show_bug.cgi?id=1602

--- Comment #10 from Marc Herbert ---
Still failing:

ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024

ssh ::1                 # OK
ssh [::1]               # Could not resolve hostname [::1]
ssh ssh://[127.0.0.1]   # Works!?
ssh ssh://[::1]         # prints usage message

Ridiculously inconsistent.

PS: port numbers like [::1]:22 and [127.0.0.1]:22 make no difference.

[Bug 3667] Trailing space is added when parsing Subsystem in sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3667

Damien Miller changed:

What | Removed | Added
Resolution | --- | FIXED
Status | NEW | RESOLVED

--- Comment #3 from Damien Miller ---
Fixed in commit ee6d932acb and will be in openssh-9.7 - thanks!

[Bug 3668] OpenSSL version header not found
https://bugzilla.mindrot.org/show_bug.cgi?id=3668

--- Comment #9 from Darren Tucker ---
(In reply to fatcharly from comment #6)
> Hi,
> before I compile the open ssl with "make install", I do a "make
> test", and this takes long but its all ok.
>
> So, I run this:
>
> ./configure --with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath, yes.
> and send you the log again ?

Nope, if it works (which based on comment#8, it did) then all you need to do now is run "make" and if that succeeds then you're good to go.

[Bug 3668] OpenSSL version header not found
https://bugzilla.mindrot.org/show_bug.cgi?id=3668

--- Comment #8 from fatcha...@gmx.de ---
Result of:
./configure --with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: none
PKCS#11 support: yes
U2F/FIDO support: yes

Host: i686-pc-linux-gnu
Compiler: cc -std=gnu99
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-parameter -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags: -I/opt/openssl/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x1010 L
Linker flags: -L/opt/openssl/lib -Wl,-rpath,/opt/openssl/lib -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lresolv -lrt -ldl -lutil
+for channels: -lcrypto -lz
+for sshd: -lcrypt

[Bug 3668] OpenSSL version header not found
https://bugzilla.mindrot.org/show_bug.cgi?id=3668

--- Comment #7 from fatcha...@gmx.de ---
I just checked to be sure:

[root@pia opt]# find /opt/openssl -name libcrypto.so.3
/opt/openssl/lib/libcrypto.so.3

It's where it is supposed to be.