[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS)

2024-04-27 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

jason.na...@protonmail.com changed:

   What|Removed |Added

 CC||jason.na...@protonmail.com

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2048] Make chrooted sftp more user friendly using bind mount (solution suggested)

2024-04-27 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

jason.na...@protonmail.com changed:

   What|Removed |Added

 CC||jason.na...@protonmail.com



[Bug 3684] New: regress/key-options.sh: update future key expiry date to far in the future

2024-04-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3684

Bug ID: 3684
   Summary: regress/key-options.sh: update future key expiry date
to far in the future
   Product: Portable OpenSSH
   Version: -current
  Hardware: All
OS: Linux
Status: NEW
  Severity: enhancement
  Priority: P5
 Component: Regression tests
  Assignee: unassigned-b...@mindrot.org
  Reporter: alex.kana...@gmail.com

This allows testing Y2038 with system time set to after that
(i.e. 2040), so that actual Y2038 issues can be exposed, and not masked
by key expiry time errors.

Proposed patch:
https://github.com/openssh/openssh-portable/pull/425



[Bug 3683] Enable log_path configuration from ssh_config

2024-04-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3683

--- Comment #1 from Bryon  ---
Mailing List:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-April/041312.html



[Bug 3683] New: Enable log_path configuration from ssh_config

2024-04-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3683

Bug ID: 3683
   Summary: Enable log_path configuration from ssh_config
   Product: Portable OpenSSH
   Version: 9.7p1
  Hardware: Other
OS: Linux
Status: NEW
  Severity: enhancement
  Priority: P5
 Component: ssh
  Assignee: unassigned-b...@mindrot.org
  Reporter: br...@fryer.io

ssh_config lacks the ability to set the same configuration option
available from the cli with "-E log_file". 

Pull request: https://github.com/openssh/openssh-portable/pull/491



[Bug 3682] incorrectly thinks that -fzero-call-used-regs should work

2024-04-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3682

--- Comment #2 from Tadhg McDonald-Jensen  ---
arm-linux-gnueabihf-gcc (GCC) 11.3.0

I'm using GNU guix, if you are on another distro you can use the script
from here to get the guix command:
https://guix.gnu.org/manual/en/html_node/Installation.html

> guix build -K --target=arm-linux-gnueabihf openssh
> cd /tmp/guix-build-openssh-9.7p1.drv-0
> guix shell -D openssh
> source ./environment-variables
> cd openssh-9.7p1/
> make channels.o

The `guix build` reproduces the error, the rest of the commands go to
the failed build directory (which is saved by the -K argument, the `0`
at the end is auto-incremented if building multiple times) and
reproduce the error in a development friendly environment.



[Bug 3682] incorrectly thinks that -fzero-call-used-regs should work

2024-04-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3682

Darren Tucker  changed:

   What|Removed |Added

 CC||dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
Which distro and compiler version are you using?



[Bug 3682] incorrectly thinks that -fzero-call-used-regs should work

2024-04-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3682

Tadhg McDonald-Jensen  changed:

   What|Removed |Added

 CC||tadhgmis...@gmail.com



[Bug 3682] New: incorrectly thinks that -fzero-call-used-regs should work

2024-04-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3682

Bug ID: 3682
   Summary: incorrectly thinks that -fzero-call-used-regs should
work
   Product: Portable OpenSSH
   Version: 9.7p1
  Hardware: ARM
OS: Linux
Status: NEW
  Severity: normal
  Priority: P5
 Component: Build system
  Assignee: unassigned-b...@mindrot.org
  Reporter: tadhgmis...@gmail.com

When I run `./configure --host=arm-linux-gnueabihf` it gives this
indication in the output:

> checking if gcc supports compile flag -fzero-call-used-regs=used and linking 
> succeeds... yes 

However when I then run `make channels.o` it fails saying this. (same
with sshkey.o and a few others)

> channels.c: In function ‘channel_connect_ctx_free’:
> channels.c:4666:1: sorry, unimplemented: ‘-fzero-call-used-regs’ not 
> supported on this target

I suspect this is an issue with the current test script, most of the
files compile fine.  But as is I am unable to compile openssh for arm
systems without manually removing that flag. (or check from the
configure script)



[Bug 3681] SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured

2024-04-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3681

--- Comment #1 from AlexpFR  ---
Edit: Read ls ~/.ssh/ not ls ~/.ssh/config



[Bug 3681] New: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured

2024-04-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3681

Bug ID: 3681
   Summary: SSH Agent Certificate Not Recognized with
'IdentitiesOnly' Configured
   Product: Portable OpenSSH
   Version: 9.7p1
  Hardware: All
OS: All
Status: NEW
  Severity: trivial
  Priority: P5
 Component: ssh
  Assignee: unassigned-b...@mindrot.org
  Reporter: cont...@alexandre-petit.fr

Created attachment 3812
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3812&action=edit
git diff for fix example (sshconnect2.c)

The certificate present in the SSH agent is not added to the keys to be
tested when 'IdentitiesOnly yes' is configured in the ~/.ssh/config
file.

$ cat ~/.ssh/config
Host exemple.org
IdentityFile ~/.ssh/id_ed25519.pub
IdentitiesOnly Yes

$ ssh-add -l
256 SHA256:  (ED25519)
256 SHA256:  (ED25519-CERT)

$ ls ~/.ssh/config
config  id_ed25519.pub

With the same configuration, 'ssh' defaults to looking for a
certificate in ~/.ssh/id_ed25519.pub-cert:

$ ssh -vvv u...@exemple.org
debug1: identity file ~/.ssh/id_ed25519.pub type 3
debug1: identity file ~/.ssh/id_ed25519.pub-cert type -1

I believe the expected behavior should also include searching for the
certificate in the agent.
I have attempted a very simple and unpretentious fix. The .diff file is
attached.
The certificate is added from the agent with 'IdentitiesOnly Yes'. The
code is redundant, but it works.

Yet another inconsistency: 'ssh-keygen' generates certificates in the
form id_ed25519-cert.pub, whereas "ssh" searches for
id_ed25519.pub-cert.

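Editor's note, added here and not part of the report or of OpenSSH: the two debug lines above show where the naming mismatch in the last paragraph comes from. ssh forms the certificate name by appending "-cert" to the IdentityFile value, so an IdentityFile of ~/.ssh/id_ed25519.pub is probed as ~/.ssh/id_ed25519.pub-cert, while ssh-keygen -s writes ~/.ssh/id_ed25519-cert.pub next to the key. Pointing IdentityFile at the key's base name, or naming the certificate explicitly with CertificateFile, makes the two agree. The script below checks a given IdentityFile value against the files on disk and prints the fix. The function names and the throwaway files are constructed for the example; the second probe with a ".pub" suffix is the editor's reading of how ssh loads public keys, not something the report shows.

```shell
#!/bin/sh
# Added example (not OpenSSH code): check whether the certificate ssh-keygen
# wrote will be found for a given IdentityFile value.

# find_identity_cert IDENTITYFILE
# Probe the names ssh derives from an IdentityFile: "<path>-cert", then
# "<path>-cert.pub" (assumed fallback).  Prints the first that exists,
# returns 1 if none does.
find_identity_cert() {
    for c in "$1-cert" "$1-cert.pub"; do
        if [ -f "$c" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# lint_identity_file IDENTITYFILE
# Returns 0 when a certificate is found, 2 when the IdentityFile ends in
# .pub and the certificate exists under ssh-keygen's name "<base>-cert.pub"
# (the report's situation), 1 when there is no certificate at all.
lint_identity_file() {
    id=$1
    if cert=$(find_identity_cert "$id"); then
        echo "ok: $id will load $cert"
        return 0
    fi
    case $id in
        *.pub)
            base=${id%.pub}
            if [ -f "$base-cert.pub" ]; then
                echo "mismatch: ssh probes $id-cert and $id-cert.pub,"
                echo "          but ssh-keygen wrote $base-cert.pub"
                echo "fix (either one), in ~/.ssh/config:"
                echo "    IdentityFile $base"
                echo "    IdentitiesOnly yes"
                echo "or:"
                echo "    IdentityFile $id"
                echo "    CertificateFile $base-cert.pub"
                echo "    IdentitiesOnly yes"
                return 2
            fi
            ;;
    esac
    echo "no certificate found for $id"
    return 1
}

# Demonstration on a throwaway directory mirroring the report's ~/.ssh
# (constructed empty files, not real keys).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    : > "$d/id_ed25519.pub"
    : > "$d/id_ed25519-cert.pub"
    lint_identity_file "$d/id_ed25519.pub"
    lint_identity_file "$d/id_ed25519"
    rm -rf "$d"
fi
```

Run it as `sh check-cert.sh demo` to see both outcomes; with a real ~/.ssh, call `lint_identity_file ~/.ssh/id_ed25519.pub` and compare with `ssh -vvv` output such as the two debug lines in the report.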


[Bug 3680] Wrong destination in case of dropbear server

2024-04-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3680

Darren Tucker  changed:

   What|Removed |Added

 CC||dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
This was fixed in 9.4p1 in this commit:
https://github.com/openssh/openssh-portable/commit/bdcaf7939029433635d63aade8f9ac762aca2bbe

Author: Darren Tucker 
Date:   Wed May 10 18:50:46 2023 +1000

Special case OpenWrt instead of Dropbear.

OpenWrt overrides the location of authorized_keys for root.  Currently we
assume that all Dropbear installations behave this way, which is not the
case.  Check for OpenWrt and root user before using that location instead
of assuming that for all Dropbear servers.  Prompted by Github PR#250.

SSH-Copy-ID-Upstream: 0e1f5d443a9967483c33945793107ae3f3e4af2d



[Bug 3680] New: Wrong destination in case of dropbear server

2024-04-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3680

Bug ID: 3680
   Summary: Wrong destination in case of dropbear server
   Product: Portable OpenSSH
   Version: 8.9p1
  Hardware: Other
OS: Linux
Status: NEW
  Severity: normal
  Priority: P5
 Component: ssh-copy-id
  Assignee: unassigned-b...@mindrot.org
  Reporter: vlebe...@scaleway.com

ssh-copy-id adds the public key to /etc/dropbear/authorized_keys.
This is the wrong place.  As mentioned here:
https://linux.die.net/man/8/dropbear  The correct place is
$HOME/.ssh/authorized_keys.



[Bug 1169] Enhancement request to support subnet configurations for Host configuration directive

2024-04-16 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1169

main.ha...@gmail.com changed:

   What|Removed |Added

 CC||main.ha...@gmail.com



[Bug 3355] no-touch-required flag not restored from hardware token

2024-04-13 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3355

Merritt Krakowitzer  changed:

   What|Removed |Added

 CC||merr...@krakowitzer.com

--- Comment #11 from Merritt Krakowitzer  ---
Is there any possibility for this to be included in newer releases?

I have managed to patch 9.2p1 and verified that both ssh-add and
ssh-keygen work as described. 

However the patches are no longer valid on the latest release (9.7p1).

Thanks in advance if this is possible. I would prefer to be able rely
on an upstream release rather than roll my own.



[Bug 3439] identify password prompts

2024-04-12 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

Christoph Anton Mitterer  changed:

   What|Removed |Added

 CC||cales...@scientia.org

--- Comment #5 from Christoph Anton Mitterer  ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).

If I understand comment 2 correctly, then in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host
(just once with () around), which may then be followed by any server
provided string, right?


Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the
terminal, (assuming it may contain newlines and/or very long lines) is
prefixed with that (user@host) - but just for displaying purposes, not
for what goes into argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt

My idea is that a server could e.g. provide a very long single line
prompt or a multi line prompt effectively causing something like this:

(true-user@true-host) This is the server's prompt and he's writing a
lot
of bla bla which no one is interested in. Actually I've seen such
servers
in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:

Here, an intermediate rogue server might try to trick the user into
revealing the passphrase or OTP for some completely different server.


Not the most severe attack... but still, we've recently seen how
powerful social engineering can be.


Cheers,
Chris.



[Bug 3679] New: SSH_ASKPASS program also used for non-password queries

2024-04-12 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3679

Bug ID: 3679
   Summary: SSH_ASKPASS program also used for non-password queries
   Product: Portable OpenSSH
   Version: 9.7p1
  Hardware: Other
OS: All
Status: NEW
  Severity: normal
  Priority: P5
 Component: ssh
  Assignee: unassigned-b...@mindrot.org
  Reporter: cales...@scientia.org

Hey.

I noted the following behaviour, which may or may not be desired, but
seems at least undocumented.

When using SSH_ASKPASS/SSH_ASKPASS_REQUIRE, ssh doesn't only invoke the
SSH_ASKPASS when actually querying a passphrase, but also e.g. at least
when asking whether the fingerprint is correct or not.
(The authenticity of host … Are you sure you want to continue
connecting (yes/no/[fingerprint])?)

That's not really clear from the sshd(1) manpage, which says "If ssh
needs a passphrase...".

I was thinking whether this could be abused in some way, but I guess
not.

The only problem I see is that the askpass program cannot easily know
whether it's now being used for a passphrase (in which case it probably
disables character echoing) or a normal query (where chars should be
echoed).

And detecting that via some regexp (the fingerprint prompt is actually
given as argv[1] in the program) is also rather ugly.


Think it would be nice to have the information that SSH_ASKPASS is also
used for such prompts.
And perhaps a simple way for the programs to determine what's currently
being queried?

Cheers,
Chris.

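Editor's note, added here and not part of the report or of OpenSSH: an askpass program that has to serve both kinds of prompt can only tell them apart from the text ssh passes in argv[1], as the report says. The script below does that for the host-key question quoted above and treats every other prompt as a secret, so an unrecognised prompt is never echoed. The function names and the prompt strings used for the demonstration are constructed for the example; the confirmation pattern is the wording quoted in the report and would have to be extended for any other non-secret prompt.

```shell
#!/bin/sh
# Added example (not OpenSSH code): a terminal askpass helper for
# SSH_ASKPASS that echoes confirmations and hides secrets.

# askpass_mode PROMPT: "confirm" for the host-key question, "secret" for
# everything else (fail closed: an unknown prompt is never echoed).
askpass_mode() {
    case $1 in
        *"Are you sure you want to continue connecting"*) echo confirm ;;
        *) echo secret ;;
    esac
}

# run_askpass PROMPT: show the prompt on the controlling terminal, read the
# answer there (echo on for confirmations, off for secrets) and write it to
# stdout, which is the pipe ssh reads the answer from.
run_askpass() {
    prompt=$1
    printf '%s ' "$prompt" > /dev/tty
    if [ "$(askpass_mode "$prompt")" = confirm ]; then
        read -r answer < /dev/tty
    else
        stty -echo < /dev/tty
        read -r answer < /dev/tty
        stty echo < /dev/tty
        echo > /dev/tty
    fi
    printf '%s\n' "$answer"
}

# When installed as the SSH_ASKPASS program ssh passes the prompt as $1;
# run with no arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then
    run_askpass "$1"
fi
```

To use it, point SSH_ASKPASS at the script and set SSH_ASKPASS_REQUIRE=force so ssh uses it even when a terminal is available; both variables are documented in ssh(1).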


[Bug 3678] New: ssh "Failed to add the host to the list of known hosts" in "~/.ssh/known_hosts.d/" yet also can read ~/.ssh/known_hosts file

2024-04-09 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3678

Bug ID: 3678
   Summary: ssh "Failed to add the host to the list of known
hosts" in "~/.ssh/known_hosts.d/" yet also can read
~/.ssh/known_hosts file
   Product: Portable OpenSSH
   Version: 9.2p1
  Hardware: amd64
OS: Linux
Status: NEW
  Severity: normal
  Priority: P5
 Component: ssh
  Assignee: unassigned-b...@mindrot.org
  Reporter: p...@chiltern.org.uk

I have two Debian servers, one running OpenSSH_9.2p1 Debian-2+deb12u2
and one running OpenSSH_8.4p1 Debian-5+deb11u3. I need to ssh between
them from time to time. Having not done this since doing Debian
distribution updates I was getting unknown host messages, which is odd
because I can still ssh into both machines from another computer
(running OpenSSH_7.9p1, LibreSSL 2.7.3) without any issue or any
warnings about unknown hosts.

The authenticity of host '#' can't be established.
ECDSA key fingerprint is SHA256:.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
Failed to add the host to the list of known hosts
(/home/#/.ssh/known_hosts.d/host1).

Other than a different host name and fingerprint I get exactly the
same error on both Debian servers. In both cases I can log in fine,
but since the known host is never saved, no checking for impersonation
can happen. I've tried manually adding the host key to the
~/.ssh/known_hosts file:
host1 ecdsa-sha2-nistp256 ##...

But it still can't find it. Yet if I manually generate a fingerprint
using "ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub" it matches... So
there isn't any impersonation going on, just ssh can't read the old
known_hosts file, and can't create its new known_hosts.d folder or
files within.

The folder ~/.ssh/known_hosts.d/ didn't exist on either server, so I've
tried creating it on one, but ssh still didn't seem to be able to
create the key file, even after checking permission and folder
ownership (with just ls -lh):
-rw-r--r-- 1 user user 888 May  5  2021 known_hosts
drw-r--r-- 1 user user  38 Apr  9 16:51 known_hosts.d

I then manually created file that ssh was trying to create using nano,
which I could only then save if using root permissions.

What is very odd is that you can see this file without root
permissions:
user@host2:~/.ssh$ ls -lh ./known_hosts.d/
ls: cannot access './known_hosts.d/host1': Permission denied
total 0
-? ? ? ? ?? host1
peter@debianThinkCentre:~/.ssh$ sudo ls -lh ./known_hosts.d/
[sudo] password for user: 
total 4.0K
-rw-r--r-- 1 user user 1 Apr  9 16:51 host1

This would explain why ssh can't create the file, but it's beyond me
why this permissions issue exists.

I searched other bugs on here for "~/.ssh/known_hosts.d/" and only one
came up which didn't seem relevant. I've spent a few hours today searching
the internet more widely for anything about ~/.ssh/known_hosts.d/ and all
of the documentation and guidance seems to talk of the known_hosts file
and nothing of a known_hosts.d folder. I notice this was only introduced
in v8.4, which is I guess why the machine running OpenSSH_7.9p1 which I
mostly use as ssh client doesn't have the same issue.

This seems like there might be a bug to me, but it might be some quirk
of this configuration/setup which the lack of documentation of the
known_hosts.d folder makes hard to unpick. Advice would be much appreciated
if this isn't a bug. Happy to try more things or share more information
if helpful.

-
The only other thing I think relevant to flag is that on both machines
I've got a file in /etc/ssh/sshd_config.d/ with the following:
"AllowUsers ...

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Macs hmac-sha2-256,hmac-sha2-512"

However commenting this out seems to make no difference.

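Editor's note, added here and not part of the report: in the ls -lh output above the directory is drw-r--r-- (mode 0644), that is, it carries no execute (search) bit. Without that bit on a directory nothing inside it can be opened or created, whatever the files' own modes; that is consistent with ssh failing to write known_hosts.d/host1 and with ls printing "?" for an entry it can name but not stat, and root is exempt from the check, which is why sudo shows the file. The script below turns that into a check to run before filing a bug; it reads the mode from ls -ld rather than test -x so the answer is the same for root. The function names are constructed for the example, and the ssh -G helper only reports what the client configuration resolves UserKnownHostsFile to.

```shell
#!/bin/sh
# Added example (not OpenSSH code): verify that a known_hosts directory is
# usable by its owner before blaming ssh.

# known_hosts_dir_check DIR
# 0: usable; 1: missing; 2: owner search (x) bit missing, so ssh can
# neither stat nor create files inside it.  The mode string comes from
# `ls -ld` so that the check is the same whether or not it runs as root.
known_hosts_dir_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (ssh does not create the directory itself)"
        return 1
    fi
    mode=$(ls -ld "$dir" | cut -c1-10)     # e.g. drw-r--r--
    case $mode in
        d??[xs]*)
            echo "ok: $dir is $mode"
            return 0
            ;;
        *)
            echo "unsearchable: $dir is $mode; the owner has no x bit"
            echo "fix: chmod 700 $dir"
            return 2
            ;;
    esac
}

# known_hosts_files HOST
# Ask the client where it will look for HOST after all Include files and
# Match blocks are applied (ssh -G prints the resolved options), one path
# per line.
known_hosts_files() {
    ssh -G "$1" | awk '$1 == "userknownhostsfile" { for (i = 2; i <= NF; i++) print $i }'
}

# Demonstration on a throwaway directory with the mode from the report.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    mkdir "$d/known_hosts.d"
    chmod 644 "$d/known_hosts.d"
    known_hosts_dir_check "$d/known_hosts.d"
    chmod 700 "$d/known_hosts.d"
    known_hosts_dir_check "$d/known_hosts.d"
    rm -rf "$d"
fi
```

On a real system run `known_hosts_files host1` first, then `known_hosts_dir_check` on the directory part of each path it prints.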


[Bug 3677] Proper escaping for ssh remote command line

2024-04-08 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3677

Darren Tucker  changed:

   What|Removed |Added

 CC||dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
(In reply to Daniel from comment #0)
> ssh me@myserver echo a 'b " c' d

If you don't need stdin, you can work around some of your examples by
specifying the shell you want and feeding the command via a here doc:

$ ssh localhost /bin/sh <

> I think it's easy to implement an escaping engine in the ssh client

It's not.  It's probably not even possible.  Even if it was, modifying
the sent command behind the user's back is dubious.

In the ssh spec, the "exec" channel request has a single command
string: https://datatracker.ietf.org/doc/html/rfc4254#section-6.5

and while you might be able to do it for *a* shell, you don't know what
the user's shell is at the other end.  Does your escaping work with
zsh?  csh?  tcsh?  fish?  You don't even know if the other end is
attached to a vaguely POSIX-like environment.  Does your escaping work
with Windows?  VMS?  z/OS?  NonStop?  Cisco routers?  A random
appliance?

To do what you're describing in a supportable way, it'd probably need
to be an "execv" protocol extension.  This has been discussed in the
past (eg https://marc.info/?l=openssh-unix-dev&m=110195952412587&w=2)
but it also has many potential problems: how do you handle fallback
when the extension is not supported?  Do you require a full path to the
executable?  if not, where do you get $PATH since the shell usually
sets it? and other environment variables?  These limitations (and
probably others) limit the potential utility of this approach too.



[Bug 3677] New: Proper escaping for ssh remote command line

2024-04-08 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3677

Bug ID: 3677
   Summary: Proper escaping for ssh remote command line
   Product: Portable OpenSSH
   Version: 8.9p1
  Hardware: amd64
OS: Linux
Status: NEW
  Severity: enhancement
  Priority: P5
 Component: ssh
  Assignee: unassigned-b...@mindrot.org
  Reporter: sshbug24.10.hac...@recursor.net

If the remote command line contains arguments, it seems that these
arguments are merged to a single string command.

ACTUAL SITUATION:

> ssh me@myserver echo a "b  c" d
-vvv: debug1: Sending command: echo aaa b  c d
< a b c d

> ssh me@myserver echo a 'b " c' d
-vvv: debug1: Sending command: echo aaa b " c d
< bash: -c: line 1: unexpected EOF while looking for matching `"'
< bash: -c: line 2: syntax error: unexpected end of file

> ssh me@myserver echo a "b ' c" d
-vvv: debug1: Sending command: echo aaa b ' c d
< bash: -c: line 1: unexpected EOF while looking for matching `''
< bash: -c: line 2: syntax error: unexpected end of file

EXPECTED:
> ssh me@myserver echo a "b  c" d
-vvv: Sending command: echo aaa 'b  c' d
< a b  c d
(space is preserved)

> ssh me@myserver echo a 'b " c' d
-vvv: Sending command: echo aaa 'b " c' d
-vvv: or: Sending command: echo aaa "b \" c" d
< a b " c d
(any character is preserved, no character/combination can break out of
the argument)

> ssh me@myserver echo a "b ' c" d
-vvv: Sending command: echo aaa 'b '"'"' c' d
-vvv: or: Sending command: echo aaa "b ' c" d
< a b ' c d
(same)

ADVANCED EXAMPLE:

> $ a="this ; echo or that"
> $ ssh me@myserver echo the string is "$a"
< the string is this
< or that

expected:

< the string is this ; echo or that

imagine if the string is:

> $ aDONTTRY="this ; rm -rf /"

here we are also entering the topic of possible injection of malicious
code

DETAILS:

In today's times, users just expect that _all_ commands can correctly
handle arguments, at least in pure linux/unix environments.

I think it's easy to implement an escaping engine in the ssh client
which can handle even the most complex strings and transform them into
a single-string command with correct escaping.

The harder part is probably the transition: some users might have
written workarounds around this and will fail if this changes. Maybe we
need an option to enable/disable the new behaviour, but I would
recommend it as a default, for security reasons.

See also this post at stackexchange:
https://unix.stackexchange.com/questions/397400/does-ssh-really-fail-correctly-escaping-remote-commands?noredirect=1#comment1478787_397400

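Editor's note, added here and not part of the report, of Darren Tucker's reply or of OpenSSH: the client cannot quote for an unknown remote shell, which is the point of the reply above, but the caller can quote for the common case where the remote login shell is POSIX sh-compatible (bash, dash, ksh, zsh). The script below reproduces the report's "ACTUAL" and "ADVANCED EXAMPLE" output by running the space-joined string through a local `sh -c`, which is what the remote side does with the single "exec" string, and next to it shows each argument wrapped in single quotes so the remote shell splits it back into exactly the argv that was passed. Function names and the sample strings are constructed for the example; the quoting does nothing useful for csh, fish or non-Unix targets.

```shell
#!/bin/sh
# Added example (not OpenSSH code): argument quoting for a POSIX sh remote
# end, beside the unquoted join that produces the bug report's output.

# sh_quote_one STRING: wrap STRING in single quotes; each embedded single
# quote becomes '\'' (close, escaped quote, reopen).  Every other byte is
# inert inside single quotes, so nothing else needs escaping.
sh_quote_one() {
    s=$1
    r=''
    q="'"
    while :; do
        case $s in
            *"$q"*) ;;
            *) break ;;
        esac
        head=${s%%"$q"*}
        s=${s#*"$q"}
        r="$r$head'\\''"
    done
    printf "'%s'" "$r$s"
}

# sh_quote ARG...: the whole argv, quoted and space-joined, ready to be
# passed as the one command string:  ssh host "$(sh_quote cmd args...)"
sh_quote() {
    out=''
    for a in "$@"; do
        out="$out${out:+ }$(sh_quote_one "$a")"
    done
    printf '%s' "$out"
}

# naive_join ARG...: what the report's "Sending command:" line shows today,
# arguments joined with single spaces and no quoting.
naive_join() {
    printf '%s' "$*"
}

# run_remote STRING: stand-in for the server side, which hands the single
# "exec" string to the user's login shell as `sh -c STRING`.
run_remote() {
    sh -c "$1"
}

# Demonstration with the report's ADVANCED EXAMPLE (constructed input).
if [ "${1:-}" = demo ]; then
    a='this ; echo or that'
    echo '--- naive join (current behaviour, two commands run):'
    run_remote "$(naive_join echo the string is "$a")"
    echo '--- quoted for POSIX sh (one command, argument preserved):'
    run_remote "$(sh_quote echo the string is "$a")"
fi
```

With a real host the call is `ssh me@myserver "$(sh_quote echo a 'b " c' d)"`; because the remote shell sees one quoted word per argument, a value such as `this ; rm -rf /` arrives as data rather than as a second command.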


[Bug 2641] Add systemd notify code to track running server

2024-04-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #34 from Luca Boccassi  ---
(In reply to Damien Miller from comment #33)
> Committed as 08f579231cd38 and will be in OpenSSH-9.8, due around
> June/July.

Thank you!



[Bug 3613] Unable to sign using certificates and PKCS#11

2024-04-04 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #18 from aim@orbit.online ---
Yes!! Thank you Damien. This works perfectly!

I only just now had the extra time to get back to it.

I can confirm that I am now able to sign a peer PKCS#11 pubkey with a
CA PKCS#11 key, use the resulting certificate and the peer PKCS#11 key
to sign a file, and then verify that the file has been signed by the
peer and that the peer is trusted through a "cert-authority" in the
allow signers file.

I have attached a Dockerfile and a test script which functionally tests
everything and also demos how it all works together. It can be run with
`docker run --rm $(docker build -q .)`.

The "Good "file" signature for Peer with RSA-CERT key SHA256:..." is
what to look for in the logs.

Again, thank you for your hard work Damien, in a corporate context we
can now do short lived ssh-certs for git commit signing and pushing
while the key itself can reside on a e.g. a YubiKey or a TPM.



[Bug 3613] Unable to sign using certificates and PKCS#11

2024-04-04 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #17 from aim@orbit.online ---
Created attachment 3811
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3811&action=edit
Dockerfile



[Bug 3613] Unable to sign using certificates and PKCS#11

2024-04-04 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #16 from aim@orbit.online ---
Created attachment 3810
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3810&action=edit
test-pkcs11-cert-sign.sh



[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-03 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

--- Comment #4 from Andres Freund  ---
> On the one hand it feels a bit like trying to fight the last battle, but on 
> the other it is a meaningful attack surface reduction.

Agreed on both points.

Thanks for the quick writing of the patch!


I don't know the openssh codebase well, so my ability to provide review
is limited.

I think there might still be one path "unprotected" after this.
userauth_hostbased() uses sshkey_from_blob() and 
a) checks options.hostbased_accepted_algos afterwards
b) uses sshkey_from_blob(), not sshkey_from_blob_expect_type(), with a
subsequent check of the certificate type


Another thing I noticed is that it might end up being a bit harder to
debug some of the error paths after the change, due to going from
specific error messages to more generic error codes. OTOH, it seems
unlikely that these paths are encountered outside of attacks.



[Bug 2641] Add systemd notify code to track running server

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #33 from Damien Miller  ---
Committed as 08f579231cd38 and will be in OpenSSH-9.8, due around
June/July.



[Bug 2641] Add systemd notify code to track running server

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #32 from Damien Miller  ---
Comment on attachment 3809
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3809
standalone notify and timestamp patch

This looks fine to me. I'll commit it. Thanks for your help!



[Bug 2641] Add systemd notify code to track running server

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller  changed:

   What|Removed |Added

   Attachment #3805|ok?(dtuc...@dtucker.net)|
  Flags||
   Attachment #3805|0   |1
is obsolete||



[Bug 2641] Add systemd notify code to track running server

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #31 from Luca Boccassi  ---
Created attachment 3809
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3809&action=edit
standalone notify and timestamp patch

One more change, to support abstract namespace sockets (for containers)
as per protocol defined at
https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes



[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

git...@kalvdans.no-ip.org changed:

   What|Removed |Added

 CC||git...@kalvdans.no-ip.org

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #30 from Michal Koutný  ---
(In reply to Damien Miller from comment #28)
> Good catch about the sighup restart no longer running in a signal
> handler.

(In reply to Damien Miller from comment #13)
> ...
> It is also signal-handler safe, which is not the case for the originally
> proposed diffs.

The original diff (comment 10) already put the notification in
sighup_restart() not in sighup_handler(), i.e. still the same place
where platform_pre_restart() is called now, not a signal handler
context AFAICS.
platform_* hooks look like the appropriate places for these calls.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller  changed:

   What|Removed |Added

   Attachment #3805||ok?(dtuc...@dtucker.net)
  Flags||

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller  changed:

   What|Removed |Added

   Attachment #3807|0   |1
is obsolete||

--- Comment #3 from Damien Miller  ---
Created attachment 3808
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3808&action=edit
correct diff

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller  changed:

   What|Removed |Added

   Attachment #3806|0   |1
is obsolete||

--- Comment #2 from Damien Miller  ---
Created attachment 3807
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3807&action=edit
correct diff

oops, that was an older version of the change. Use this.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Damien Miller  changed:

   What|Removed |Added

 CC||d...@mindrot.org

--- Comment #1 from Damien Miller  ---
Created attachment 3806
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3806&action=edit
check expected key type and CA algorithm earlier

On the one hand it feels a bit like trying to fight the last battle,
but on the other it is a meaningful attack surface reduction.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #29 from Luca Boccassi  ---
(In reply to Damien Miller from comment #28)
> Created attachment 3805 [details]
> simplified further
> 
> Good catch about the sighup restart no longer running in a signal
> handler.
> 
> We can simplify further if we make ssh_systemd_notify() accept a
> format string. We also have code to get the CLOCK_MONOTONIC timer
> that we can reuse.

Looks good to me, tested on Debian testing as before, works as
expected.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller  changed:

   What|Removed |Added

   Attachment #3798|0   |1
is obsolete||
   Attachment #3804|0   |1
is obsolete||

--- Comment #28 from Damien Miller  ---
Created attachment 3805
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3805&action=edit
simplified further

Good catch about the sighup restart no longer running in a signal
handler.

We can simplify further if we make ssh_systemd_notify() accept a format
string. We also have code to get the CLOCK_MONOTONIC timer that we can
reuse.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi  changed:

   What|Removed |Added

   Attachment #3802|0   |1
is obsolete||

--- Comment #27 from Luca Boccassi  ---
Created attachment 3804
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3804&action=edit
standalone notify and timestamp patch

> That's more tricky as the reload is called from signal handler context and we 
> can't use snprintf() there to format the usec part of the message. We'd have 
> to refactor how sshd manages SIGHUP restarts.
>
> That would make some other things easier, but it's still a bigger change.

I went back and had a look at this, and unless I am missing something
the reloading message is not being sent from the signal handler?

The handler is sighup_handler which just sets a boolean and returns,
following the usual pattern:

https://anongit.mindrot.org/openssh.git/tree/sshd.c#n298

but the notification message is sent from the platform_pre_restart()
hook, which is called from the main context from the main loop via
sighup_restart():

https://anongit.mindrot.org/openssh.git/tree/sshd.c#n304

This already does some logging, which uses format strings. Also
platform_pre_restart() already calls oom_adjust_restore() which also
uses format strings.

So I went ahead and did the necessary modifications in the latest
version, which also simplified the message handling as it can log
unconditionally now, and added the timestamp too.
I've tested this and it seems to work just fine on Debian testing: I can
change ssh.service to Type=notify-reload and reloading works just fine,
including the state transitions.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

--- Comment #3 from Colin Watson  ---
Created attachment 3803
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3803&action=edit
Add Autoconf cache variables for OSSH_CHECK_*FLAG_*

How about this?  Briefly tested, but it seems to do the job.  For
example:

  $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
  [...]
  checking if cc supports compile flag -ftrapv and linking succeeds... yes
  checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
  checking if cc supports compile flag -ftrivial-auto-var-init=zero... yes

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3674] Tracking bug for OpenSSH 9.8

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
Bug 3674 depends on bug 3673, which changed state.

Bug 3673 Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|FIXED   |---

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Colin Watson  changed:

   What|Removed |Added

 Resolution|FIXED   |---
 Status|RESOLVED|REOPENED

--- Comment #2 from Colin Watson  ---
Frustratingly, this patch somehow managed to regress behaviour on
Debian ppc64el (see
https://buildd.debian.org/status/fetch.php?pkg=openssh=ppc64el=1%3A9.7p1-3=1711920599=log;
also compare https://bugzilla.mindrot.org/show_bug.cgi?id=3645).  I can
run test code on this architecture, but I have no idea how adding this
extra code to this check made the check somehow pass on ppc64el when it
should have failed.

I don't suppose this check could be wrapped in AC_CACHE_CHECK somehow? 
Then, rather than bothering you with extra portability checks that
nobody really seems to understand, I could just brute-force it by
passing ac_cv_whatever=no to configure on the relevant architectures. 
I don't really want to take up a bunch of your time figuring this
nonsense out ...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #26 from Colin Watson  ---
Either version of Luca's patch looks fine to me.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3670] [ssh-agent] 100% CPU spin in cleanup_handler signal handler

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3670

Jessie  changed:

   What|Removed |Added

 CC||mia.lyo...@gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Jessie  changed:

   What|Removed |Added

 CC||mia.lyo...@gmail.com

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Benjamin Gilbert  changed:

   What|Removed |Added

 CC||bgilb...@backtick.net

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.

2024-04-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Tõivo Leedjärv  changed:

   What|Removed |Added

 CC||toi...@gmail.com

--- Comment #9 from Tõivo Leedjärv  ---
It seems to me that the patch may contain a bug (also the same in the
similar patch in serverloop.c).

Instead of
  sigprocmask(SIG_UNBLOCK, , )
should it not be
  sigprocmask(SIG_SETMASK, , NULL)
to restore the previous mask?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
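The distinction raised in comment #9, shown as an added example in Python rather than as OpenSSH's C (this is not the patch under discussion): a critical section blocks its signals, reads the restart flag, and then restores the mask either with SIG_UNBLOCK on the set it blocked or with SIG_SETMASK on the saved set. The two differ exactly when the caller already had one of those signals blocked on entry. The handler itself only records the event, which is the same separation the Bug 2641 thread relies on when it keeps notification work out of sighup_handler() and in the main loop. The function names and the sample masks are this example's own, not sshd's.

```python
import signal

_sighup_seen = False


def sighup_handler(signum, frame):
    """Async-signal-safe body: record the event and return. Formatting, logging
    and notifications belong in the main loop, not here."""
    global _sighup_seen
    _sighup_seen = True


def install_handler():
    signal.signal(signal.SIGHUP, sighup_handler)


def take_sighup_flag():
    """Read-and-clear of the flag; only meaningful while SIGHUP is blocked."""
    global _sighup_seen
    seen, _sighup_seen = _sighup_seen, False
    return seen


def current_mask():
    """Blocking the empty set changes nothing and returns the current mask."""
    return {getattr(s, "name", str(s))
            for s in signal.pthread_sigmask(signal.SIG_BLOCK, set())}


def restore_with_unblock(saved, critical):
    """Mirror of sigprocmask(SIG_UNBLOCK, &critical, ...): clears every signal in
    `critical`, including ones the caller already had blocked before entry."""
    signal.pthread_sigmask(signal.SIG_UNBLOCK, set(critical))


def restore_with_setmask(saved, critical):
    """Mirror of sigprocmask(SIG_SETMASK, &saved, NULL): reinstates exactly the
    mask that was in force on entry."""
    signal.pthread_sigmask(signal.SIG_SETMASK, saved)


def check_restart_flag(critical, restore):
    """Race-free shape: block the signals, read the flag, (in sshd) ppoll() with
    the saved mask so a signal arriving after the check is delivered inside the
    wait instead of being lost, then restore the mask."""
    saved = signal.pthread_sigmask(signal.SIG_BLOCK, set(critical))
    try:
        want_restart = take_sighup_flag()
    finally:
        restore(saved, critical)
    return want_restart


def compare_restores(pre_blocked=frozenset({signal.SIGTERM}),
                     critical=frozenset({signal.SIGHUP, signal.SIGTERM})):
    """Enter the critical section from a caller mask of `pre_blocked`, once per
    restore strategy, and report the mask each leaves behind. The process's own
    mask is put back before returning."""
    original = signal.pthread_sigmask(signal.SIG_BLOCK, set())
    left_behind = {}
    try:
        for name, restore in (("SIG_UNBLOCK", restore_with_unblock),
                              ("SIG_SETMASK", restore_with_setmask)):
            signal.pthread_sigmask(signal.SIG_SETMASK, set(pre_blocked))
            check_restart_flag(critical, restore)
            left_behind[name] = current_mask()
    finally:
        signal.pthread_sigmask(signal.SIG_SETMASK, original)
    return left_behind


if __name__ == "__main__":
    install_handler()
    print(compare_restores())
```

With SIGTERM already blocked on entry, the SIG_UNBLOCK variant leaves the mask empty (the caller's block is gone), while SIG_SETMASK leaves SIGTERM blocked as it found it.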


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi  changed:

   What|Removed |Added

   Attachment #3801|0   |1
is obsolete||

--- Comment #25 from Luca Boccassi  ---
Created attachment 3802
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3802&action=edit
standalone notify patch

Thinking about it, given there's no external dependency and the runtime
behaviour is a no-op unless the NOTIFY_SOCKET env var is set (which is
only set by systemd or systemd-compatible managers), I don't think the
new autoconf option is needed? There's no downside to always including
the implementation when building on Linux, like it's done with the OOM
adjustments.
New revision of the patch attached does just that.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #24 from Luca Boccassi  ---
Created attachment 3801
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3801&action=edit
standalone notify patch

The attached patch fixes the issue by creating a platform_post_listen()
hook, as suggested by Colin.
Tested in a Debian testing VM, seems to do the right thing, including
on reloading.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

fe...@eckhofer.com  changed:

   What|Removed |Added

 CC||fe...@eckhofer.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #23 from Luca Boccassi  ---
(In reply to Colin Watson from comment #20)
> Actually, I noticed a slight race here.  You're sending the
> readiness notification from platform_pre_listen; but, as the name
> implies, this is called _before_ the server has started listening. 
> The point of the readiness protocol is that the notification is only
> sent once the server is ready to accept connections.
> 
> The notification should be moved to after the listen sockets are
> bound.

Yes, good catch, this should be fixed: it's important, to avoid races,
that the notification is delivered after everything is up and running
and ready to process requests.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #22 from Luca Boccassi  ---
(In reply to Colin Watson from comment #21)
> (In reply to Luca Boccassi from comment #19)
> > Mmmh hang on I don't think that should be the case. The
> > MONOTONIC_USEC is for the Type=notify-reload workflow, that
> > automatically hooks sighup to the service, and is newer. But
> > RELOADING=1 -> READY=1 by itself should work with the older workflow
> > where you manually specify an ExecReload=kill -HUP $MAINPID in the
> > unit.
> 
> Ah, you may be right.  I was just going by looking at the code and
> hadn't actually tested removing RELOADING=1.  Probably best to leave
> it in then.

I have tested the packages you published and the reloading notification
is working:

Mar 31 14:34:28 localhost systemd[1]: ssh.service: Trying to enqueue job ssh.service/reload/replace
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Installed new job ssh.service/reload as 1333
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Enqueued job ssh.service/reload as 1333
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Will spawn child (service_enter_reload): /usr/sbin/sshd
Mar 31 14:34:28 localhost systemd[1]: ssh.service: About to execute: /usr/sbin/sshd -t
Mar 31 14:34:28 localhost (sshd)[3824]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Forked /usr/sbin/sshd as 3824 (without CLONE_INTO_CGROUP)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed running -> reload
Mar 31 14:34:28 localhost systemd[1]: Reloading ssh.service - OpenBSD Secure Shell server...
Mar 31 14:34:28 localhost (sshd)[3824]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Child 3824 belongs to ssh.service.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Control process exited, code=exited, status=0/SUCCESS (success)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Running next control command for state reload.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Will spawn child (service_run_next_control): /bin/kill
Mar 31 14:34:28 localhost systemd[1]: ssh.service: About to execute: /bin/kill -HUP "\$MAINPID"
Mar 31 14:34:28 localhost (kill)[3826]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Forked /bin/kill as 3826 (without CLONE_INTO_CGROUP)
Mar 31 14:34:28 localhost (kill)[3826]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Mar 31 14:34:28 localhost sshd[3812]: Received SIGHUP; restarting.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got notification message from PID 3812 (RELOADING=1)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Child 3826 belongs to ssh.service.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Control process exited, code=exited, status=0/SUCCESS (success)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got final SIGCHLD for state reload.
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed reload -> reload-notify
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Got notification message from PID 3812 (READY=1)
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Changed reload-notify -> running
Mar 31 14:34:28 localhost systemd[1]: ssh.service: Job 1333 ssh.service/reload finished, result=done
Mar 31 14:34:28 localhost systemd[1]: Reloaded ssh.service - OpenBSD Secure Shell server.
Mar 31 14:34:28 localhost sshd[3812]: Server listening on 0.0.0.0 port 22.
Mar 31 14:34:28 localhost sshd[3812]: Server listening on :: port 22.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #21 from Colin Watson  ---
(In reply to Luca Boccassi from comment #19)
> Mmmh hang on I don't think that should be the case. The
> MONOTONIC_USEC is for the Type=notify-reload workflow, that
> automatically hooks sighup to the service, and is newer. But
> RELOADING=1 -> READY=1 by itself should work with the older workflow
> where you manually specify an ExecReload=kill -HUP $MAINPID in the
> unit.

Ah, you may be right.  I was just going by looking at the code and
hadn't actually tested removing RELOADING=1.  Probably best to leave it
in then.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #20 from Colin Watson  ---
Actually, I noticed a slight race here.  You're sending the readiness
notification from platform_pre_listen; but, as the name implies, this
is called _before_ the server has started listening.  The point of the
readiness protocol is that the notification is only sent once the
server is ready to accept connections.

The notification should be moved to after the listen sockets are bound.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #19 from Luca Boccassi  ---
(In reply to Colin Watson from comment #18)
> I've done some testing and this does seem to basically work.
> 
> The one thing I'd point out is following on from Luca's comment:
> RELOADING=1 is ignored if you don't also send MONOTONIC_USEC=.  So
> if you're not going to send that (and I understand the reasons), you
> might as well not bother sending RELOADING=1 either; we'll just have
> to stick with Type=notify rather than Type=notify-reload for now,
> which wouldn't be a regression.

Mmmh hang on I don't think that should be the case. The MONOTONIC_USEC
is for the Type=notify-reload workflow, that automatically hooks sighup
to the service, and is newer. But RELOADING=1 -> READY=1 by itself
should work with the older workflow where you manually specify an
ExecReload=kill -HUP $MAINPID in the unit.

Let me get your packages and test this.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #18 from Colin Watson  ---
I've done some testing and this does seem to basically work.

The one thing I'd point out is following on from Luca's comment:
RELOADING=1 is ignored if you don't also send MONOTONIC_USEC=.  So if
you're not going to send that (and I understand the reasons), you might
as well not bother sending RELOADING=1 either; we'll just have to stick
with Type=notify rather than Type=notify-reload for now, which wouldn't
be a regression.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
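The notification protocol this thread implements, as an added example in Python that is not the attached patch or systemd's library: the $NOTIFY_SOCKET address rules, including the abstract-namespace '@' form from comment #31; a silent no-op when the variable is unset (comment #25); READY=1 sent only after the listeners are bound (comment #20); and the RELOADING=1 message with the MONOTONIC_USEC= field that Type=notify-reload wants (comments #14, #18 and #19). demo_exchange() plays the manager side on a throwaway filesystem socket so the exchange can be observed offline; the function names, the loopback listener and the fake manager are this example's own.

```python
import os
import socket
import tempfile
import time


def notify_socket_address(value):
    """Translate $NOTIFY_SOCKET into an AF_UNIX address as sd_notify(3) describes:
    a path starting with '/' is a filesystem socket; a leading '@' names a Linux
    abstract-namespace socket, whose address starts with a NUL byte in place of
    the '@'. Unset, empty or other schemes (e.g. vsock:) give None."""
    if not value:
        return None
    if value.startswith("/"):
        return value
    if value.startswith("@"):
        return "\0" + value[1:]
    return None


def sd_notify(message, env=None):
    """Send one notification datagram. Returns False with no side effects when
    NOTIFY_SOCKET is absent, so a daemon may call this unconditionally."""
    env = os.environ if env is None else env
    addr = notify_socket_address(env.get("NOTIFY_SOCKET"))
    if addr is None:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), addr)
    return True


def monotonic_usec():
    return time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000


def reloading_message(usec=None):
    """RELOADING=1 plus the MONOTONIC_USEC= stamp Type=notify-reload expects, so
    the manager can tell the READY=1 that ends this reload from a stale one."""
    return "RELOADING=1\nMONOTONIC_USEC=%d" % (monotonic_usec() if usec is None else usec)


def listen_then_notify(bind_addrs, env=None):
    """bind()/listen() first, READY=1 second. Sending readiness before listening
    is the race in comment #20: dependents may connect while nothing accepts."""
    listeners = []
    for host, port in bind_addrs:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(128)
        listeners.append(s)
    sd_notify("READY=1", env)
    return listeners


def parse_notify(datagram):
    """Manager-side decoding: newline-separated KEY=VALUE assignments."""
    fields = {}
    for line in datagram.decode("utf-8").split("\n"):
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def demo_exchange():
    """Both sides on a throwaway socket: a fake manager receives the startup
    READY=1, then RELOADING=1 and the READY=1 that completes the reload.
    Returns the decoded messages in arrival order."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "notify")
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    manager.bind(path)
    manager.settimeout(5)
    env = {"NOTIFY_SOCKET": path}          # constructed; systemd sets this for real
    listeners = listen_then_notify([("127.0.0.1", 0)], env)
    sd_notify(reloading_message(), env)
    sd_notify("READY=1", env)
    received = [parse_notify(manager.recv(4096)) for _ in range(3)]
    for s in listeners:
        s.close()
    manager.close()
    os.unlink(path)
    os.rmdir(workdir)
    return received


if __name__ == "__main__":
    for msg in demo_exchange():
        print(msg)
```

The abstract-namespace case cannot be exercised on a non-Linux host, which is why the demo uses a filesystem path; the address translation itself is what containers depend on.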


[Bug 3655] Default ObscureKeystrokeTiming makes X forwarding really slow

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3655

--- Comment #2 from Andreas Gustafsson  ---
Created attachment 3800
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3800&action=edit
Test program that performs 1000 round-trip X11 requests

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3655] Default ObscureKeystrokeTiming makes X forwarding really slow

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3655

Andreas Gustafsson  changed:

   What|Removed |Added

 CC||g...@araneus.fi

--- Comment #1 from Andreas Gustafsson  ---
I am also affected by this bug.  An X11 application suddenly became
slow to the point of unusability, and it took quite a lot of detective
work to determine that the cause was neither the application itself nor
the X server but ssh.

To help quantify the worst-case slowdown, I am attaching a test program
that makes 1000 round-trip requests to the X server.  Running it via
the ssh included in macOS Sonoma 14.4.1 (OpenSSH_9.6p1) shows:

$ ssh -X -oObscureKeystrokeTiming=no localhost
$ time ./test
real    0m0.120s
user    0m0.007s
sys     0m0.018s
$ exit

$ ssh -X localhost
$ time ./test
real    0m24.095s
user    0m0.018s
sys     0m0.066s

That's a slowdown by a factor of 200.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-03-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Ismail Donmez  changed:

   What|Removed |Added

 CC||ism...@i10z.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2641] Add systemd notify code to to track running server

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #17 from Colin Watson  ---
I don't see any problems from eyeballing the patch.  I've pushed a
version of the Debian packaging with this (and consequent
modifications; we also have a socket activation patch from Ubuntu, but
reworking that to avoid libsystemd wasn't too hard) to
https://salsa.debian.org/ssh-team/openssh/-/tree/without-libsystemd,
though so far I've only checked that it passes the regression tests.

https://salsa.debian.org/ssh-team/openssh/-/jobs/5521815 has .debs for
people who feel comfortable installing things from random CI jobs. 
Obviously I don't recommend installing those on production, but it's
probably OK to do so in a container/VM.  I'll look more once I've had
some sleep.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Bertrand Jacquin  changed:

   What|Removed |Added

 CC||bertr...@jacquin.bzh

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3676] New: Redirect conch stdin from /dev/zero rather than requiring a controlling terminal

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3676

Bug ID: 3676
   Summary: Redirect conch stdin from /dev/zero rather than
requiring a controlling terminal
   Product: Portable OpenSSH
   Version: -current
  Hardware: Other
OS: Linux
Status: NEW
  Severity: enhancement
  Priority: P5
 Component: Regression tests
  Assignee: unassigned-b...@mindrot.org
  Reporter: cjwat...@debian.org

Created attachment 3799
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3799&action=edit
regress: Redirect conch stdin from /dev/zero

The new controlling-terminal requirement in regress/conch-ciphers.sh is
somewhat inconvenient.  I know that in theory wrapping the regression
tests in something like script(1) should be fine, but in practice I
haven't been able to get this to work properly in Debian's autopkgtest
framework where we run the regression tests automatically; when I tried
the result was that all the output of the regression tests was hidden
from stdout and only showed up in autopkgtest's separate log file, but
only when running in CI jobs on salsa.debian.org and not locally, which
was extremely weird.

I could probably figure this out if I spent long enough debugging it,
but a tiny patch to avoid the requirement in the first place seems like
a more sensible use of time.  Would you consider the attached patch?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Luke Simmons  changed:

   What|Removed |Added

 CC||luke5...@live.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Sam James  changed:

   What|Removed |Added

 CC||s...@gentoo.org

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3675] New: CASignatureAlgorithms should be verified before verifying signatures

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Bug ID: 3675
   Summary: CASignatureAlgorithms should be verified before
verifying signatures
   Product: Portable OpenSSH
   Version: 9.7p1
  Hardware: Other
OS: All
Status: NEW
  Severity: enhancement
  Priority: P5
 Component: sshd
  Assignee: unassigned-b...@mindrot.org
  Reporter: and...@anarazel.de

Hi,

The code injected in CVE-2024-3094 causes RSA_public_decrypt to be
redirected to a payload.  This is not reachable for normal pubkey
authentication without 
1) the key algorithm being of a permitted type
2) knowing at least the signature of a pubkey in authorized_keys etc

However, certificates are verified before such checks:
userauth_pubkey()
-> sshkey_from_blob()
-> sshkey_from_blob_internal()
-> cert_parse()
-> sshkey_verify(key->cert->signature_key)
-> ssh_rsa_verify() (or others, depending on cert type)
-> openssh_RSA_verify()
-> RSA_public_decrypt()

The signature algorithm *is* subsequently checked, but of course
RSA_public_decrypt has already been called by that point. 

Outside of CVE-2024-3094, which is not openssh's responsibility, that is
not a correctness issue. But doing verification of signatures with
algorithms that are disabled still seems fairly suboptimal, increasing
the amount of code reachable without having any valid access.

Looks to me that an equivalent to checking in authorized_keys can't be
done before the verification, but checking CASignatureAlgorithms seems
entirely possible.

It might also be worth rejecting certificates without any validation if
the sshd is not configured to use CA based auth.


Regards,

Andres

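Andres's suggestion above, as an added example rather than OpenSSH code: a parser that pulls the CA signature algorithm out of a certificate blob purely structurally and gates it against a CASignatureAlgorithms-style allow-list before anything cryptographic runs. The certificate contents, the allow-list and the per-type field table are constructed for this example.

```python
"""Added example (not OpenSSH code): read which algorithm the CA used to sign
an OpenSSH certificate *before* any cryptographic verification. Wire format
per PROTOCOL.certkeys; the certificate built here is a non-verifiable stand-in."""
import struct

# Number of public-key fields (SSH strings / mpints) following the nonce.
KEY_FIELDS = {
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
}

# Example policy in the style of CASignatureAlgorithms (constructed for this
# example; note that SHA-1 "ssh-rsa" is deliberately absent).
ALLOWED_CA_SIG_ALGS = frozenset({
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256",
})

def ssh_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode an SSH string at off; raise ValueError if the buffer is short."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def ca_signature_algorithm(cert):
    """Return (CA key type, signature algorithm) from the certificate's
    trailing signature-key and signature fields. Performs no verification."""
    ctype, off = read_string(cert, 0)
    if ctype not in KEY_FIELDS:
        raise ValueError("unsupported certificate type %r" % ctype)
    _, off = read_string(cert, off)            # nonce
    for _ in range(KEY_FIELDS[ctype]):         # public key material
        _, off = read_string(cert, off)
    off += 8 + 4                               # serial (u64), type (u32)
    _, off = read_string(cert, off)            # key id
    _, off = read_string(cert, off)            # valid principals
    off += 8 + 8                               # valid after / valid before
    for _ in range(3):                         # critical options, extensions, reserved
        _, off = read_string(cert, off)
    sig_key, off = read_string(cert, off)      # CA public key blob
    sig, off = read_string(cert, off)          # signature blob
    if off != len(cert):
        raise ValueError("trailing data after signature")
    ca_key_type, _ = read_string(sig_key, 0)
    sig_alg, _ = read_string(sig, 0)
    return ca_key_type, sig_alg

def ca_signature_allowed(cert, allowed=ALLOWED_CA_SIG_ALGS):
    """Gate to evaluate before any sshkey_verify()-style call: True only if
    the CA's signature algorithm is on the allow-list."""
    _, sig_alg = ca_signature_algorithm(cert)
    return sig_alg.decode("ascii", "replace") in allowed

def build_dummy_cert(sig_alg):
    """Constructed ssh-rsa user certificate with dummy, non-verifiable content."""
    ca_pub = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc1" * 16)
    return b"".join([
        ssh_string(b"ssh-rsa-cert-v01@openssh.com"),
        ssh_string(b"N" * 32),                           # nonce
        ssh_string(b"\x01\x00\x01"),                     # e
        ssh_string(b"\x00\xab" * 16),                    # n (dummy)
        struct.pack(">QI", 7, 1),                        # serial, SSH_CERT_TYPE_USER
        ssh_string(b"alice-key"),                        # key id
        ssh_string(ssh_string(b"alice")),                # valid principals
        struct.pack(">QQ", 0, 0xFFFFFFFFFFFFFFFF),       # valid after / before
        ssh_string(b""), ssh_string(b""), ssh_string(b""),  # options, extensions, reserved
        ssh_string(ca_pub),                              # signature key
        ssh_string(ssh_string(sig_alg) + ssh_string(b"\x33" * 32)),  # signature
    ])
```

A real pre-check in sshd would additionally have to confirm that the named algorithm is one the parsed CA key type can actually produce; the allow-list gate alone is what keeps disabled algorithms from reaching the verify code.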


[Bug 2641] Add systemd notify code to to track running server

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Richard W.M. Jones  changed:

   What|Removed |Added

 CC||rjo...@redhat.com



[Bug 2641] Add systemd notify code to to track running server

2024-03-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Arkadiusz Miśkiewicz  changed:

   What|Removed |Added

 CC||ar...@maven.pl



[Bug 2641] Add systemd notify code to to track running server

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #16 from Damien Miller  ---
(In reply to Luca Boccassi from comment #14)
> While there, it would be really nice if the RELOADING=1 message also
> included MONOTONIC_USEC= (CLOCK_MONOTONIC in usec as a
> decimal string), which is used for accurate synchronization. IE,
> write a string like "RELOADING=1\nMONOTONIC_USEC=1234...". This will
> enable the unit to be of Type=notify-reload which adds some nice
> features.

That's more tricky as the reload is called from signal handler context
and we can't use snprintf() there to format the usec part of the
message. We'd have to refactor how sshd manages SIGHUP restarts.

That would make some other things easier, but it's still a bigger
change.

Anyway, if some of the distro people on this bug can report on whether
the patch is okay, then we can move forward with this and finesse it
later.



[Bug 3649] Control sockets do not connect anymore (after updating OpenSSH)

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3649

--- Comment #11 from wolfgang.liessm...@web.de ---
Yes, it's still forking into background, even when starting the master
process with -f and ControlPersist=no:

$ rm -f socket.tmp
$ ssh -vvv -MNf -o ControlPersist=no -S socket.tmp host1
[...]
debug1: forking to background
$ ls -l socket.tmp
[...]
Control socket connect(socket.tmp): Connection refused



[Bug 2641] Add systemd notify code to to track running server

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

--- Comment #15 from Damien Miller  ---
I think the READY=1 will be sent implicitly after sshd restarts



[Bug 2641] Add systemd notify code to to track running server

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Sam James  changed:

   What|Removed |Added

 CC||s...@gentoo.org



[Bug 2641] Add systemd notify code to to track running server

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Luca Boccassi  changed:

   What|Removed |Added

 CC||luca.bocca...@gmail.com

--- Comment #14 from Luca Boccassi  ---
Thanks for working on that, will be great to have native support for
the readiness protocol.

One review comment: unless I'm missing it because it's handled outside
of the patch context, after a RELOADING=1, when the reload operation is
complete, a READY=1 needs to be sent too:

https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#RELOADING=1

While there, it would be really nice if the RELOADING=1 message also
included MONOTONIC_USEC= (CLOCK_MONOTONIC in usec as a
decimal string), which is used for accurate synchronization. IE, write
a string like "RELOADING=1\nMONOTONIC_USEC=1234...". This will enable
the unit to be of Type=notify-reload which adds some nice features.



[Bug 2641] Add systemd notify code to to track running server

2024-03-29 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Damien Miller  changed:

   What|Removed |Added

   Attachment #2896|0   |1
is obsolete||
   Attachment #2950|0   |1
is obsolete||
   Attachment #3099|0   |1
is obsolete||

--- Comment #13 from Damien Miller  ---
Created attachment 3798
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3798&action=edit
standalone systemd notifications

This implements the equivalent of sd_notify() without bringing in the
rest of systemd bloat. It is also signal-handler safe, which is not the
case for the originally proposed diffs.

Lightly tested.

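The points raised in comments 13, 14 and 16 above (a libsystemd-free sd_notify() equivalent, RELOADING=1 carrying MONOTONIC_USEC= so the unit can be Type=notify-reload, and the fact that snprintf() is off limits in a signal handler), as an added example that is not Damien's attached diff: the usec value is formatted by hand and the datagram is sent over the NOTIFY_SOCKET path the caller passes in. Linux, and a filesystem or abstract-namespace socket path, are assumed.

```c
/* Added example, not the diff attached to this bug: a libsystemd-free
 * sd_notify()-style sender whose formatting is async-signal-safe (no snprintf,
 * malloc or stdio). Assumes Linux; path is a filesystem or abstract ('@') name. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Decimal-format v into buf (NUL-terminated); returns digits written, 0 if too small. */
size_t u64_to_dec(uint64_t v, char *buf, size_t len)
{
	char tmp[20]; /* 2^64-1 has 20 digits */
	size_t n = 0, i;
	do {
		tmp[n++] = (char)('0' + v % 10);
		v /= 10;
	} while (v != 0);
	if (n >= len)
		return 0;
	for (i = 0; i < n; i++)
		buf[i] = tmp[n - 1 - i];
	buf[n] = '\0';
	return n;
}

/* Build "RELOADING=1\nMONOTONIC_USEC=<usec>" without stdio; returns length or 0. */
size_t build_reloading_msg(uint64_t usec, char *buf, size_t len)
{
	static const char prefix[] = "RELOADING=1\nMONOTONIC_USEC=";
	size_t plen = sizeof(prefix) - 1, dlen;
	if (len <= plen)
		return 0;
	memcpy(buf, prefix, plen);
	dlen = u64_to_dec(usec, buf + plen, len - plen);
	return dlen == 0 ? 0 : plen + dlen;
}

/* Send one datagram to the notify socket at path. Returns 1 if sent, 0 if path is
 * unset (not under systemd), -1 on error. Resolve getenv("NOTIFY_SOCKET") once at
 * startup: getenv() is not signal-safe, while socket()/sendto()/close() are. */
int notify_send(const char *path, const char *msg, size_t msglen)
{
	struct sockaddr_un sun;
	size_t plen;
	int fd, ok;
	if (path == NULL || path[0] == '\0')
		return 0;
	plen = strlen(path);
	if (plen >= sizeof(sun.sun_path))
		return -1;
	memset(&sun, 0, sizeof(sun));
	sun.sun_family = AF_UNIX;
	memcpy(sun.sun_path, path, plen);
	if (sun.sun_path[0] == '@')
		sun.sun_path[0] = '\0'; /* abstract namespace: leading NUL byte */
	if ((fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) == -1)
		return -1;
	ok = sendto(fd, msg, msglen, MSG_NOSIGNAL, (struct sockaddr *)&sun,
	    (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen)) == (ssize_t)msglen;
	close(fd);
	return ok ? 1 : -1;
}

/* What a SIGHUP handler could send before re-exec; READY=1 must follow when done. */
int notify_reloading(const char *path)
{
	struct timespec ts;
	char buf[64];
	size_t n;
	if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) /* async-signal-safe */
		return -1;
	n = build_reloading_msg((uint64_t)ts.tv_sec * 1000000ULL +
	    (uint64_t)ts.tv_nsec / 1000ULL, buf, sizeof(buf));
	return n == 0 ? -1 : notify_send(path, buf, n);
}
```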


[Bug 3674] Tracking bug for OpenSSH 9.8

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker  changed:

   What|Removed |Added

 Depends on||3671


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3671
[Bug 3671] Improve PuTTY version detection


[Bug 3674] Tracking bug for OpenSSH 9.8

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
Bug 3674 depends on bug 3671, which changed state.

Bug 3671 Summary: Improve PuTTY version detection
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 3671] Improve PuTTY version detection

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3671

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED
 CC||dtuc...@dtucker.net
 Blocks||3674

--- Comment #2 from Darren Tucker  ---
Thanks.  Have applied upstream, should appear in Portable soon and will
be in the 9.8 release.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3668] OpenSSL version header not found

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3668

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |WORKSFORME
 Status|NEW |RESOLVED

--- Comment #10 from Darren Tucker  ---
Your comment#8 indicates the problem you reported has been resolved.
Please reopen if that is not the case.



[Bug 3674] Tracking bug for OpenSSH 9.8

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker  changed:

   What|Removed |Added

 Depends on||3673


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3673
[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k
with GCC 13


[Bug 3674] Tracking bug for OpenSSH 9.8

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
Bug 3674 depends on bug 3673, which changed state.

Bug 3673 Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 3673] -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3673

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674
 Resolution|--- |FIXED
 CC||dtuc...@dtucker.net
 Status|NEW |RESOLVED

--- Comment #1 from Darren Tucker  ---
Patch applied (both master and 9.7 branch) so it will be in the next
release.

Thanks for the report.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3512

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3449

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3367] ssh-keyscan with non-22 port does not hash correct host

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3367

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3289] Patch fixing the issues found by coverity scan

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3289

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3210] Confusing errors when pam_acct_mgmt() fails

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 2687] Coverity scan fixes

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2687

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1768

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 1153] DISPLAY should be set form the connected IP, not the hostname

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1153

Darren Tucker  changed:

   What|Removed |Added

 Blocks|3651|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7


[Bug 3651] tracking bug for openssh-9.7

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Darren Tucker  changed:

   What|Removed |Added

 Depends on|1153, 1768, 2687, 3210, |
   |3289, 3367, 3449, 3512, |
   |3531|


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=1153
[Bug 1153] DISPLAY should be set form the connected IP, not the
hostname
https://bugzilla.mindrot.org/show_bug.cgi?id=1768
[Bug 1768] scp: wrong error message when destination directory ends
with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
[Bug 2687] Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3289
[Bug 3289] Patch fixing the issues found by coverity scan
https://bugzilla.mindrot.org/show_bug.cgi?id=3367
[Bug 3367] ssh-keyscan with non-22 port does not hash correct host
https://bugzilla.mindrot.org/show_bug.cgi?id=3449
[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3512
[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after
upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation:
unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3531
[Bug 3531] Ssh will not exit when it receives SIGTERM before calling
poll in client_wait_until_can_do_something until some events happen.


[Bug 3651] tracking bug for openssh-9.7

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3651

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED
 CC||dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
OpenSSH 9.7 was released March 11, 2024

https://www.openssh.com/releasenotes.html#9.7p1

Remaining open bugs retargetted to 9.8 (bug#3674).



[Bug 3674] Tracking bug for OpenSSH 9.8

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3674

Darren Tucker  changed:

   What|Removed |Added

   Keywords||meta



[Bug 3531] Ssh will not exit when it receives SIGTERM before calling poll in client_wait_until_can_do_something until some events happen.

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3531

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3512] net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3512

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3449] LocalForward doesn't support ~/path syntax for UNIX sockets

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3449

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3367] ssh-keyscan with non-22 port does not hash correct host

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3367

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3289] Patch fixing the issues found by coverity scan

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3289

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 3210] Confusing errors when pam_acct_mgmt() fails

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 2687] Coverity scan fixes

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2687

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1768

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8


[Bug 1153] DISPLAY should be set form the connected IP, not the hostname

2024-03-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1153

Darren Tucker  changed:

   What|Removed |Added

 Blocks||3674


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8

