mirror of
https://github.com/opnsense/src.git
synced 2026-06-04 14:26:03 -04:00
802386cd37
Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.
See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* ssh(1): remove support for pre-authentication compression.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.
New features
------------
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
Bugfixes
--------
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505
---
Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| misc | ||
| unittests | ||
| addrmatch.sh | ||
| agent-getpeereid.sh | ||
| agent-pkcs11-cert.sh | ||
| agent-pkcs11-restrict.sh | ||
| agent-pkcs11.sh | ||
| agent-ptrace.sh | ||
| agent-restrict.sh | ||
| agent-subprocess.sh | ||
| agent-timeout.sh | ||
| agent.sh | ||
| allow-deny-users.sh | ||
| authinfo.sh | ||
| banner.sh | ||
| broken-pipe.sh | ||
| brokenkeys.sh | ||
| cert-file.sh | ||
| cert-hostkey.sh | ||
| cert-userkey.sh | ||
| cfginclude.sh | ||
| cfgmatch.sh | ||
| cfgmatchlisten.sh | ||
| cfgparse.sh | ||
| channel-timeout.sh | ||
| check-perm.c | ||
| cipher-speed.sh | ||
| conch-ciphers.sh | ||
| connect-privsep.sh | ||
| connect-uri.sh | ||
| connect.sh | ||
| connection-timeout.sh | ||
| dhgex.sh | ||
| dropbear-ciphers.sh | ||
| dropbear-kex.sh | ||
| dsa_ssh2.prv | ||
| dsa_ssh2.pub | ||
| dynamic-forward.sh | ||
| ed25519_openssh.prv | ||
| ed25519_openssh.pub | ||
| envpass.sh | ||
| exit-status-signal.sh | ||
| exit-status.sh | ||
| forcecommand.sh | ||
| forward-control.sh | ||
| forwarding.sh | ||
| host-expand.sh | ||
| hostbased.sh | ||
| hostkey-agent.sh | ||
| hostkey-rotate.sh | ||
| integrity.sh | ||
| kextype.sh | ||
| key-options.sh | ||
| keygen-change.sh | ||
| keygen-comment.sh | ||
| keygen-convert.sh | ||
| keygen-knownhosts.sh | ||
| keygen-moduli.sh | ||
| keygen-sshfp.sh | ||
| keys-command.sh | ||
| keyscan.sh | ||
| keytype.sh | ||
| knownhosts-command.sh | ||
| knownhosts.sh | ||
| krl.sh | ||
| limit-keytype.sh | ||
| localcommand.sh | ||
| login-timeout.sh | ||
| Makefile | ||
| match-subsystem.sh | ||
| mkdtemp.c | ||
| modpipe.c | ||
| moduli.in | ||
| multiplex.sh | ||
| multipubkey.sh | ||
| netcat.c | ||
| penalty-expire.sh | ||
| penalty.sh | ||
| percent.sh | ||
| portnum.sh | ||
| principals-command.sh | ||
| proto-mismatch.sh | ||
| proto-version.sh | ||
| proxy-connect.sh | ||
| putty-ciphers.sh | ||
| putty-kex.sh | ||
| putty-transfer.sh | ||
| README.regress | ||
| reconfigure.sh | ||
| reexec.sh | ||
| rekey.sh | ||
| rsa_openssh.prv | ||
| rsa_openssh.pub | ||
| rsa_ssh2.prv | ||
| scp-ssh-wrapper.sh | ||
| scp-uri.sh | ||
| scp.sh | ||
| scp3.sh | ||
| servcfginclude.sh | ||
| setuid-allowed.c | ||
| sftp-badcmds.sh | ||
| sftp-batch.sh | ||
| sftp-chroot.sh | ||
| sftp-cmds.sh | ||
| sftp-glob.sh | ||
| sftp-perm.sh | ||
| sftp-uri.sh | ||
| sftp.sh | ||
| ssh-com-client.sh | ||
| ssh-com-keygen.sh | ||
| ssh-com-sftp.sh | ||
| ssh-com.sh | ||
| ssh2putty.sh | ||
| sshcfgparse.sh | ||
| sshfp-connect.sh | ||
| sshsig.sh | ||
| stderr-after-eof.sh | ||
| stderr-data.sh | ||
| t4.ok | ||
| t5.ok | ||
| t11.ok | ||
| test-exec.sh | ||
| timestamp.c | ||
| transfer.sh | ||
| try-ciphers.sh | ||
| valgrind-unit.sh | ||
| yes-head.sh | ||
Overview.
$ ./configure && make tests
You'll see some progress info. A failure will cause either the make to
abort or the driver script to report a "FATAL" failure.
The test consists of 2 parts. The first is the file-based tests which is
driven by the Makefile, and the second is a set of network or proxycommand
based tests, which are driven by a driver script (test-exec.sh) which is
called multiple times by the Makefile.
Failures in the first part will cause the Makefile to return an error.
Failures in the second part will print a "FATAL" message for the failed
test and continue.
OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
suite is based on OpenBSD's with modifications.
Environment variables.
SKIP_UNIT: Skip unit tests.
SUDO: path to sudo/doas command, if desired. Note that some systems
(notably systems using PAM) require sudo to execute some tests.
LTESTS: Whitespace separated list of tests (filenames without the .sh
extension) to run.
SKIP_LTESTS: Whitespace separated list of tests to skip.
OBJ: used by test scripts to access build dir.
TEST_SHELL: shell used for running the test scripts.
TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test
currently in progress.
TEST_SSH_PORT: TCP port to be used for the listening tests.
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
before running each test.
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to
ssh_config before running each test.
TEST_SSH_TRACE: set to "yes" for verbose output from tests
TEST_SSH_x: path to "ssh" command under test, where x is one of
SSH, SSHD, SSHAGENT, SSHADD, SSHKEYGEN, SSHKEYSCAN, SFTP or
SFTPSERVER
USE_VALGRIND: Run the tests under valgrind memory checker.
Individual tests.
You can run an individual test from the top-level Makefile, eg:
$ make tests LTESTS=agent-timeout
If you need to manipulate the environment more you can invoke test-exec.sh
directly if you set up the path to find the binaries under test and the
test scripts themselves, for example:
$ cd regress
$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
agent-timeout.sh
ok agent timeout test
Files.
test-exec.sh: the main test driver. Sets environment, creates config files
and keys and runs the specified test.
At the time of writing, the individual tests are:
connect.sh: simple connect
proxy-connect.sh: proxy connect
connect-privsep.sh: proxy connect with privsep
connect-uri.sh: uri connect
proto-version.sh: sshd version with different protocol combinations
proto-mismatch.sh: protocol version mismatch
exit-status.sh: remote exit status
envpass.sh: environment passing
transfer.sh: transfer data
banner.sh: banner
rekey.sh: rekey
stderr-data.sh: stderr data transfer
stderr-after-eof.sh: stderr data after eof
broken-pipe.sh: broken pipe test
try-ciphers.sh: try ciphers
yes-head.sh: yes pipe head
login-timeout.sh: connect after login grace timeout
agent.sh: simple connect via agent
agent-getpeereid.sh: disallow agent attach from other uid
agent-timeout.sh: agent timeout test
agent-ptrace.sh: disallow agent ptrace attach
keyscan.sh: keyscan
keygen-change.sh: change passphrase for key
keygen-convert.sh: convert keys
keygen-moduli.sh: keygen moduli
key-options.sh: key options
scp.sh: scp
scp-uri.sh: scp-uri
sftp.sh: basic sftp put/get
sftp-chroot.sh: sftp in chroot
sftp-cmds.sh: sftp command
sftp-badcmds.sh: sftp invalid commands
sftp-batch.sh: sftp batchfile
sftp-glob.sh: sftp glob
sftp-perm.sh: sftp permissions
sftp-uri.sh: sftp-uri
ssh-com-client.sh: connect with ssh.com client
ssh-com-keygen.sh: ssh.com key import
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
ssh-com.sh: connect to ssh.com server
reconfigure.sh: simple connect after reconfigure
dynamic-forward.sh: dynamic forwarding
forwarding.sh: local and remote forwarding
multiplex.sh: connection multiplexing
reexec.sh: reexec tests
brokenkeys.sh: broken keys
sshcfgparse.sh: ssh config parse
cfgparse.sh: sshd config parse
cfgmatch.sh: sshd_config match
cfgmatchlisten.sh: sshd_config matchlisten
addrmatch.sh: address match
localcommand.sh: localcommand
forcecommand.sh: forced command
portnum.sh: port number parsing
keytype.sh: login with different key types
kextype.sh: login with different key exchange algorithms
cert-hostkey.sh certified host keys
cert-userkey.sh: certified user keys
host-expand.sh: expand %h and %n
keys-command.sh: authorized keys from command
forward-control.sh: sshd control of local and remote forwarding
integrity.sh: integrity
krl.sh: key revocation lists
multipubkey.sh: multiple pubkey
limit-keytype.sh: restrict pubkey type
hostkey-agent.sh: hostkey agent
keygen-knownhosts.sh: ssh-keygen known_hosts
hostkey-rotate.sh: hostkey rotate
principals-command.sh: authorized principals command
cert-file.sh: ssh with certificates
cfginclude.sh: config include
allow-deny-users.sh: AllowUsers/DenyUsers
authinfo.sh: authinfo
Problems?
Run the failing test with shell tracing (-x) turned on:
$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
Failed tests can be difficult to diagnose. Suggestions:
- run the individual test via ./test-exec.sh `pwd` [testname]
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
auth.debug (eg to /var/log/authlog).
Known Issues.
- Similarly, if you do not have "scp" in your system's $PATH then the
multiplex scp tests will fail (since the system's shell startup scripts
will determine where the shell started by sshd will look for scp).
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
test to fail. The old behaviour can be restored by setting (and
exporting) _POSIX2_VERSION=199209 before running the tests.