Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". 
bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC)
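#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Picks the ./configure flags, compiler settings and regress-test
# selection for one CI build.  The file is meant to be sourced by the
# CI driver: it reads the configuration name from $1 and the optional
# TARGET_HOST environment variable, then sets and exports the variables
# listed below in the caller's shell.  An unknown configuration name is
# reported on stderr and terminates with status 1.
#
# NOTE(review): the usage line mentions "vmname" but only $1 is read
# here, as the test configuration name -- confirm against the caller.
#
# Sets the following variables:
# CONFIGFLAGS     options to ./configure
# LIBCRYPTOFLAGS  libcrypto-related ./configure options; appended to
#                 CONFIGFLAGS at the end of this file
# SSHD_CONFOPTS   sshd_config options
# TEST_TARGET     make target used when testing. defaults to
#                 "tests compat-tests".
# LTESTS          regress tests to run when a configuration restricts
#                 the run to a subset
# SKIP_LTESTS     regress tests to skip
# SUDO            command used to gain privileges for the tests
#                 ("" to run unprivileged)
#
# Several configurations below deliberately switch off sshd's own
# defences (sandbox, hardening flags, FORTIFY_SOURCE, the privsep user,
# chroot) because sanitizers and valgrind cannot run with them in place.
# Those flags are for throwaway CI builds only; do not reuse them for a
# build that will be installed.

# Empty or missing argument selects the default configuration.
config=${1:-default}

unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
# Test-only setting: presumably relaxes the regress suite's checks on
# file modes of the checkout -- confirm in regress/test-exec.sh.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

case "$config" in
default|sol64)
  ;;
c89)
  # If we don't have LLONG_MAX, configure will figure out that it can
  # get it by setting -std=gnu99, at which point we won't be testing
  # C89 any more. To avoid this, feed it in via CFLAGS.
  # (If gcc is missing this yields "-DLLONG_MAX=" and the build fails
  # loudly at compile time, which is acceptable for CI.)
  llong_max=$(gcc -E -dM - </dev/null | \
    awk '$2=="__LONG_LONG_MAX__"{print $3}')
  CPPFLAGS="-DLLONG_MAX=${llong_max}"

  CC="gcc"
  CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
  CONFIGFLAGS="--without-zlib"
  LIBCRYPTOFLAGS="--without-openssl"
  TEST_TARGET=t-exec
  ;;
cygwin-release)
  # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
  CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
  CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
  ;;
clang-12-Werror)
  CC="clang-12"
  # clang's implicit-fallthrough requires that the code be annotated with
  # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
  CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
  CONFIGFLAGS="--with-pam --with-Werror"
  ;;
*-sanitize-*)
  case "$config" in
  gcc-*)
    CC=gcc
    ;;
  clang-*)
    # Find the newest available version of clang: walk clang-10 ..
    # clang-99 and keep the last one that exists (seq is not POSIX,
    # so count with shell arithmetic).
    i=10
    while [ "$i" -le 99 ]; do
      clang=$(command -v "clang-$i" 2>/dev/null)
      [ -x "$clang" ] && CC="$clang"
      i=$((i + 1))
    done
    ;;
  esac
  # Put Sanitizer logs in regress dir.
  # The path is spliced unquoted into the -D strings below, so a
  # checkout directory containing spaces or quotes would break the
  # compile flags.
  SANLOGS=$(pwd)/regress
  # - We replace chroot with chdir so that the sanitizer in the preauth
  #   privsep process can read /proc.
  # - clang does not recognizes explicit_bzero so we use bzero
  #   (see https://github.com/google/sanitizers/issues/1507
  # - openssl and zlib trip ASAN.
  # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
  # All of the above remove real protections (chroot, secure memory
  # clearing, FORTIFY_SOURCE); they exist only so the sanitizer can run.
  case "$config" in
  *-sanitize-address)
    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
    LDFLAGS="-fsanitize=address"
    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
    CONFIGFLAGS=""
    TEST_TARGET="t-exec"
    ;;
  clang-sanitize-memory)
    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
    LDFLAGS="-fsanitize=memory"
    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
    CONFIGFLAGS="--without-zlib --without-shadow"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
  *-sanitize-undefined)
    CFLAGS="-fsanitize=undefined"
    LDFLAGS="-fsanitize=undefined"
    ;;
  *)
    # Diagnostics go to stderr so they are not mistaken for output.
    echo unknown sanitize option >&2
    exit 1
    ;;
  esac
  # Sanitizer builds run without the sandbox, stack protector and
  # privilege separation user; this is the most weakened build in the
  # matrix and must never be shipped.
  features="--disable-security-key --disable-pkcs11"
  hardening="--without-sandbox --without-hardening --without-stackprotect"
  privsep="--with-privsep-user=root"
  CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
  # Because we hobble chroot we can't test it.
  SKIP_LTESTS=sftp-chroot
  ;;
gcc-11-Werror|gcc-12-Werror)
  # The compiler is the configuration name minus the -Werror suffix.
  CC=${config%-Werror}
  # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
  # -Wunused-result ignores (void) so is not useful. See
  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
  CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
  CONFIGFLAGS="--with-pam --with-Werror"
  ;;
clang*|gcc*)
  CC="$config"
  ;;
kitchensink)
  CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
  CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
  CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
  ;;
hardenedmalloc)
  CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
  ;;
tcmalloc)
  CONFIGFLAGS="--with-ldflags=-ltcmalloc"
  ;;
krb5|heimdal)
  CONFIGFLAGS="--with-kerberos5"
  ;;
libedit)
  CONFIGFLAGS="--with-libedit"
  ;;
musl)
  CC="musl-gcc"
  CONFIGFLAGS="--without-zlib"
  LIBCRYPTOFLAGS="--without-openssl"
  TEST_TARGET="t-exec"
  ;;
pam-krb5)
  CONFIGFLAGS="--with-pam --with-kerberos5"
  SSHD_CONFOPTS="UsePam yes"
  ;;
*pam)
  CONFIGFLAGS="--with-pam"
  SSHD_CONFOPTS="UsePam yes"
  ;;
boringssl)
  CONFIGFLAGS="--disable-pkcs11"
  LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
  ;;
libressl-*)
  LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
  ;;
putty-*)
  CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
  # We don't need to rerun the regular tests, just the interop ones.
  TEST_TARGET=interop-tests
  ;;
openssl-*)
  LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
  # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
  # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
  if [ "$config" = "openssl-1.1.1" ]; then
    SKIP_LTESTS="reexec"
  fi
  ;;
selinux)
  CONFIGFLAGS="--with-selinux"
  ;;
sk)
  CONFIGFLAGS="--with-security-key-builtin"
  ;;
without-openssl)
  LIBCRYPTOFLAGS="--without-openssl"
  TEST_TARGET=t-exec
  ;;
valgrind-[1-5]|valgrind-unit)
  # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
  # (Test-only: this disables the sandbox and hardening.)
  CONFIGFLAGS="--without-sandbox --without-hardening"
  CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
  TEST_TARGET="t-exec USE_VALGRIND=1"
  TEST_SSH_ELAPSED_TIMES=1
  export TEST_SSH_ELAPSED_TIMES
  # Valgrind slows things down enough that the agent timeout test
  # won't reliably pass, and the unit tests run longer than allowed
  # by github so split into separate tests.
  tests2="integrity try-ciphers"
  tests3="krl forward-control sshsig agent-restrict kextype sftp"
  tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
  tests5="rekey"
  case "$config" in
  valgrind-1)
    # All tests except agent-timeout (which is flaky under valgrind),
    # connection-timeout (which doesn't work since it's so slow)
    # and hostbased (since valgrind won't let ssh exec keysign).
    # Slow ones are run separately to increase parallelism.
    SKIP_LTESTS="agent-timeout connection-timeout hostbased"
    SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
    SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
    ;;
  valgrind-2)
    LTESTS="${tests2}"
    ;;
  valgrind-3)
    LTESTS="${tests3}"
    ;;
  valgrind-4)
    LTESTS="${tests4}"
    ;;
  valgrind-5)
    LTESTS="${tests5}"
    ;;
  valgrind-unit)
    TEST_TARGET="unit USE_VALGRIND=1"
    ;;
  esac
  ;;
zlib-develop)
  INSTALL_ZLIB=develop
  CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
  ;;
*)
  echo "Unknown configuration $config" >&2
  exit 1
  ;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
  CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
  LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
  ;;
esac

# Per-host adjustments; TARGET_HOST comes from the environment and may
# be unset, in which case nothing here applies.
case "${TARGET_HOST}" in
aix*)
  CONFIGFLAGS="--disable-security-key"
  LIBCRYPTOFLAGS="--without-openssl"
  # These are slow real or virtual machines so skip the slowest tests
  # (which tend to be the ones that transfer lots of data) so that the
  # test run does not time out.
  # The agent-restrict test fails due to some quoting issue when run
  # with sh or ksh so specify bash for now.
  TEST_TARGET="t-exec unit TEST_SHELL=bash"
  SKIP_LTESTS="rekey sftp"
  ;;
debian-riscv64)
  # This machine is fairly slow, so skip the unit tests.
  TEST_TARGET="t-exec"
  ;;
dfly58*|dfly60*)
  # scp 3-way connection hangs on these so skip until sorted.
  SKIP_LTESTS=scp3
  ;;
fbsd6)
  # Native linker is not great with PIC so OpenSSL is built w/out.
  CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
  ;;
hurd)
  SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
  ;;
minix3)
  CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
  # Unix domain sockets don't work quite like we expect, so also
  # disable FD passing (and thus multiplexing).
  CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
  LIBCRYPTOFLAGS="--without-openssl"

  # Minix does not have a loopback interface so we have to skip any
  # test that relies on one.
  # Also, Minix seems to be very limited in the number of select()
  # calls that can be operating concurrently, so prune additional tests for that.
  T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
    connect connect-uri dynamic-forward exit-status forwarding
    forward-control
    hostkey-agent key-options keyscan knownhosts-command login-timeout
    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
    transfer penalty penalty-expire"
  # $T is intentionally unquoted: word-splitting collapses the
  # multi-line list above into a single space-separated line.
  SKIP_LTESTS="$(echo $T)"
  TEST_TARGET=t-exec
  SUDO=""
  ;;
nbsd4)
  # System compiler will ICE on some files with fstack-protector
  # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
  CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
  ;;
openwrt-*)
  CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
  LIBCRYPTOFLAGS="--without-openssl"
  TEST_TARGET="t-exec"
  ;;
sol10|sol11)
  # sol10 VM is 32bit and the unit tests are slow.
  # sol11 has 4 test configs so skip unit tests to speed up.
  TEST_TARGET="tests SKIP_UNIT=1"
  ;;
win10)
  # No sudo on Windows.
  SUDO=""
  ;;
esac

# Adjustments keyed on the build host triple.  If config.guess is not
# present or fails, $host is empty and no case below matches.
host=$(./config.guess)
case "$host" in
*cygwin)
  SUDO=""
  # Don't run compat tests on cygwin as they don't currently compile.
  TEST_TARGET="tests"
  ;;
*-darwin*)
  # Unless specified otherwise, build without OpenSSL on Mac OS since
  # modern versions don't ship with libcrypto.
  LIBCRYPTOFLAGS="--without-openssl"
  TEST_TARGET=t-exec

  # On some OS X runners we can't write to /var/empty.
  CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"

  case "$host" in
  *-darwin22.*)
    # sudo -S nobody doesn't work on macos 13 for some reason.
    SKIP_LTESTS="agent-getpeereid" ;;
  esac
  ;;
esac

# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
  LIBCRYPTOFLAGS="--without-openssl"
  # last-match: the last prefix in the list with a recent enough
  # libcrypto wins.
  for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
    ver="none"
    if [ -x "${i}/bin/openssl" ]; then
      ver="$("${i}/bin/openssl" version)"
    fi
    case "$ver" in
    none) ;;
    # Versions too old to build against are skipped.
    "OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
    "LibreSSL 2."*|"LibreSSL 3.0."*) ;;
    *) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
    esac
  done
  if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
    TEST_TARGET="t-exec"
  fi
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Enable the PuTTY interop tests only when plink is installed
# (command -v is the POSIX replacement for which).
if [ -x "$(command -v plink 2>/dev/null)" ]; then
  REGRESS_INTEROP_PUTTY=yes
  export REGRESS_INTEROP_PUTTY
fi

export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL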