f374ba41f5
Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD.

Some other notable items from the release notes:

* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.

* sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.

* sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above.

* sshd(8): add a -V (version) option to sshd like the ssh client has.

* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence.

* ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976

* ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499

MFC after: 1 week
Sponsored by: The FreeBSD Foundation
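The timeout and escape-sequence options named in the commit message above, written out as a hardening configuration. This is an added example, not part of the commit or of the OpenSSH or FreeBSD sources; the interval values are constructed, and the channel type names are the ones documented in sshd_config(5).

```conf
# /etc/ssh/sshd_config (server side). Interval values are constructed examples.

# Close channels that have carried no traffic for the given interval.
# All type=interval pairs go on one line, separated by whitespace.
ChannelTimeout session:shell=30m session:command=30m session:subsystem:sftp=10m x11-connection=5m agent-connection=5m direct-tcpip=10m forwarded-tcpip=10m

# Drop a client connection once it has had no open channels for this long,
# so a connection whose channels were all closed above does not linger.
# The timer also covers the window right after authentication, before the
# client opens its first channel, so avoid very short values.
UnusedConnectionTimeout 5m


# ~/.ssh/config or /etc/ssh/ssh_config (client side)

# Keep the ~C escape command-line unavailable, so port-forwards cannot be
# added to an already running session from the keyboard.
Host *
    EnableEscapeCommandline no
```

Check the server file with `sshd -t -f <path>` before reloading; `sshd -T` prints the effective settings.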
- misc
- unittests
- addrmatch.sh
- agent-getpeereid.sh
- agent-pkcs11.sh
- agent-ptrace.sh
- agent-restrict.sh
- agent-subprocess.sh
- agent-timeout.sh
- agent.sh
- allow-deny-users.sh
- authinfo.sh
- banner.sh
- broken-pipe.sh
- brokenkeys.sh
- cert-file.sh
- cert-hostkey.sh
- cert-userkey.sh
- cfginclude.sh
- cfgmatch.sh
- cfgmatchlisten.sh
- cfgparse.sh
- channel-timeout.sh
- check-perm.c
- cipher-speed.sh
- conch-ciphers.sh
- connect-privsep.sh
- connect-uri.sh
- connect.sh
- connection-timeout.sh
- dhgex.sh
- dsa_ssh2.prv
- dsa_ssh2.pub
- dynamic-forward.sh
- ed25519_openssh.prv
- ed25519_openssh.pub
- envpass.sh
- exit-status-signal.sh
- exit-status.sh
- forcecommand.sh
- forward-control.sh
- forwarding.sh
- host-expand.sh
- hostbased.sh
- hostkey-agent.sh
- hostkey-rotate.sh
- integrity.sh
- kextype.sh
- key-options.sh
- keygen-change.sh
- keygen-comment.sh
- keygen-convert.sh
- keygen-knownhosts.sh
- keygen-moduli.sh
- keygen-sshfp.sh
- keys-command.sh
- keyscan.sh
- keytype.sh
- knownhosts-command.sh
- knownhosts.sh
- krl.sh
- limit-keytype.sh
- localcommand.sh
- login-timeout.sh
- Makefile
- mkdtemp.c
- modpipe.c
- moduli.in
- multiplex.sh
- multipubkey.sh
- netcat.c
- percent.sh
- portnum.sh
- principals-command.sh
- proto-mismatch.sh
- proto-version.sh
- proxy-connect.sh
- putty-ciphers.sh
- putty-kex.sh
- putty-transfer.sh
- README.regress
- reconfigure.sh
- reexec.sh
- rekey.sh
- rsa_openssh.prv
- rsa_openssh.pub
- rsa_ssh2.prv
- scp3.sh
- scp-ssh-wrapper.sh
- scp-uri.sh
- scp.sh
- servcfginclude.sh
- setuid-allowed.c
- sftp-badcmds.sh
- sftp-batch.sh
- sftp-chroot.sh
- sftp-cmds.sh
- sftp-glob.sh
- sftp-perm.sh
- sftp-uri.sh
- sftp.sh
- ssh2putty.sh
- ssh-com-client.sh
- ssh-com-keygen.sh
- ssh-com-sftp.sh
- ssh-com.sh
- sshcfgparse.sh
- sshd-log-wrapper.sh
- sshfp-connect.sh
- sshsig.sh
- stderr-after-eof.sh
- stderr-data.sh
- t4.ok
- t5.ok
- t11.ok
- test-exec.sh
- transfer.sh
- try-ciphers.sh
- valgrind-unit.sh
- yes-head.sh
Overview.

    $ ./configure && make tests

You'll see some progress info. A failure will cause either the make to abort or the driver script to report a "FATAL" failure.

The test consists of 2 parts. The first is the file-based tests, which are driven by the Makefile, and the second is a set of network or proxycommand based tests, which are driven by a driver script (test-exec.sh) which is called multiple times by the Makefile.

Failures in the first part will cause the Makefile to return an error. Failures in the second part will print a "FATAL" message for the failed test and continue.

OpenBSD has a system-wide regression test suite. OpenSSH Portable's test suite is based on OpenBSD's with modifications.


Environment variables.

SKIP_UNIT: Skip unit tests.
SUDO: path to sudo/doas command, if desired. Note that some systems (notably systems using PAM) require sudo to execute some tests.
LTESTS: Whitespace separated list of tests (filenames without the .sh extension) to run.
SKIP_LTESTS: Whitespace separated list of tests to skip.
OBJ: used by test scripts to access build dir.
TEST_SHELL: shell used for running the test scripts.
TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test currently in progress.
TEST_SSH_PORT: TCP port to be used for the listening tests.
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config before running each test.
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config before running each test.
TEST_SSH_TRACE: set to "yes" for verbose output from tests.
TEST_SSH_x: path to "ssh" command under test, where x is one of SSH, SSHD, SSHAGENT, SSHADD, SSHKEYGEN, SSHKEYSCAN, SFTP or SFTPSERVER.
USE_VALGRIND: Run the tests under valgrind memory checker.


Individual tests.

You can run an individual test from the top-level Makefile, e.g.:

    $ make tests LTESTS=agent-timeout

If you need to manipulate the environment more you can invoke test-exec.sh directly if you set up the path to find the binaries under test and the test scripts themselves, for example:

    $ cd regress
    $ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
        agent-timeout.sh
    ok agent timeout test


Files.

test-exec.sh: the main test driver. Sets environment, creates config files and keys and runs the specified test.

At the time of writing, the individual tests are:

connect.sh: simple connect
proxy-connect.sh: proxy connect
connect-privsep.sh: proxy connect with privsep
connect-uri.sh: uri connect
proto-version.sh: sshd version with different protocol combinations
proto-mismatch.sh: protocol version mismatch
exit-status.sh: remote exit status
envpass.sh: environment passing
transfer.sh: transfer data
banner.sh: banner
rekey.sh: rekey
stderr-data.sh: stderr data transfer
stderr-after-eof.sh: stderr data after eof
broken-pipe.sh: broken pipe test
try-ciphers.sh: try ciphers
yes-head.sh: yes pipe head
login-timeout.sh: connect after login grace timeout
agent.sh: simple connect via agent
agent-getpeereid.sh: disallow agent attach from other uid
agent-timeout.sh: agent timeout test
agent-ptrace.sh: disallow agent ptrace attach
keyscan.sh: keyscan
keygen-change.sh: change passphrase for key
keygen-convert.sh: convert keys
keygen-moduli.sh: keygen moduli
key-options.sh: key options
scp.sh: scp
scp-uri.sh: scp-uri
sftp.sh: basic sftp put/get
sftp-chroot.sh: sftp in chroot
sftp-cmds.sh: sftp command
sftp-badcmds.sh: sftp invalid commands
sftp-batch.sh: sftp batchfile
sftp-glob.sh: sftp glob
sftp-perm.sh: sftp permissions
sftp-uri.sh: sftp-uri
ssh-com-client.sh: connect with ssh.com client
ssh-com-keygen.sh: ssh.com key import
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
ssh-com.sh: connect to ssh.com server
reconfigure.sh: simple connect after reconfigure
dynamic-forward.sh: dynamic forwarding
forwarding.sh: local and remote forwarding
multiplex.sh: connection multiplexing
reexec.sh: reexec tests
brokenkeys.sh: broken keys
sshcfgparse.sh: ssh config parse
cfgparse.sh: sshd config parse
cfgmatch.sh: sshd_config match
cfgmatchlisten.sh: sshd_config matchlisten
addrmatch.sh: address match
localcommand.sh: localcommand
forcecommand.sh: forced command
portnum.sh: port number parsing
keytype.sh: login with different key types
kextype.sh: login with different key exchange algorithms
cert-hostkey.sh: certified host keys
cert-userkey.sh: certified user keys
host-expand.sh: expand %h and %n
keys-command.sh: authorized keys from command
forward-control.sh: sshd control of local and remote forwarding
integrity.sh: integrity
krl.sh: key revocation lists
multipubkey.sh: multiple pubkey
limit-keytype.sh: restrict pubkey type
hostkey-agent.sh: hostkey agent
keygen-knownhosts.sh: ssh-keygen known_hosts
hostkey-rotate.sh: hostkey rotate
principals-command.sh: authorized principals command
cert-file.sh: ssh with certificates
cfginclude.sh: config include
allow-deny-users.sh: AllowUsers/DenyUsers
authinfo.sh: authinfo


Problems?

Run the failing test with shell tracing (-x) turned on:

    $ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh

Failed tests can be difficult to diagnose. Suggestions:
- run the individual test via ./test-exec.sh `pwd` [testname]
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of auth.debug (e.g. to /var/log/authlog).


Known Issues.

- Similarly, if you do not have "scp" in your system's $PATH then the multiplex scp tests will fail (since the system's shell startup scripts will determine where the shell started by sshd will look for scp).

- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head test to fail. The old behaviour can be restored by setting (and exporting) _POSIX2_VERSION=199209 before running the tests.