Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option above.
* sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy buffer
length and the number of in-flight requests, both of which are used
during upload/download. Previously these could be controlled in
sftp(1) only. This makes them available in both SFTP protocol
clients using the same option character sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Overview.
$ ./configure && make tests
You'll see some progress info. A failure will cause either the make to
abort or the driver script to report a "FATAL" failure.
The test consists of 2 parts. The first is the file-based tests which is
driven by the Makefile, and the second is a set of network or proxycommand
based tests, which are driven by a driver script (test-exec.sh) which is
called multiple times by the Makefile.
Failures in the first part will cause the Makefile to return an error.
Failures in the second part will print a "FATAL" message for the failed
test and continue.
OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
suite is based on OpenBSD's with modifications.
Environment variables.
SKIP_UNIT: Skip unit tests.
SUDO: path to sudo/doas command, if desired. Note that some systems
(notably systems using PAM) require sudo to execute some tests.
LTESTS: Whitespace separated list of tests (filenames without the .sh
extension) to run.
SKIP_LTESTS: Whitespace separated list of tests to skip.
OBJ: used by test scripts to access build dir.
TEST_SHELL: shell used for running the test scripts.
TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test
currently in progress.
TEST_SSH_PORT: TCP port to be used for the listening tests.
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
before running each test.
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to
ssh_config before running each test.
TEST_SSH_TRACE: set to "yes" for verbose output from tests
TEST_SSH_x: path to "ssh" command under test, where x is one of
SSH, SSHD, SSHAGENT, SSHADD, SSHKEYGEN, SSHKEYSCAN, SFTP or
SFTPSERVER
USE_VALGRIND: Run the tests under valgrind memory checker.
Individual tests.
You can run an individual test from the top-level Makefile, eg:
$ make tests LTESTS=agent-timeout
If you need to manipulate the environment more you can invoke test-exec.sh
directly if you set up the path to find the binaries under test and the
test scripts themselves, for example:
$ cd regress
$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
agent-timeout.sh
ok agent timeout test
Files.
test-exec.sh: the main test driver. Sets environment, creates config files
and keys and runs the specified test.
At the time of writing, the individual tests are:
connect.sh: simple connect
proxy-connect.sh: proxy connect
connect-privsep.sh: proxy connect with privsep
connect-uri.sh: uri connect
proto-version.sh: sshd version with different protocol combinations
proto-mismatch.sh: protocol version mismatch
exit-status.sh: remote exit status
envpass.sh: environment passing
transfer.sh: transfer data
banner.sh: banner
rekey.sh: rekey
stderr-data.sh: stderr data transfer
stderr-after-eof.sh: stderr data after eof
broken-pipe.sh: broken pipe test
try-ciphers.sh: try ciphers
yes-head.sh: yes pipe head
login-timeout.sh: connect after login grace timeout
agent.sh: simple connect via agent
agent-getpeereid.sh: disallow agent attach from other uid
agent-timeout.sh: agent timeout test
agent-ptrace.sh: disallow agent ptrace attach
keyscan.sh: keyscan
keygen-change.sh: change passphrase for key
keygen-convert.sh: convert keys
keygen-moduli.sh: keygen moduli
key-options.sh: key options
scp.sh: scp
scp-uri.sh: scp-uri
sftp.sh: basic sftp put/get
sftp-chroot.sh: sftp in chroot
sftp-cmds.sh: sftp command
sftp-badcmds.sh: sftp invalid commands
sftp-batch.sh: sftp batchfile
sftp-glob.sh: sftp glob
sftp-perm.sh: sftp permissions
sftp-uri.sh: sftp-uri
ssh-com-client.sh: connect with ssh.com client
ssh-com-keygen.sh: ssh.com key import
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
ssh-com.sh: connect to ssh.com server
reconfigure.sh: simple connect after reconfigure
dynamic-forward.sh: dynamic forwarding
forwarding.sh: local and remote forwarding
multiplex.sh: connection multiplexing
reexec.sh: reexec tests
brokenkeys.sh: broken keys
sshcfgparse.sh: ssh config parse
cfgparse.sh: sshd config parse
cfgmatch.sh: sshd_config match
cfgmatchlisten.sh: sshd_config matchlisten
addrmatch.sh: address match
localcommand.sh: localcommand
forcecommand.sh: forced command
portnum.sh: port number parsing
keytype.sh: login with different key types
kextype.sh: login with different key exchange algorithms
cert-hostkey.sh certified host keys
cert-userkey.sh: certified user keys
host-expand.sh: expand %h and %n
keys-command.sh: authorized keys from command
forward-control.sh: sshd control of local and remote forwarding
integrity.sh: integrity
krl.sh: key revocation lists
multipubkey.sh: multiple pubkey
limit-keytype.sh: restrict pubkey type
hostkey-agent.sh: hostkey agent
keygen-knownhosts.sh: ssh-keygen known_hosts
hostkey-rotate.sh: hostkey rotate
principals-command.sh: authorized principals command
cert-file.sh: ssh with certificates
cfginclude.sh: config include
allow-deny-users.sh: AllowUsers/DenyUsers
authinfo.sh: authinfo
Problems?
Run the failing test with shell tracing (-x) turned on:
$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
Failed tests can be difficult to diagnose. Suggestions:
- run the individual test via ./test-exec.sh `pwd` [testname]
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
auth.debug (eg to /var/log/authlog).
Known Issues.
- Similarly, if you do not have "scp" in your system's $PATH then the
multiplex scp tests will fail (since the system's shell startup scripts
will determine where the shell started by sshd will look for scp).
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
test to fail. The old behaviour can be restored by setting (and
exporting) _POSIX2_VERSION=199209 before running the tests.
f374ba41f5