Conversation

@rapier1
Owner

@rapier1 rapier1 commented Oct 21, 2025

This is a PR to master that follows PR 139. This has a couple of changes to the CI tests but nothing beyond that.

daztucker and others added 30 commits June 17, 2025 21:48
OpenBSD-Commit-ID: 963dba2c804e2fd8efea2256092899874d0dbc7b
OpenBSD-Commit-ID: 6e96814bcf70d0edbb0749ec61cc4fd8707f286d
key fingerprint and algorithm (not just algorithm number) as well as making
it explicit which keys didn't load.

OpenBSD-Commit-ID: ee3e77a0271ab502e653922c6d161b1e091f8fee
parsing pass (unless hostname canonicalisation or a separate "Match final"
does). bz3843

ok dtucker@

OpenBSD-Commit-ID: ce82b6034828888f0f3f1c812e08f5e87400d802
OpenBSD-Regress-ID: 6e30094e3bf0a1c65efb75c67a87093304a3e619
so does not run by default.

OpenBSD-Regress-ID: d5ded47a266b031fc91f99882f07161ab6d1bb70
OpenBSD-Regress-ID: 7abe1f6607d0cd49839918aade8f135d2462d389
Now that we want to actually use the random password for tests, we need
to correctly encrypt it, instead of just setting it to a random string
that's not the "locked" value.
Dropbear added the '-D' flag in version 2025.87.  We need that for the
dropbear-server test, so skip on older versions.

OpenBSD-Regress-ID: 9db0b84edd54d3c00ab17db1dc6d62af4644c550
some platforms (musl, probably others).

OpenBSD-Regress-ID: 35cdeed12ae701afcb812f800c04d817325cd22a
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.

  $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
  [...]
  checking if cc supports compile flag -ftrapv and linking succeeds... yes
  checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
  checking if cc supports compile flag -ftrivial-auto-var-init=zero... yes

Patch from Colin Watson, ok dtucker@
cancellation

channel_cancel_lport_listener() returns 1 on success and 0 on failure.
The previous code incorrectly checked for `== -1`, a value the function
never returns, so failure was not detected and the "port not found"
error message was never shown when cancelling dynamic or local port
forwards.

From: Boris Tonofa <[email protected]>

OpenBSD-Commit-ID: 3e9d2252a4d0bd318d4f25e2b518afb44acea170
maximum message size of 256KB. Some people apparently have configurations
larger than this and would hit this limit.

Worse, there was no good logging that could help diagnose what was
going wrong.

So this bumps the maximum message size to 4MB and implements an early
check (usable via the sshd -t test mode) that will report it to the
user where it is hopefully more visible.

bz3808, reported by Dmitry Belyavskiy, ok dtucker@

OpenBSD-Commit-ID: 69c303fb68cbd1a4735936835d67a71e7b57f63b
mostly by Dmitry Belyavskiy

OpenBSD-Regress-ID: fcedb249e4cf2447e078a839877f99730ee79024
Patch from dbelyavs at redhat.com via bz#3846.
situations. At worst, this can cause all MaxStartups slots to fill and sshd
to refuse new connections.

Diagnosis by xnor; ok dtucker@

OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d
OpenBSD-Regress-ID: 7ff58e6f0eb21eb9064dd0cfa78c3b6f34b5f713
Apparently getgrouplist() can fail on OSX when passed a non-existent
group name. Other platforms seem to return a group list consisting of
the numeric gid passed to the function.

This makes ga_init() handle this failure case gracefully, where it will
return success but with an empty group list array.

bz3848; ok dtucker@
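The commit above describes a portability edge case: on one platform getgrouplist() fails outright for an unknown name, on others it returns a one-entry list holding the base gid, and the fix is to treat the failure as "no supplementary groups" rather than as an error. The following is an added example, not OpenSSH's ga_init() code, that shows that handling in isolation. It assumes the glibc signature of getgrouplist() (gid_t *groups) and uses a constructed failing stub to stand in for the macOS behaviour, so the failure path can be exercised on any platform.

```c
/* Added example: build a supplementary-group list while tolerating a
 * getgrouplist() failure. Not OpenSSH code; assumes the glibc prototype
 * int getgrouplist(const char *, gid_t, gid_t *, int *). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*grouplist_fn)(const char *, gid_t, gid_t *, int *);

struct group_list {
    gid_t *groups;   /* NULL when ngroups == 0 */
    int ngroups;
};

/* Constructed stand-in for a platform whose getgrouplist() fails outright
 * for an unknown name: returns -1 without asking for a larger buffer. */
static int failing_getgrouplist(const char *user, gid_t base,
                                gid_t *groups, int *ngroups)
{
    (void)user; (void)base; (void)groups;
    *ngroups = 0;
    return -1;
}

/* Returns 0 on success and -1 only on allocation failure. A lookup failure
 * is reported as success with an empty list, so a later "is the user in
 * group X" check simply finds nothing instead of aborting. */
static int group_list_init_with(grouplist_fn fn, const char *user, gid_t base,
                                struct group_list *gl)
{
    int cap = 16;
    gid_t *buf = NULL;

    gl->groups = NULL;
    gl->ngroups = 0;
    for (;;) {
        gid_t *tmp = realloc(buf, (size_t)cap * sizeof *buf);
        if (tmp == NULL) {
            free(buf);
            return -1;
        }
        buf = tmp;
        int n = cap;
        if (fn(user, base, buf, &n) != -1) {
            gl->groups = buf;
            gl->ngroups = n;
            return 0;
        }
        if (n > cap) {          /* buffer too small: glibc reports the size needed */
            cap = n;
            continue;
        }
        free(buf);              /* genuine failure: empty list, still success */
        return 0;
    }
}

static int group_list_init(const char *user, gid_t base, struct group_list *gl)
{
    return group_list_init_with(getgrouplist, user, base, gl);
}

static void group_list_free(struct group_list *gl)
{
    free(gl->groups);
    gl->groups = NULL;
    gl->ngroups = 0;
}

static int group_list_contains(const struct group_list *gl, gid_t g)
{
    for (int i = 0; i < gl->ngroups; i++)
        if (gl->groups[i] == g)
            return 1;
    return 0;
}

/* Failure path via the constructed stub: expect an empty list, no error. */
int demo_failing_platform(void)
{
    struct group_list gl;
    if (group_list_init_with(failing_getgrouplist, "nosuchuser", 12345, &gl) != 0)
        return -1;
    int n = gl.ngroups;
    group_list_free(&gl);
    return n;   /* 0 */
}

/* Real libc: glibc always places the base gid in the returned list, so
 * this holds even when "root" is absent from the group database. */
int demo_root_has_gid0(void)
{
    struct group_list gl;
    if (group_list_init("root", 0, &gl) != 0)
        return -1;
    int ok = group_list_contains(&gl, 0);
    group_list_free(&gl);
    return ok;  /* 1 */
}
```

The important design point is the distinction between a -1 that asks for a larger buffer (the count is raised above the capacity passed in) and a -1 that means the lookup failed; only the first is retried, and the second yields an empty list rather than an error, which is the behaviour the commit gives ga_init().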
GTK 3 has been in maintenance mode for a while now, and it is on the road
to being abandoned. As a result, the dialogue looks out of place on modern
systems.

We could port it to GTK 4 but without the program being registered as an
application (i.e. having a .desktop file), GNOME Shell would ask for
permission to grab input every time.

Let’s instead use the GNOME Shell’s native prompt through the unstable
Gcr API.
DPADD. ok tb@ deraadt@

OpenBSD-Commit-ID: a05e13a7e2c0b65bb4b47184fef731243431c6ff
encountered while processing an active section in a configuration file,
terminates ssh(1) with an error message that contains the argument to the
option.

This may be useful for expressing reminders or warnings in config
files, for example:

Match host foo
       RefuseConnection "foo is deprecated, use splork instead"

ok djg

OpenBSD-Commit-ID: 5b0072fcd08ad3932ab21e27bbaa66b008d44237
If needed it can be set in github.
The PKCS#11 code in OpenSSH used the libcrypto public key method API
(e.g. the delightfully named RSA_meth_free()) to delegate signing
operations to external keys. This had one advantage - that it was
basically transparent to callers, but also had a big disadvantage -
that we'd manually have to track the method implementations, their
state and their relationships to the underlying PKCS#11 objects.

This rips this out and replaces it with explicit delegation to
PKCS#11 code for externally hosted keys via the ssh-pkcs11-helper
subprocess. This is very similar to how we handle FIDO keys in
OpenSSH (i.e. via ssh-sk-helper). All we need to track now is a
much simpler mapping of public key -> helper subprocess.

Kicking our libcrypto meth dependency also makes it much easier
to support Ed25519 keys in PKCS#11, which will happen in a subsequent
commit.

feedback / ok tb@

OpenBSD-Commit-ID: a5a1eaf57971cf15e0cdc5a513e313541c8a35f0
ssh form into a separate function

OpenBSD-Commit-ID: 3711c6d6b52dde0bd1f17884da5cddb8716f1b64
rapier1 and others added 24 commits October 6, 2025 11:29
has a tty attached as this causes side effects, e.g. in channel_handle_rfd().
bz3872

ok markus@

OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8
This fixes the build on macOS prior to 10.12 Sierra, since it does not
have it.  Found and tested by Sevan Janiyan.
Some github runners (notably macos-14) seem to have host keys where
public and private do not match, so generate our own keys for testing
purposes.
When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
From FreeBSD via bz#3874: "This was previously included due to nested
includes in Heimdal's headers.  Without this, the build fails with an
error due to redefining AT_FDCWD."
Based on Github PR#597 from Mike Frysinger, any bugs added by me.
Fixes from Mike Frysinger via Github PR#597.
Should unbreak --disable-pkcs11 builds
1. Use the ssh-keygen under test and not the one in $PATH
2. Include a test PKCS#11 operation to ensure that the P11 stack is
   working correctly.

Previously, it was possible for p11_setup to return success on
configurations with PKCS#11 support disabled.
Matches what OpenBSD does and fixes ssh-keygen regression in
certifying keys using a CA key hosted via ssh-agent (bz3877)
multiple keys loaded. ok markus deraadt dtucker

OpenBSD-Commit-ID: baa9763ec69d162108dafd962792ec5610ff45c9
The only change since 10.1 is the channels.c fix

OpenBSD-Commit-ID: 5eebeb0db14c694efd4ee96b5f16112e3e5d5ba9
No conflicts in the code. Only conflict is in the Changelog.
I'll force this commit and then rebuild the Changelog with
our log data.
@rapier1 rapier1 requested a review from dorrellmw October 21, 2025 18:39
@rapier1 rapier1 added the Release New Release label Oct 21, 2025
Collaborator

@dorrellmw dorrellmw left a comment

Approved.

@rapier1 rapier1 merged commit d4efde7 into master Oct 23, 2025
79 of 158 checks passed