From 440ef75890c282e75534689cd4e0d3938279b8e0 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Fri, 14 Jun 2019 11:57:15 +0100
Subject: Fix interop tests for recent regress changes
A recent regress change (2a9b3a2ce411d16cda9c79ab713c55f65b0ec257 in portable) broke the PuTTY and Twisted Conch interop tests, because the key they want to use is now called ssh-rsa rather than rsa. Fix them.
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3020
Last-Update: 2019-06-14
Patch-Name: fix-interop-tests.patch
---
 regress/Makefile | 5 +++--
 regress/conch-ciphers.sh | 2 +-
 regress/test-exec.sh | 10 +++++-----
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 925edf71a..781400fd0 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -113,8 +113,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
 rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
- sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
- ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
+ sftp-server.sh sftp.log ssh-log-wrapper.sh \
+ ssh-rsa_oldfmt \
+ ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 199d863a0..51e3b705f 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
 rm -f ${COPY}
 # XXX the 2nd "cat" seems to be needed because of buggy FD handling
 # in conch
- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
+ ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
 if [ $? -ne 0 ]; then
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b8e2009de..efde6a173 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -527,13 +527,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
 >> $OBJ/authorized_keys_$USER
 # Convert rsa2 host key to PuTTY format
- cp $OBJ/rsa $OBJ/rsa_oldfmt
- ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
- ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
+ ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
 ${OBJ}/.putty/sshhostkeys
- ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
+ ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
 ${OBJ}/.putty/sshhostkeys
- rm -f $OBJ/rsa_oldfmt
+ rm -f $OBJ/ssh-rsa_oldfmt
 # Setup proxied session
 mkdir -p ${OBJ}/.putty/sessions
--
cgit v1.2.3
From 715b72009450c3448de10729817687c53554efb2 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Thu, 30 Aug 2018 00:58:56 +0100
Subject: Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted.
Forwarded: not-needed
Last-Update: 2019-06-14
Patch-Name: conch-old-privkey-format.patch
---
 regress/Makefile | 2 +-
 regress/conch-ciphers.sh | 2 +-
 regress/test-exec.sh | 12 ++++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 781400fd0..491a3a46a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -114,7 +114,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
 sftp-server.sh sftp.log ssh-log-wrapper.sh \
- ssh-rsa_oldfmt \
+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
 ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 51e3b705f..fa24552b0 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
 rm -f ${COPY}
 # XXX the 2nd "cat" seems to be needed because of buggy FD handling
 # in conch
- ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
+ ${CONCH} --identity $OBJ/ssh-rsa_oldfmt --port $PORT --user $USER -e none \
 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
 if [ $? -ne 0 ]; then
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index efde6a173..83c7d02e6 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -500,6 +500,18 @@ REGRESS_INTEROP_CONCH=no
 if test -x "$CONCH" ; then
 REGRESS_INTEROP_CONCH=yes
 fi
+case "$SCRIPT" in
+*conch*) ;;
+*) REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+ # Convert rsa key to old format to work around
+ # https://twistedmatrix.com/trac/ticket/9515
+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
+ cp $OBJ/ssh-rsa.pub $OBJ/ssh-rsa_oldfmt.pub
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
+fi
 # If PuTTY is present and we are running a PuTTY test, prepare keys and
 # configuration
--
cgit v1.2.3
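Review bot: The new `${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null` line in the test-exec.sh hunk discards the conversion's exit status, so a failed rewrite is only noticed later when conch cannot load the identity, with a misleading error. Nothing in the hunk suggests the file runs under `set -e`, so the check has to be explicit, e.g. `${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null || fatal "convert ssh-rsa key to PEM failed"` (test-exec.sh's `fatal` helper is defined earlier in the file, outside this hunk); the two `cp` lines above it deserve the same treatment. The `*) REGRESS_INTEROP_CONCH=no` arm omits the trailing `;;`, which is legal for the last arm but reads inconsistently with `*conch*) ;;` just above it.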
From 907bd73e8b0d031a96a0f800c0f6cef03ff1fcc4 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
---
 readconf.c | 4 ++--
 servconf.c | 4 ++--
 ssh_config.5 | 6 ++----
 sshd_config.5 | 6 ++----
 4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
index f35bde6e6..2ba312441 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2165,9 +2165,9 @@ fill_default_options(Options * options)
 if (options->visual_host_key == -1)
 options->visual_host_key = 0;
 if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
 if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->request_tty == -1)
 options->request_tty = REQUEST_TTY_AUTO;
 if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
index 8d2bced52..365e6ff1e 100644
--- a/servconf.c
+++ b/servconf.c
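Review bot: The restored `IPTOS_LOWDELAY` / `IPTOS_THROUGHPUT` defaults on the two `+` lines of the readconf.c hunk now silently diverge from the upstream `IPTOS_DSCP_AF21` / `IPTOS_DSCP_CS1` values, and nothing in the code records that this is a deliberate, temporary distribution choice; the servconf.c hunk has the same gap. A one-line comment above the first `if` in each file would keep the next rebase from dropping the revert by accident, e.g. `/* Debian: legacy ToS defaults kept until https://bugs.debian.org/923880 is resolved; upstream uses IPTOS_DSCP_AF21 / IPTOS_DSCP_CS1. */`. Because the commit message already points at the man-page text, the comment can stay short. fill_default_options continues outside the hunk on both sides.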
@@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options)
 if (options->permit_tun == -1)
 options->permit_tun = SSH_TUNMODE_NO;
 if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
 if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->version_addendum == NULL)
 options->version_addendum = xstrdup("");
 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index a27631ae9..a9f6d906f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1098,11 +1098,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
 for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index c0c4ebd66..e5380f5dc 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -886,11 +886,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
 for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
--
cgit v1.2.3
From 0c3b0631695be33f711eda233bfee3dab77d405c Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Fri, 7 Jun 2019 23:47:37 +1000
Subject: Update utimensat test.
POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW should update the symlink and not the destination. The compat code doesn't have a way to do this, so where possible it fails instead of following a symlink when explicitly asked not to. Instead of checking for an explicit failure, check that it does not update the destination, which both the real and compat implementations should honour. Inspired by github pull req #125 from chutzpah at gentoo.org.
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=182898192d4b720e4faeafd5b39c2cfb3b92aa21
Last-Update: 2019-06-09
Patch-Name: fix-utimensat-test.patch
---
 openbsd-compat/regress/utimensattest.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
index a7bc7634b..b29cef2f1 100644
--- a/openbsd-compat/regress/utimensattest.c
+++ b/openbsd-compat/regress/utimensattest.c
@@ -83,14 +83,28 @@ main(void)
 fail("mtim.tv_nsec", 45678000, sb.st_mtim.tv_nsec);
 #endif
+ /*
+ * POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW
+ * should update the symlink and not the destination. The compat
+ * code doesn't have a way to do this, so where possible it fails
+ * with ENOSYS instead of following a symlink when explicitly asked
+ * not to. Here we just test that it does not update the destination.
+ */
 if (rename(TMPFILE, TMPFILE2) == -1)
 fail("rename", 0, 0);
 if (symlink(TMPFILE2, TMPFILE) == -1)
 fail("symlink", 0, 0);
+ ts[0].tv_sec = 11223344;
+ ts[1].tv_sec = 55667788;
+ (void)utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);
+ if (stat(TMPFILE2, &sb) == -1)
+ fail("stat", 0, 0 );
+ if (sb.st_atime == 11223344)
+ fail("utimensat symlink st_atime", 0, 0 );
+ if (sb.st_mtime == 55667788)
+ fail("utimensat symlink st_mtime", 0, 0 );
- if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
- fail("utimensat followed symlink", 0, 0);
-
+ /* Clean up */
 if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
 fail("unlink", 0, 0);
 exit(0);
--
cgit v1.2.3
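Review bot: `(void)utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);` discards the return value, so the three new checks only prove the destination was not stamped; they never confirm that an implementation which reports success actually stamped the link itself, which is the POSIX behaviour the new comment describes. Keeping the status and, when it is 0, checking the link with `lstat(TMPFILE, &sb)` would cover both the real and the ENOSYS-returning compat path, as sketched below (`r` would be a new `int` local declared at the top of `main`, outside the hunk); whether every platform's lstat reports symlink timestamps this way is something to confirm before relying on it. Minor style point: `fail("stat", 0, 0 );` and the two `fail(...)` lines after it carry a stray space before `)`, unlike the surrounding calls. `main` continues outside the hunk on both sides.
```c
	ts[0].tv_sec = 11223344;
	ts[1].tv_sec = 55667788;
	r = utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);
	/* … unchanged: stat(TMPFILE2) and the two destination checks … */
	if (r == 0) {
		/* A call that reported success must have stamped the link, not its target. */
		if (lstat(TMPFILE, &sb) == -1)
			fail("lstat", 0, 0);
		if (sb.st_atime != 11223344)
			fail("utimensat symlink link st_atime", 11223344, sb.st_atime);
		if (sb.st_mtime != 55667788)
			fail("utimensat symlink link st_mtime", 55667788, sb.st_mtime);
	}
```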