Discussion:
Test Status OpenSSH 7.1 P2 on HPE NSE
Randall S. Becker
2016-02-09 21:08:49 UTC
Hi All,

Just reporting in on how testing has gone. After reducing obs to 32k max and
banners to a max of 10000, plus some minor platform changes - root is not 0,
for example, all normal tests have passed except for:

multiplex - hangs at the end of this output. We had a similar issue that
single reads of data were not working in dd but that does not seem to be the
case in this test suite.
test connection multiplexing: envpass
environment not found
test connection multiplexing: transfer
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
ssh -S ctl: corrupted copy of
/home/git/openssh-portable/regress/data
keys-command (nothing really apparent that I can find in the logs)
AuthorizedKeysCommand with arguments
connect failed
AuthorizedKeysCommand without arguments
connect failed
integrity (a sample... pretty much all of the tests do this)
test integrity: hmac-sha1 @2900
unexpected error mac hmac-sha1 at 2900: Bytes per second: sent
40854.2, received 34836.9.
principals-command (a sample. Every 3 to 5 executions fail. Nothing apparent
in the logs as to why. Could this be a timing issue on recycling ports?).
authorized principals command: privsep yes empty
authorized_principals
authorized principals command: privsep yes wrong
authorized_principals
authorized principals command: privsep yes correct
authorized_principals
ssh cert connect failed

The build did not use any pthreads, and used c89. Unfortunately, the logs
were not particularly helpful identifying why there were issues. I am not
sure we can deploy the code at this stage, although it does work for
most of the pretty normal things I need to do. Anyone have any advice?

Cheers,
Randall
-- Brief whoami: NonStop&UNIX developer since approximately
UNIX(421664400)/NonStop(211288444200000000)
-- In my real life, I talk too much.
Randall S. Becker
2016-02-09 22:41:20 UTC
On Wed, Feb 10, 2016 at 8:08 AM, Randall S. Becker
Post by Randall S. Becker
Hi All,
Just reporting in on how testing has gone. After reducing obs to 32k
max and banners to a max of 10000, plus some minor platform changes -
Did you need to make any code changes? If so, what?
I only changed regress/transfer.sh:
- for s in 10 100 1k 32k 64k 128k 256k; do
+ for s in 10 100 1k 32k ; do
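Review bot: dropping 64k, 128k and 256k on the `+ for s in 10 100 1k 32k ; do` line removes the larger transfer sizes unconditionally, so they stop being exercised on every platform that runs regress/transfer.sh, not only the one where they fail. Keep the original list and skip the sizes above 32k behind a platform check, with a comment next to the loop stating the limit that motivated it. The space before `;` can also go.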
and regress/banner.sh
-for s in 0 10 100 1000 10000 100000 ; do
+for s in 0 10 100 1000 10000 ; do
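Review bot: the 100000 case disappears from the banner size list on the `+for s in 0 10 100 1000 10000 ; do` line with nothing recording why, so the largest banner is no longer tested anywhere. If the cap is specific to one platform, gate it on that platform and add a comment beside the loop giving the reason, so the full list still runs elsewhere.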
Post by Randall S. Becker
multiplex - hangs at the end of this output. We had a similar issue
that single reads of data were not working in dd but that does not
seem to be the case in this test suite.
test connection multiplexing: envpass
environment not found
test connection multiplexing: transfer
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
These tests are for ControlMaster and require descriptor passing over Unix
domain sockets to work. Does your platform have that?
It does, however I think there are setup requirements on the sockets that are not covered and are different on the platform. If you could point me at the setup code, I can check it and/or make it work.
[...]
Post by Randall S. Becker
AuthorizedKeysCommand with arguments
connect failed
AuthorizedKeysCommand without arguments
connect failed
These ones might be port reuse or race conditions. The failed-ssh.log and
failed-sshd.log should say why the connect failed.
I will post this as a separate thread.
Post by Randall S. Becker
integrity (a sample... pretty much all of the tests do this)
unexpected error mac hmac-sha1 at 2900: Bytes per second: sent
40854.2, received 34836.9.
principals-command (a sample. Every 3 to 5 executions fail. Nothing
apparent in the logs as to why. Could this be a timing issue on recycling
ports?).
The integrity test failures aren't due to TCP port recycling because they run
sshd via a proxycommand and do not depend on TCP ports. It does
depend somewhat on what ciphers and macs are offered because those
banners affect how many bytes are on the wire before the encrypted traffic
starts. These lists of ciphers and macs are in the debug logs which you are yet
to share.
Post by Randall S. Becker
authorized principals command: privsep yes empty
authorized_principals
authorized principals command: privsep yes wrong
authorized_principals
authorized principals command: privsep yes correct
authorized_principals
ssh cert connect failed
I will gather up the logs and share them as a separate thread. I assume plain text is ok.
Post by Randall S. Becker
The build did not use any pthreads, and used c89. Unfortunately, the
logs were not particularly helpful identifying why there were issues.
You keep saying that but don't show them. We might be able to make
something out of them if we can see them.
Will share later today or tomorrow ($DAYJOB calls). Thanks Darren.

Cheers,
Randall
Darren Tucker
2016-02-09 22:28:12 UTC
On Wed, Feb 10, 2016 at 8:08 AM, Randall S. Becker
Post by Randall S. Becker
Hi All,
Just reporting in on how testing has gone. After reducing obs to 32k max and
banners to a max of 10000, plus some minor platform changes - root is not 0,
Did you need to make any code changes? If so, what?
Post by Randall S. Becker
multiplex - hangs at the end of this output. We had a similar issue that
single reads of data were not working in dd but that does not seem to be the
case in this test suite.
test connection multiplexing: envpass
environment not found
test connection multiplexing: transfer
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data
Binary files /home/git/openssh-portable/regress/data and
/home/git/openssh-portable/regress/copy differ
These tests are for ControlMaster and require descriptor passing over
Unix domain sockets to work. Does your platform have that?

[...]
Post by Randall S. Becker
AuthorizedKeysCommand with arguments
connect failed
AuthorizedKeysCommand without arguments
connect failed
These ones might be port reuse or race conditions. The failed-ssh.log
and failed-sshd.log should say why the connect failed.
Post by Randall S. Becker
integrity (a sample... pretty much all of the tests do this)
unexpected error mac hmac-sha1 at 2900: Bytes per second: sent
40854.2, received 34836.9.
principals-command (a sample. Every 3 to 5 executions fail. Nothing apparent
in the logs as to why. Could this be a timing issue on recycling ports?).
The integrity test failures aren't due to TCP port recycling because
they run sshd via a proxycommand and do not depend on TCP ports. It
does depend somewhat on what ciphers and macs are offered because
those banners affect how many bytes are on the wire before the
encrypted traffic starts. These lists of ciphers and macs are in the
debug logs which you are yet to share.
Post by Randall S. Becker
authorized principals command: privsep yes empty
authorized_principals
authorized principals command: privsep yes wrong
authorized_principals
authorized principals command: privsep yes correct
authorized_principals
ssh cert connect failed
The build did not use any pthreads, and used c89. Unfortunately, the logs
were not particularly helpful identifying why there were issues.
You keep saying that but don't show them. We might be able to make
something out of them if we can see them.
Post by Randall S. Becker
I am not
sure we can deploy the code at this stage, although it does work for
most of the pretty normal things I need to do. Anyone have any advice?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2016-02-09 22:55:55 UTC
On Wed, Feb 10, 2016 at 9:41 AM, Randall S. Becker
[...]
Post by Randall S. Becker
These tests are for ControlMaster and require descriptor passing over Unix
domain sockets to work. Does your platform have that?
It does, however I think there are setup requirements on the sockets that are
not covered and are different on the platform. If you could point me at the
setup code, I can check it and/or make it work.
The listener is misc.c:unix_listener(). The code for actually sending
the descriptor is in monitor_fdpass.c:mm_send_fd(). Grepping for
control_path should show all of the places where it's potentially touched.

[...]
Post by Randall S. Becker
I will gather up the logs and share them as a separate thread. I assume plain text is ok.
Thanks. Text is fine.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.