Hi Damien,
Built and tested on current Cygwin 2.4.1 x86_64. Builds OOTB, all tests
pass.


Thanks,
Corinna

When using connection multiplexing, I sometimes set ConnectionAttempts
to 0 in order to avoid opening a new connection when the remote side
refuses to create new sessions after the top defined by MaxSessions is
reached.

Having a way to avoid that fall-back behavior is important when writing
automation scripts. Otherwise, authentication prompts may appear at any
time, and scripts would have to cope with it.

[...]
Debian unstable i386 and Ubuntu 16.04 (development branch) amd64; all
tests passed on both. I noticed a warning in my Debian environment
which might be worth cleaning up:

packet.c: In function ‘ssh_packet_need_rekeying’:
packet.c:1068:48: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
state->rekey_time + state->rekey_interval <= monotime())
^

Thanks,

So far I hit one memory leak in HostKey signing code (see attached
patch). There might be more that were not hit in our use case.

Regards,

Of course there should have been `alg` instead of `sig` in the patch.

Otherwise all the tests passes (without downstream patches) on recent
Fedora 23.

Hi there,

Would it be possible to cover also ssh-copy-id with recent fixes in this
release? The accepted patches went to the Philip Hands repo so far:
http://git.hands.com/?p=ssh-copy-id.git;

Regards,

Just tested this on the old BSD/OS machine

works with openssl 1.0.2X

Openssl 1.1.X issues

cipher.h in openssl 1.1 needs to read

struct sshcipher;
struct sshcipher_ctx {
int plaintext;
int encrypt;
struct evp_cipher_ctx_st *evp;
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
const struct sshcipher *cipher;
};


I am running into issues with sshkey.c


gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshkey.c -o sshkey.o
sshkey.c: In function `fingerprint_b64':
sshkey.c:936: warning: implicit declaration of function `strlcpy'
sshkey.c:937: warning: implicit declaration of function `strlcat'
sshkey.c: In function `sshkey_ecdsa_key_to_nid':
sshkey.c:1574: warning: `eg' might be used uninitialized in this function
sshkey.c: In function `sshkey_private_to_blob2':
sshkey.c:3026: warning: `keylen' might be used uninitialized in this function
sshkey.c:3026: warning: `ivlen' might be used uninitialized in this function
sshkey.c: In function `sshkey_parse_private_pem_fileblob':
sshkey.c:3787: dereferencing pointer to incomplete type
sshkey.c:3802: dereferencing pointer to incomplete type
sshkey.c:3814: dereferencing pointer to incomplete type

line 3787

if (pk->type == EVP_PKEY_RSA &&

line 3802

} else if (pk->type == EVP_PKEY_DSA &&

line 3814

} else if (pk->type == EVP_PKEY_EC &&

Now

EVP_PKEY *pk = NULL;

and

/usr/contrib/include/openssl/ossl_typ.h:typedef struct evp_pkey_st EVP_PKEY;

Any issue?

fixed - thanks

Done - thanks.

-d

Thanks for testing.

OpenSSH won't work with OpenSSL until someone ports it and writes
compat shims to make it work with both OpenSSL 1.0.x and 1.1.x. The
1.1.x series breaks source compatibility by making a heap of structures
opaque, including EVP_PKEY which is causing your compile problems in
sshkey.c

Porting is a fair bit of work, since at least some of the the newly-
opaque structs have not previously had accessor functions available, so
I have no intention of starting the effort until 1.1.x is at least in
beta (no point in wasting time on a moving target). It would help if
OpenSSL publish more detailed migration information than is currently
present in https://www.openssl.org/news/openssl-1.1.0-notes.html -
including a full list of things that have been made opaque and some
links to the accessor functions for things that were previously only
reachable directly.

-d

The Solaris privilege code breaks building on Solaris 10. If
you let configure just do its thing, you get the following error
when compiling:

"sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used
with the Solaris sandbox"

So, I did add "--with-solaris-privs" to the command line for
configure, but then I got the following error messages:

Undefined first referenced
symbol in file
priv_basicset openbsd-compat//libopenbsd-compat.a(port-solaris.o)
ld: fatal: symbol referencing errors. No output written to ssh

The function priv_basicset doesn't appear to exist on Solaris 10.

If I set --with-sandbox=none, the compile and "make tests" succeed
(except for the SUDO test, since sudo isn't in the path, and it
wouldn't work without munging the config anyway).

Hi Damien,
Great :-)

BTW would you like me to submit an explicit bug report when doing
similar updates in future?

I commented on, and assigned to myself, most of the bugs shown here:

https://bugzilla.mindrot.org/buglist.cgi?quicksearch=ssh-copy-id

Most of those can be closed now. Should I just go ahead and close them?

Cheers, Phil.

Hi,
According to bdcb7:sshd_config.5, UsePrivilegeSeparation is set to
"sandbox" by default.
But default in servconf.c is PRIVSEP_NOSANDBOX.

I suppose, we should sync servconf.c and sshd_config with documentation:

--- a/servconf.c
+++ b/servconf.c
@@ -362,7 +362,7 @@ fill_default_server_options(ServerOptions *options)

/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
+ use_privsep = PRIVSEP_ON;

#define CLEAR_ON_NONE(v) \
do { \
--- a/sshd_config
+++ b/sshd_config
@@ -107,7 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
+#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0

Sorry, I haven't been paying too much attention here, but I'm having
repeated failures when I tried this morning.

NetBSD-current:
test_sshkey: ..................................[1] Segmentation fault
(core dumped) ${V} /home/htodd...
*** Error code 139

NetBSD-7:
test_hostkeys:
regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all with key parse"
ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0) failed:
sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL) = -24
0 = 0
[1] Abort trap (core dumped) ${V} /home/htodd...
*** Error code 134

MacOS whatever it is that's current El Capitan:
checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.

On Wed, Feb 17, 2016 at 1:24 AM, Philip Hands <***@hands.com> wrote:
[...]
Without speaking for Damien, IMO given that it's in contrib, if you're
maintaining it then I'm happy to get changes at whatever pace suits
you.
Any that have been fixed in the import, yes please set the "Blocks"
field to V_7_2 (so we pick it up in the release tracking bug) then
close it.

Building V_7_1_P1-189-g5ac712d on Solaris 2.6 fails:
make[1]: Entering directory
`/export/home/tgc/buildpkg/openssh/src/openssh-git/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all
-I. -I.. -I. -I./.. -I/usr/tgcware/include -DHAVE_CONFIG_H -c bsd-asprintf.c
bsd-asprintf.c:50:13: error: macro "va_start" requires 2 arguments, but
only 1 given
bsd-asprintf.c: In function 'vasprintf':
bsd-asprintf.c:50: error: 'va_start' undeclared (first use in this function)
bsd-asprintf.c:50: error: (Each undeclared identifier is reported only once
bsd-asprintf.c:50: error: for each function it appears in.)
make[1]: *** [bsd-asprintf.o] Error 1
make[1]: Leaving directory
`/export/home/tgc/buildpkg/openssh/src/openssh-git/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

I removed the call to va_start just to see if there would be any other
errors lurking and there is:
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
sshconnect1.o sshconnect2.o mux.o -L. -Lopenbsd-compat/
-R/usr/tgcware/lib -L/usr/tgcware/lib -Wl,-z,now -fstack-protector-all
-lssh -lopenbsd-compat -lcrypto -lposix4 -ldl -lresolv -lz -lsocket
ld: warning: symbol `umac_ctx' has differing sizes:
(file ./libssh.a(umac.o) value=0x5ec; file
./libssh.a(umac128.o) value=0x684);
./libssh.a(umac128.o) definition taken
Undefined first referenced
symbol in file
gethostbyname
openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o) (symbol belongs to
implicit dependency /usr/lib/libnsl.so.1)
gethostbyaddr
openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o) (symbol belongs to
implicit dependency /usr/lib/libnsl.so.1)
ld: fatal: Symbol referencing errors. No output written to ssh
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

It looks like the check for yp_match previously ensured that -lnsl was
added.

-tgc

On Tue, Feb 16, 2016 at 10:42:37PM +0100, Tom G. Christensen wrote:
[...]
I think this should fix this problem after applying and running
autoreconf to rebuild configure. I'll look at the other problems
shortly.

diff --git a/configure.ac b/configure.ac
index 0b399ce..b4c0aaa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1314,8 +1314,10 @@ AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])

-# On some platforms, inet_ntop may be found in libresolv or libnsl.
+# On some platforms, inet_ntop and gethostbyname may be found in libresolv
+# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
+AC_SEARCH_LIBS([gethostbyname], [resolv nsl])

AC_FUNC_STRFTIME

I think it's a problem with this commit:
https://anongit.mindrot.org/openssh.git/commit/openbsd-compat/bsd-asprintf.c?id=0f754e29dd3760fc0b172c1220f18b753fb0957e

Author: Damien Miller <***@mindrot.org>
Date: Fri Oct 16 10:53:14 2015 +1100

need va_copy before va_start


diff --git a/openbsd-compat/bsd-asprintf.c b/openbsd-compat/bsd-asprintf.c
index db57acc..d393dfc 100644
--- a/openbsd-compat/bsd-asprintf.c
+++ b/openbsd-compat/bsd-asprintf.c
@@ -47,7 +47,7 @@ vasprintf(char **str, const char *fmt, va_list ap)
char *string, *newstr;
size_t len;

- va_start(ap);
+ va_start(ap, fmt);
VA_COPY(ap2, ap);
if ((string = malloc(INIT_SZ)) == NULL)
goto fail;

On Wed, Feb 17, 2016 at 9:22 AM, Darren Tucker <***@zip.com.au> wrote:
[...]
Actually that's not right either: "error: 'va_start' used in function
with fixed args"

I think the entire original commit is wrong and should be reverted:
https://anongit.mindrot.org/openssh.git/commit/openbsd-compat/bsd-asprintf.c?id=0f754e29dd3760fc0b172c1220f18b753fb0957e

Could you please try this patch? It adds priv_basicset to the test for
whether or not we have usable solaris privs support. Note that you will
need to run "autoreconf" after applying the patch to rebuild configure.

Thanks.

diff --git a/configure.ac b/configure.ac
index b4c0aaa..5b50b9e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -897,8 +897,10 @@ mips-sony-bsd|mips-sony-newsos4)
AC_MSG_RESULT([no])
fi
AC_CHECK_FUNC([setppriv],
- [ AC_CHECK_HEADERS([priv.h], [
- SOLARIS_PRIVS="yes"
+ AC_CHECK_FUNC([priv_basicset],
+ [ AC_CHECK_HEADERS([priv.h], [
+ SOLARIS_PRIVS="yes"
+ ])
])
])
AC_ARG_WITH([solaris-contracts],

The patch appears to get getting mangled somewhere along the way -- would
you please resend it as some sort of an attachment? Even uuencoding it
would
be fine :-).

did it produce a core dump? if so, could you feed it to gdb and get a
backtrace?
I just installed NetBSD 7.0 on a VM ("7.0 NetBSD 7.0
(GENERIC.201509250726Z) amd64") tp try to reproduce this however the
tests passed. What architecture is this, and have any changes been
made to the system (eg, patches applied)?

Attached. Also uploaded at
https://www.dtucker.net/tmp/openssh-solaris-priv.patch if that doesn't
work.

[...]
"file core" will usually tell you. from the output, it's probably
regress/unittests/sshkey/test_sshkey.

I have the dump but I don't have the executable file (or at least I'm
not sure which one it is.)

Never mind, I'm being stupid. Here's the backtrace:

Core was generated by `test_sshkey'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896
1896 key->cert->principals[key->cert->nprincipals++] = principal;
(gdb) bt
#0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896
#1 sshkey_from_blob_internal (b=***@entry=0x7f7ff7b161b0, keyp=***@entry=0x7f7fffff9030, allow_cert=***@entry=1)
at sshkey.c:2116
#2 0x000000000041291c in sshkey_from_blob (blob=<optimized out>, blen=***@entry=422, keyp=***@entry=0x7f7fffff9030)
at sshkey.c:2147
#3 0x0000000000412a75 in sshkey_read (ret=***@entry=0x7f7ff7b12080, cpp=***@entry=0x7f7fffff9090) at sshkey.c:1302
#4 0x0000000000415f5a in sshkey_try_load_public (k=***@entry=0x7f7ff7b12080,
filename=0x7f7ff7b16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub",
commentp=***@entry=0x0) at authfile.c:314
#5 0x0000000000416712 in sshkey_load_cert (filename=<optimized out>, keyp=***@entry=0x7f7fffffd140) at authfile.c:419
#6 0x0000000000409f9d in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527
#7 0x0000000000405d81 in tests () at regress/unittests/sshkey/tests.c:24
#8 0x000000000042cc4d in main (argc=3, argv=0x7f7fffffd250) at regress/unittests/test_helper/test_helper.c:162

No need - I'll add it to our release checklist.
Yes, please mark them as blocking V_7_2 before you close them though.

Thanks!

-d

I think this should fix it. It would be good if someone with recent Solaris/
Illumos that does have the fine-grained privilege support could test it too.

diff --git a/configure.ac b/configure.ac
index b4c0aaa..f614edf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4)
else
AC_MSG_RESULT([no])
fi
- AC_CHECK_FUNC([setppriv],
- [ AC_CHECK_HEADERS([priv.h], [
- SOLARIS_PRIVS="yes"
- ])
- ])
+ AC_CHECK_FUNC([setppriv])
+ AC_CHECK_HEADERS([priv.h])
AC_ARG_WITH([solaris-contracts],
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
[
@@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4)
[ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
[
AC_MSG_CHECKING([for Solaris/Illumos privilege support])
- if test "x$SOLARIS_PRIVS" = "xyes" ; then
+ if test "x$ac_cv_func_setppriv" = "xyes" -a \
+ "x$ac_cv_header_priv_h" = "xyes" ; then
+ SOLARIS_PRIVS=yes
AC_MSG_RESULT([found])
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
[Define to disable UID restoration test])

thanks; done

Could you do a "print *key->cert" to see what is going wrong here?

Thanks,
Damien

Thanks, but nothing appears wrong there. How about
"print key->cert->principals[0]" - though I'm not sure how it could get
to this point without reallocarray() returning a bad pointer.

-d

(gdb) print *key->cert
$1 = {certblob = 0x7f7ff7b162a0, type = 2, serial = 5, key_id = 0x7f7ff7b18090 "julius", nprincipals = 1,
principals = 0xfffffffff7b180a0, valid_after = 915145200, valid_before = 1293836400, critical = 0x7f7ff7b162f0,
extensions = 0x7f7ff7b16340, signature_key = 0x0}

Yeah:

(gdb) print key->cert->principals[0]
Cannot access memory at address 0xfffffffff7b180a0

Confirmed.

Using V_7_1_P1-196-gc5c3f32 the build completes.

-tgc

The problem that I was having with the patch was caused by the
creaky old versions of autoconf and automake that I was using.
It appears to work fine using the current versions of the above.
It builds fine without setting --with-sandbox=none, and it passes
the "make tests" test as well.

This patch still causes privilege separation sandbox style to be
set to solaris on Solaris 10.

Never mind -- I forgot to run autoreconf. It does indeed work correctly on
Solaris 8.

And in another "oh duh" moment, I think this dumped core on two different
machines and I sent you the bt from the wrong machine. Here's the one
from NetBSD-7.

#0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12
(gdb) bt
#0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12
#1 0x00007f7ff630e1e5 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
#2 0x0000000000429992 in test_die () at regress/unittests/test_helper/test_helper.c:290
#3 0x0000000000406b0a in assert_int (file=***@entry=0x42a188 "regress/unittests/hostkeys/test_iterate.c", line=***@entry=163,
a1=***@entry=0x42a1e0 "sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL)",
a2=***@entry=0x42d2cf "0", aa1=-24, aa2=***@entry=0, pred=***@entry=TEST_EQ) at regress/unittests/test_helper/test_helper.c:419
#4 0x0000000000405783 in prepare_expected (n=61, expected=0x652060 <expected_full>)
at regress/unittests/hostkeys/test_iterate.c:161
#5 0x0000000000405823 in test_iterate () at regress/unittests/hostkeys/test_iterate.c:980
#6 0x0000000000405259 in tests () at regress/unittests/hostkeys/tests.c:14
#7 0x0000000000429b7d in main (argc=3, argv=0x7f7fffffd0c8) at regress/unittests/test_helper/test_helper.c:162
(gdb) print *key->cert
No symbol "key" in current context.

Solaris 10 has setppriv, but does not have priv_basicset. To work on
Solaris 10, the call would need to be replaced with the equivalent set
of explicitly listed privs:

"Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION,
PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered
"basic" privileges. These are privileges that used to be always avail-
able to unprivileged processes. By default, processes still have the
basic privileges."

Of course that's the Sol 11 man page excerpt. Sol 10 doesn't have
PRIV_FILE_{READ,WRITE}, but otherwise the basic privs are the same.

I'd be more that willing to try this out on Solaris 10.

I'm seeing a hang in the testsuite on Solaris:
run test transfer.sh ...
transfer data: proto 1
<hangs here>

I've tested on 2.6, 7 and 9, x86 only for now.

I bisected it on Solaris 2.6 and the culprit is:
19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a

Reverting it gets rid of the hang and the testsuite runs to completion
with no errors.

I've inserted the logs from Solaris 9/x86 below.

-tgc


failed-regress.log:
trace: proto 1 dd-size 10
FATAL:

trace: proto 1 dd-size 10
FATAL:
FAIL:

failed-ssh.log:
trace: proto 1 dd-size 10
FATAL:

trace: proto 1 dd-size 10
FATAL:
FAIL:

failed-sshd.log:
trace: proto 1 dd-size 10
debug1: inetd sockets after dupping: 5, 6
Connection from UNKNOWN port 65535 on UNKNOWN port 65535
debug1: Client protocol version 1.5; client software version OpenSSH_7.1
debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-1.99-OpenSSH_7.1
Generating 1024 bit RSA key.
RSA key generation complete.
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug2: Network child is on pid 27122
debug3: preauth child monitor started
debug1: Sent 1024 bit server key and 2048 bit host key. [preauth]
debug1: Encryption type: 3des [preauth]
debug3: mm_request_send entering: type 32 [preauth]
debug3: mm_request_receive_expect entering: type 33 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 32
debug3: mm_request_send entering: type 33
debug2: monitor_read: 32 used once, disabling now
debug3: mm_ssh1_session_id entering [preauth]
debug3: mm_request_send entering: type 34 [preauth]
debug1: Received session key; encryption turned on. [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 34
debug3: mm_answer_sessid entering
debug2: monitor_read: 34 used once, disabling now
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 555
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug1: Attempting authentication for tgc. [preauth]
debug3: mm_auth_rsa_key_allowed entering [preauth]
debug3: mm_request_send entering: type 36 [preauth]
debug3: mm_request_receive_expect entering: type 37 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 36
debug3: mm_answer_rsa_keyallowed entering
debug1: temporarily_use_uid: 500/500 (e=500/500)
debug1: trying public RSA key file
/export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc
debug1: fd 9 clearing O_NONBLOCK
debug1:
/export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc,
line 1: non ssh1 key syntax
debug1: matching key found: file
/export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc,
line 2 RSA1 SHA256:T373CbnNP2xxI+dYn8iGW/IUdoGB0RyZQd+TEhFbz3k
debug1: restore_uid: (unprivileged)
debug3: mm_request_send entering: type 37
Failed rsa for tgc from UNKNOWN port 65535 ssh1
debug3: mm_auth_rsa_generate_challenge entering [preauth]
debug3: mm_request_send entering: type 38 [preauth]
debug3: mm_request_receive_expect entering: type 39 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug3: mm_answer_rsa_challenge entering
debug3: mm_answer_rsa_challenge sending reply
debug3: mm_request_send entering: type 39
debug2: monitor_read: 38 used once, disabling now
debug3: mm_auth_rsa_verify_response entering [preauth]
debug3: mm_request_send entering: type 40 [preauth]
debug3: mm_request_receive_expect entering: type 41 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 40
debug3: mm_answer_rsa_response entering
debug3: mm_request_send entering: type 41
debug2: monitor_read: 40 used once, disabling now
Accepted rsa for tgc from UNKNOWN port 65535 ssh1
debug1: monitor_child_preauth: tgc has been authenticated by privileged
process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: monitor_apply_keystate: packet_set_state
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: Exec command 'cat >
/export/home/tgc/buildpkg/openssh/src/openssh-git/regress/copy'
Starting session: command for tgc from UNKNOWN port 65535 id 0
User child is on pid 27123
debug1: Entering interactive session.
debug2: fd 8 setting O_NONBLOCK
debug2: fd 10 setting O_NONBLOCK
debug2: fd 12 setting O_NONBLOCK
debug2: fd 7 setting O_NONBLOCK
debug2: fd 11 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: mm_request_receive entering
debug1: do_cleanup
FATAL:
FAIL:

The prior art in other apps on the system seems to suggest that
priv_str_to_set is a better fallback if priv_basicset is not available.

I've attached a patch that seems to build and work on Illumos in both
modes (using priv_basicset and using priv_str_to_set). Would you mind
trying it on Solaris 10 for me? I did write this keeping Solaris 10 in
mind originally, but apparently I missed the lack of priv_basicset. Sorry.

I think it's this:

test_hostkeys:
regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all with key parse"
ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0) failed:
sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL) = -24
0 = 0
[1] Abort trap (core dumped) ${V} /home/htodd...
*** Error code 134

Also at

https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch

If you are having trouble getting the patch out of the email.

Also, as for Damien's patch, you will want to regenerate configure etc.
This doesn't go on top of his suggestion (I don't want to just disable
this new code for Solaris 10 if possible, it would be better to fix it
up so that you can have sandbox support as well)

I need to make these error messages more user-friendly :(

-24 is SSH_ERR_SYSTEM_ERROR, so it's likely failing to find/load the
key for some reason. I'll make a patch to improve the error message,
but in the meantime you could probably figure out the exact failure
using ktrace/ktruss/strace and/or digging errno out of the core file.

-d

Thanks for the analysis. I think this fixes it.

diff --git a/packet.c b/packet.c
index 7ddebeb..6755e74 100644
--- a/packet.c
+++ b/packet.c
@@ -263,8 +263,8 @@ ssh_alloc_session_state(void)
int
ssh_packet_is_rekeying(struct ssh *ssh)
{
- return ssh->state->rekeying ||
- (ssh->kex != NULL && ssh->kex->done == 0);
+ return compat20 &&
+ (ssh->state->rekeying || (ssh->kex != NULL && ssh->kex->done == 0));
}

/*

I don't have any Solaris systems around to test, so I'm pretty much flying
blind. I'd love to be able to ship something that works for both 10 and 11
though, so if you are both able to come up with a patch including the
autoconf gunk that works then I'll get it committed.

-d

This one is failing a test assetion - there should be some more useful
output available from the test itself.

-d

Probably not, if you ktrace or similar you need only look for the
last failing syscall (probably open) before the output of the error
message.

-d

Do I have to fish the actual invocation of test_hostkeys from somewhere
too?

Sadly I'm hitting a different autoconf bug :-(

carson:sol10dev 0 SOL$ grep CPPFLAGS config.log
$ ./configure CPPFLAGS=-I/usr/sfw/include LDFLAGS=-L/usr/sfw/lib/64
-R/usr/sfw/lib/64 -L/usr/sfw/lib/64 -R/usr/sfw/lib/64
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=-I/usr/sfw/include
CPPFLAGS='-I/usr/sfw/include'

Wed Feb 17 15:00:13 ~/openssh-git
carson:sol10dev 0 SOL$ grep CPPFLAGS config.status
S["CPPFLAGS"]=""

ARRGH!

More stupidity on my part. A "make distclean" fixed things on my
NetBSD-7 box. Unfortunately, the test crashed NetBSD-current.

OK, on NetBSD-current:

test_sshbuf: ................................................................................................... 100 tests ok
test_sshkey: ..................................[1] Segmentation fault (core dumped) ${V} /home/htodd...
*** Error code 139

Stop.

...

Core was generated by `test_sshkey'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896
1896 key->cert->principals[key->cert->nprincipals++] = principal;
(gdb) bt
#0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896
#1 sshkey_from_blob_internal (b=***@entry=0x7f7ff7b161b0, keyp=***@entry=0x7f7fffff9040, allow_cert=***@entry=1)
at sshkey.c:2116
#2 0x000000000041291c in sshkey_from_blob (blob=<optimized out>, blen=***@entry=422, keyp=***@entry=0x7f7fffff9040)
at sshkey.c:2147
#3 0x0000000000412a75 in sshkey_read (ret=***@entry=0x7f7ff7b12080, cpp=***@entry=0x7f7fffff90a0) at sshkey.c:1302
#4 0x0000000000415f5a in sshkey_try_load_public (k=***@entry=0x7f7ff7b12080,
filename=0x7f7ff7b16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub",
commentp=***@entry=0x0) at authfile.c:314
#5 0x0000000000416712 in sshkey_load_cert (filename=<optimized out>, keyp=***@entry=0x7f7fffffd150) at authfile.c:419
#6 0x0000000000409f9b in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527
#7 0x0000000000405d81 in tests () at regress/unittests/sshkey/tests.c:24
#8 0x000000000042cc4d in main (argc=3, argv=0x7f7fffffd258) at regress/unittests/test_helper/test_helper.c:162

I do have a SPARC I can blow the dust off and test with so I'll take a
look at this one.

After a quick look at the patch, I'm wondering if it could be
simplified by adding an implementation of priv_basicset inside #ifndef
HAVE_PRIV_BASICSET and doing away with the inline ifdefs?

I've got operational SPARC systems that I can test on, so that's
not a problem, but we're running only Solaris 10 at this point,
nothing any older, and most of it can't run Solaris 11 either.

Alex Wilson: my problem with patches turned out to be a problem
with an old version of autoconf, such that autoreconf was
hosing things up.

On Thu, Feb 18, 2016 at 10:22 AM, Darren Tucker <***@zip.com.au> wrote:
[...]
After a read of the man pages it seems that priv_str_to_set allocates
and priv_basicset doesn't so it's not a drop in replacement, however
factoring the basicset code out still seems to be cleaner, eg
(completely untested):

diff --git a/configure.ac b/configure.ac
index b4c0aaa..d910f53 100644
--- a/configure.ac
+++ b/configure.ac
@@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4)
fi
AC_CHECK_FUNC([setppriv],
[ AC_CHECK_HEADERS([priv.h], [
+ AC_CHECK_FUNCS([priv_basicset])
SOLARIS_PRIVS="yes"
])
])
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 962cd16..4a42a36 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -233,6 +233,22 @@ solaris_set_default_project(struct passwd *pw)
# include <priv.h>
# endif

+priv_set_t *
+solaris_basic_privset(void)
+{
+ priv_set_t *pset;
+
+#ifdef HAVE_PRIV_BASICSET
+ if ((pset = priv_allocset()) == NULL)
+ fatal("priv_allocset: %s", strerror(errno));
+ priv_basicset(pset);
+#else
+ if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL)
+ fatal("priv_str_to_set: %s", strerror(errno));
+#endif
+ return pset;
+}
+
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
@@ -254,11 +270,9 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
* etc etc).
*/

- if ((pset = priv_allocset()) == NULL ||
- (npset = priv_allocset()) == NULL)
+ if ((pset = priv_allocset()) == NULL)
fatal("priv_allocset: %s", strerror(errno));
-
- priv_basicset(npset);
+ npset = solaris_basic_privset();

if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
@@ -294,11 +308,8 @@ solaris_drop_privs_root_pinfo_net(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));
-
/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ pset = solaris_basic_privset();

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
@@ -319,11 +330,9 @@ solaris_drop_privs_root_pinfo_net_exec(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));

/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ pset = solaris_basic_privset();

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
index b077e18..3a41ea8 100644
--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -26,8 +26,11 @@ void solaris_contract_pre_fork(void);
void solaris_contract_post_fork_child(void);
void solaris_contract_post_fork_parent(pid_t pid);
void solaris_set_default_project(struct passwd *);
+# ifdef USE_SOLARIS_PRIVS
+priv_set_t *solaris_basic_privset(void);
void solaris_drop_privs_pinfo_net_fork_exec(void);
void solaris_drop_privs_root_pinfo_net(void);
void solaris_drop_privs_root_pinfo_net_exec(void);
+# endif /* USE_SOLARIS_PRIVS */

#endif
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e1..8e81c2b 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,16 +48,15 @@ ssh_sandbox_init(struct monitor *monitor)
struct ssh_sandbox *box = NULL;

box = xcalloc(1, sizeof(*box));
- box->pset = priv_allocset();
+
+ /* Start with "basic" and drop everything we don't need. */
+ box->pset = solaris_basic_privset();

if (box->pset == NULL) {
free(box);
return NULL;
}

- /* Start with "basic" and drop everything we don't need. */
- priv_basicset(box->pset);
-
/* Drop everything except the ability to use already-opened files */
if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||

That patch looks nicer to me, too. It compiles on S10 and Illumos, but I
haven't fully tested it yet (the S10 box I found currently has a broken
OpenSSL which I'm trying to figure out)

For older S10 I've also had to add this patch (below), since it seems
PRIV_NET_ACCESS is also a newer addition (it came in sometime in the
osol era apparently)




diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 4a42a36..40285b7 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -282,13 +282,17 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
fatal("priv_addset: %s", strerror(errno));

if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
- priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
priv_delset(npset, PRIV_PROC_FORK) != 0 ||
priv_delset(npset, PRIV_PROC_INFO) != 0 ||
priv_delset(npset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));

+# if defined(PRIV_NET_ACCESS)
+ if (priv_delset(npset, PRIV_NET_ACCESS) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+# endif
+
if (getppriv(PRIV_PERMITTED, pset) != 0)
fatal("getppriv: %s", strerror(errno));

@@ -312,11 +316,15 @@ solaris_drop_privs_root_pinfo_net(void)
pset = solaris_basic_privset();

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
- priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));

+# if defined(PRIV_NET_ACCESS)
+ if (priv_delset(pset, PRIV_NET_ACCESS) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+# endif
+
if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
@@ -335,12 +343,16 @@ solaris_drop_privs_root_pinfo_net_exec(void)
pset = solaris_basic_privset();

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
- priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));

+# if defined(PRIV_NET_ACCESS)
+ if (priv_delset(pset, PRIV_NET_ACCESS) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+# endif
+
if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 8e81c2b..a1506d6 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -59,7 +59,6 @@ ssh_sandbox_init(struct monitor *monitor)

/* Drop everything except the ability to use already-opened files */
if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
- priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||
@@ -67,7 +66,12 @@ ssh_sandbox_init(struct monitor *monitor)
free(box);
return NULL;
}
-
+# if defined(PRIV_NET_ACCESS)
+ if (priv_delset(box->pset, PRIV_NET_ACCESS) != 0) {
+ free(box);
+ return NULL;
+ }
+# endif
/* These may not be available on older Solaris-es */
# if defined(PRIV_FILE_READ) && defined(PRIV_FILE_WRITE)
if (priv_delset(box->pset, PRIV_FILE_READ) != 0 ||

On Wed, Feb 17, 2016 at 04:20:36PM -0800, Alex Wilson wrote:
[...]
[...]
Since this is logically part of the "delete these privs" code above, I
actually prefer inlining these.

I also changed solaris_basic_privset to return NULL on failure which
allows sandbox failures to be non-fatal (matching current behaviour;
I'm not sure if that's sensible or not). Diff is untested.

I considered changing solaris_basic_privset to
solaris_restricted_privset and doing the priv removals in common code
there. This is less overall code, but it means the set of privileges in
effect is not immediately obvious so I'm not sure that's a win. Maybe
something for later (ie after release :-) consideration.

diff --git a/configure.ac b/configure.ac
index b4c0aaa..d910f53 100644
--- a/configure.ac
+++ b/configure.ac
@@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4)
fi
AC_CHECK_FUNC([setppriv],
[ AC_CHECK_HEADERS([priv.h], [
+ AC_CHECK_FUNCS([priv_basicset])
SOLARIS_PRIVS="yes"
])
])
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 962cd16..e36e412 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -233,6 +233,26 @@ solaris_set_default_project(struct passwd *pw)
# include <priv.h>
# endif

+priv_set_t *
+solaris_basic_privset(void)
+{
+ priv_set_t *pset;
+
+#ifdef HAVE_PRIV_BASICSET
+ if ((pset = priv_allocset()) == NULL) {
+ error("priv_allocset: %s", strerror(errno));
+ return NULL;
+ }
+ priv_basicset(pset);
+#else
+ if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
+ error("priv_str_to_set: %s", strerror(errno));
+ return NULL;
+ }
+#endif
+ return pset;
+}
+
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
@@ -254,11 +274,10 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
* etc etc).
*/

- if ((pset = priv_allocset()) == NULL ||
- (npset = priv_allocset()) == NULL)
+ if ((pset = priv_allocset()) == NULL)
fatal("priv_allocset: %s", strerror(errno));
-
- priv_basicset(npset);
+ if ((npset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
@@ -268,7 +287,9 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
fatal("priv_addset: %s", strerror(errno));

if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
priv_delset(npset, PRIV_PROC_FORK) != 0 ||
priv_delset(npset, PRIV_PROC_INFO) != 0 ||
@@ -294,14 +315,14 @@ solaris_drop_privs_root_pinfo_net(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));
-
/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
@@ -319,14 +340,15 @@ solaris_drop_privs_root_pinfo_net_exec(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));

/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
index b077e18..3a41ea8 100644
--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -26,8 +26,11 @@ void solaris_contract_pre_fork(void);
void solaris_contract_post_fork_child(void);
void solaris_contract_post_fork_parent(pid_t pid);
void solaris_set_default_project(struct passwd *);
+# ifdef USE_SOLARIS_PRIVS
+priv_set_t *solaris_basic_privset(void);
void solaris_drop_privs_pinfo_net_fork_exec(void);
void solaris_drop_privs_root_pinfo_net(void);
void solaris_drop_privs_root_pinfo_net_exec(void);
+# endif /* USE_SOLARIS_PRIVS */

#endif
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e1..343a010 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
struct ssh_sandbox *box = NULL;

box = xcalloc(1, sizeof(*box));
- box->pset = priv_allocset();
+
+ /* Start with "basic" and drop everything we don't need. */
+ box->pset = solaris_basic_privset();

if (box->pset == NULL) {
free(box);
return NULL;
}

- /* Start with "basic" and drop everything we don't need. */
- priv_basicset(box->pset);
-
/* Drop everything except the ability to use already-opened files */
if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||

I was being an idiot - configure was bombing out & I didn't notice (boy
that openssl version error message is loooooong...)

With Mr. Wilson's patch, I still get:

"sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used
with the Solaris sandbox"

Because:

$ fgrep SOLARIS config.h
#define SANDBOX_SOLARIS 1
/* #undef USE_SOLARIS_PRIVS */
/* #undef USE_SOLARIS_PROCESS_CONTRACTS */
/* #undef USE_SOLARIS_PROJECTS */

If I "fix" it by passing "--with-solaris-privs" to configure, all tests
pass without SUDO being set. If I set SUDO then agent.sh fails:

trace: agent forwarding
FAIL: agent fwd proto 2 failed (exit code 255)

Is there a sane way to run just one test script? LTESTS can't be
overridden AFAIK...

On Thu, Feb 18, 2016 at 12:43 PM, Carson Gaspar <***@taltos.org> wrote:
[...]
make t-exec LTESTS=testname

where testname is the name of the specific test script without the .sh
extension.

The actual error isn't captured in any logs, but scrollback is my friend:

run test agent.sh ...
sudo: no tty present and no askpass program specified
agent fwd proto 2 failed (exit code 255)
failed simple agent test

Nope, that runs all of them :-(

But "make t-exec SUDO=sudo MAKE='make LTESTS=agent'" works. Or "make
t-exec SUDO=sudo LTESTS=agent MAKE='make -e'". I guess your make
defaults to Env Vars overriding assignments. How odd ;-)

What is agent.sh doing that's trying to invoke sudo with no tty? The
failure is easily repeatable, and I doubt it's Solaris specific...

Damien posted the (probable) fix for this a while upthread.

I've rolled it into the WIP patch from Alex Wilson. I think this should
fix both.

diff --git a/configure.ac b/configure.ac
index b4c0aaa..e36b049 100644
--- a/configure.ac
+++ b/configure.ac
@@ -896,11 +896,9 @@ mips-sony-bsd|mips-sony-newsos4)
else
AC_MSG_RESULT([no])
fi
- AC_CHECK_FUNC([setppriv],
- [ AC_CHECK_HEADERS([priv.h], [
- SOLARIS_PRIVS="yes"
- ])
- ])
+ AC_CHECK_FUNCS([setppriv])
+ AC_CHECK_FUNCS([priv_basicset])
+ AC_CHECK_HEADERS([priv.h])
AC_ARG_WITH([solaris-contracts],
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
[
@@ -925,7 +923,9 @@ mips-sony-bsd|mips-sony-newsos4)
[ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
[
AC_MSG_CHECKING([for Solaris/Illumos privilege support])
- if test "x$SOLARIS_PRIVS" = "xyes" ; then
+ if test "x$ac_cv_func_setppriv" = "xyes" -a \
+ "x$ac_cv_header_priv_h" = "xyes" ; then
+ SOLARIS_PRIVS=yes
AC_MSG_RESULT([found])
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
[Define to disable UID restoration test])
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 962cd16..e36e412 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -233,6 +233,26 @@ solaris_set_default_project(struct passwd *pw)
# include <priv.h>
# endif

+priv_set_t *
+solaris_basic_privset(void)
+{
+ priv_set_t *pset;
+
+#ifdef HAVE_PRIV_BASICSET
+ if ((pset = priv_allocset()) == NULL) {
+ error("priv_allocset: %s", strerror(errno));
+ return NULL;
+ }
+ priv_basicset(pset);
+#else
+ if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
+ error("priv_str_to_set: %s", strerror(errno));
+ return NULL;
+ }
+#endif
+ return pset;
+}
+
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
@@ -254,11 +274,10 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
* etc etc).
*/

- if ((pset = priv_allocset()) == NULL ||
- (npset = priv_allocset()) == NULL)
+ if ((pset = priv_allocset()) == NULL)
fatal("priv_allocset: %s", strerror(errno));
-
- priv_basicset(npset);
+ if ((npset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
@@ -268,7 +287,9 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
fatal("priv_addset: %s", strerror(errno));

if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
priv_delset(npset, PRIV_PROC_FORK) != 0 ||
priv_delset(npset, PRIV_PROC_INFO) != 0 ||
@@ -294,14 +315,14 @@ solaris_drop_privs_root_pinfo_net(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));
-
/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
@@ -319,14 +340,15 @@ solaris_drop_privs_root_pinfo_net_exec(void)
{
priv_set_t *pset = NULL;

- if ((pset = priv_allocset()) == NULL)
- fatal("priv_allocset: %s", strerror(errno));

/* Start with "basic" and drop everything we don't need. */
- priv_basicset(pset);
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));

if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
index b077e18..3a41ea8 100644
--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -26,8 +26,11 @@ void solaris_contract_pre_fork(void);
void solaris_contract_post_fork_child(void);
void solaris_contract_post_fork_parent(pid_t pid);
void solaris_set_default_project(struct passwd *);
+# ifdef USE_SOLARIS_PRIVS
+priv_set_t *solaris_basic_privset(void);
void solaris_drop_privs_pinfo_net_fork_exec(void);
void solaris_drop_privs_root_pinfo_net(void);
void solaris_drop_privs_root_pinfo_net_exec(void);
+# endif /* USE_SOLARIS_PRIVS */

#endif
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e1..343a010 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
struct ssh_sandbox *box = NULL;

box = xcalloc(1, sizeof(*box));
- box->pset = priv_allocset();
+
+ /* Start with "basic" and drop everything we don't need. */
+ box->pset = solaris_basic_privset();

if (box->pset == NULL) {
free(box);
return NULL;
}

- /* Start with "basic" and drop everything we don't need. */
- priv_basicset(box->pset);
-
/* Drop everything except the ability to use already-opened files */
if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||

On Thu, Feb 18, 2016 at 1:07 PM, Carson Gaspar <***@taltos.org> wrote:
[...]
I think you've got sudo configured to prompt for a password, but the
regression test is trying to use if from a context where there's no
tty.

Possible solutions:
- if you have the sudo credential caching enabled without
tty_tickets, you could run "sudo whoami" or something to prepopulate
the cache.
- temporarily add NOPASSWD: to the sudo config for the user running the test.

On Thu, Feb 18, 2016 at 1:14 PM, Carson Gaspar <***@taltos.org> wrote:
[...]
err, ok then.
When SUDO is set, test-exec runs sshd as root. I'm not sure which
specific thing it's complaining about, though. You could try putting
"set -x" in test-exec.sh and see what it's doing around the time of
the error. My guess is that it's when ssh is trying to run sshd as a
proxycommand:

[...[] proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh
${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy

Some tests like agent-ptrace use sudo specifically for things like
setting permissions bits but that doesn't look like it in your case.

<snip patch>

Confirmed. Testsuite runs to completion with no errors.

-tgc

The actual failure is in:

++ /home/carson/openssh-git/regress/ssh-log-wrapper.sh -A -2 -F
/home/carson/openssh-git/regress/ssh_proxy somehost
'/home/carson/openssh-git/regress/ssh-log-wrapper.sh -2 -F
/home/carson/openssh-git/regress/ssh_proxy somehost exit 52'
sudo: no tty present and no askpass program specified

My sudo has tty tickets enabled, so I had to go the NOPASSWD route :-(

Once I did, all tests pass on Sol 10.

On Fri, Feb 19, 2016 at 7:20 AM, Carson Gaspar <***@taltos.org> wrote:
[...]
Thanks! I was able to get my sparc up and running and also build and
test on Solaris 8 & 10. I just committed the fixes
(https://anongit.mindrot.org/openssh.git/commit/?id=907091acb188b1057d50c2158f74c3ecf1c2302b)
so AFAIK -current should be good on Solaris now. If this isn't the
case, please let me know.

I usually use:

make LTESTS=agent SKIP_UNIT=1 tests

Question:

Why does make test do this:


Script started on Fri Feb 19 17:00:06 2016
doctor.nl2k.ab.ca//usr/source/openssh-7.2rc2/openssh-portable-master$ make test
doctor.nl2k.ab.ca//usr/source/openssh-7.2rc2/openssh-portable-master$ make test
make: don't know how to make test. Stop
doctor.nl2k.ab.ca//usr/source/openssh-7.2rc2/openssh-portable-master$ make test
s
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || mkdir -p `pwd`/regress/unittests/sshkey
[ -d `pwd`/regress/unittests/bitmap ] || mkdir -p `pwd`/regress/unittests/bitmap
[ -d `pwd`/regress/unittests/hostkeys ] || mkdir -p `pwd`/regress/unittests/hostkeys
[ -d `pwd`/regress/unittests/kex ] || mkdir -p `pwd`/regress/unittests/kex
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && make)
/usr/bin/gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o sandbox-solaris.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-keyscan ssh-keyscan.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-keysign ssh-keysign.o readconf.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o ssh-agent ssh-agent.o ssh-pkcs11-client.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o sftp-server sftp-server.o sftp-common.o sftp-server-main.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/setuid-allowed ./regress/setuid-allowed.c -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat ./regress/netcat.c -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
regress/netcat.c: In function `main':
regress/netcat.c:358: warning: implicit declaration of function `strlcpy'
regress/netcat.c: In function `unix_bind':
regress/netcat.c:568: warning: comparison between signed and unsigned
regress/netcat.c: In function `unix_connect':
regress/netcat.c:604: warning: comparison between signed and unsigned
regress/netcat.c: In function `decode_addrport':
regress/netcat.c:1436: warning: comparison between signed and unsigned
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/tests.c -o regress/unittests/sshbuf/tests.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf.c -o regress/unittests/sshbuf/test_sshbuf.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_basic.c -o regress/unittests/sshbuf/test_sshbuf_getput_basic.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_misc.c -o regress/unittests/sshbuf/test_sshbuf_misc.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_fuzz.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c -o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_fixed.c -o regress/unittests/sshbuf/test_sshbuf_fixed.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/test_helper.c -o regress/unittests/test_helper/test_helper.o
regress/unittests/test_helper/test_helper.c: In function `test_data_file':
regress/unittests/test_helper/test_helper.c:177: warning: implicit declaration of function `strlcpy'
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/test_helper/fuzz.c -o regress/unittests/test_helper/fuzz.o
ar rv regress/unittests/test_helper/libtest_helper.a regress/unittests/test_helper/test_helper.o regress/unittests/test_helper/fuzz.o
a - regress/unittests/test_helper/test_helper.o
a - regress/unittests/test_helper/fuzz.o
ranlib regress/unittests/test_helper/libtest_helper.a
/usr/bin/gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshbuf/tests.o regress/unittests/sshbuf/test_sshbuf.o regress/unittests/sshbuf/test_sshbuf_getput_basic.o regress/unittests/sshbuf/test_sshbuf_getput_crypto.o regress/unittests/sshbuf/test_sshbuf_misc.o regress/unittests/sshbuf/test_sshbuf_fuzz.o regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o regress/unittests/sshbuf/test_sshbuf_fixed.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_fuzz.c -o regress/unittests/sshkey/test_fuzz.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/tests.c -o regress/unittests/sshkey/tests.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/common.c -o regress/unittests/sshkey/common.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_file.c -o regress/unittests/sshkey/test_file.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/sshkey/test_sshkey.c -o regress/unittests/sshkey/test_sshkey.o
/usr/bin/gcc -o regress/unittests/sshkey/test_sshkey -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/sshkey/test_fuzz.o regress/unittests/sshkey/tests.o regress/unittests/sshkey/common.o regress/unittests/sshkey/test_file.o regress/unittests/sshkey/test_sshkey.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/bitmap/tests.c -o regress/unittests/bitmap/tests.o
/usr/bin/gcc -o regress/unittests/bitmap/test_bitmap -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/bitmap/tests.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/hostkeys/tests.c -o regress/unittests/hostkeys/tests.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/hostkeys/test_iterate.c -o regress/unittests/hostkeys/test_iterate.o
/usr/bin/gcc -o regress/unittests/hostkeys/test_hostkeys -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/hostkeys/tests.o regress/unittests/hostkeys/test_iterate.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/kex/tests.c -o regress/unittests/kex/tests.o
/usr/bin/gcc -g -O2 -Wall -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/kex/test_kex.c -o regress/unittests/kex/test_kex.o
/usr/bin/gcc -o regress/unittests/kex/test_kex -L. -Lopenbsd-compat/ -L/usr/contrib//lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack regress/unittests/kex/tests.o regress/unittests/kex/test_kex.o regress/unittests/test_helper/libtest_helper.a -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz
BUILDDIR=`pwd`; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ="${BUILDDIR}/regress/" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKC!
S11HELPER
="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_ECC="${TEST_SSH_ECC}" TEST_SHELL="sh" EXEEXT="" tests && echo all tests passed
test "x" = "x" || mkdir -p /usr/source/openssh-7.2rc2/openssh-portable-master/regress//valgrind-out
set -e ; if test -z "" ; then V="" ; test "x" = "x" || V=/usr/source/openssh-7.2rc2/openssh-portable-master/regress/valgrind-unit.sh ; $V /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/sshbuf/test_sshbuf ; $V /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/sshkey/test_sshkey -d /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/sshkey/testdata ; $V /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/bitmap/test_bitmap ; $V /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/kex/test_kex ; $V /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/hostkeys/test_hostkeys -d /usr/source/openssh-7.2rc2/openssh-portable-master/regress/unittests/hostkeys/testdata ; fi
test_sshbuf: ................................................................................................... 100 tests ok
test_sshkey: ........................................................................................... 91 tests ok
test_bitmap: .. 2 tests ok
test_kex: ................................................................................................................................................................................................................................................................................................................................................................ 352 tests ok
test_hostkeys: .................. 18 tests ok
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2.prv | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.prv
tr '\n' '\r' </usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2.prv > /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2_cr.prv
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2_cr.prv | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.prv
awk '{print $0 "\r"}' /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2.prv > /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2_crnl.prv
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_ssh2_crnl.prv | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.prv
cat /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.prv > /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t2.out
chmod 600 /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t2.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -yf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t2.out | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -ef /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub >/usr/source/openssh-7.2rc2/openssh-portable-master/regress//t3.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t3.out | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -E md5 -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/t4.ok
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -Bf /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/t5.ok
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress/dsa_ssh2.prv > /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t6.out1
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -if /usr/source/openssh-7.2rc2/openssh-portable-master/regress/dsa_ssh2.pub > /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t6.out2
chmod 600 /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t6.out1
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -yf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t6.out1 | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t6.out2
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -q -t rsa -N '' -f /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t7.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t7.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -Bf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t7.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -q -t dsa -N '' -f /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t8.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t8.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -Bf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t8.out > /dev/null
test "yes" != yes || /usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -q -t ecdsa -N '' -f /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t9.out
test "yes" != yes || /usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t9.out > /dev/null
test "yes" != yes || /usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -Bf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t9.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -q -t ed25519 -N '' -f /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t10.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t10.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -Bf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t10.out > /dev/null
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -E sha256 -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress/rsa_openssh.pub | awk '{print $2}' | diff - /usr/source/openssh-7.2rc2/openssh-portable-master/regress/t11.ok
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -q -t ed25519 -N '' -C 'test-comment-1234' -f /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t12.out
/usr/source/openssh-7.2rc2/openssh-portable-master/ssh-keygen -lf /usr/source/openssh-7.2rc2/openssh-portable-master/regress//t12.out.pub | grep test-comment-1234 >/dev/null
run test connect.sh ...
tset: standard error: Operation not supported
5:27PM up 1 day, 2:57, 1 user, load averages: 4.84, 4.41, 5.99
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
ok simple connect
run test proxy-connect.sh ...
test: syntax error
test: syntax error
plain username protocol 2 privsep=no comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=no: 5:27PM up 1 day, 2:57, 1 user, load averages: 4.84, 4.41, 5.99
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
UNKNOWN 65535 UNKNOWN 65535
plain username protocol 2 privsep=no comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=no comp=yes: 5:27PM up 1 day, 2:57, 1 user, load averages: 4.61, 4.37, 5.97
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
UNKNOWN 65535 UNKNOWN 65535
plain username protocol 2 privsep=yes comp=no
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=no: 5:27PM up 1 day, 2:57, 1 user, load averages: 4.61, 4.37, 5.97
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
UNKNOWN 65535 UNKNOWN 65535
plain username protocol 2 privsep=yes comp=yes
tset: standard error: Operation not supported
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
bad SSH_CONNECTION protocol 2 privsep=yes comp=yes: 5:27PM up 1 day, 2:57, 1 user, load averages: 4.61, 4.37, 5.97
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
UNKNOWN 65535 UNKNOWN 65535
username with style protocol 2
tset: standard error: Operation not supported
5:27PM up 1 day, 2:57, 1 user, load averages: 4.61, 4.37, 5.97
USER TTY FROM LOGIN@ IDLE WHAT
doctor p0 ts1p19.nl2k.ab.c Fri12PM 27 script
Filesystem Type Size Used Avail Use% Mounted on
/dev/sd0a ufs 3.9G 1.7G 2.1G 45% /
/dev/sd0h ufs 88G 41G 44G 49% /usr
/dev/sd0g ufs 88G 33G 52G 39% /var
/dev/sd0f ufs 88G 57G 28G 68% /usr/home
mfs:27 mfs 992M 4.2M 939M 1% /tmp
Delete is backspace
/root/.bashrc: line 227: /usr/contrib/lib/news/bin/ctlinnd: No such file or directory
daemon: /var/news/etc/send-uucp: No such file or directory
failed proxy connect
*** Error code 1

Stop.
*** Error code 1

Stop.
You have new mail in /var/mail/doctor
doctor.nl2k.ab.ca//usr/source/openssh-7.2rc2/openssh-portable-master$ exit
exit

Script done on Fri Feb 19 17:27:42 2016

[...]
It looks like you have shell initialisation scripts that produce output for
non-interactive shells. This will mess up the tests in all sorts of ways.

You should move anything that sends output from .bashrc to .bash_profile.
I'm not sure what is going wrong here, but I suspect that something (more
shell initialisation stuff) is messing up the $SSH_CONNECTION variable.
Looks like tset is running for non-interactive shells too.
Yeah, SSH_CONNECTION is being clobbered by output from your shell init scripts.

-d