| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Jan 2018 19:34:04 -0800
From: Bryan Turner <bturner@...assian.com>
To: Junio C Hamano <gitster@...ox.com>,
Jonathan Nieder <jrnieder@...il.com>,
Brandon Williams <bmwill@...gle.com>,
Ben Humphreys <behumphreys@...assian.com>
Cc: Git Users <git@...r.kernel.org>,
Linux Kernel <linux-kernel@...r.kernel.org>,
git-packagers@...glegroups.com
Subject: Re: [ANNOUNCE] Git v2.16.0-rc0
On Thu, Dec 28, 2017 at 8:30 PM, Junio C Hamano <gitster@...ox.com> wrote:
> An early preview release Git v2.16.0-rc0 is now available for
> testing at the usual places. It is comprised of 435 non-merge
> commits since v2.15.0, contributed by 76 people, 22 of which are
> new faces.
> Brandon Williams (24):
> ssh: introduce a 'simple' ssh variant
> Jonathan Nieder (10):
> ssh test: make copy_ssh_wrapper_as clean up after itself
> connect: move no_fork fallback to git_tcp_connect
> connect: split git:// setup into a separate function
> connect: split ssh command line options into separate function
> connect: split ssh option computation to its own function
> ssh: 'auto' variant to select between 'ssh' and 'simple'
> ssh: 'simple' variant does not support -4/-6
> ssh: 'simple' variant does not support --port
> connect: correct style of C-style comment
> generate-cmdlist: avoid non-deterministic output
Sorry for being late to the party on the "simple" variant for SSH, but
we've been doing some testing with 2.16.0-rc0 and noticed an
unexpected issue.
Our test environment is still on Ubuntu 12.04 LTS (it's a long story,
but one I doubt is unique to us), which means it's using OpenSSH 5.9.
ssh -G was added in OpenSSH 6.8 [1], circa March 2015, which means the
"auto" detection "fails" and chooses "simple" instead of "ssh". But
OpenSSH 5.9 _does_ support -4, -6 and -p. As a result, commands which
have been working without issue on all previous versions of Git start
to fail saying:
git -c gc.auto=0 -c credential.helper= fetch --force --prune
--progress ssh://localhost:64281/repo.git +refs/*:refs/*' exited with
code 128 saying: fatal: ssh variant 'simple' does not support setting
port
I know Ubuntu 12.04 LTS is end-of-life, but 14.04 LTS, which is
running OpenSSH 6.6 [2], has the same issue. The following is from a
fully patched 14.04.5:
bturner@...ntu:~$ cat /etc/*ease | head -4
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
bturner@...ntu:~$ ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014
bturner@...ntu:~$ ssh -G -p 7999 localhost
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
Is it possible to adjust the check, somehow, so it doesn't impact
older OpenSSH versions like this? As it stands, it seems likely a fair
number of users who have an SSH command that does support -4, -6 and
-p are going to end up getting "penalized" because it doesn't also
support -G, and have to manually set their SSH variant to "ssh" (or
something other than "auto") to avoid the automatic detection.
I'd love to say I have a brilliant idea for how to work around this,
oh and here's a patch, but I don't. One option might be trying to
actually review the output, and another might be to run "ssh -V", but
both of those have their own flaws (and the extra process forks aren't
"free").
[1] https://www.openssh.com/txt/release-6.8
[2] https://launchpad.net/ubuntu/+source/openssh
Best regards,
Bryan Turner
Powered by blists - more mailing lists