ssh-3.5p1 core dumps on Solaris 2.6

Martin MOKREJŠ mmokrejs at natur.cuni.cz
Thu Nov 7 02:05:30 EST 2002


On Wed, 16 Oct 2002, Darren Tucker wrote:

> Martin MOKREJŠ wrote:
> >   I've reported this problem a month ago on this list, and probably no-one
> > is interested? Binaries were configured with krb4 and afs enabled.
> > However, only the second crash seems to be related to krb4.
> > Any thoughts?

Hi,
  I feel I should post a conclusion. Maybe someone wants to update docs
for ssh+krb4 in the INSTALL document.


  I've faced a couple of problems:

  1. If you ever installed shared libraries libkrb.so and libkafs.so, make
sure to rename them temporarily while linking openssh-3.5p1. If you don't,
then sshd "somehow" disconnects the client when trying to initiate
connection.

  2. If you ever installed /usr/athena/lib/libdes.* from KTH-KRB4
distribution and you use versions above 1.1.1 (I think, where the OpenSSL
support was added), be sure to remove this library. In such a case, you
already have kerberos binaries linked against DES algorithms from
libcrypto, originating from the openssl distribution. The configure script of
openssh-3.5p1 is quite stupid and will happily put both "-ldes" and
"-lcrypto" on the LDFLAGS line. The problem might be similar to the one
appearing on SGI Irix platforms, where the native cc compiler truly follows
POSIX and is a single-pass linker, i.e. does not shuffle the order of
libraries while linking as gcc does. Thus, you have to specify them in
the right order! The problem there was that crypt() from libdes returns
something completely different than crypt() from libcrypto, which points
to the function in libc. The proper order was:

  -lssh -lopenbsd-compat -lwrap -lkafs -lkrb -lz -lgen -lcrypto -ldes

  I believe the solution would be to ignore -ldes, as the last two releases of
KTH-KRB4 do not provide libdes anymore. If a user had the old version,
he would get unresolved symbols at link stage. When thinking of the case
on Irix, I believe the RIGHT solution at the time was to remove "-ldes".

  In my case, unknown function calls being resolved from libdes instead of
libcrypto would NOT happen, thus people won't face the strange crashes
which I've seen. For example, the "./ssh-keygen" not working is one nice
example, see my previous posts. ;)


  3. After configuring, be sure to add one line to includes.h. This is
     Solaris specific!
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <sys/ioctl.h>
  +#include <sys/ioccom.h>
  #include <sys/wait.h>
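
Review bot: the added "#include <sys/ioccom.h>" is unconditional, although the text introducing it says it is Solaris specific. As a local edit made after configuring on Solaris that is fine, but if the line were carried into includes.h for everyone it should sit behind a configure-time check for the header, so that platforms without <sys/ioccom.h> still compile. A one-line comment saying which definitions the build was missing without it would also help whoever revisits this include later.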

  4. Remember that kerberos is not available under ssh protocol 2. You
have to use the "-1" ssh command line option.


  I've tested openssh-3.5p1 as follows:

  openssl-0.9.6-stable-SNAP-20021102$ ./Configure solaris-sparcv7-gcc
    --prefix=/software/@sys/usr/openssl --openssldir=/usr/local/openssl
    no-threads

  krb4-1.2.1$ ./configure --with-readline --with-x
    --with-openssl=/software/@sys/usr/openssl --with-afsws=/usr/afsws
    --enable-rxkad --disable-shared

  openssh-3.5p1$ ./configure --prefix=/usr/local
    --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers
    --with-ssl-dir=/software/@sys/usr/openssl --without-rsh
    --disable-suid-ssh --with-privsep --with-zlib --with-pam


HtH
-- 
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
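
Added example, not part of the original message and not code from OpenSSH or KTH-KRB4: a small shell check for the situation in item 2, where a link line names both -ldes and -lcrypto and the two libraries define the same symbols. The function names and the nm listings are constructed for illustration, and the parser assumes three-column BSD-style "nm -g" output.

```shell
#!/bin/sh
# Added illustration. The nm listings below are constructed sample data,
# not output taken from real libdes or libcrypto builds.
LINK_LINE='-lssh -lopenbsd-compat -lwrap -lkafs -lkrb -lz -lgen -lcrypto -ldes'
LIBDES_NM='00000000 T crypt
00000040 T des_ecb_encrypt
00000080 T des_set_key
         U memcpy'
LIBCRYPTO_NM='00000000 T des_ecb_encrypt
00000100 T des_set_key
00000200 T SHA1_Init
         U crypt'

# Succeed when a link line names both -ldes and -lcrypto.
both_des_providers() {
    case " $1 " in *" -ldes "*) ;; *) return 1 ;; esac
    case " $1 " in *" -lcrypto "*) return 0 ;; *) return 1 ;; esac
}

# Read `nm -g` text on stdin; print globally defined symbols (T, D or B).
defined_syms() {
    awk 'NF == 3 && $2 ~ /^[TDB]$/ { print $3 }' | sort -u
}

# Print symbols that both listings define, i.e. the names whose
# implementation depends on which library the linker consults first.
colliding_syms() {
    {
        printf '%s\n' "$1" | defined_syms
        printf '%s\n' "$2" | defined_syms
    } | sort | uniq -d
}

if both_des_providers "$LINK_LINE"; then
    echo "link line names both -ldes and -lcrypto; defined by both:"
    colliding_syms "$LIBDES_NM" "$LIBCRYPTO_NM"
fi
```

To run it against a real build, replace the two sample listings with the output of nm -g on the installed libdes and libcrypto, and LINK_LINE with the library list configure produced.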






