OpenSSH question, please!! :)

Jim Knoble jmknoble at pobox.com
Tue Feb 25 13:30:58 EST 2003


Circa 2003-02-24 19:42:55 -0500 dixit Jason McCormick:
: > OpenSSL version mismatch: Built against 90602f, you have 90701f
: 
: This is what I was saying before 
: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104589343318200&w=2 
: .   The binary packages provided by RedHat have many things compiled 
: against them.  If you don't follow the upgrade path recommended by 
: RedHat (i.e. they keep everything at 0.9.6b as an internal version 
: number) then you run into instances like this.

Of course, another option is to build packages of OpenSSL such that
more than one is able to be installed at a time, as i've recently
described on the RPM mailing list:

  http://www.redhat.com/mailing-lists/rpm-list/msg18062.html

Then it's possible to rebuild each package that depends on OpenSSL
without having to stop the service, uninstall the package, rebuild,
install, and finally restart the service again.

: This is a security precaution.  If it would happen that someone replaced 
: the libraries of OpenSSL with a hacked version or a compromised 
: replacement it would be caught.  Obviously not a foolproof method but 
: is definitely a help.

It's not remotely a security measure.  It's there because the OpenSSL
maintainers do not guarantee that either the OpenSSL API or the ABI
will be stable until OpenSSL v1.0.

The only possible way this could be connected with security is to keep
OpenSSH from using an OpenSSL shared library that may have a different
API or ABI than OpenSSH expects, giving rise to potential, hypothetical
problems (for example, if the libcrypto API were to change such that
OpenSSH failed to call a newly required initialization function,
causing OpenSSH to send out unencrypted or weakly encrypted data).

It's much more likely that OpenSSH would simply crash unexpectedly due
to a strange pointer in a slightly incompatible ABI, and you wouldn't
be able to get OpenSSH running again.  As it is, when you run 'sshd -t'
after installing your new, potentially incompatible OpenSSL library,
OpenSSH complains immediately, instead of crashing later.

It's more of a reliability measure than a security measure.  If you
want to protect against the replacement of shared libraries (or any
other files, for that matter, such as /etc/ssh/sshd_config), you should
use a combination of immutable attributes, securelevels, and offline
SHA-1 hashes or the equivalent.  Anything else is just fooling
yourself.

: > Failed Dependencies:
  [...]

: RPM isn't always clear with its dependencies.  When dealing with RedHat 
: there's 5 packages for OpenSSH - openssh, openssh-server, 
: openssh-client, openssh-askpass and openssh-askpass-gnome.  You need to 
: upgrade all of those at the same time.

(or remove them first, or, if you *really* know what you're doing,
uninstall the required package using 'rpm --erase --nodeps').

: What you should do is go to Rawhide (my favorite mirror is 
: ftp.dulug.duke.edu) and go to the SRPMS tree 
: (ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS) and get 
: openssh-3.5p1-6.src.rpm.  This is the source RPM for RedHat's openssh 
: packages.  If you're on RH8.0 you'll want to do an 'rpmbuild --rebuild 
: openssh-3.5p1-6.src.rpm'.  This will make the 5 packages you need in 
: /usr/src/redhat/RPMS/i386.  You can then install them from there and 
: that should resolve your dependencies.

Note that current Red Hat Rawhide uses rpm-4.2, which contains some
additions to specfile syntax (notably a %check section).  Consequently,
some Rawhide RPMs may not rebuild properly under systems using
earlier versions of RPM.  Caveat utilisor.

If you're going to install RPMs of OpenSSH, why not simply use the ones
from ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/rpm/ ?  Or even
from the specfile in the openssh-3.5p1 source tarball?  That way you
don't have any of the sort of cross-platform incompatibility:

  http://cr.yp.to/compatibility.html

that continues to plague Unix, Linux, and other "compatible" operating
platforms.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
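The "Built against 90602f, you have 90701f" message discussed in the thread is a comparison of the OpenSSL version number compiled into OpenSSH against the one reported by the shared library at run time. The following is an added example, not code from OpenSSH or OpenSSL: it decodes the 0.9.x-era version encoding (0xMNNFFPPS) and applies a compile-time-versus-run-time check of that kind. The two constants are the values from the error message quoted above; in a real build the first would be OPENSSL_VERSION_NUMBER from <openssl/opensslv.h> and the second the return value of SSLeay(). The compatibility policy (major, minor, fix and status must match, patch letter ignored) is this example's own assumption; the page does not state which fields OpenSSH 3.5p1 compares.

```c
/*
 * Added example (not OpenSSH or OpenSSL code): decode OpenSSL's
 * OPENSSL_VERSION_NUMBER encoding and apply a compile-time vs run-time
 * compatibility test of the kind behind the message
 * "OpenSSL version mismatch: Built against 90602f, you have 90701f".
 *
 * The 0.9.x encoding is 0xMNNFFPPS: M = major, NN = minor, FF = fix,
 * PP = patch letter (0 = none, 1 = 'a', 2 = 'b', ...), S = status
 * (0 = dev, 1..e = beta, f = release).  Both values are plain constants
 * here so the program runs without OpenSSL installed.
 */
#include <stdio.h>
#include <string.h>

/* Values taken from the error message quoted in the thread. */
#define BUILT_AGAINST 0x0090602fUL   /* 0.9.6b, what the binary expects */
#define RUNTIME_LIB   0x0090701fUL   /* 0.9.7a, what is actually loaded */

/* Render an encoded version number as "M.NN.FF[letter][-status]". */
void openssl_version_string(unsigned long v, char *buf, size_t n)
{
    unsigned long major  = (v >> 28) & 0xf;
    unsigned long minor  = (v >> 20) & 0xff;
    unsigned long fix    = (v >> 12) & 0xff;
    unsigned long patch  = (v >> 4)  & 0xff;
    unsigned long status = v & 0xf;
    size_t len;

    snprintf(buf, n, "%lu.%lu.%lu", major, minor, fix);
    len = strlen(buf);
    if (patch != 0 && patch <= 26 && len + 1 < n) {
        /* patch 1 -> 'a', 2 -> 'b', ... */
        buf[len++] = (char)('a' + patch - 1);
        buf[len] = '\0';
    }
    if (status == 0)
        snprintf(buf + len, n - len, "-dev");
    else if (status < 0xf)
        snprintf(buf + len, n - len, "-beta%lu", status);
    /* status 0xf is a release: no suffix */
}

/*
 * Compatibility policy (an assumption of this example): major, minor,
 * fix and status must match; the patch-letter field (bits 4..11) is
 * ignored, since 0.9.6b and 0.9.6c are the same ABI line.
 * Returns 1 if the two libraries are considered compatible, else 0.
 */
int openssl_version_compatible(unsigned long built, unsigned long runtime)
{
    return ((built ^ runtime) & ~0xff0UL) == 0;
}

/*
 * Produce a diagnostic of the kind 'sshd -t' prints.  Returns 0 when
 * the loaded library matches, 1 when it does not (fatal for sshd).
 */
int check_openssl_version(unsigned long built, unsigned long runtime,
                          char *msg, size_t n)
{
    char b[32], r[32];

    openssl_version_string(built, b, sizeof b);
    openssl_version_string(runtime, r, sizeof r);
    if (openssl_version_compatible(built, runtime)) {
        snprintf(msg, n, "OpenSSL %s (%lx) matches the %s (%lx) "
                 "this binary was built against", r, runtime, b, built);
        return 0;
    }
    snprintf(msg, n, "OpenSSL version mismatch: Built against %lx (%s), "
             "you have %lx (%s)", built, b, runtime, r);
    return 1;
}

int main(void)
{
    char msg[160];
    int rc = check_openssl_version(BUILT_AGAINST, RUNTIME_LIB,
                                   msg, sizeof msg);

    puts(msg);
    return rc;
}
```

Run stand-alone it exits non-zero and prints the mismatch with both numbers decoded (0.9.6b versus 0.9.7a), which is exactly the situation in the thread: the fix level changed from 6 to 7, so no patch-letter leniency can save the binary, and the only remedies are the ones the message lists (keep the distribution's 0.9.6 line, install a parallel 0.9.6 package, or rebuild OpenSSH against 0.9.7).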