OpenSSH 4.1: call for testing.
Robert Banz
banz at umbc.edu
Wed Apr 6 02:09:57 EST 2005
Darren Tucker wrote:
> Edgar, Bob wrote:
>
>> On Solaris10/Sparc:
>>
>> My first make tests failed as below. Running again, all tests pass.
>> I then started again with a clean directory and did configure && make
>> tests without errors. Perhaps this is just weirdness on my system but
>> perhaps someone else will see something obvious.
>
>
> No, nothing obvious.
>
> One possibility: if you're using OpenSSL <= 0.9.7e compiled on Solaris
> 10, it won't use the /dev/*random devices. This means that the
> ssh-rand-helper needs to exist in its final location (/usr/local/libexec
> by default) in order for the tests to run (so if it started working
> after a "make install" then that's probably the reason).
>
This is due to a bug in OpenSSL; they use the option O_NOFOLLOW on
opening the /dev/random devices -- and, on Solaris, this is a no-no, as
/dev/random is a symlink to /devices/pseudo/[blah blah].

You can comment out the O_NOFOLLOW option in your openssl source, it's
in crypto/rand/rand_unix.c. This shouldn't open up much of a security
hole -- if you have a situation where someone could place a trojan
symlink in /dev, you've got other problems on your hands than not having
a good random number source :)

I submitted a bug to the openssl folks a while back; this worked previous
to S10, as Solaris just recently began supporting O_NOFOLLOW.
-rob
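
The failure described in this message, next to one way to keep validating the device without refusing the symlink, as an added example that is not part of the original post and not OpenSSL's code. The function names and the temporary symlink are constructed for illustration; the errno shown is ELOOP, as POSIX specifies for O_NOFOLLOW on a symbolic link.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open with O_NOFOLLOW, as the post says rand_unix.c does.
 * Returns 0 on success, otherwise the errno set by open(). */
int open_nofollow_errno(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Follow symlinks, but keep the descriptor only if the object actually
 * opened is a character device. Returns the fd, or -1 if rejected. */
int open_chardev(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed stand-in for Solaris's /dev/random -> /devices/pseudo/...:
 * creates <tmpdir>/random as a symlink to target. Returns 0 on success. */
int make_symlink(const char *target, char *linkpath, size_t n) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(linkpath, n, "%s/random", dir);
    return symlink(target, linkpath);
}

int main(void) {
    char link[64];
    if (make_symlink("/dev/urandom", link, sizeof link) != 0) return 1;
    printf("O_NOFOLLOW on symlink: errno %d (ELOOP is %d)\n",
           open_nofollow_errno(link), ELOOP);
    int fd = open_chardev(link);
    printf("follow + fstat check: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);
    return 0;
}
```

The fstat() check runs on the already-open descriptor, so it describes the object that will actually be read rather than whatever the path points to later.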