Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

Shyamal Pandya1 Shyamal_Pandya1 at symantec.com
Tue Jul 27 16:25:42 EST 2010


You need to make sure that the openssl fips libraries are there in the library path. On Linux it means setting the LD_LIBRARY_PATH environment variable to the directory where those libraries are.

Shyamal

-----Original Message-----
From: openssh-unix-dev-bounces+shyamal_pandya1=symantec.com at mindrot.org [mailto:openssh-unix-dev-bounces+shyamal_pandya1=symantec.com at mindrot.org] On Behalf Of Bryan
Sent: Monday, July 26, 2010 8:49 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

On Fri, Jul 23, 2010 at 14:56, Jim Knoble <jmknoble at pobox.com> wrote:
> On 2010-07-23 11:09, Bryan wrote:
>
> : On Fri, Jul 23, 2010 at 09:42, Peter Stuge <peter at stuge.se> wrote:
> : > Bryan wrote:
> : >> Putty is not an option for us since it uses its own OpenSSL libs
> : >> and we need it FIPS enabled.
>  [...]
> : >
> : >> I've been able to build OpenSSL 0.9.8o and enable the
> : >> fipcanister.lib and create the openssl executables and libraries.
> : >> I've been able to find instructions on how to build OpenSSH at this
> : >> site:
> : >>
> : >> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
> : >>
> : >> and here:
> : >>
> : >> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
> : >>
> : >> But I can't tell if either method is the correct one for building
> : >> using cygwin.
>
> A simple Google for "openssh fips cygwin" produces the following:
>
> http://www.sslshopper.com/article-how-to-set-up-openssh-on-windows.html
>
> That doesn't sound like a "minimal Cygwin presence", but it may well
> work (once the binary is built) with a base Cygwin install....


I tried building OpenSSH and used the following to try and build:

bbrake at IAVA-DEV-0% ./configure
--with-ssl-dir=/cygdrive/f/TRUNK/UPDATES/Linux/FIPS_SSL/openssl-0.9.8o
checking for useradd... useradd
checking for pkgmk... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for login... /usr/bin//login
checking for passwd... /usr/bin//passwd
checking for inline... inline
checking whether LLONG_MAX is declared... yes
checking if gcc accepts -fno-builtin-memset... yes
checking if gcc supports -fstack-protector-all... no
checking if gcc supports -fstack-protector... no
checking bstring.h usability... no
checking bstring.h presence... no
checking for bstring.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking crypto/sha2.h usability... no
checking crypto/sha2.h presence... no
checking for crypto/sha2.h... no
checking dirent.h usability... yes
checking dirent.h presence... yes
checking for dirent.h... yes
checking endian.h usability... yes
checking endian.h presence... yes
checking for endian.h... yes
checking features.h usability... yes
checking features.h presence... yes
checking for features.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking floatingpoint.h usability... no
checking floatingpoint.h presence... no
checking for floatingpoint.h... no
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking ia.h usability... no
checking ia.h presence... no
checking for ia.h... no
checking iaf.h usability... no
checking iaf.h presence... no
checking for iaf.h... no
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking login.h usability... no
checking login.h presence... no
checking for login.h... no
checking maillock.h usability... no
checking maillock.h presence... no
checking for maillock.h... no
checking ndir.h usability... no
checking ndir.h presence... no
checking for ndir.h... no
checking net/if_tun.h usability... no
checking net/if_tun.h presence... no
checking for net/if_tun.h... no
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netgroup.h usability... no
checking netgroup.h presence... no
checking for netgroup.h... no
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking poll.h usability... yes
checking poll.h presence... yes
checking for poll.h... yes
checking pty.h usability... yes
checking pty.h presence... yes
checking for pty.h... yes
checking readpassphrase.h usability... no
checking readpassphrase.h presence... no
checking for readpassphrase.h... no
checking rpc/types.h usability... yes
checking rpc/types.h presence... yes
checking for rpc/types.h... yes
checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking sha2.h usability... no
checking sha2.h presence... no
checking for sha2.h... no
checking shadow.h usability... no
checking shadow.h presence... no
checking for shadow.h... no
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/audit.h usability... no
checking sys/audit.h presence... no
checking for sys/audit.h... no
checking sys/bitypes.h usability... no
checking sys/bitypes.h presence... no
checking for sys/bitypes.h... no
checking sys/bsdtty.h usability... no
checking sys/bsdtty.h presence... no
checking for sys/bsdtty.h... no
checking sys/cdefs.h usability... yes
checking sys/cdefs.h presence... yes
checking for sys/cdefs.h... yes
checking sys/dir.h usability... no
checking sys/dir.h presence... no
checking for sys/dir.h... no
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking sys/ndir.h usability... no
checking sys/ndir.h presence... no
checking for sys/ndir.h... no
checking sys/poll.h usability... yes
checking sys/poll.h presence... yes
checking for sys/poll.h... yes
checking sys/prctl.h usability... no
checking sys/prctl.h presence... no
checking for sys/prctl.h... no
checking sys/pstat.h usability... no
checking sys/pstat.h presence... no
checking for sys/pstat.h... no
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/stat.h... (cached) yes
checking sys/stream.h usability... no
checking sys/stream.h presence... no
checking for sys/stream.h... no
checking sys/stropts.h usability... no
checking sys/stropts.h presence... no
checking for sys/stropts.h... no
checking sys/strtio.h usability... no
checking sys/strtio.h presence... no
checking for sys/strtio.h... no
checking sys/statvfs.h usability... yes
checking sys/statvfs.h presence... yes
checking for sys/statvfs.h... yes
checking sys/sysmacros.h usability... yes
checking sys/sysmacros.h presence... yes
checking for sys/sysmacros.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking sys/timers.h usability... no
checking sys/timers.h presence... no
checking for sys/timers.h... no
checking sys/un.h usability... yes
checking sys/un.h presence... yes
checking for sys/un.h... yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking tmpdir.h usability... no
checking tmpdir.h presence... no
checking for tmpdir.h... no
checking ttyent.h usability... no
checking ttyent.h presence... no
checking for ttyent.h... no
checking ucred.h usability... no
checking ucred.h presence... no
checking for ucred.h... no
checking for unistd.h... (cached) yes
checking usersec.h usability... no
checking usersec.h presence... no
checking for usersec.h... no
checking util.h usability... no
checking util.h presence... no
checking for util.h... no
checking utime.h usability... yes
checking utime.h presence... yes
checking for utime.h... yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking utmpx.h usability... yes
checking utmpx.h presence... yes
checking for utmpx.h... yes
checking vis.h usability... no
checking vis.h presence... no
checking for vis.h... no
checking for lastlog.h... yes
checking for sys/ptms.h... no
checking for login_cap.h... no
checking for sys/mount.h... yes
checking compiler and flags for sanity... yes
checking for yp_match... no
checking for yp_match in -lnsl... no
checking for setsockopt... yes
checking for dirname... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking for getspnam... no
checking for getspnam in -lgen... no
checking for library containing basename... none required
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for deflate in -lz... yes
checking for possibly buggy zlib... no
checking for strcasecmp... yes
checking for utimes... yes
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking for library containing login... none required
checking for fmt_scaled... no
checking for logout... yes
checking for updwtmp... yes
checking for logwtmp... yes
checking for strftime... yes
checking for GLOB_ALTDIRFUNC support... yes
checking for gl_matchc field in glob_t... yes
checking whether GLOB_NOMATCH is declared... yes
checking whether struct dirent allocates space for d_name... yes
checking for /proc/pid/fd directory... yes
checking for arc4random... no
checking for arc4random_buf... no
checking for arc4random_uniform... no
checking for asprintf... yes
checking for b64_ntop... no
checking for __b64_ntop... no
checking for b64_pton... no
checking for __b64_pton... no
checking for bcopy... yes
checking for bindresvport_sa... yes
checking for clock... yes
checking for closefrom... no
checking for dirfd... yes
checking for fchmod... yes
checking for fchown... yes
checking for freeaddrinfo... yes
checking for fstatvfs... yes
checking for futimes... yes
checking for getaddrinfo... yes
checking for getcwd... yes
checking for getgrouplist... no
checking for getnameinfo... yes
checking for getopt... yes
checking for getpeereid... yes
checking for getpeerucred... no
checking for _getpty... no
checking for getrlimit... yes
checking for getttyent... no
checking for glob... yes
checking for group_from_gid... no
checking for inet_aton... yes
checking for inet_ntoa... yes
checking for inet_ntop... yes
checking for innetgr... no
checking for login_getcapbool... no
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... yes
checking for mmap... yes
checking for ngetaddrinfo... no
checking for nsleep... no
checking for ogetaddrinfo... no
checking for openlog_r... no
checking for openpty... yes
checking for poll... yes
checking for prctl... no
checking for pstat... no
checking for readpassphrase... no
checking for realpath... yes
checking for recvmsg... yes
checking for rresvport_af... yes
checking for sendmsg... yes
checking for setdtablesize... yes
checking for setegid... yes
checking for setenv... yes
checking for seteuid... yes
checking for setgroupent... no
checking for setgroups... yes
checking for setlogin... no
checking for setpassent... yes
checking for setpcred... no
checking for setproctitle... no
checking for setregid... yes
checking for setreuid... yes
checking for setrlimit... yes
checking for setsid... yes
checking for setvbuf... yes
checking for sigaction... yes
checking for sigvec... no
checking for snprintf... yes
checking for socketpair... yes
checking for statfs... yes
checking for statvfs... yes
checking for strdup... yes
checking for strerror... yes
checking for strlcat... yes
checking for strlcpy... yes
checking for strmode... no
checking for strnvis... no
checking for strtonum... no
checking for strtoll... yes
checking for strtoul... yes
checking for swap32... no
checking for sysconf... yes
checking for tcgetpgrp... yes
checking for truncate... yes
checking for unsetenv... yes
checking for updwtmpx... yes
checking for user_from_uid... no
checking for vasprintf... yes
checking for vhangup... yes
checking for vsnprintf... yes
checking for waitpid... yes
checking for library containing dlopen... none required
checking for gai_strerror... yes
checking for library containing nanosleep... none required
checking whether getrusage is declared... no
checking whether strsep is declared... yes
checking for strsep... yes
checking whether tcsendbreak is declared... yes
checking whether h_errno is declared... yes
checking whether SHUT_RD is declared... yes
checking whether O_NONBLOCK is declared... yes
checking whether writev is declared... yes
checking whether MAXSYMLINKS is declared... no
checking whether offsetof is declared... yes
checking for setresuid... no
checking for setresgid... no
checking for gettimeofday... yes
checking for time... yes
checking for endutent... yes
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for endutxent... yes
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for getutxuser... no
checking for pututxline... yes
checking for setutxdb... no
checking for setutxent... yes
checking for utmpxname... yes
checking for getlastlogxbyname... no
checking for daemon... yes
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf can declare const char *fmt... yes
checking for (overly) strict mkstemp... yes
checking whether getpgrp requires zero arguments... yes
checking openssl/opensslv.h usability... no
checking openssl/opensslv.h presence... no
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first
or check config.log ***
-----------------------------------------------------------------------------------------------------------------

How can I get openssh not to look for the headers?  I already built
OpenSSL.  I found the opensslv.h in the crypto directory under
openssl-0.9.8o, but pointing the '--with-ssl-dir' to that fails as
well.  I've added the location of the FIPS-enabled OpenSSL executables
to my PATH, but it's still not working...


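An added example, not part of the thread or of OpenSSH: a check to run against a candidate `--with-ssl-dir` value before `./configure`, showing why neither the top of the source tree nor its `crypto` directory satisfies the `openssl/opensslv.h` test in the log above. It assumes configure passes `PREFIX/include` as the include path when that directory exists and `PREFIX` itself otherwise; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does <openssl/opensslv.h> resolve for a given --with-ssl-dir?

# ssl_include_dir PREFIX
# Prints the directory assumed to be used as -I: PREFIX/include when it
# exists, otherwise PREFIX itself (assumption about configure, see lead-in).
ssl_include_dir() {
    if [ -d "$1/include" ]; then
        printf '%s\n' "$1/include"
    else
        printf '%s\n' "$1"
    fi
}

# check_ssl_dir PREFIX
# Returns 0 when the header is readable under the include directory,
# 1 when it is missing or is a symlink with no target, 2 for a bad PREFIX.
check_ssl_dir() {
    prefix=$1
    [ -d "$prefix" ] || { echo "not a directory: $prefix" >&2; return 2; }
    inc=$(ssl_include_dir "$prefix")
    # The header is requested as openssl/opensslv.h, so it must sit in a
    # subdirectory literally named "openssl" below the include directory.
    hdr="$inc/openssl/opensslv.h"
    if [ -L "$hdr" ] && [ ! -e "$hdr" ]; then
        echo "dangling symlink: $hdr" >&2
        return 1
    fi
    if [ ! -r "$hdr" ]; then
        echo "missing: $hdr" >&2
        # List copies elsewhere under PREFIX so the layout mismatch is visible.
        find "$prefix" -name opensslv.h -print 2>/dev/null |
            sed 's/^/  found instead: /' >&2
        return 1
    fi
    echo "ok: -I$inc"
}

# Stand-alone use: sh check_ssl_dir.sh /path/to/openssl-prefix
if [ $# -gt 0 ]; then
    check_ssl_dir "$1"
fi
```

A prefix that passes still has to provide `libcrypto` under `PREFIX/lib` (or `PREFIX`) for the link step that follows the header test.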