openssh static build - mission impossible?

Peter Stuge peter at stuge.se
Wed Mar 7 14:11:58 EST 2012


Mr Dash Four wrote:
>> It's clear now that you are using the unusual approach of trying to
>> reuse Fedora binaries for OpenSSH dependencies, in order to build
>> an OpenSSH binary targeted for a very different environment (bionic)
>> than Fedora.
>
> Nope! I am trying to build a static openssh to run on armv6l - the 
> "environment", whether bionic, OpenWRT or something else - is
> completely irrelevant to me

This is your mistake. The environment is quite significant during
the build process...


> and this is how it should be with monolithic statically-built
> binaries.

...but once the binaries have been built, *then* the environment is
more or less irrelevant. However, since you are doing the building,
you have to be quite thorough about the environment.


>> If you had been clear about your method you could have gotten the
>> following advice much sooner. I assumed you had taken the more
>> thorough approach, my bad.
>
> What advice?!

This:

>> You'll have much better success if you yourself build the
>> dependencies for OpenSSH. This is the usual way to build a
>> distribution.

I also suggested how you should do this in a very early email. I
suggested it again in the email you replied to. I'll repeat it one
more time below.

> Not from you anyway - you have posted 4 times in this thread
> without giving *any* sort of advice whatsoever - just
> pontificating.

I'll repeat it (with new wording) again below. Hopefully this time
it will be more clear.


>> You'll have much better success if you yourself build the
>> dependencies for OpenSSH. This is the usual way to build a
>> distribution.
> 
> That is already done.

No, since you use libcrypt (and libc) from Fedora.


> As I already pointed out - the only exception being

Exactly, there's an exception, so it isn't already done.


>> You only want to build OpenSSH and not a distribution,
>> but since you want the OpenSSH binary in a special way you
>> effectively must also build a small distribution (meaning in this
>> case a set of libraries) which allows building OpenSSH the way you
>> want.
> 
> I don't consider the way I build openssh (or any other package or
> binary for that matter) to be "special"

It is special because you have requirements other than what Fedora
already delivers. In this case you can also substitute "particular"
for "special" if you like.


> I would have succeeded if it wasn't for the fact that Fedora
> decided to ditch the entire crypto stack, implement Mozilla's
> NSS *and* link it with the standard libc library.

Yeah, this was clear already in the first or second email, where I
first suggested how to proceed.


>> That's not an excellent comment. You're overlooking the possibility
>> that I have given good advice which you misunderstood.
> 
> Which is what, exactly? Please enlighten me, because I fail to see
> what was the "advice" you have given me - going by what you've
> posted so far, I could see none whatsoever.

Here goes again:

Problem:
OpenSSH calls crypt() but Fedora libcrypt.a doesn't work because of NSS.

Advice:
Provide your own crypt() implementation and build OpenSSH without
Fedora's libcrypt.a.

I've suggested several sources where you can look for an
implementation, so that you don't have to write one from scratch.

It was also pointed out that actually the OpenSSL you are using
already includes a suitable implementation, DES_crypt().

So the simplest solution seems to be that you write a small wrapper
function named crypt() with the correct API, which uses DES_crypt()
in OpenSSL to do the work. Compile this function and link OpenSSH
with the object file (it doesn't even have to be a library) - done.


>> I think you may also overlook the right to free speech.
>
> You are not the one to lecture me about free speech - who the hell
> do you think you are?!

I'm the guy you said should not speak.


>> But I digress. If you refuse to build your own libcrypto then you
>> really have no way to accomplish your goal;
> 
> Where did I "refuse" to build my own crypto

As you can see I wrote "If" which is a condition. I did not claim
that you had refused anything. I tried to clarify that you had
somewhat few options on how to proceed.


> - are you to continue making things up as you go along?

It's a typo. I meant libcrypt, as in libcrypt.a. Since this is the
library that you are having problems with this typo might have been
evident from context. But I apologize for the extra byte causing
confusion.


//Peter
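
The wrapper suggested in the advice above, as an added example; it is not code from this thread, from OpenSSH or from OpenSSL. `DES_crypt()` is the OpenSSL function named in the message; `des_salt_ok`, `crypt_with` and the `USE_OPENSSL_DES` macro are hypothetical names, and the salt check goes beyond what the message asks for.

```c
/* crypt_shim.c: added example, not from the thread or from OpenSSH.
 * Build the real shim with -DUSE_OPENSSL_DES and link crypt_shim.o plus
 * libcrypto.a into OpenSSH. All names except DES_crypt() are hypothetical. */
#include <stddef.h>
#include <string.h>

/* Signature shared by crypt(3) and OpenSSL's DES_crypt(). */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Traditional DES crypt salts are two characters from [./0-9A-Za-z]. */
static int is_salt_char(char c)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return c != '\0' && strchr(set, c) != NULL;
}

/* Returns 1 only when `salt` (normally the stored hash) starts with a DES
 * salt. Modular hashes ("$1$...", "$6$...") and locked-account markers
 * ("!", "*") return 0: a DES-only backend cannot verify them. */
int des_salt_ok(const char *salt)
{
    return salt != NULL && is_salt_char(salt[0]) && is_salt_char(salt[1]);
}

/* Validate first, then delegate. NULL is crypt(3)'s error return, so the
 * caller must treat it as "no match". */
char *crypt_with(crypt_fn backend, const char *key, const char *salt)
{
    if (key == NULL || !des_salt_ok(salt))
        return NULL;
    return backend(key, salt);
}

#ifdef USE_OPENSSL_DES
#include <openssl/des.h>

/* The symbol OpenSSH resolves in place of libcrypt.a's crypt(). DES_crypt()
 * returns a pointer to a static buffer, as crypt(3) does. */
char *crypt(const char *key, const char *salt)
{
    return crypt_with(DES_crypt, key, salt);
}
#endif
```

Traditional DES crypt uses only the first eight characters of the password, and accounts whose stored hash is in any other format cannot authenticate by password through this shim.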


More information about the openssh-unix-dev mailing list