additional compiler hardening flags

Darren Tucker dtucker at
Thu Apr 18 11:16:13 EST 2013

On Wed, Apr 17, 2013 at 04:03:11PM -0700, Iain Morgan wrote:
> Hello Darren,
> Seeing as no one has responded on the list regarding this, I wanted to
> give a brief response. I applied your proposed changes to the 6.2p1
> release and have been running it for some time now. I'm not prepared to
> comment on the individual compiler/linker options, but they seem
> reasonable at a glance.

After doing some more reading, I don't think we need -fPIC for openssh
since that's only applicable to shared libraries, and -fPIE is
sufficient for static libraries and executables.

> The only complication which I encountered was that it failed to link a
> local build of OpenSSL. Once I rebuilt OpenSSL with -fPIC, everything
> was find.

Thanks.  What configuration was that?  (platform/compiler/flags/openssl
version?)  I tried several variations on linux (fedora, gcc 4.6.3,
openssl 1.0.1e) and it always produced a working binary.

Anyway, we could easily add a configure knob to turn it off should that
be necessary.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list