openssh static build - mission impossible?

Mr Dash Four mr.dash.four at googlemail.com
Tue Mar 6 15:13:36 EST 2012


I am trying to build a static version of ssh, sshd and sftp, but after banging my head against the wall for the best part of the last 3 days I am about to give up...

Since I plan to use this on an embedded device (building dropbear is *NOT* an option!), I've excluded as many openssh configure options as I can but, ultimately, failed. This is my setup:

export LDFLAGS=' -pie -z relro -z now'
export CFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork -mno-thumb -Os -fpic'
export CXXFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork -mno-thumb'
export FFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork -mno-thumb'

./configure \
--host=armv6l-redhat-linux-gnueabi \
--build=armv7l-unknown-linux-gnueabi \
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --datadir=/usr/share/openssh \
--without-tcp-wrappers \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=/var/empty/sshd \
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
--with-authorized-keys-command \
--disable-lastlog \
--disable-utmp \
--disable-utmpx \
--disable-wtmp \
--disable-wtmpx \
--without-shadow \
--without-nss \
--without-smartcard \
--without-ldap \
--without-pam \
--without-selinux \
--without-audit \
--without-kerberos5 \
--without-libedit \
--with-ldflags=-static

This passes through, no problem (I have a separate, and ultimately head-wrecking problem with using "--with-tcp-wrappers", but that is the least of my problems right now) and I get the following summary:
OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/openssh/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty/sshd
            sshd default user PATH: /usr/local/bin:/bin:/usr/bin
          sshd superuser user PATH: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support: 
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
              Host: armv6l-redhat-linux-gnueabi
          Compiler: gcc
    Compiler flags: -O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork -mno-thumb -Os -fpic -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all 
Preprocessor flags: 
      Linker flags:  -pie -z relro -z now -fstack-protector-all -static
         Libraries: -lcrypto -ldl -lutil -lz  -lresolv

When I then execute make, I get this after a while:

/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypto.a(fips.o): In function `FIPSCHECK_verify':
(.text+0x20): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1509: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:69: warning: Using 'getgrgid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshpty.o: In function `pty_setowner':
/builddir/build/BUILD/openssh-5.6p1/sshpty.c:211: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1513: warning: Using 'endgrent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1545: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
loginrec.o: In function `login_get_lastlog':
/builddir/build/BUILD/openssh-5.6p1/loginrec.c:312: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1555: warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
servconf.o: In function `add_one_listen_addr':
/builddir/build/BUILD/openssh-5.6p1/servconf.c:515: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./libssh.a(canohost.o): In function `check_ip_options':
/builddir/build/BUILD/openssh-5.6p1/canohost.c:168: warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
openbsd-compat//libopenbsd-compat.a(xcrypt.o): In function `xcrypt':
/builddir/build/BUILD/openssh-5.6p1/openbsd-compat/xcrypt.c:78: undefined reference to `crypt'
/usr/bin/ld: /usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(inet_ntoa.o)(.text+0x54): R_ARM_TLS_LE32 relocation not permitted in shared object
/usr/bin/ld: /usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(dl-tsd.o)(.text+0x14): R_ARM_TLS_LE32 relocation not permitted in shared object
collect2: ld returned 1 exit status

So, I figured, I need to include -lcrypt in the mix, but then I get this:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-compat/  -pie -z relro -z now -lnsl -lpcre -lcdb -fstack-protector-all -static -static-libgcc -lssh -lopenbsd-compat -lcrypto -lcrypt -ldl -lutil -lz  -lresolv
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypto.a(fips.o): In function `FIPSCHECK_verify':
(.text+0x20): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1509: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:69: warning: Using 'getgrgid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshpty.o: In function `pty_setowner':
/builddir/build/BUILD/openssh-5.6p1/sshpty.c:211: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1513: warning: Using 'endgrent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1545: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
loginrec.o: In function `login_get_lastlog':
/builddir/build/BUILD/openssh-5.6p1/loginrec.c:312: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1555: warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
servconf.o: In function `add_one_listen_addr':
/builddir/build/BUILD/openssh-5.6p1/servconf.c:515: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./libssh.a(canohost.o): In function `check_ip_options':
/builddir/build/BUILD/openssh-5.6p1/canohost.c:168: warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(md5-crypt.o): In function `__md5_crypt_r':
(.text+0xb4): undefined reference to `NSSLOW_Init'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(md5-crypt.o): In function `__md5_crypt_r':

[... Ad nauseam!]

/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o): In function `__sha512_crypt_r':
(.text+0x1088): undefined reference to `NSSLOWHASH_Update'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o): In function `__sha512_crypt_r':
(.text+0x10d0): undefined reference to `NSSLOWHASH_End'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o): In function `__sha512_crypt_r':
(.text+0x10d8): undefined reference to `NSSLOWHASH_Destroy'
/usr/bin/ld: /usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(inet_ntoa.o)(.text+0x54): R_ARM_TLS_LE32 relocation not permitted in shared object
/usr/bin/ld: /usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(dl-tsd.o)(.text+0x14): R_ARM_TLS_LE32 relocation not permitted in shared object
collect2: ld returned 1 exit status

From what I gather, all these NSS* references are from the nss-* packages/libraries, and to my knowledge, there isn't a static version of it. Any pointers as to how to get out of this mess would be greatly appreciated, thanks!
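
Added example (not part of the original post and not OpenSSH project code): a small shell triage for linker output of the kind quoted above. It separates the glibc "statically linked applications" warnings, which name calls that still load glibc shared libraries at run time, from the hard errors (undefined symbols and PIE relocation failures), and checks a flag string for the -pie plus -static combination shown in the "Linker flags" summary. The function names and the shortened sample log are constructed for this example.

```shell
#!/bin/sh
# Added example: triage static-link output like the log quoted above.
LC_ALL=C; export LC_ALL

# Constructed sample in the format of the quoted linker output (paths shortened).
sample_log() {
cat <<'EOF'
groupaccess.o: In function `ga_init':
groupaccess.c:66: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
sshd.c:1545: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
xcrypt.c:78: undefined reference to `crypt'
(.text+0xb4): undefined reference to `NSSLOW_Init'
/usr/bin/ld: libc.a(inet_ntoa.o)(.text+0x54): R_ARM_TLS_LE32 relocation not permitted in shared object
collect2: ld returned 1 exit status
EOF
}

# Warnings only: calls that will still load glibc shared libraries at run time.
runtime_glibc_deps() {
    awk -F"[\`']" '/in statically linked applications/ { print $2 }' |
        sort -u | paste -sd' ' -
}

# Hard errors: symbols that no library on the link line provides.
undefined_symbols() {
    awk -F"[\`']" '/undefined reference to/ { print $2 }' |
        sort -u | paste -sd' ' -
}

# Hard errors: non-PIC archive code pulled into position-independent output.
pie_static_reloc_errors() {
    grep -c 'relocation not permitted in shared object' || true
}

# Succeeds when a flag string asks for both -pie and -static, as the
# "Linker flags" summary line above does.
flags_conflict() {
    case " $1 " in *" -pie "*) ;; *) return 1 ;; esac
    case " $1 " in *" -static "*) return 0 ;; *) return 1 ;; esac
}

log=$(sample_log)
echo "run-time glibc deps: $(printf '%s\n' "$log" | runtime_glibc_deps)"
echo "undefined symbols:   $(printf '%s\n' "$log" | undefined_symbols)"
echo "PIE/static relocs:   $(printf '%s\n' "$log" | pie_static_reloc_errors)"
if flags_conflict ' -pie -z relro -z now -fstack-protector-all -static'; then
    echo "linker flags mix -pie and -static"
fi
```

Piping a saved `make` log into each function in place of `sample_log` gives the same three-way split for a real build.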

