openssh static build - mission impossible?

Chris Adams cmadams at hiwaay.net
Wed Mar 7 07:11:28 EST 2012


Once upon a time, Mr Dash Four <mr.dash.four at googlemail.com> said:
> I don't consider the way I build openssh (or any other package or binary 
> for that matter) to be "special" - I would have succeeded if it wasn't 
> for the fact that Fedora decided to ditch the entire crypto stack, 
> implement Mozilla's NSS *and* link it with the standard libc library.

You appear to be confusing two things that unfortunately share the name
"nss":

- Name Switch Service: method for using a variety of sources of
  information for common things like users/passwords, hostnames/IPs,
  etc.  This is an integral part of the GNU C library, and uses dynamic
  loading to support different lookup methods (e.g. files, NIS, LDAP,
  DNS, etc.).

  If you don't want any dynamic loading, don't use the GNU C library
  (use something like uclibc instead).  I believe that's the official
  position of the authors.

- Network Security Services: a cross-platform encryption library,
  originally written by Netscape.  This AFAIK does not use any
  additional dynamic loading, although I don't know if they support
  building static libraries (static linking is considered bad for
  security, as a bug means lots of packages have to be rebuilt).

The names are both rather old at this point (Name Switch Service
originates with Solaris, IIRC from the early days of Solaris 2).

The only Fedora-specific thing here is that they have moved towards
using the NSS encryption library instead of OpenSSL for many packages
for a number of reasons (especially more stable ABI and because it is
FIPS validated, which is needed for RHEL).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
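A practical check for the point above about glibc's Name Service Switch: a "static" glibc binary that calls getpwnam() and friends still carries the loader hooks for the libnss_*.so.2 modules and will dlopen them at run time. The script below is an added example, not code from the mail or from OpenSSH; it inspects a binary's raw bytes for libnss_ references (so it does not need strings(1)), reports whether file(1) calls the binary statically linked when file(1) is available, and deliberately avoids ldd, which can execute an untrusted binary. The sample file it examines is constructed inline; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original mail): detect whether a binary built
# against glibc still references the NSS module loader, i.e. will dlopen
# libnss_*.so.2 even when it was linked with -static.
# Assumes a POSIX sh plus tr, grep -o, sort, sed and optionally file(1).

# Print the libnss_* module names referenced inside a binary, one per line.
# Scans the raw bytes, so it works without strings(1) and on stripped files.
nss_modules_in() {
    tr -c '[:print:]' '\n' < "$1" | grep -o 'libnss_[A-Za-z0-9_]*' | sort -u
}

# Exit status 0 if the binary references any NSS module, 1 otherwise.
references_nss() {
    [ -n "$(nss_modules_in "$1")" ]
}

# Report link type (via file(1), which never executes the target, unlike ldd)
# and any NSS modules the binary would try to load at run time.
report() {
    bin="$1"
    if command -v file >/dev/null 2>&1; then
        if file "$bin" | grep -q 'statically linked'; then
            echo "$bin: statically linked"
        else
            echo "$bin: not reported as statically linked"
        fi
    fi
    if references_nss "$bin"; then
        echo "$bin: references NSS modules (loaded with dlopen at run time):"
        nss_modules_in "$bin" | sed 's/^/  /'
    else
        echo "$bin: no libnss_ references found"
    fi
}

# Constructed sample: a fake file carrying the module names that a static
# glibc program using getpwnam()/gethostbyname() would embed.
demo() {
    sample=$(mktemp)
    printf '\177ELF\001\002\003 junk \000libnss_files.so.2\000libnss_dns.so.2\000' > "$sample"
    report "$sample"
    rm -f "$sample"
}

demo
```

Run it against a real build with `report /path/to/sshd`. On a glibc system, the link step for such a binary normally also prints a warning that the statically linked program still requires the shared libraries of the glibc version used for linking; this check confirms the same thing on the finished binary.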