Date:      Tue, 10 Sep 2002 20:10:07 -0700
From:      richard childers <fscked@pacbell.net>
To:        freebsd-questions@freebsd.org
Subject:   Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
Message-ID:  <3D7EB40F.331798E0@pacbell.net>

We use FreeBSD 4.6, which comes, by default, with OpenSSH 2.9 built in.

Recently a variety of ssh-related exploits have led us to consider
rigorously upgrading everything to the latest and greatest version:
OpenSSH 3.4.

Figuring out how to do this task took about one week. I thought I would
share my efforts (and results, and questions) with the community.
Researching the web as well as my collection of FreeBSD literature, I
found precious little, and thought I'd offer some insight into the
process, for interested peers.

Obligatory note: I am not a programmer - but I understand much of the
lingo, having been around about as long as page-relocatable code ...
and, naturally, I'm always interested in learning more.


Let me share the answers I've determined, first.

There are two ways to install OpenSSH. From a FreeBSD port ... and from
the source. I'll discuss source first.

Best practices dictate that I not assume you are a programmer, not
assume that you are conversant with cvsup (which is really more suited
for programmers and testers than it is for production systems, IMHO),
and not assume that you have anything installed beyond the basics.

Best practices dictate taking a hard look at OpenSSH's dependencies.
There are two that I know of: SSL and Zlib.

FreeBSD 4.6 is released with Zlib 1.1.3 and OpenSSL 0.9.6d. Current
versions are Zlib 1.1.4 and OpenSSL 0.9.6g. Upgrading is indicated.

Zlib is not available as a port and must be gotten directly from
www.libpng.org. Once you have downloaded it, there are a variety of
README-type files that are worth reading. (This is true for all of these
packages, really.)

As 'root', do the following:

# mkdir /usr/local/src
# cd /usr/local/src
# fetch http://www.libpng.org/pub/png/src/zlib-1.1.4.tar.gz
# tar xzf zlib-1.1.4.tar.gz
# cd zlib-1.1.4

Next, we use the zlib-provided utility 'configure', which probes the
system and generates an appropriate Makefile. I tell it to generate
files which will be installed in /usr - not /usr/local - because I want
the new zlib to overlay the zlib provided with FreeBSD 4.6, so that
there are no subsequent issues with multiple versions.

(Here's where the power of 'configure' shines; no longer do you have to
accept the choices of a porter regarding where your sshd should reside.
We'll talk about this more, below. If you're interested in learning more
about 'configure', you can examine it with file(1) and strings(1) and
more(1), as well as invoke it with the argument '--help' in order to
see what options are supported.)

# ./configure --prefix=/usr
# make
# make test
# make install

Congratulations, you've upgraded your zlib. I timed this process on a
200 MHz CPU with 256 MB of RAM and it took about two minutes, as a shell
script.


Next we upgrade OpenSSL. The current version is 0.9.6g and is available
from both ftp.freebsd.org (../branches/-current/ports/security/openssl/)
and from the source, at www.openbsd.org.

FreeBSD purists will insist that one uses the port. I would have said
the same until I tried it and found that while it compiled and installed
flawlessly, I (again) wanted the new installation to overlay the old
installation, neatly, and it was insistent on installing the new OpenSSL
installation in /usr/local; leaving me with the task of (manually!!)
hunting down and eliminating the bits and pieces of the old OpenSSL
installation, in /usr.

I found that make(1), invoked with '-n', was useful for determining
where things would go *before* they were installed; and so I used this
to study the less documented aspects of the OpenSSL port's building
process. Using this, I determined that it was possible to accomplish a
very close fit to the original OpenSSL installation, with the following
set of commands:

# cd /usr/ports/security/openssl
# find . -type f -exec rm -f {} \; -print
# ftp ftp.freebsd.org

- log in as ftp

ftp> cd /pub/FreeBSD/branches/-current/ports/security/openssl
ftp> bin
ftp> bel
ftp> prompt
ftp> hash
ftp> mget *
ftp> quit

# vi Makefile

- find line where it says '#/usr/local#' and change it to '#/usr#'

# make PREFIX=/usr LOCALBASE=/usr
# make PREFIX=/usr LOCALBASE=/usr install

This creates a pretty close installation to that received with FreeBSD
4.6 but it still creates a /usr/local/openssl directory and puts some
libraries in there, if I recall correctly. And there were some issues
with trying to get the new SSL installation to select the correct
OPENSSLDIR, also - FreeBSD 4.6 is released with an OpenSSL compiled to
look for configuration files in /etc/ssl, and the port wanted to put
everything in /usr/local/openssl.

I wasn't happy. I'd been through the route of compiling OpenSSH 3.4 and
seeing the notorious 'Your OpenSSL headers do not match your library'
error. I'd tried ports. I returned to the source.

While I'd been flailing about, the first time, with different versions
of OpenSSL and whatnot, I'd had one successful installation of OpenSSH -
it had been after I'd deleted /usr/lib/libcrypto* instead of the
appropriate subset. I decided to try to repeat my 'mistake' and see if
this led to a successful compile of OpenSSH, subsequently.

Here's what I did.

# cd /usr/local/src
# fetch http://www.openssl.org/source/openssl-0.9.6g.tar.gz
# tar xzf openssl-0.9.6g.tar.gz
# cd openssl-0.9.6g
# ./config --prefix=/usr --openssldir=/etc/ssl
# make
# make test
# make install

During a previous test, noticing that one of the targets of the make was
libcrypto.a, I'd tried deleting it and rebuilding, to ensure its
replacement, but accidentally deleted all /usr/lib/libcrypto* files
instead.

Imagine my surprise when the subsequent installation of OpenSSH
succeeded ... and imagine my horror when I found that I could not change
my passwords.

But here's the workaround to get OpenSSH 3.4p1 onto your FreeBSD box.

# tar cf /usr/local/src/usr.lib.libcrypto.tar /usr/lib/libcrypto.so* \
    /usr/lib/libcrypto_*
# rm -f /usr/lib/libcrypto*
# cd /usr/local/src/openssl-0.9.6g
# make install

Now, while things are weird, is the time to build OpenSSH.

# cd /usr/local/src
# fetch ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
# tar xzf openssh-3.4p1.tar.gz
# cd openssh-3.4p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --localstatedir=/var/run --mandir=/usr/share/man

Here's where one expects to see the message about OpenSSH headers and
libraries not matching ... hold your breath and cross your fingers ...
(-:

If you complete the 'configure' successfully, then proceed as usual:

# make

Delete your /etc/ssh directory if you want to rebuild your SSH keys from
scratch with the new libraries and executables:

# rm -rf /etc/ssh

... and complete the installation.

# make install


You'll see some messages about the missing user 'sshd'. Create a userid
with, say, UID near 'nobody' (but not identical), create a matching GID,
and edit /etc/ssh/sshd_config (you'll want to disable compression), and
you should be able to start your brand spanking new 3.4p1 sshd.
Congratulations !!

Don't forget to go back and restore your old /usr/lib/libcrypto* files
and links:

# cd /
# tar xvf /usr/local/src/usr.lib.libcrypto.tar



Now for two questions:

(1) Why does this work? I studied the OpenSSL build from the port, in
detail, and noticed that it was not so much building a brand new
libcrypto.a as much as it was adding to it, with ar(1). I have to admit
that I don't recall ar(1) being amongst the pantheon of programmers'
tools the last time I looked; but maybe I missed something. Does the use
of ar(1) distinguish the port of OpenSSL 0.9.6g, to FreeBSD, from the
'standard' OpenSSL 0.9.6g release?

Where would one go to study these topics in greater detail? I found the
Web, as well as FreeBSD manuals, woefully lacking in the kind of details
that a programmer would desire; the online manual was somewhat more
helpful, and I wouldn't be surprised if there were further references
somewhere, but wonder if someone more knowledgeable could give me a clue
or two.


(2) Why do FreeBSD ports put everything in /usr/local ?  I would think
that critical things that are so important that they are included in the
operating system release (OpenSSL, OpenSSH) would be important enough
elements of a security infrastructure, that upgrading them via the ports
mechanism would result in a neatly overlaid new installation over the
old one - not a mixture of new and old libraries, executables, and
configuration files.

I was able to work through this set of problems somewhat faster, this
time, than I was, a few years ago, when the first weaknesses of SSH1
were published, because of the important knowledge I had acquired
regarding the interdependencies of OpenSSH, OpenSSL and Zlib. Otherwise
it might have taken several weeks. Hopefully, I will have saved others
at least that much time.

In closing, I will note that I found the same problems with Linux RPMs,
then, that I find, now, with FreeBSD ports - the author of the RPM would
create RPMs that did not conform to the pattern used by the original
release of Linux, requiring much additional work recreating RPMs - and
note that it is a little disconcerting to encounter the same sort of
weaknesses in FreeBSD's ports.

Perhaps it would be worthwhile to consider two ports - one
FreeBSD-centric, and the other, /usr/local-centric, as it were -
analogous to sunfreeware's model, where open source is compiled and
packaged for two audiences - those who prefer their executables in /opt
... and those whose tastes are somewhat more baroque.  (-:


Reporting from the frontiers of FreeBSD (and struggling with a
2-year-old, for control of the keyboard :-),


-- richard

--

Richard A Childers/KG6HAC -- Senior UNIX System & Network Administrator
"Don't forget nothing." Maj Rogers, standing orders, 1st Ranger Bn, 1759
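The two steps in the procedure above where things most often go wrong are the "Your OpenSSL headers do not match your library" failure in OpenSSH's configure, and the moment where /usr/lib/libcrypto* is tarred up and then removed. The following is an added example (editor's code, not part of the original post or of any FreeBSD or OpenSSL script) that makes both steps checkable before anything destructive happens: openssl_header_version and openssl_versions_match compare the OPENSSL_VERSION_TEXT line of an opensslv.h with the output of `openssl version`, and backup_libs archives the matching libraries, verifies that every one of them is listed in the archive, and only then removes them, with restore_libs undoing it. The header path, library directory and archive name are parameters, so the functions can be tried against a scratch directory first; /usr/include/openssl/opensslv.h and /usr/lib are the real targets. The code assumes a tar that understands -P (GNU tar and BSD tar both do) and that library file names contain no whitespace.

```shell
#!/bin/sh
# Added example: pre-flight checks for the OpenSSL/OpenSSH upgrade described
# in the post. Not taken from the post, FreeBSD, OpenSSL or OpenSSH.

# Print the version string from an opensslv.h, e.g. "OpenSSL 0.9.6g 9 Aug 2002".
# The header is the one OpenSSH's configure compiles against; if it disagrees
# with the installed libcrypto, configure stops with the "headers do not match
# your library" error.
openssl_header_version() {
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"\(.*\)".*/\1/p' "$1" | head -n 1
}

# Compare the header version with the library version string, i.e. what
# `openssl version` prints. Only "OpenSSL x.y.zl" is compared; the build date
# that follows is not significant. Returns 0 on match, 1 on mismatch.
#   openssl_versions_match /usr/include/openssl/opensslv.h "$(openssl version)"
openssl_versions_match() {
    hv=$(openssl_header_version "$1" | awk '{print $1, $2}')
    lv=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    [ -n "$hv" ] && [ "$hv" = "$lv" ]
}

# backup_libs LIBDIR PATTERN ARCHIVE
# Archive every file matching LIBDIR/PATTERN* into ARCHIVE, verify that the
# archive lists each of them, and only then remove the originals. Nothing is
# removed if the glob matches nothing, if tar fails, or if any file is absent
# from the archive's table of contents.
#   backup_libs /usr/lib libcrypto /usr/local/src/usr.lib.libcrypto.tar
backup_libs() {
    libdir="$1"; pattern="$2"; archive="$3"
    set -- "$libdir"/"$pattern"*
    # An unmatched glob is left literally by the shell; treat that as an error.
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then
        echo "backup_libs: nothing matches $libdir/$pattern*" >&2
        return 1
    fi
    # -P keeps the leading '/' so that restore_libs puts files back in place.
    # Symlinks (libcrypto.so -> libcrypto.so.N) are stored as symlinks.
    tar -cPf "$archive" "$@" || return 1
    for f in "$@"; do
        tar -tPf "$archive" | grep -qxF -- "$f" || {
            echo "backup_libs: $f is missing from $archive; removing nothing" >&2
            return 1
        }
    done
    rm -f -- "$@"
}

# restore_libs ARCHIVE
# Put the archived libraries back at their original absolute paths.
restore_libs() {
    tar -xPf "$1"
}
```

The verification loop is what the original `tar cf ...; rm -f ...` pair lacks: a tar that silently skipped a file, or a glob that expanded to more than intended, would otherwise only be noticed when passwd or sshd stops working, which is exactly the failure the post reports.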






