From: richard childers <fscked@pacbell.net>
Subject: Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
To: freebsd-questions@freebsd.org
Date: Tue, 10 Sep 2002 20:10:07 -0700
Message-id: <3D7EB40F.331798E0@pacbell.net>

We use FreeBSD 4.6, which comes, by default, with OpenSSH 2.9 built in. Recently a variety of ssh-related exploits have led us to consider rigorously upgrading everything to the latest and greatest version: OpenSSH 3.4.

Figuring out how to do this task took about one week. I thought I would share my efforts (and results, and questions) with the community. Researching the web as well as my collection of FreeBSD literature, I found precious little, and thought I'd offer some insight into the process, for interested peers.

Obligatory note: I am not a programmer - but I understand much of the lingo, having been around about as long as page-relocatable code ... and, naturally, I'm always interested in learning more.
Let me share the answers I've determined, first.

There are two ways to install OpenSSH. From a FreeBSD port ... and from the source. I'll discuss source first.

Best practices dictate that I not assume you are a programmer, not assume that you are conversant with cvsup (which is really more suited for programmers and testers than it is for production systems, IMHO), and not assume that you have anything installed beyond the basics.

Best practices dictate taking a hard look at OpenSSH's dependencies. There are two that I know of: SSL and Zlib. FreeBSD 4.6 is released with Zlib 1.1.3 and OpenSSL 0.9.6d. Current versions are Zlib 1.1.4 and OpenSSL 0.9.6g. Upgrading is indicated.

Zlib is not available as a port and must be gotten directly from www.libpng.org. Once you have downloaded it, there are a variety of README-type files that are worth reading. (This is true for all of these packages, really.)

As 'root', do the following:

  # mkdir /usr/local/src
  # cd /usr/local/src
  # fetch http://www.libpng.org/pub/png/src/zlib-1.1.4.tar.gz
  # tar xzf zlib-1.1.4.tar.gz
  # cd zlib-1.1.4

Next, we use the zlib-provided utility 'configure', which probes the system and generates an appropriate Makefile. I tell it to generate files which will be installed in /usr - not /usr/local - because I want the new zlib to overlay the zlib provided with FreeBSD 4.6, so that there are no subsequent issues with multiple versions.

(Here's where the power of 'configure' shines; no longer do you have to accept the choices of a porter regarding where your sshd should reside. We'll talk about this more, below. If you're interested in learning more about 'configure', you can examine it with file(1) and strings(1) and more(1), as well as invoke it with the argument '--help' in order to see what options are supported.)

  # ./configure --prefix=/usr
  # make
  # make test
  # make install

Congratulations, you've upgraded your zlib.
I timed this process on a 200 MHz CPU with 256 MB of RAM and it took about two minutes, as a shell script.

Next we upgrade OpenSSL. The current version is 0.9.6g and is available from both ftp.freebsd.org (../branches/-current/ports/security/openssl/) and from the source, at www.openbsd.org.

FreeBSD purists will insist that one uses the port. I would have said the same until I tried it and found that while it compiled and installed flawlessly, I (again) wanted the new installation to overlay the old installation, neatly, and it was insistent on installing the new OpenSSL installation in /usr/local; leaving me with the task of (manually!!) hunting down and eliminating the bits and pieces of the old OpenSSL installation, in /usr.

I found that make(1), invoked with '-n', was useful for determining where things would go *before* they were installed; and so I used this to study the less documented aspects of the OpenSSL port's building process. Using this, I determined that it was possible to accomplish a very close fit to the original OpenSSL installation, with the following set of commands:

  # cd /usr/ports/security/openssl
  # find . -type f -exec rm -f {} \; -print
  # ftp ftp.freebsd.org                - log in as ftp
  ftp> cd /pub/FreeBSD/branches/-current/ports/security/openssl
  ftp> bin
  ftp> bel
  ftp> prompt
  ftp> hash
  ftp> mget *
  ftp> quit
  # vi Makefile                        - find the line where it says '#/usr/local#' and change it to '#/usr#'
  # make PREFIX=/usr LOCALBASE=/usr
  # make PREFIX=/usr LOCALBASE=/usr install

This creates a pretty close installation to that received with FreeBSD 4.6, but it still creates a /usr/local/openssl directory and puts some libraries in there, if I recall correctly. And there were some issues with trying to get the new SSL installation to select the correct OPENSSLDIR, also - FreeBSD 4.6 is released with an OpenSSL compiled to look for configuration files in /etc/ssl, and the port wanted to put everything in /usr/local/openssl. I wasn't happy.
I'd been through the route of compiling OpenSSH 3.4 and seeing the notorious 'Your OpenSSL headers do not match your library' error. I'd tried ports. I returned to the source.

While I'd been flailing about, the first time, with different versions of OpenSSL and whatnot, I'd had one successful installation of OpenSSH - it had been after I'd deleted /usr/lib/libcrypto* instead of the appropriate subset. I decided to try to repeat my 'mistake' and see if this led to a successful compile of OpenSSH, subsequently. Here's what I did.

  # cd /usr/local/src
  # fetch http://www.openssl.org/source/openssl-0.9.6g.tar.gz
  # tar xzf openssl-0.9.6g.tar.gz
  # cd openssl-0.9.6g
  # ./config --prefix=/usr --openssldir=/etc/ssl
  # make
  # make test
  # make install

During a previous test, noticing that one of the targets of the make was libcrypto.a, I'd tried deleting it and rebuilding, to ensure its replacement, but accidentally deleted all /usr/lib/libcrypto* files instead. Imagine my surprise when the subsequent installation of OpenSSH succeeded ... and imagine my horror when I found that I could not change my passwords.

But here's the workaround to get OpenSSH 3.4p1 onto your FreeBSD box.

  # tar cf /usr/local/src/usr.lib.libcrypto.tar /usr/lib/libcrypto.so* /usr/lib/libcrypto_*
  # rm -f /usr/lib/libcrypto*
  # cd /usr/local/src/openssl-0.9.6g
  # make install

Now, while things are weird, is the time to build OpenSSH.

  # cd /usr/local/src
  # fetch ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
  # tar xzf openssh-3.4p1.tar.gz
  # cd openssh-3.4p1
  # ./configure --prefix=/usr --sysconfdir=/etc/ssh --localstatedir=/var/run --mandir=/usr/share/man

Here's where one expects to see the message about OpenSSH headers and libraries not matching ... hold your breath and cross your fingers ...
(-:

If you complete the 'configure' successfully, then proceed as usual:

  # make

Delete your /etc/ssh directory if you want to rebuild your SSH keys from scratch with the new libraries and executables:

  # rm -rf /etc/ssh

... and complete the installation.

  # make install

You'll see some messages about the missing user 'sshd'. Create a userid with, say, UID near 'nobody' (but not identical), create a matching GID, and edit /etc/ssh/sshd_config (you'll want to disable compression), and you should be able to start your brand, spanking new 3.4p1 sshd. Congratulations !!

Don't forget to go back and restore your old /usr/lib/libcrypto* files and links:

  # cd /
  # tar xvf /usr/local/src/usr.lib.libcrypto.tar

Now for two questions:

(1) Why does this work? I studied the OpenSSL build from the port, in detail, and noticed that it was not so much building a brand new libcrypto.a as much as it was adding to it, with ar(1). I have to admit that I don't recall ar(1) being amongst the pantheon of programmers' tools the last time I looked; but maybe I missed something. Does the use of ar(1) distinguish the port of OpenSSL 0.9.6g, to FreeBSD, from the 'standard' OpenSSL 0.9.6g release? Where would one go to study these topics in greater detail? I found the Web, as well as FreeBSD manuals, woefully lacking in the kind of details that a programmer would desire; the online manual was somewhat more helpful, and I wouldn't be surprised if there were further references somewhere, but wonder if someone more knowledgeable could give me a clue or two.

(2) Why do FreeBSD ports put everything in /usr/local ? I would think that critical things that are so important that they are included in the operating system release (OpenSSL, OpenSSH) would be important enough elements of a security infrastructure, that upgrading them via the ports mechanism would result in a neatly overlaid new installation over the old one - not a mixture of new and old libraries, executables, and configuration files.
I was able to work through this set of problems somewhat faster, this time, than I was, a few years ago, when the first weaknesses of SSH1 were published, because of the important knowledge I had acquired regarding the interdependencies of OpenSSH, OpenSSL and Zlib. Otherwise it might have taken several weeks. Hopefully, I will have saved others at least that much time.

In closing, I will note that I found the same problems with Linux RPMs, then, that I find, now, with FreeBSD ports - the author of the RPM would create RPMs that did not conform to the pattern used by the original release of Linux, requiring much additional work recreating RPMs - and note that it is a little disconcerting to encounter the same sort of weaknesses in FreeBSD's ports.

Perhaps it would be worthwhile to consider two ports - one FreeBSD-centric, and the other, /usr/local-centric, as it were - analogous to sunfreeware's model, where open source is compiled and packaged for two audiences - those who prefer their executables in /opt ... and those whose tastes are somewhat more baroque. (-:

Reporting from the frontiers of FreeBSD (and struggling with a 2-year-old, for control of the keyboard :-),

-- richard

--
Richard A Childers/KG6HAC -- Senior UNIX System & Network Administrator

"Dont forget nothing." Maj Rogers, standing orders, 1st Ranger Bn, 1759
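An added example, not part of Richard's post: after an upgrade like the one above, the quickest way to find hosts still running an OpenSSH older than 3.4 is to compare the identification banner each sshd sends on connect. The host names and banners in the inventory are constructed samples; the parsing and the 3.4 threshold are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag OpenSSH servers older than
# 3.4 (the version the post upgrades to) by their banners. Sample data below.
MIN_MAJOR=3
MIN_MINOR=4

# Print "major minor" from a banner like "SSH-2.0-OpenSSH_3.4p1 FreeBSD-20020702"
# (-> "3 4"); print nothing and return 1 when the banner is not OpenSSH.
openssh_version() {
    case $1 in
        *OpenSSH_*) ;;
        *) return 1 ;;
    esac
    ver=${1#*OpenSSH_}               # "3.4p1 FreeBSD-20020702"
    ver=${ver%% *}                   # "3.4p1"
    major=${ver%%.*}                 # "3"
    rest=${ver#*.}                   # "4p1"
    [ "$rest" = "$ver" ] && rest=0   # no '.' at all: treat minor as 0
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')   # drop "p1"
    printf '%s %s\n' "$major" "$minor"
}

# 0 = older than MIN_MAJOR.MIN_MINOR (upgrade), 1 = current, 2 = not OpenSSH.
needs_upgrade() {
    vers=$(openssh_version "$1") || return 2
    set -- $vers                     # $1=major $2=minor
    [ "$1" -lt "$MIN_MAJOR" ] && return 0
    [ "$1" -eq "$MIN_MAJOR" ] && [ "$2" -lt "$MIN_MINOR" ] && return 0
    return 1
}

# Read "host banner" lines (banner = rest of the line) and report each one.
audit() {
    while read -r host banner; do
        if needs_upgrade "$banner"; then rc=0; else rc=$?; fi
        case $rc in
            0) printf '%s: UPGRADE  %s\n' "$host" "$banner" ;;
            1) printf '%s: ok       %s\n' "$host" "$banner" ;;
            *) printf '%s: review   %s\n' "$host" "$banner" ;;
        esac
    done
}

audit <<'EOF'
bsd1 SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307
bsd2 SSH-2.0-OpenSSH_3.4p1 FreeBSD-20020702
old1 SSH-1.5-1.2.27
EOF
```

In practice the inventory is built by reading the first line sshd sends on port 22 of each host; a non-OpenSSH banner is reported for manual review rather than silently passed.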