From: Rick Troxel (rickhelix.nih.gov)
Date: Thu Mar 14 2002 - 14:13:37 CST

    In my experience, the suggested build6x workaround breaks the SSH1
    protocol, although similarly broken machines may still be able to
    intercommunicate.

    An IMHO more effective fix is to adopt the suggestions of Jan Just
    Keijser in comp.security.ssh, viz. one tweak to OpenSSL 0.9.6 RPM
    source, and static linkage of OpenSSL within openssh.spec. The newer
    OpenSSL fixes SSH1, but I've experienced ugly openssh failures to the
    tune of

       OpenSSL version mismatch. Built against 90581f, you have 90600f

    with the default, dynamic linkage.

    Here's Jan's posting; I hope it helps. --rdt

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    From: _no_spam_janjust_no_spam_cisco.com (Jan Just Keijser)
    Newsgroups: comp.security.ssh
    Subject: patches for building OpenSSH 3.1p1 RPM's on RH6.x
    Date: Mon, 11 Mar 2002 13:18:35 GMT
    Organization: Cisco Systems Inc
    Message-ID: <1015852517.770111sj-nntpcache-5>
    Keywords: patch openssh rpm redhat rh6.x openssl
    X-Newsreader: News Xpress 2.01
    Lines: 72

    hey all,

    finally figured out how to build OpenSSH 3.1p1 RPM's on my RH6.1 based
    box.

    Problems:
    1. OpenSSH 3.1 requires OpenSSL 0.9.6, for which there are no RH 6.x RPM's
    2. I need a version of OpenSSH that is statically linked against OpenSSL to
    avoid export regulations.

    Here's what I did:

    - grab the OpenSSL 0.9.6-8 SRPM from RH 7.2
    - modify one of the RH patches to OpenSSL:

    --- ../SOURCES/openssl-0.9.6a-soversion.patch Mon Apr 9 02:46:33 2001
    +++ /scratch/download/ssl/openssl-0.9.6a-soversion.patch Mon Mar 11
    14:06:48 2002
    -9,7 +9,7
      SHLIB_MAJOR=
      SHLIB_MINOR=
      SHLIB_EXT=
    -+SHLIB_SOVER=2
    ++SHLIB_SOVER=0
      PLATFORM=dist
      OPTIONS=
      CONFIGURE_ARGS=
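
    Review bot: on the `++SHLIB_SOVER=0` line, the 0.9.6 build is given the same shared-library version suffix as the 0.9.5 package it replaces, so anything already linked dynamically against the .so.0 name will load the new library without having been rebuilt. The forwarded message above shows what that looks like with dynamic linkage: "OpenSSL version mismatch. Built against 90581f, you have 90600f". The patch description should say that every dynamically linked consumer of the old library needs a rebuild after this RPM is installed, or the change should be limited to setups where OpenSSH is linked statically as described further down.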

    to make sure that openssl.so.0 is built (otherwise you can't replace the
    existing openssl-0.9.5 RPM's)

    - install the new OpenSSL RPM (rpm -Fvh ....)
    - take the OpenSSH 3.1p1 distrib and modify openssh.spec like this:

     # Options for Smartcard support: (needs libsectok and openssl-engine)
    -171,7 +172,7
            $EXTRA_OPTS

     %if %{static_libcrypto}
    -perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile
    +perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a -ldl|g" Makefile
     %endif

     make
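
    Review bot: the `%if %{static_libcrypto}` guard around the changed `perl -pi` line uses a different macro name from the build command given later in the post (`--define "static_openssl 1"`). Check that the spec derives static_libcrypto from static_openssl, because if the guard is false the Makefile keeps `-lcrypto` and the build links dynamically without any error. The substitution also hardcodes /usr/lib/libcrypto.a and appends -ldl at every -lcrypto occurrence; adding -ldl once to the link libraries would be cleaner. Because the resulting binaries embed OpenSSL, the spec should note that OpenSSH has to be rebuilt whenever the OpenSSL package is updated.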

    This is required because OpenSSH links against libcrypto.a (when doing a
    static link). However, OpenSSL 0.9.6's libcrypto.a depends on /lib/libdl.so
    which is not listed in the list of libraries to link. This patch fixes that
    problem.

    - do a
      rpm -bb --define "static_openssl 1" .../openssh.spec

    and you *should* end up with OpenSSH RPM's that are not dependent on any
    OpenSSL RPM's.

    JJK

    -------------------------------------
           JJK / Jan Just Keijser
        Unix/Linux Systems Engineer
           janjust_at_cisco.com
                   or
       janjust monkey-tail cisco.com
         for dutch-speaking people

    If Microsoft is the answer, then it
    must have been a VERY silly question.

        flames > /dev/null 2>&1
    -------------------------------------

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Monday (03/11/02) at 11:25 +0800, Leon Harris wrote:

    >2) The other thing to note using redhats rpm is that you must edit the
    >spec file to
    >%define build6x 1
    >immunix 7.0 looks more like redhat 6.2 than 7.0 in some respects.

    _______________________________________________
    Immunix-users mailing list
    Immunix-usersmail.wirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-users
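
One way to confirm the outcome the forwarded post aims for (OpenSSH RPMs with no dependency on any OpenSSL RPM), as an added example that is not part of the original messages. It reads a dependency listing in the style of `rpm -qpR <package>.rpm` or `ldd <binary>` on stdin; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dependency listing
# for dynamic OpenSSL linkage. Feed it `rpm -qpR` or `ldd` output on stdin.

# Print the lines that name a shared libcrypto/libssl or an openssl package.
openssl_deps() {
    grep -E '(^|[[:space:]/])lib(crypto|ssl)\.so|^[[:space:]]*openssl([[:space:]]|$)' || true
}

# Return 0 if the listing has no dynamic OpenSSL dependency, 1 if it does.
# Heuristic: a build linked with "/usr/lib/libcrypto.a -ldl" should still
# list libdl, so its absence is reported as a warning (not a failure).
check_static() {
    listing=$(cat)
    deps=$(printf '%s\n' "$listing" | openssl_deps)
    if [ -n "$deps" ]; then
        printf 'FAIL: dynamic OpenSSL dependency:\n%s\n' "$deps" >&2
        return 1
    fi
    if ! printf '%s\n' "$listing" | grep -q 'libdl\.so'; then
        printf 'WARN: libdl not listed; check that libcrypto.a was linked in\n' >&2
    fi
    return 0
}

# Constructed sample: requirements of a dynamically linked build.
sample_dynamic='ld-linux.so.2
libc.so.6
libcrypto.so.0
libdl.so.2
openssl >= 0.9.5a'

# Constructed sample: requirements of a statically linked build.
sample_static='ld-linux.so.2
libc.so.6
libdl.so.2
libutil.so.1'

# Demonstration on the constructed samples.
printf '%s\n' "$sample_static" | check_static && echo "static sample: ok"
printf '%s\n' "$sample_dynamic" | check_static 2>/dev/null || echo "dynamic sample: flagged"
```

On a real build host, pipe `rpm -qpR` for the freshly built package, or `ldd` for the installed sshd binary, into `check_static` in place of the samples.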