openssh unix dev - Mar 2012 - openssh static build - mission impossible?

I am trying to build a static version of ssh, sshd and sftp, but after banging
my head against the wall for the best part of the last 3 days I am about to give
up...

Since I plan to use this on an embedded device (building dropbear is *NOT* an
option!), I've excluded as many openssh configure options as I can but,
ultimately, failed. This is my setup:

export LDFLAGS=' -pie -z relro -z now'
export CFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork
-mno-thumb -Os -fpic'
export CXXFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork
-mno-thumb'
export FFLAGS='-O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork
-mno-thumb'

./configure \
--host=armv6l-redhat-linux-gnueabi \
--build=armv7l-unknown-linux-gnueabi \
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --sysconfdir=/etc/ssh
--libexecdir=/usr/libexec/openssh --datadir=/usr/share/openssh \
--without-tcp-wrappers \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
\
--with-privsep-path=/var/empty/sshd \
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
--with-authorized-keys-command \
--disable-lastlog \
--disable-utmp \
--disable-utmpx \
--disable-wtmp \
--disable-wtmpx \
--without-shadow \
--without-nss \
--without-smartcard \
--without-ldap \
--without-pam \
--without-selinux \
--without-audit \
--without-kerberos5 \
--without-libedit \
--with-ldflags=-static

This passes through, no problem (I have a separate, and ultimately head-wrecking
problem with using "--with-tcp-wrappers", but that is the least of my
problems right now) and I get the following summary:
op
OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/openssh/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty/sshd
            sshd default user PATH: /usr/local/bin:/bin:/usr/bin
          sshd superuser user PATH:
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support: 
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
              Host: armv6l-redhat-linux-gnueabi
          Compiler: gcc
    Compiler flags: -O2 -g -march=armv6j -mtune=arm1136jf-s -mthumb-interwork
-mno-thumb -Os -fpic -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset
-fstack-protector-all
Preprocessor flags: 
      Linker flags:  -pie -z relro -z now -fstack-protector-all -static
         Libraries: -lcrypto -ldl -lutil -lz  -lresolv

When I then execute make, I get this after a while:

/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypto.a(fips.o):
In function `FIPSCHECK_verify':
(.text+0x20): warning: Using 'dlopen' in statically linked applications
requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using
'getgrouplist' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1509: warning: Using
'initgroups' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:69: warning: Using
'getgrgid' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshpty.o: In function `pty_setowner':
/builddir/build/BUILD/openssh-5.6p1/sshpty.c:211: warning: Using
'getgrnam' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1513: warning: Using
'endgrent' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1545: warning: Using
'getpwnam' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
loginrec.o: In function `login_get_lastlog':
/builddir/build/BUILD/openssh-5.6p1/loginrec.c:312: warning: Using
'getpwuid' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1555: warning: Using
'endpwent' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
servconf.o: In function `add_one_listen_addr':
/builddir/build/BUILD/openssh-5.6p1/servconf.c:515: warning: Using
'getaddrinfo' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
./libssh.a(canohost.o): In function `check_ip_options':
/builddir/build/BUILD/openssh-5.6p1/canohost.c:168: warning: Using
'getprotobyname' in statically linked applications requires at runtime
the shared libraries from the glibc version used for linking
openbsd-compat//libopenbsd-compat.a(xcrypt.o): In function `xcrypt':
/builddir/build/BUILD/openssh-5.6p1/openbsd-compat/xcrypt.c:78: undefined
reference to `crypt'
/usr/bin/ld:
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(inet_ntoa.o)(.text+0x54):
R_ARM_TLS_LE32 relocation not permitted in shared object
/usr/bin/ld:
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(dl-tsd.o)(.text+0x14):
R_ARM_TLS_LE32 relocation not permitted in shared object
collect2: ld returned 1 exit status

So, I figured, I need to include -lcrypt in the mix, but then I get this:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o
session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o
auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o
auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o
auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o
auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-server.o
sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-compat/  -pie -z
relro -z now -lnsl -lpcre -lcdb -fstack-protector-all -static -static-libgcc
-lssh -lopenbsd-compat -lcrypto -lcrypt -ldl -lutil -lz  -lresolv
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypto.a(fips.o):
In function `FIPSCHECK_verify':
(.text+0x20): warning: Using 'dlopen' in statically linked applications
requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using
'getgrouplist' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1509: warning: Using
'initgroups' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:69: warning: Using
'getgrgid' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshpty.o: In function `pty_setowner':
/builddir/build/BUILD/openssh-5.6p1/sshpty.c:211: warning: Using
'getgrnam' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1513: warning: Using
'endgrent' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1545: warning: Using
'getpwnam' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
loginrec.o: In function `login_get_lastlog':
/builddir/build/BUILD/openssh-5.6p1/loginrec.c:312: warning: Using
'getpwuid' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
sshd.o: In function `main':
/builddir/build/BUILD/openssh-5.6p1/sshd.c:1555: warning: Using
'endpwent' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
servconf.o: In function `add_one_listen_addr':
/builddir/build/BUILD/openssh-5.6p1/servconf.c:515: warning: Using
'getaddrinfo' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
./libssh.a(canohost.o): In function `check_ip_options':
/builddir/build/BUILD/openssh-5.6p1/canohost.c:168: warning: Using
'getprotobyname' in statically linked applications requires at runtime
the shared libraries from the glibc version used for linking
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(md5-crypt.o):
In function `__md5_crypt_r':
(.text+0xb4): undefined reference to `NSSLOW_Init'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(md5-crypt.o):
In function `__md5_crypt_r':

[... Ad nauseum!]

/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o):
In function `__sha512_crypt_r':
(.text+0x1088): undefined reference to `NSSLOWHASH_Update'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o):
In function `__sha512_crypt_r':
(.text+0x10d0): undefined reference to `NSSLOWHASH_End'
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(sha512-crypt.o):
In function `__sha512_crypt_r':
(.text+0x10d8): undefined reference to `NSSLOWHASH_Destroy'
/usr/bin/ld:
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(inet_ntoa.o)(.text+0x54):
R_ARM_TLS_LE32 relocation not permitted in shared object
/usr/bin/ld:
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libc.a(dl-tsd.o)(.text+0x14):
R_ARM_TLS_LE32 relocation not permitted in shared object
collect2: ld returned 1 exit status
>From what I gather, all these NSS* references are from the nss-*
packages/libraries, and to my knowledge, there isn't a static version of it.
Any pointers as how to get out of this mess would be greately appreciated,
thanks!

Stephen Harris wrote:
> I'm not an ssh developer, but...
> 
>> /builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using
'getgrouplist' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
> 
> The problem, here, is that glibc uses nsswitch.conf and nss libraries
> can be dynamically loaded (nss_ldap, nss_files, nss_nis, etc etc).
> getgrouplist() is a function that inherently uses the name service
> resolving routines in glibc.
It is highly unlikely that I will ever need or use the name resolution service
on the host device, so I am not worried by that aspect (I had this warning while
building other statically-linked programs - openvpn comes to mind - that work
just fine with no "side effects"). I also explicitly deactivated nss
(hence "--without-nss").
 
> If you're building your own embedded system then you should use a
> different libc implementation (uclibc, perhaps?) that doesn't _require_
> dynamic linking.
That is not an option for me at all - it is either statically-linked openssh or
nada!

Mr Dash Four wrote:
> ./configure \
> --host=armv6l-redhat-linux-gnueabi \
> --build=armv7l-unknown-linux-gnueabi \
Why? For which tuple are you building, and with which tuple are you
building?

> When I then execute make, I get this after a while:
You should not have cut away the command doing the linking. I.e.
*never* remove output when you are asking for help, because chances
are quite significant that you are removing the single key piece of
information required in order to determine the actual error.

> gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o
sftp-server.o sftp-common.o roaming_common.o roaming_serv.o -L.
-Lopenbsd-compat/  -pie -z relro -z now -lnsl -lpcre -lcdb -fstack-protector-all
-static -static-libgcc -lssh -lopenbsd-compat -lcrypto -lcrypt -ldl -lutil -lz 
-lresolv
Who is running this command? Are you running it manually? You create
significant unneccessary confusion by not including complete output
from make without making any changes.

>
/usr/lib/gcc/armv5tel-redhat-linux-gnueabi/4.6.1/../../../libcrypt.a(md5-crypt.o):
In function `__md5_crypt_r': (.text+0xb4): undefined reference to
`NSSLOW_Init'
If you resolve that path you get /usr/lib/libcrypt.a and unless you
are building both on and for armv6l-redhat-linux-gnueabi then that is
certainly not the file you want to link against. Are you
cross-compiling or not?

> From what I gather, all these NSS* references are from the nss-*
> packages/libraries, and to my knowledge, there isn't a static
> version of it. Any pointers as how to get out of this mess would be
> greately appreciated, thanks!
If you show complete output then it is possible to say if you have
done anything wrong. If libcrypt.a for your target indeed requires
NSS then I suggest writing a replacement crypt() which you can link
OpenSSH against. Possibly there is one included in OpenSSH already,
and you just need to configure correctly to have it used.


//Peter

On 03/06/2012 05:13 AM, Mr Dash Four wrote:
> I am trying to build a static version of ssh, sshd and sftp, but after
banging my head against the wall for the best part of the last 3 days I am about
to give up...
Lately, I have been working on a Perl module that does just that.

It is still a work in progress. My aim was to be able to create easy to
install binaries for platforms that do not include recent versions of
OpenSSH (Solaris, HP-UX, AIX, etc.), but it may serve you as well. At
least you will see a set of flags and configure options that work on
Unix systems.

In order to use it, you will have to download the following two modules
from github

  https://github.com/salva/p5-Module-StaticBinaryBuilder
  https://github.com/salva/p5-Net-OpenSSH-StaticBinary

Install the first module and then run the StaticBuild.PL script from the
second. It will take care of downloading the packages (openssl and
openssh), and compile them from scratch with the proper options.

Hi,

On Tue, Mar 06, 2012 at 03:04:35PM +0000, Mr Dash Four
wrote:
> >Peter, a similar [abnormal] discussion was at OpenVPN list[1]
> >  
> Really? The "discussion" in question on that list was due to Alon
> modifying the openvpn source code and flogging it to the general public 
> as if this is an official openvpn release, without telling anyone the 
> code has been modified.
> 
> When I pulled Alon up on that, he reverted to petty insults. Alon was 
> then told by the moderators on that list to shut his gob (not for the 
> first time, I might add) in order not to get embarrassed even further.
Actually, Samuli and I tried to explain to *you* that you completely
missed the boat there.  So please stop spreading FUD on unrelated lists.

(Apologies to the OpenSSH people on this list that this is spilling over
from the OpenVPN list)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at
greenie.muc.de
fax: +49-89-35655025                        gert at
net.informatik.tu-muenchen.de

> Actually, Samuli and I tried to explain to *you* that you completely
> missed the boat there.  So please stop spreading FUD on unrelated lists.
>   
Samuli and *you*?! Would you like me to forward you what I had from 
Samuli on that particular topic? As for spreading FUD to "unrelated 
lists" - I am not the one who started this and when someone like Alon 
really starts "spreading FUD" I had to put him in his place - for his 
own sake.
> (Apologies to the OpenSSH people on this list that this is spilling over
> from the OpenVPN list)
>   
Ditto!

?ngel Gonz?lez wrote:
> Recompiling the same glibc version, but from upstream[1] instead of
> Fedora should theoretically work. Although I agree replacing glibc is
> not without risks.
I think libc can be left alone, all that is needed is a crypt()
implementation. If DES_crypt() can be used as-is then the missing
piece of the puzzle is a trivial wrapper.


//Peter