Hi,

At the office, there is an old ss5 box running sunos 4.1.4.
I have configured openssh using gcc on this machine.

In doing so, I found a few compilation and configuration problems.

1. Compilation Problem.
SunOS 4.1.4 doesn't have regex.h header nor the entry points regex.c is supposed to offer.

Solution. Copy regex.c and regex.h from, say, GNU awk distribution to the openssh directory and add regex.o in Makefile (Makefile.in). configure and it would work. I have no idea how to fix configure.in, etc.

X-PMC-CI-e-mail-id: 14242
==================================================================RCS file: RCS/Makefile,v retrieving revision 1.1 diff -cibw -r1.1 Makefile *** Makefile 2000/12/06 12:46:01 1.1 --- Makefile 2000/12/06 12:52:26 *************** *** 35,41 **** TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS) ! LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-getcwd.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o bsd-setproctitle.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o --- 35,41 ---- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS) ! 
LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o regex.o LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-getcwd.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o bsd-setproctitle.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o

2. Configuration problem:

This may be serious since the problem described here may apply to wider installation base.

Since SunOS 4.1.4 doesn't have (u)random devices, the sshd and ssh resort to a shell script installed in /usr/local/etc to gather entropy for pseudo random number generation.

Well, I looked into the script and tested various commands by hand. There may be problems under certain configurations.

There are many references to various system directories such as /var/adm, /var/log, etc. It turns out some of the popular directory names on this particular sparc box are symlinks to directories on different physical disk. Since Sun's default OS installer sets aside rather smallish amount for /var directory by default, I bet there are many systems where some of the heavily used var directories are symlinks to later added larger disks.

Unfortunately, on SunOS, many ls commands in the scripts probably return the same data (just a symlink name with the same time stamp over and over. It won't descend into the target directory.) and won't add to entropy much.

I wonder if someone can figure out a way to modify the directory entries in the script so that the target of the symlinks are placed in the installed copy instead of the original symlink names.

I manually modified the script, but wonder if automatic way is better. Definitely yes, but I am not sure how to go about it.

Just a thought.

I tested the ssh (never intended to run sshd on this machine) against an opensshd daemon running on Solaris 7 (sunos 5.7) for x86 box and it seemed to work fine.

Please keep up the good work!

Happy Hacking,

ishikawa
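
Review bot: regex.o is appended to LIBSSH_OBJS in the generated Makefile (the diff is against RCS/Makefile,v), so the edit is lost the next time configure regenerates that file; the change belongs in Makefile.in. Since regex.o is a replacement for a routine the system lacks rather than ssh code, it also fits better beside the bsd-*.o and fake-*.o entries in LIBOPENBSD_COMPAT_OBJS, and it should be added only when configure finds no regex.h, so that platforms with a native regex are not linked against the copied one.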
Hmmm... I've got at least one box here that has a similar problem (where doing an ls of e.g. /var/log just gets the same non-varying answer) since /var/log/ is a symlink to /u1/newvarlog to make up for a poor choice by a long-ago sysadmin.

I'm not sure whether the built-in entropy gathering notices that a particular command is a poor source of entropy. One solution is to have the ls be an "ls -alni /var/log/*" rather than /var/log, since /var/log/* will produce useful output even if /var/log is a symlink.

Is there any disadvantage that I'm unaware of to making this change to each of the ls lines in ssh_prng_cmds? Obviously /dev/random is a better thing in general, but...

Rip Loomis                  Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Ishikawa [mailto:ishikawa at yk.rim.or.jp]
> Sent: Thursday, December 07, 2000 11:50 AM
[[SNIP]]
> At the office, there is an old ss5 box running sunos 4.1.4.
> I have configured openssh using gcc on this machine.
>
> In doing so, I found a few compilation and configuration problems.
[[SNIP]]
> This may be serious since the problem described here may apply to
> wider installation base.
> Since SunOS 4.1.4 doesn't have (u)random devices, the sshd and ssh
> resort to a shell script installed in /usr/local/etc to
> gather entropy for
> pseudo random number generation.
[[SNIP]]
>
> Unfortunately, on SunOS, many ls commands in the scripts probably
> return the same data (just a symlink name with the same time stamp
> over and over. It won't descend into the target directory.)
> and won't add to entropy much.
>
> I wonder if someone can figure out a way to
> modify the directory entries in the script so that
> the target of the symlinks are placed in the
> installed copy instead of the original symlink names.
>
> I manually modified the script, but wonder if automatic way
> is better. Definitely yes, but I am not sure how to go about it.
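
The substitution asked for in the quoted message, as an added example that is not part of the thread or of the OpenSSH distribution: a POSIX shell filter that replaces symlinked directory arguments in a command list with their physical targets at install time. The function names and script name are hypothetical, the sample line layout used to exercise it is constructed, and it assumes a shell with "pwd -P" and directory names free of sed metacharacters.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): replace symlinked
# directory arguments in a command list with their physical targets, so that
# "ls -alni DIR" lists the directory contents instead of the link itself.
# Usage (script name is hypothetical):
#   sh fix_prng_dirs.sh /var/log /var/adm < ssh_prng_cmds > ssh_prng_cmds.new

# Print the physical path of $1 if it is a symlink to a directory;
# print $1 unchanged otherwise (real directory, plain file, missing path).
physical_dir() {
    if [ -L "$1" ] && [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        printf '%s\n' "$1"
    fi
}

# Filter stdin to stdout. Each argument is a directory that may appear in the
# command list; a symlinked one is rewritten wherever it occurs as a whole
# path (followed by a non-path character or end of line), so /var/log is
# rewritten but /var/log2 and /var/log/sub are left alone.
# Assumption: directory names contain no sed metacharacters and no '|'.
rewrite_cmds() {
    _script='s|^||'                  # no-op rule, used when nothing is a symlink
    for _dir in "$@"; do
        _real=$(physical_dir "$_dir")
        [ "$_real" = "$_dir" ] && continue
        _script="$_script
s|$_dir\\([^A-Za-z0-9_./-]\\)|$_real\\1|g
s|$_dir\$|$_real|"
    done
    sed -e "$_script"
}

# Run as a filter when directories are given on the command line.
if [ $# -gt 0 ]; then
    rewrite_cmds "$@"
fi
```

Directories that are not symlinks pass through untouched, so the same list of candidates can be given on every host.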
mouring at etoh.eviladmin.org
2000-Dec-08 00:56 UTC
sunos 4.1.4 Makefile and regex.[ch] fix
On Fri, 8 Dec 2000, Ishikawa wrote:

> Hi,
>
> At the office, there is an old ss5 box running sunos 4.1.4.
> I have configured openssh using gcc on this machine.
>
> In doing so, I found a few compilation and configuration problems.
>
> 1. Compilation Problem.
> SunOS 4.1.4 doesn't have regex.h header nor the entry points regex.c
> is supposed to offer.
>

We support pcre (POSIX Regular Expression Library) for OS that lack regex, or have a non-POSIX version (Like NeXTStep). The 'INSTALL' file has a URL to where you can pick up the library.

- Ben