openssh unix dev - Mar 2001 - Improper (?) OpenSSL version mismatch(was RE: OpenSSH_2.5.1p1 - RH 6.2)

Well, I've finally gotten around to compiling
and testing OpenSSH 2.5.2p1, in order to update
the contrib/solaris packaging scripts.

Somehow on my test system, I'm getting errors
that indicate that I've still got some old copy
of OpenSSL being found somewhere...but I can't
for the life of me tell where.  The compile went
fine (it found the OpenSSL 0.9.5a libraries that
I had compiled and installed in /usr/local/ssl),
but I get the error below with text indicating
that I've still got some other random version.

The screwy thing is that I'm rather sure that I
don't...in fact, I even downloaded, compiled,
and installed OpenSSL 0.9.6 in hopes that it
would fix it (no joy).  Then I did multiple
global finds looking for any crypto or ssl-related
libraries that might have been dangling (no joy).
Finally, I commented out the check in entropy.c
and re-compiled, and ssh/sshd run fine.  This
implies to me that the check possibly doesn't work
properly?

Any other hints as to a filename to look for, or
an alternate installation location?  It seems
particularly odd to me that the compile runs fine,
but on *the same box* it picks up a different
library version at run-time.

contrib/solaris updates to follow ASAP.

Rip Loomis		Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

  
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Monday, February 26, 2001 4:38 PM
> To: mouring at etoh.eviladmin.org
> Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
> 
> 
> On Tue, 27 Feb 2001, Damien Miller wrote:
> 
> > How about we put something like:
> >
> > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> > 	fatal("OpenSSL version mismatch. Built against %x, you have
%x",
> > 	    OPENSSL_VERSION_NUMBER, SSLeay());
> >
> > at the start of every executable to kill this thing once 
> and for all.
> 
> I might put this in init_rng() so we get it without any more 
> disruption.
> 
> -d
> 
> -- 
> | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are 
> the poor man's
> | http://www.mindrot.org          /   distributed 
> filesystem'' - Dan Geer
> 
>

I'm not using rpms, I am doing some work using kerberos authentication and
want to use OpenSSH to interface to kerberos. It's the damnedest thing
though, when I configure, no matter WHERE the krb.h file lives, it won't
get read in by the configure script. Has anyone run into this before?
Also, on RH7, tcpwrappers is a static lib, the src rpm seems to find it if
I rebuild, but the actual source doesn't seem to find it. The same goes
for libpam.so, that stuff exists in /usr/lib and ld.so.cache is updated, I
updated again it just to make sure.  Any pointers are much appreciated!

-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Loomis, Rip wrote:
> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where.  The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.
>
> The screwy thing is that I'm rather sure that I
> don't...in fact, I even downloaded, compiled,
> and installed OpenSSL 0.9.6 in hopes that it
> would fix it (no joy).  Then I did multiple
> global finds looking for any crypto or ssl-related
> libraries that might have been dangling (no joy).
> Finally, I commented out the check in entropy.c
> and re-compiled, and ssh/sshd run fine.  This
> implies to me that the check possibly doesn't work
> properly?
>
> Any other hints as to a filename to look for, or
> an alternate installation location?  It seems
> particularly odd to me that the compile runs fine,
> but on *the same box* it picks up a different
> library version at run-time.
>
> contrib/solaris updates to follow ASAP.
>
> Rip Loomis		Voice Number: (410) 953-6874
> --------------------------------------------------------
> Senior Security Engineer
> Center for Information Security Technology
> Science Applications International Corporation
> http://www.cist.saic.com
>
>
>
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Monday, February 26, 2001 4:38 PM
> > To: mouring at etoh.eviladmin.org
> > Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> > Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
> >
> >
> > On Tue, 27 Feb 2001, Damien Miller wrote:
> >
> > > How about we put something like:
> > >
> > > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> > > 	fatal("OpenSSL version mismatch. Built against %x, you have
%x",
> > > 	    OPENSSL_VERSION_NUMBER, SSLeay());
> > >
> > > at the start of every executable to kill this thing once
> > and for all.
> >
> > I might put this in init_rng() so we get it without any more
> > disruption.
> >
> > -d
> >
> > --
> > | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are
> > the poor man's
> > | http://www.mindrot.org          /   distributed
> > filesystem'' - Dan Geer
> >
> >
>

On Thu, 22 Mar 2001, Loomis, Rip wrote:
> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where.  The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.
You probably have old header files lying around somewhere. Check all
your include directories.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor
man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan
Geer

Doh! After reading the openssl/des.h file, I found this set of lines.

#ifdef _KERBEROS_DES_H
#error <openssl/des.h> replaces <kerberos/des.h>.
#endif

-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:
> Success!. I found that the des.h from openssl was conflicting with the one
> in /usr/kerberos/include/kerberosIV/. I moved the one in
> /usr/include/openssl to .orig and then ln -s the one in kerberosIV to
> openssl. Openssh Builds fine now. Is this the best way to do this or
> should it be done differently?
>
>