Loomis, Rip
2001-Mar-22 19:30 UTC
Improper (?) OpenSSL version mismatch(was RE: OpenSSH_2.5.1p1 - RH 6.2)
Well, I've finally gotten around to compiling and testing OpenSSH 2.5.2p1, in order to update the contrib/solaris packaging scripts.

Somehow on my test system, I'm getting errors that indicate that I've still got some old copy of OpenSSL being found somewhere...but I can't for the life of me tell where. The compile went fine (it found the OpenSSL 0.9.5a libraries that I had compiled and installed in /usr/local/ssl), but I get the error below with text indicating that I've still got some other random version.

The screwy thing is that I'm rather sure that I don't...in fact, I even downloaded, compiled, and installed OpenSSL 0.9.6 in hopes that it would fix it (no joy). Then I did multiple global finds looking for any crypto or ssl-related libraries that might have been dangling (no joy). Finally, I commented out the check in entropy.c and re-compiled, and ssh/sshd run fine. This implies to me that the check possibly doesn't work properly?

Any other hints as to a filename to look for, or an alternate installation location? It seems particularly odd to me that the compile runs fine, but on *the same box* it picks up a different library version at run-time.

contrib/solaris updates to follow ASAP.

Rip Loomis                          Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Monday, February 26, 2001 4:38 PM
> To: mouring at etoh.eviladmin.org
> Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
>
> On Tue, 27 Feb 2001, Damien Miller wrote:
>
> > How about we put something like:
> >
> > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> >     fatal("OpenSSL version mismatch. Built against %x, you have %x",
> >         OPENSSL_VERSION_NUMBER, SSLeay());
> >
> > at the start of every executable to kill this thing once and for all.
>
> I might put this in init_rng() so we get it without any more
> disruption.
>
> -d
>
> --
> | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
Austin Gonyou
2001-Mar-22 22:44 UTC
Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
I'm not using rpms, I am doing some work using kerberos authentication and want to use OpenSSH to interface to kerberos. It's the damnedest thing though, when I configure, no matter WHERE the krb.h file lives, it won't get read in by the configure script. Has anyone run into this before?

Also, on RH7, tcpwrappers is a static lib, the src rpm seems to find it if I rebuild, but the actual source doesn't seem to find it. The same goes for libpam.so, that stuff exists in /usr/lib and ld.so.cache is updated, I updated it again just to make sure.

Any pointers are much appreciated!

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Loomis, Rip wrote:

> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where. The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.
>
> The screwy thing is that I'm rather sure that I
> don't...in fact, I even downloaded, compiled,
> and installed OpenSSL 0.9.6 in hopes that it
> would fix it (no joy). Then I did multiple
> global finds looking for any crypto or ssl-related
> libraries that might have been dangling (no joy).
> Finally, I commented out the check in entropy.c
> and re-compiled, and ssh/sshd run fine. This
> implies to me that the check possibly doesn't work
> properly?
>
> Any other hints as to a filename to look for, or
> an alternate installation location? It seems
> particularly odd to me that the compile runs fine,
> but on *the same box* it picks up a different
> library version at run-time.
>
> contrib/solaris updates to follow ASAP.
>
> Rip Loomis                          Voice Number: (410) 953-6874
> --------------------------------------------------------
> Senior Security Engineer
> Center for Information Security Technology
> Science Applications International Corporation
> http://www.cist.saic.com
>
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Monday, February 26, 2001 4:38 PM
> > To: mouring at etoh.eviladmin.org
> > Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> > Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
> >
> > On Tue, 27 Feb 2001, Damien Miller wrote:
> >
> > > How about we put something like:
> > >
> > > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> > >     fatal("OpenSSL version mismatch. Built against %x, you have %x",
> > >         OPENSSL_VERSION_NUMBER, SSLeay());
> > >
> > > at the start of every executable to kill this thing once and for all.
> >
> > I might put this in init_rng() so we get it without any more
> > disruption.
> >
> > -d
> >
> > --
> > | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
> > | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
Damien Miller
2001-Mar-22 23:22 UTC
Improper (?) OpenSSL version mismatch(was RE: OpenSSH_2.5.1p1 - RH 6.2)
On Thu, 22 Mar 2001, Loomis, Rip wrote:

> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where. The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.

You probably have old header files lying around somewhere. Check all your include directories.

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
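Added example, not part of the thread or of OpenSSH's code: the check discussed above prints both version numbers in hex, so this sketch decodes such values into release names to show which headers and which library are in play. It assumes the 0xMNNFFPPS layout documented in OpenSSL's opensslv.h for 0.9.6 and later; the helper names and sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fields of an OpenSSL version number, assumed layout 0xMNNFFPPS. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;   /* M  */
    r.minor  = (v >> 20) & 0xff;  /* NN */
    r.fix    = (v >> 12) & 0xff;  /* FF */
    r.patch  = (v >> 4)  & 0xff;  /* PP: 0 = none, 1 = 'a', 2 = 'b', ... */
    r.status = v & 0xf;           /* S: 0xf marks a release build */
    return r;
}

/* Writes e.g. "0.9.6" or "0.9.6a" into buf and returns buf. */
static const char *format_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = decode_version(v);
    int n = snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
    if (r.patch >= 1 && r.patch <= 26 && n > 0 && (size_t)n + 1 < len) {
        buf[n] = (char)('a' + r.patch - 1);
        buf[n + 1] = '\0';
    }
    return buf;
}

/* Same strict comparison as the check in the thread: the value compiled in
 * from the headers must equal the value reported by the loaded library. */
static int versions_mismatch(unsigned long built, unsigned long runtime)
{
    return built != runtime;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    unsigned long built = 0x0090600fUL, runtime = 0x0090601fUL;
    char a[16], b[16];

    if (versions_mismatch(built, runtime))
        printf("mismatch: headers are %s, library is %s\n",
               format_version(built, a, sizeof a),
               format_version(runtime, b, sizeof b));
    return 0;
}
```

The first value in the fatal message comes from whichever opensslv.h the compiler found and the second from the library loaded at run time, so decoding both tells you which side is stale.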
Austin Gonyou
2001-Mar-23 16:41 UTC
Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
Doh! After reading the openssl/des.h file, I found this set of lines.

    #ifdef _KERBEROS_DES_H
    #error <openssl/des.h> replaces <kerberos/des.h>.
    #endif

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:

> Success!. I found that the des.h from openssl was conflicting with the one
> in /usr/kerberos/include/kerberosIV/. I moved the one in
> /usr/include/openssl to .orig and then ln -s the one in kerberosIV to
> openssl. Openssh Builds fine now. Is this the best way to do this or
> should it be done differently?