openssh unix dev - Feb 2003 - OpenSSH question, please!! :)

Devin,
  I've CC-ed the list so this gets archived.
> when trying to run ssh, I get:
>
> OpenSSL version mismatch: Built against 90602f, you have 90701f
This is what I was saying before 
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104589343318200&w=2 
.   The binary packages provided by RedHat have many things compiled 
against them.  If you don't follow the upgrade path recommended by 
RedHat (i.e. they keep everything at 0.9.6b as an internal version 
number) then you run into instances like this.
> I wonder if this is something simple, but I
> am really confused as to why the latest version of SSH would be
> giving me these mismatch problems.
This is a security precaution.  If it would happen that someone replaced 
the libraries of OpenSSL with a hacked version or a compromised 
replacement it would be caught.  Obviously not a foolproof method but 
is definitely a help.
> Failed Dependencies:
> 	openssh = 3.4p1-2 is needed by (installed) openssh-server-3.4p1-2
> 	openssh = 3.4p1-2 is needed by (installed) openssh-clients-3.4p1-2
> 	openssh = 3.4p1-2 is needed by (installed) openssh-askpass3.4p1-2
RPM isn't always clear with its dependencies.  When dealing with RedHat 
there's 5 packages for OpenSSH - openssh, openssh-server, 
openssh-client, openssh-askpass and openssh-askpass-gnome.  You need to 
upgrade all of those at the same time.
> So basically I am stumped as to how to fix
> this.  Should I try and compile from source? I'd love to learn how to
> use RPMS instead though, especially for items like SSH which I wont
> need to recompile often.
What you should do is go to Rawhide (my favorite mirror is 
ftp.dulug.duke.edu) and go to the SRPMS tree 
(ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS) and get 
openssh-3.5p1-6.src.rpm.  This is the source RPM for RedHat's openssh 
packages.  If you're on RH8.0 you'll want to do an 'rpmbuild
--rebuild
openssh-3.5p1-6.src.rpm'.  This will make the 5 packages you need in 
/usr/src/redhat/RPMS/i386.  You can then install them from there and 
should resolve your depedences.

On a side note, while I use many RedHat servers in a production release, 
I would not consider 8.0 "production ready" just yet.  They're
working
out a lot of bugs that'll be fixed in 8.1.

If you continue to have problems, please e-mail me back but please make 
sure to CC openssh-unix-dev at mindrot.org so other can benefit.  Thanks.

-- 
Jason McCormick
jason at devrandom.org

Circa 2003-02-24 19:42:55 -0500 dixit Jason McCormick:
: > OpenSSL version mismatch: Built against 90602f, you have 90701f
: 
: This is what I was saying before 
: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104589343318200&w=2
: .   The binary packages provided by RedHat have many things compiled 
: against them.  If you don't follow the upgrade path recommended by 
: RedHat (i.e. they keep everything at 0.9.6b as an internal version 
: number) then you run into instances like this.

Of course, another option is to build packages of OpenSSL such that
more than one is able to be installed at a time, as i've recently
described on the RPM mailing list:

  http://www.redhat.com/mailing-lists/rpm-list/msg18062.html

Then it's possible to rebuild each package that depends on OpenSSL
without having to stop the service, uninstall the package, rebuild,
install, and finally restart the service again.

: This is a security precaution.  If it would happen that someone replaced 
: the libraries of OpenSSL with a hacked version or a compromised 
: replacement it would be caught.  Obviously not a foolproof method but 
: is definitely a help.

It's not remotely a security measure.  It's there because the OpenSSL
maintainers do not guarantee that either the OpenSSL API or the ABI
will be stable until OpenSSL v1.0.

The only possible way this could be connected with security is to keep
OpenSSH from using an OpenSSL shared library that may have a different
API or ABI than OpenSSH expects, giving rise to potential, hypothetical
problems (for example, if the libcrypto API were to change such that
OpenSSH failed to call a newly required initialization function,
causing OpenSSH to send out unencrypted or weakly encrypted data).

It's much more likely that OpenSSH would simply crash unexpectedly due
to a strange pointer in a slightly incompatible ABI, and you wouldn't
be able to get OpenSSH running again.  As it is, when you run 'sshd -t'
after installing your new, potentially incompatible OpenSSL library,
OpenSSH complains immediately, instead of crashing later.

It's more of a reliability measure than a security measure.  If you
want to protect against the replacement of shared libraries (or any
other files, for that matter, such as /etc/ssh/sshd_config), you should
use a combination of immutable attributes, securelevels, and offline
SHA-1 hashes or the equivalent.  Anything else is just fooling
yourself.

: > Failed Dependencies:
  [...]

: RPM isn't always clear with its dependencies.  When dealing with RedHat 
: there's 5 packages for OpenSSH - openssh, openssh-server, 
: openssh-client, openssh-askpass and openssh-askpass-gnome.  You need to 
: upgrade all of those at the same time.

(or remove them first, or, if you *really* know what you're doing,
uninstall the required package using 'rpm --erase --nodeps').

: What you should do is go to Rawhide (my favorite mirror is 
: ftp.dulug.duke.edu) and go to the SRPMS tree 
: (ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS) and get 
: openssh-3.5p1-6.src.rpm.  This is the source RPM for RedHat's openssh 
: packages.  If you're on RH8.0 you'll want to do an 'rpmbuild
--rebuild
: openssh-3.5p1-6.src.rpm'.  This will make the 5 packages you need in 
: /usr/src/redhat/RPMS/i386.  You can then install them from there and 
: should resolve your depedences.

Note that current Red Hat Rawhide uses rpm-4.2, which contains some
additions to specfile syntax (notable a %check section).  Consequently,
some Rawhide RPMs may not to rebuild properly under systems using
earlier versions of RPM.  Caveat utilisor.

If you're going to install RPMs of OpenSSH, why not simply use the ones
from ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/rpm/ ?  Or even
from the specfile in the openssh-3.5p1 source tarball?  That way you
don't have any of the sort of cross-platform incompatibility:

  http://cr.yp.to/compatibility.html

that continues to plague Unix, Linux, and other "compatible" operating
platforms.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 256 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030224/d03ecebf/attachment.bin