Hi all,

lately I've built an RPM for OpenSSH 3.6.1p2 on AIX using the OpenSSL installation that comes with IBM's "AIX Toolbox for Linux". The latter by default installs in the /opt/freeware directory, so I've run configure with the option '--with-ssl-dir=/opt/freeware'.

This has worked fine for former versions of OpenSSH, but with 3.6.1p2, /opt/freeware/lib apparently does not get added to blibpath during the build. As a matter of fact, after installing the RPM, sshd refuses to start as it cannot find libcrypto.a in /usr/lib or /lib.

If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC file before running configure, all works well. But I would expect to get /opt/freeware/lib added to blibpath automatically by the --with-ssl-dir option.

The ChangeLog contains

20030429
[...]
 - (djm) Fix blibpath specification for AIX/gcc
[...]

which I suspect to be the cause for what I'm seeing.

Could anybody please comment?

TIA,
Markus

P.S.: Please copy me on your replies, as I'm not subscribed to the list.

--
Markus Alt
IBM Lab Boeblingen, Germany
altmark at de.ibm.com

Markus Alt wrote:
> This has worked fine for former versions of OpenSSH, but with 3.6.1p2,
> /opt/freeware/lib apparently does not get added to blibpath during the
> build. As a matter of fact, after installing the RPM, sshd refuses to
> start as it cannot find libcrypto.a in /usr/lib or /lib.

Yeah, there's a reason for this:
"Portable OpenSSH: Dangerous AIX linker behavior"
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105167884027821

> If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC
> file before running configure, all works well. But I would expect to get
> /opt/freeware/lib added to blibpath automatically by the --with-ssl-dir
> option.

Good idea, but it would need to be sanity checked (eg --with-ssl-dir=../openssl-0.9.7b/ or --with-ssl-dir=/tmp/openssl-0.9.7b would produce exploitable binaries).

It's only required if you're using an openssl shared library (which is still marked as "experimental").

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Darren Tucker wrote:
>
> Markus Alt wrote:
> > This has worked fine for former versions of OpenSSH, but with 3.6.1p2,
> > /opt/freeware/lib apparently does not get added to blibpath during the
> > build. As a matter of fact, after installing the RPM, sshd refuses to
> > start as it cannot find libcrypto.a in /usr/lib or /lib.
>
> Yeah, there's a reason for this:
> "Portable OpenSSH: Dangerous AIX linker behavior"
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105167884027821

I've seen that.

> > If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC
> > file before running configure, all works well. But I would expect to get
> > /opt/freeware/lib added to blibpath automatically by the --with-ssl-dir
> > option.
>
> Good idea, but it would need to be sanity checked (eg
> --with-ssl-dir=../openssl-0.9.7b/ or --with-ssl-dir=/tmp/openssl-0.9.7b
> would produce exploitable binaries).

So the new behaviour is a kind of security measure if I understand this correctly. And I will have to judge whether I trust the installation in the given directory, but this will not happen automatically. Makes sense.

Thanks for your quick response!

Markus

--
Markus Alt
IBM Lab Boeblingen, Germany
altmark at de.ibm.com
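
One way the sanity check discussed in this thread could look, as an added example that is not code from OpenSSH's configure or from either poster. The function names are hypothetical, and the policy (absolute path, every directory up to / owned by uid 0 and not writable by group or others) is an assumption about what "trusted" should mean for a directory embedded in blibpath.

```sh
#!/bin/sh
# Added example: vet a directory before it is embedded in an AIX blibpath.
# Function names are hypothetical; the policy (root-owned, not writable by
# group or others, all the way up to /) is an assumption, not OpenSSH's.

# Lexical check: absolute path with no empty, "." or ".." components.
path_is_clean() {
    p=${1%/}
    case "$p" in /*) ;; *) return 1 ;; esac
    case "$p/" in *//*|*/./*|*/../*) return 1 ;; esac
}

# Check the mode string and numeric owner taken from one `ls -ldn` line.
# Symlinks and sticky world-writable directories such as /tmp are refused.
entry_is_safe() {
    perms=$1 uid=$2
    [ "$uid" = 0 ] || return 1
    case "$perms" in
        d????w*|d???????w*) return 1 ;;   # group- or world-writable
        d*) return 0 ;;
    esac
    return 1
}

# Walk from the candidate directory up to /, refusing on the first bad entry.
check_libdir() {
    path_is_clean "$1" || return 1
    dir=${1%/}
    while :; do
        set -- $(ls -ldn "${dir:-/}" 2>/dev/null)
        [ $# -ge 3 ] || return 1          # missing or unreadable
        entry_is_safe "$1" "$3" || return 1
        [ -n "$dir" ] || return 0         # just checked /
        dir=${dir%/*}
    done
}

# Constructed candidates taken from the thread's examples.
for d in /opt/freeware/lib ../openssl-0.9.7b /tmp/openssl-0.9.7b; do
    if check_libdir "$d"; then
        echo "ok:      $d"
    else
        echo "refused: $d"
    fi
done
```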