If you haven’t heard yet, there’s a Buffer Management Bug in OpenSSH prior to 3.7.1. Of course, no matter your spin, their own take is “It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively.”, and I agree.
ALWAYS BACKUP YOUR PROGRAMS IF YOU INTEND TO INSTALL OVER THE SYSTEM DEFAULT!
That said, let’s forage into the installation of OpenSSH. Here’s what I did to (eventually) get it going – I’ve removed alot of the the debugging and excessive cruft:
%cd /tmp %curl -O ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7.1p1.tar.gz %gzip -dc openssh-3.7.1p1.tar.gz | tar xf – %cd openssh-3.7.1p1 %./configure—with-pid-dir=/private/var/run—sysconfdir=/private/etc—mandir=/usr/share/man—libexecdir=/usr/libexec—with-xauth=/usr/X11R6/bin/xauth—with-default-path=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin—with-md5-passwords—with-privsep-path=/private/var/empty—without-rsh—prefix=/usr—- The below editing is only required with OpenSSH 3.7.1p1, OpenSSH 3.7.1p2 has been fixed—- %vi config.h // I changed the following: #define SETEUID_BREAKS_SETUID 1 #define BROKEN_SETREUID 1 #define BROKEN_SETREGID 1—%make %sudo make install %kill `ps -auxwww | grep /usr/sbin/sshd | grep -v grep | awk ’{ print $2}’` %sudo /usr/sbin/sshd %telnet localhost 22 SSH-1.99-OpenSSH_3.7.1p1One thing you might find is that OpenSSH does give you the identification banner, but then dies with no notice. If this is the case, enable debug mode (I like to use /usr/sbin/sshd -dddd -D). This will show you what’s going wrong (hopefully) – the most common case being the fact that Darwin doesn’t have a ‘real’ setreuid(). If it barfs out a setgroup/setuser error, you forgot to edit ‘config.h’ as specified above, your privsep is broken, or something else is amiss. ;)
Alternatively, if this is not the case – if it can’t load your RSA or DSA keys, you might try moving them out of the way and regenerating them for this session. For this, the easiest way to ensure you can revert if it’s not the fault of the keys:
%mkdir /etc/oldsshkeys; mv /etc/ssh*key* /etc/oldsshkeys; %./ssh-keygen -t rsa1 -f /private/etc/ssh_host_key -N “” %./ssh-keygen -t dsa -f /private/etc/ssh_host_dsa_key -N “” %./ssh-keygen -t rsa -f /private/etc/ssh_host_rsa_key -N “”If that works; toss your old keys, or, more preferable, figure out why they stopped working – then fix it.
(This is unrelated – if you’re only interested in updating OpenSSH, feel free to stop reading. ;)); Apple’s elder OpenSSL is based upon 0.9.6, and 0.9.7b is backwards compatible. I like to keep fairly current, and I do dislike having to jump through hoops with different places of installation for relatively similar tools and packages – especally when the only arguable reason is because I have a system library which is dynamic, and there is no source/headers/static library available. Wishing for less headaches, I’ve installed this update of OpenSSL locally into the standard Darwin filesystem heirarchy, but it only installs the headers and the static libraries. This will cause problems with dynamic compilation, and most programs will gripe about the dynamic libraries not matching the headers, either at run time, or during compilation, so I manually created my own dynamic libraries of 0.9.7b, after moving the 0.9.6 ones out of the way:
%mv /usr/lib/libcrypto.0.9.dylib /usr/lib/libcrypto.0.9.6.dynlib && mv /usr/lib/libssl.0.9.dylib /usr/lib/libssl.0.9.6.dynlib #Yes, I did mean to put the ‘n’ there %mkdir /tmp/t; cd /tmp/t %ar -x /usr/lib/libcrypto.a %gcc -dynamiclib *.o -o /usr/lib/libcrypto.0.9.dylib -compatibility_version 0.9.0 -current_version 0.9.7 %rm * %ar -x /usr/lib/libssl.a %gcc -dynamiclib *.o -o /usr/lib/libssl.0.9.dylib -lcrypto -compatibility_version 0.9.0 -current_version 0.9.7 %otool -L /usr/sbin/sshd /usr/sbin/sshd: /usr/lib/libz.1.1.4.dylib (compatibility version 1.0.0, current version 1.1.4) /usr/lib/libcrypto.0.9.dylib (compatibility version 0.9.0, current version 0.9.7) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 63.0.0) %Update: As noted above, OpenSSH 3.7.1p2 was released on 23.09.2003, and does not need the ‘config.h’ manual editing as defined above.