Thanks. And I "know".. Use case: sshd in single user on quasi FDE-encrypted servers on co-location not accessible via KVM/AMT. I've done this on many machines since 2014.
I acknowledge that it isn't recommended practice (and definitely not supported!) but if anyone should want to help out, feel free to contact me off-list!

Best regards
Erling

On Mon, Feb 27, 2023 at 09:09:02PM -0700, Theo de Raadt wrote:
> Oh my god, don't do that!
>
> Your program will have a single aspect of randomness.
>
> If you leave it as it is, it has 6 .so's with independent random placement,
> and 4 of them (sshd, ld.so, libc.so, and libcrypto.so) are randomly linked
> at boot.
>
> These independent randomness are an incomplete but strong mitigation
> against ROP attack methods.
>
> What you are trying to do is counterproductive.
>
> Erling Westenvik <[email protected]> wrote:
>
> > Hi!
> > In the past, at least into several 6.x releases, I was able to produce a
> > statically linked sshd(8) binary like this:
> >
> > # cd /usr/src/usr.bin/ssh
> > # make clean
> > # make LDSTATIC=-static lib sshd
> > # strip /usr/src/usr.bin/ssh/sshd/sshd
> >
> > On a fresh 7.2 install however, the above won't do anymore.
> >
> > (It stops dead complaining about the "lib"-part in LDSTATIC=. When
> > trying without "lib" it goes on for a while but ends with complaints
> > about malloc-something. As you probably understand by now, I'm not
> > exactly a wizard.. : )
> >
> > Anyone up for outlining a simple "how-to"?
> >
> > Kind regards,
> >
> > Erling
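As an added example (not code from this thread or from OpenBSD itself): a small POSIX sh check for the boot-time relinking Theo describes, which compares per-boot hash snapshots of sshd, ld.so, libc.so and libcrypto.so and reports any object whose hash did not change, since an unchanged hash means that object was not relinked. The snapshot format ("<hash>  <path>" per line), the hashing tool and the library file names are assumptions; all hashes and paths below are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. OpenBSD relinks sshd, ld.so, libc.so
# and libcrypto.so at boot (per Theo's message), so their hashes should
# differ from one boot to the next. A hash that stays the same means the
# object was not relinked; a statically linked sshd carries its libc and
# libcrypto copies unchanged across every reboot, which is the loss of
# independent randomness Theo is pointing at.
# Snapshot format assumed: "<hash>  <path>" per line. Values are constructed;
# library file names use PLACEHOLDER instead of real version numbers.

# Constructed snapshot from boot 1.
BOOT1='
aaaa0001  /usr/sbin/sshd
aaaa0002  /usr/libexec/ld.so
aaaa0003  /usr/lib/libc.so.PLACEHOLDER
aaaa0004  /usr/lib/libcrypto.so.PLACEHOLDER
'
# Constructed snapshot from boot 2: everything relinked except ld.so, to
# show what an incomplete relink looks like.
BOOT2='
bbbb0001  /usr/sbin/sshd
aaaa0002  /usr/libexec/ld.so
bbbb0003  /usr/lib/libc.so.PLACEHOLDER
bbbb0004  /usr/lib/libcrypto.so.PLACEHOLDER
'

# not_relinked SNAP1 SNAP2: print each path whose hash is identical in both
# snapshots, i.e. the object was not relinked between the two boots.
not_relinked() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NF == 2 {
            if ($2 in first) { if (first[$2] == $1) print $2 }
            else first[$2] = $1
        }'
}

# relink_ok SNAP1 SNAP2: exit 0 only when every object changed between boots.
relink_ok() {
    [ -z "$(not_relinked "$1" "$2")" ]
}

# A real run would take the two snapshots with a hashing tool (e.g. sha256,
# an assumption) before and after a reboot; here the constructed ones are used.
not_relinked "$BOOT1" "$BOOT2"      # prints /usr/libexec/ld.so
relink_ok "$BOOT1" "$BOOT2" && echo "all relinked" || echo "relink incomplete"
```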

