Re: sshd failure following errata 007 for 5.8
On 2015-11-02, Stuart Henderson wrote: [...] > So I think your system is messed up somehow. Your symptoms are more > like what would happen if you'd copied some old libcrypto.so.XX file > to libcrypto.so.35.0 and locally built various apps against that. > > In your position I'd probably boot the 5.8 installer and do an > 'upgrade' install over the top of your current system to make sure the > files are correct for 5.8. Then forcibly reinstall all packages with > > # PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/packages/amd64/ > pkg_add -u -D installed [...] Thank you Stuart. I: - rebooted on bsd.rd - launched upgrade - pkg_add -u -D installed - restarted applying patches : as before - 001 fails during make : sshd.o: In function `main': sshd.c:(.text+0x414e): undefined reference to `do_authentication' monitor.o: In function `mm_answer_rsa_response': monitor.c:(.text+0x9e0): undefined reference to `auth_rsa_verify_response' monitor.o: In function `mm_answer_rsa_challenge': monitor.c:(.text+0xbd7): undefined reference to `auth_rsa_generate_challenge' monitor.o: In function `mm_answer_rsa_keyallowed': monitor.c:(.text+0xe41): undefined reference to `auth_rsa_key_allowed' monitor.o: In function `mm_answer_keyallowed': monitor.c:(.text+0x1faf): undefined reference to `auth_rhosts_rsa_key_allowed' collect2: ld returned 1 exit status *** Error 1 in sshd (:87 'sshd') *** Error 1 in /usr/src/usr.bin/ssh (:48 'all') - 004 fails. I then stopped patching and started thinking. Last month, our firewall experienced three times some sort of freezing (no way to login), of which I couldn't find any other way out than cold booting and some fsck work in the case of the second freeze. Because of limited time to operate, I put it back to work, but I'm wondering now if I shouldn't reinstall it from scratch. Olivier Debré
Re: sshd failure following errata 007 for 5.8
Stuart Henderson writes: > I'm not sure what happened here, there's no way that patch 007 would > do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't > be referenced by that sshd binary. > > Where did your base58 file come from? Hello Stuart. Thanks for your help. I downloaded: - base58.tgz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/amd64/ - cd-src.tar.gz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/ It appears to me now that other apps are broken, for instance wget: wget:/usr/lib/libcrypto.so.35.0: undefined symbol 'ENGINE_load_rsax' As I wrote in a message that I now discover I never sent :-), though not being a developer, I thought that all executables dynamically linked with libcrypto would break. Wget behavior looks to me as a confirmation of that. So, once again, I choose to: - wipe out /usr/src/ - put in place a fresh cd-src.tar.gz - put in place base58.tgz - not apply patches that failed for me: 001, 004 and 007. Olivier Debré
Re: sshd failure following errata 007 for 5.8
On 2015-11-02, Tichodromawrote: > Stuart Henderson writes: > > > I'm not sure what happened here, there's no way that patch 007 would > > do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't > > be referenced by that sshd binary. > > > > Where did your base58 file come from? > > Hello Stuart. > > Thanks for your help. > > I downloaded: > - base58.tgz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/amd64/ > - cd-src.tar.gz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/ > > It appears to me now that other apps are broken, for instance wget: > wget:/usr/lib/libcrypto.so.35.0: undefined symbol 'ENGINE_load_rsax' > > As I wrote in a message that I now discover I never sent :-), though not > being a developer, I thought that all executables dynamically linked > with libcrypto would break. Wget behavior looks to me as a confirmation > of that. No, programs dynamically linking to libcrypto will continue to work unless functions are removed from the library or their calling interface changes. The patch doesn't do either of those things, so should be no problem. When those things *are* done in a library, we change the library version number so that existing binaries will continue to use the old library, but we don't do that for errata patches. So I think your system is messed up somehow. Your symptoms are more like what would happen if you'd copied some old libcrypto.so.XX file to libcrypto.so.35.0 and locally built various apps against that. In your position I'd probably boot the 5.8 installer and do an 'upgrade' install over the top of your current system to make sure the files are correct for 5.8. Then forcibly reinstall all packages with # PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/packages/amd64/ pkg_add -u -D installed > So, once again, I choose to: > - wipe out /usr/src/ > - put in place a fresh cd-src.tar.gz > - put in place base58.tgz > - not apply patches that failed for me: 001, 004 and 007. I've just downloaded http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/cd-src.tar.gz and tried patching; all of the 5.8 patches successfully apply for me. $ sha256 -b cd-src.tar.gz SHA256 (cd-src.tar.gz) = dPH+mhrjIgrG3jC/aOIaMW9LtdekZejihIl3zwXzs/o=
Re: sshd failure following errata 007 for 5.8
Olivier Debré free.fr> writes: > > Hello everyone. > > Following Ted's advice regarding the use of cd-src.tar.gz > (http://article.gmane.org/gmane.os.op enbsd.misc/226175), for all 5.8 > patches, I did so. > I first had an error during 004 smtpd security fix. Never mind, I use > Postfix. > I then applied 007 libcrypto reliability fix. No error visible during > the process, but now sshd barks: > > /usr/sbin/sshd:/usr/lib/libcrypto.so. 35.0: undefined symbol 'EVP_mdc2' > lazy binding failed! > Segmentation fault (core dumped) > > Libcrypto-linked applications are quite numerous, to say the least. I > found 45 in /usr/sbin, 15 in /usr/local/sbin/. > Any idea as to what went wrong? > I consider putting back the libcrypto-linked applications from base58 > file set, but I'm sure there's someting better to do! I'm not sure what happened here, there's no way that patch 007 would do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't be referenced by that sshd binary. Where did your base58 file come from?
Re: sshd failure following errata 007 for 5.8
Hi Olivier, I ran into this same issue. I simply rebuilt ssh after applying libcrypto patch with: cd /usr/src/usr.bin/ssh make obj make depend make make install Hope that helps -- Jared - Original message - From: Olivier Debré <tichodr...@free.fr> To: misc@openbsd.org Subject: sshd failure following errata 007 for 5.8 Date: Fri, 30 Oct 2015 14:34:01 + (UTC) Hello everyone. Following Ted's advice regarding the use of cd-src.tar.gz (http://article.gmane.org/gmane.os.openbsd.misc/226175), for all 5.8 patches, I did so. I first had an error during 004 smtpd security fix. Never mind, I use Postfix. I then applied 007 libcrypto reliability fix. No error visible during the process, but now sshd barks: /usr/sbin/sshd:/usr/lib/libcrypto.so.35.0: undefined symbol 'EVP_mdc2' lazy binding failed! Segmentation fault (core dumped) Libcrypto-linked applications are quite numerous, to say the least. I found 45 in /usr/sbin, 15 in /usr/local/sbin/. Any idea as to what went wrong? I consider putting back the libcrypto-linked applications from base58 file set, but I'm sure there's someting better to do! Thanks. Olivier Debré
Re: sshd failure following errata 007 for 5.8
Oof - forgive the top post. Sorry everyone. -- Jared
sshd failure following errata 007 for 5.8
Hello everyone. Following Ted's advice regarding the use of cd-src.tar.gz (http://article.gmane.org/gmane.os.openbsd.misc/226175), for all 5.8 patches, I did so. I first had an error during 004 smtpd security fix. Never mind, I use Postfix. I then applied 007 libcrypto reliability fix. No error visible during the process, but now sshd barks: /usr/sbin/sshd:/usr/lib/libcrypto.so.35.0: undefined symbol 'EVP_mdc2' lazy binding failed! Segmentation fault (core dumped) Libcrypto-linked applications are quite numerous, to say the least. I found 45 in /usr/sbin, 15 in /usr/local/sbin/. Any idea as to what went wrong? I consider putting back the libcrypto-linked applications from base58 file set, but I'm sure there's someting better to do! Thanks. Olivier Debré
Re: sshd failure following errata 007 for 5.8
Jared Hamilton fastmail.com> writes: > > Hi Olivier, > > I ran into this same issue. I simply rebuilt ssh after applying > libcrypto patch with: > cd /usr/src/usr.bin/ssh > make obj > make depend > make > make install > > Hope that helps > > -- > Jared Thank you Jared. I did as you suggest, however : /usr/src/usr.bin/ssh # make ===> lib ===> ssh ===> sshd cc -o sshd sshd.o auth-rhosts.o auth-passwd.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-systrace.o -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lutil -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lutil -lcrypto -lutil -lz sshd.o: In function `main': sshd.c:(.text+0x414e): undefined reference to `do_authentication' monitor.o: In function `mm_answer_rsa_response': monitor.c:(.text+0x9e0): undefined reference to `auth_rsa_verify_response' monitor.o: In function `mm_answer_rsa_challenge': monitor.c:(.text+0xbd7): undefined reference to `auth_rsa_generate_challenge' monitor.o: In function `mm_answer_rsa_keyallowed': monitor.c:(.text+0xe41): undefined reference to `auth_rsa_key_allowed' monitor.o: In function `mm_answer_keyallowed': monitor.c:(.text+0x1faf): undefined reference to `auth_rhosts_rsa_key_allowed' /usr/lib/libcrypto.so.35.0: undefined reference to `ENGINE_load_rsax' /usr/lib/libcrypto.so.35.0: undefined reference to `EVP_mdc2' collect2: ld returned 1 exit status *** Error 1 in sshd (:87 'sshd') *** Error 1 in /usr/src/usr.bin/ssh (:48 'all') I'm not a developer. Maybe I should have rebuilt /usr/src with cd-src.tar.gz before? Plus, as I wrote, there are 50+ apps linked with libcrypto, and I prefer putting back all base58.tgz in place instead of rebuilding all of them. Anyway, it seems that now we are two having experienced that. Olivier
Re: sshd failure following errata 007 for 5.8
On Fri, Oct 30, 2015 at 03:41:19PM +, Olivier Debr?? wrote: > Plus, as I wrote, there are 50+ apps linked with libcrypto, and I prefer > putting back all base58.tgz in place instead of rebuilding all of them. There aren't 50+ apps linked *statically* to libcrypto. They use it as a shared library. There's not need to rebuild all those. That's why the patch doesn't mention rebuilding other things. --Kurt