[ale] OpenSSH root vulnerability

John Mills jmmills at telocity.com
Sun Mar 10 20:57:46 EST 2002


Mr. Pizza -

On Fri, 8 Mar 2002, Stuffed Crust wrote:

> On Fri, Mar 08, 2002 at 12:42:23PM -0500, John Mills wrote:
[Tale of woe building openssh-3.1p1 from source tarball]

> So, you need to upgrade to a newer version of openssl.
> I built openssl 0.9.6b and openssh 3.1; RH 6.2 RPMs are at:

Thanks - I have generally had better luck building these from sources,
rather than installing the RH rpms, and I had already downloaded
'openssl-0.9.6c'.

I did get a few more flesh-wounds in the process, which I'll list here in
case it is helpful.

I had no problem configuring, building, or installing openssl-0.9.6c,
except the usual quibble that the package expects you to configure and
build in the source tree. However, I couldn't get 'openssh-3.1p1' to
configure successfully after that. Instead, I flailed around reconfiguring
until:

1) Configured openssl-0.9.6c with '--prefix=/usr/local' and
'--openssldir=/usr/local/openssl' <-- This seemed unneeded, but without
it, 'openssh-3.1p1/configure' couldn't "#include <openssl/rand.h>"

2) Linked the new 'libssl.*' and 'libcrypto*' into /usr/lib, where they
replaced older links to 'openssl-0.9.5' libs.

3) Now I was able to configure openssh-3.1p1 with the corresponding
'--with-ssl-dir=/usr/local/openssl' (as well as "--with-tcpwrappers
--with-pam, --with-md5-passwords" _ENOUGH_ARREADY_!!) , and built without
[further] incident.

In order to run the new package, I had to remove the old ssh* utils, as
they were in a different and earlier PATH branch than the new versions,
then I removed their old support files from '/usr/local/ssl/etc', _reran_
'make install' &8-P), did 'make host-key', and it seemed I was good to go.

Did a little patching on '/etc/rc.d/init.d/sshd', and restarted sshd.

First login from another box asked me to OK a new key, which I took as
confirming a successful installation.

Maybe this would have been simpler, thanks:

> ftp://ftp.shaftnet.org/pub/rpms/redhat-6.2/i386

> openssh-3.1p1-1.i386.rpm
> openssh-askpass-3.1p1-1.i386.rpm
> openssh-askpass-gnome-3.1p1-1.i386.rpm
> openssh-clients-3.1p1-1.i386.rpm
> openssh-server-3.1p1-1.i386.rpm
> openssl095a-0.9.5a-11.i386.rpm
> openssl-0.9.6b-8.i386.rpm
> openssl-devel-0.9.6b-8.i386.rpm
> openssl-perl-0.9.6b-8.i386.rpm

 - John Mills


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
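
An added example, not part of the original message: the message above describes old ssh* utilities sitting in an earlier PATH branch than the newly built ones, so the old binaries kept being run. These POSIX shell functions list every copy of a command in lookup order and check that the intended copy wins; the `/usr/local/bin` install location in the usage comment is an assumption, since the message does not state the OpenSSH prefix.

```shell
#!/bin/sh
# Added example (not from the original message).

# path_copies CMD [PATHSTRING]
# Print every executable named CMD found along PATHSTRING (default: $PATH),
# in lookup order. The first line is the copy the shell would run.
# The body runs in a subshell so the IFS and noglob changes do not leak.
path_copies() (
    cmd=$1
    search=${2:-$PATH}
    set -f          # no globbing while splitting the path string
    IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
)

# check_first CMD EXPECTED [PATHSTRING]
# Return 0 only if EXPECTED is the copy that wins the lookup; otherwise
# report which copy shadows it and return 1.
check_first() {
    winner=$(path_copies "$1" "${3:-$PATH}" | head -n 1)
    if [ "$winner" = "$2" ]; then
        return 0
    fi
    printf '%s: expected %s, but lookup finds %s\n' "$1" "$2" "${winner:-nothing}"
    return 1
}

# Usage (install path is an assumption, adjust to your --prefix):
#   for c in ssh scp ssh-keygen; do check_first "$c" "/usr/local/bin/$c"; done
```

Running `path_copies sshd` as well shows whether a stale daemon binary is still present for the init script to pick up.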