
September 17, 2003

Wasting Time with OpenSSH Upgrade

Since the buzz started yesterday afternoon about the OpenSSH vulnerability, I've been working on getting machines updated.

I have four flavors of boxes that are running sshd: OS X, Linux, Solaris 8 with 32-bit libraries, and Solaris with a mix of 32-bit and 64-bit applications/libraries. I figured I'd wait for Apple to release the OS X update and started on Linux . . . no problems. Creating a package for Solaris 32-bit was also a snap. Then I started on the 64-bit (around 8 last night).

Assuming everything would go as it had on my previous installs, I configured, compiled, built and installed a package for OpenSSH 3.7p1. When it was all running I attempted to ssh to the machine and, after entering my password, got a message:

Connection to finch.hsdb.tufts.edu closed.
I fiddled for a bit, turned on debugging and discovered one, not very helpful, message in the debug dump of the daemon:

debug1: Received SIGCHLD.

Not terribly useful. Didn't find much on Google either, just a few different threads about the shell sending the signal because of corrupt libraries.

It was midnight and I had to be up early, so I fiddled with the sshd_config file a bit, and with UseLogin set to yes I could actually get a shell going. Unfortunately the environment was all messed up: no X11 forwarding, PATH all messed up. But I figured it would do for the few people who need ssh on the machine. Supposedly, UseLogin is for old systems where sshd doesn't know how to authenticate or set up a login session.

During the night I thought about the corrupt libraries thing, and first thing this morning I checked out the libraries OpenSSH uses. zlib was 64-bit; OpenSSL was a few versions old and 32-bit. Grabbed a new version of OpenSSL and tried to build OpenSSH 3.7p1 64-bit, hoping the problem would be solved. No luck.
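The library check described in the paragraph above, written out as an added example (this is not code from the original post): it reads the EI_CLASS byte of each ELF header to report 32- vs 64-bit, then runs that over an sshd binary and everything `ldd` says it loads, so a mixed 32/64-bit link like the one found here shows up as a single failing check. The sshd path and the `ldd` output format (`name => /path`) are assumptions; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report the ELF class (32- or
# 64-bit) of a binary and the shared libraries it links against, and fail
# if they are mixed. Assumes ELF objects and an ldd that prints "lib => /path".

# Print "32", "64" or "none" for FILE by checking the ELF magic (0x7f 'E' 'L'
# 'F') and then the EI_CLASS byte at offset 4 (1 = ELFCLASS32, 2 = ELFCLASS64).
elf_class() {
    f=$1
    set -- $(od -An -tu1 -N5 "$f" 2>/dev/null)
    if [ "$1 $2 $3 $4" != "127 69 76 70" ]; then
        echo none
        return 1
    fi
    case $5 in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo none; return 1 ;;
    esac
}

# Print "class path" for every file given and return 1 when more than one
# ELF class is present (the 32-bit OpenSSL beside 64-bit zlib situation).
check_classes() {
    seen=
    for f in "$@"; do
        c=$(elf_class "$f") || true
        echo "$c $f"
        case " $seen " in
            *" $c "*) ;;
            *) seen="$seen $c" ;;
        esac
    done
    set -- $seen
    [ $# -le 1 ]
}

# Run the check over an sshd binary plus its runtime dependencies.
# Solaris and Linux ldd both print "libfoo.so.1 => /path/libfoo.so.1 ...".
# The default binary path is an assumption.
check_sshd_deps() {
    bin=${1:-/usr/local/sbin/sshd}
    libs=$(ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }')
    check_classes "$bin" $libs
}

# Usage: sh elfclass.sh /usr/local/sbin/sshd
# Exit status is 1 if the binary and its libraries are not all one class.
if [ $# -gt 0 ]; then
    check_sshd_deps "$1"
fi
```

On Solaris, `ldd` on a 64-bit sshd that was linked against a 32-bit libcrypto will list the wrong-class library (or fail to resolve it), and this check flags it; a library that passes the magic test but reports `none` is worth a closer look, since the header itself is damaged.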

For a sanity check I went and grabbed OpenSSH 3.6p1 and built it 64-bit using the most recent OpenSSL. Wouldn't you know it, it works perfectly.

Note: Somewhere in the process I decided that it was probably annoying to users who might need to ssh into the machine if sshd kept going up and down, or was in debug mode, so I started up a daemon on port 22 and then moved my testing to another port. Simple to do by setting Port in sshd_config and using ssh -p <port> <host>. Should have probably started there, but I kept thinking "it's going to work this time."

Right now I'm glad I got SSH service restored on the machine, even though it is an older version (not as old as the 3.1p1 that was on the machine before I started).

I guess in some ways I'm back where I started . . . now I've got to figure out what exactly is causing the problem.

Posted by mike at September 17, 2003 6:21 PM