September 17, 2003
Wasting Time with OpenSSH Upgrade
Since the buzz started yesterday afternoon about the OpenSSH vulnerability I've been working on getting machines updated.
I have four flavors of boxes that are running sshd: OS X, Linux, Solaris 8 with 32-bit libraries, and Solaris with a mix of 32-bit and 64-bit applications/libraries. I figured I'd wait for Apple to release the OS X update and started on Linux . . . no problems. Creating a package for Solaris 32-bit was also a snap. Then I started on the 64-bit (around 8 last night).
Assuming everything would go as it had on my previous installs, I configured, compiled, built and installed a package for OpenSSH 3.7p1. When it was all running I attempted to ssh to the machine and after entering my password got a message:
Connection to finch.hsdb.tufts.edu closed.
I fiddled for a bit, turned on debugging and discovered one, not very helpful, message in the debug dump of the daemon:
debug1: Received SIGCHLD.
Not terribly useful. Didn't find much on Google either, a few different threads about the shell sending the signal because of corrupt libraries.
It was midnight and I had to be up early, so I fiddled with the sshd_config file a bit and with UseLogin set to yes I could actually get a shell going. Unfortunately the environment was all messed up: no X11 forwarding, PATH all messed up. But I figured it would do for the few people who need ssh on the machine. Supposedly, UseLogin is for old systems where sshd doesn't know how to authenticate or set up a login session.
During the night I thought about the corrupt libraries thing and first thing this morning checked out the libraries OpenSSH uses. zlib was 64-bit, OpenSSL was a few versions old and 32-bit. Grabbed a new version of OpenSSL and tried to build OpenSSH 3.7p1 64-bit, hoping the problem would be solved. No luck.
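The library check described above, as an added example that is not part of the original post: a small POSIX shell script that reports the ELF word size of an sshd binary and of every shared library `ldd` resolves for it, so a 64-bit build that silently picked up a 32-bit OpenSSL or zlib stands out. It assumes `file` and `ldd` are present with their usual output formats; the sample `file` lines embedded at the bottom are constructed, not taken from the author's machine.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the ELF word size of an
# sshd binary and of every shared library it resolves, so a 64-bit build that
# picked up a 32-bit libcrypto or libz stands out. Assumes `file` and `ldd`
# with the usual "lib => /path (0x...)" output; the sample lines are constructed.

# Map one line of `file` output to 32, 64 or unknown.
elf_bits() {
    case "$1" in
        *"ELF 64-bit"*) echo 64 ;;
        *"ELF 32-bit"*) echo 32 ;;
        *)              echo unknown ;;
    esac
}

# Read `file` lines on stdin, print "path bits" for each, and return 1 if the
# objects do not all share the word size of the first one (the executable).
report_bitness() {
    expected=""
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%%:*}
        bits=$(elf_bits "$line")
        printf '%s %s\n' "$path" "$bits"
        if [ -z "$expected" ]; then
            expected=$bits
        elif [ "$bits" != "$expected" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Live check: `file` on the binary, then on each library ldd resolves.
# Usage: sshd_file_lines /usr/local/sbin/sshd | report_bitness
sshd_file_lines() {
    file -L "$1"
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
        while IFS= read -r lib; do file -L "$lib"; done
}

# Constructed sample resembling the post's setup: 64-bit sshd and zlib, 32-bit OpenSSL.
SAMPLE_FILE_OUTPUT='/usr/local/sbin/sshd: ELF 64-bit MSB executable SPARCV9 Version 1
/usr/local/lib/libz.so.1: ELF 64-bit MSB dynamic lib SPARCV9 Version 1
/usr/local/ssl/lib/libcrypto.so.0.9.6: ELF 32-bit MSB dynamic lib SPARC Version 1'

# Runs the report on the constructed sample; returns 1 because of the mismatch.
demo() {
    printf '%s\n' "$SAMPLE_FILE_OUTPUT" | report_bitness
}
```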
For a sanity check I went and grabbed OpenSSH 3.6p1, built it 64-bit using the most recent OpenSSL. Wouldn't you know it, works perfectly.
Note: Somewhere in the process I decided that it was probably annoying to users who might need to ssh into the machine if sshd kept going up and down, or was in debug mode so I started up a daemon on port 22 and then moved my testing to another port. Simple to do by setting Port in sshd_config and using ssh -p <
Right now I'm glad I got SSH service restored on the machine, even though it is an older version (not as old as the 3.1p1 that was on the machine before I started).
I guess in some ways I'm back where I started . . . now got to figure out what exactly is causing the problem.
Posted by mike at September 17, 2003 6:21 PM