
How to update SSH on 5.0.7 to OpenSSH 6.7p1?


Steve M. Fabac Jr.

Dec 29, 2014, 11:41:07 AM12/29/14
The OpenSSH supplied with 5.0.7 fails the PCI scan:

> 11 of the 13 fail points on this PCI scan are for the unix box at port 22

What is the recommended way to upgrade the 5.0.7 included version of
SSH with OpenSSH 6.7?



mbennett

Dec 30, 2014, 3:47:23 PM12/30/14
Steve,
I never figured out a way to do it. I tried several years ago, downloaded the source and tried to compile it and it failed. I'm just not knowledgeable enough to debug it, but I know I never got around it. I don't even have notes on it any more. Because of the SCO vs. Linux wars, not many people in the open source community wanted to do anything to keep SCO current.

Are you running 'patchck' on your server?

Mark

Steve M. Fabac Jr.

Dec 31, 2014, 4:58:16 AM12/31/14
Mark,

Yeah, I've run patchck but there is nothing listed concerning SSH.

I have downloaded openssh-6.7p1.tar, openssl-0.9.8i.tar, openssl-0.9.8zc.tar,
and openssl-1.0.1j.tar.

I'm not sure why I started with openssl-0.9.8i.tar (done several days ago
when .config in /iso/openssh-6.7p1 failed with:

> checking whether snprintf can declare const char *fmt... yes
> checking whether system supports SO_PEERCRED getsockopt... no
> checking whether getpgrp requires zero arguments... yes
> checking OpenSSL header version... 0090709f (OpenSSL 0.9.7i 14 Oct 2005)
> checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required

So at the time, I found openssl-0.9.8i and noted that it is > 0.9.8f and so started
there.

I worked through the errors thrown by make in openssl-0.9.8i so that it compiles:

> ./configure
>
> ...
> ssltest.c => ../test/ssltest.c
> making links in engines...
> making links in apps...
> making links in test...
> making links in tools...
> generating dummy tests (if needed)...
>
> Configured for sco5-gcc.
>
> The library could not be configured for supporting multi-threaded
> applications as the compiler options required on this system are not known.
> See file INSTALL for details if you need multi-threading.
> #

And then make:

> * ./make
> ...
> gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-f
> rame-pointer -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_AS
> M -DRMD160_ASM -DAES_ASM -c ui_lib.c
> gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-f
> rame-pointer -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_AS
> M -DRMD160_ASM -DAES_ASM -c ui_openssl.c
> In file included from /usr/include/posix/signal.h:35,
> from /usr/include/signal.h:11,
> from ui_openssl.c:126:
> /usr/include/sys/signal.h:175: syntax error before `siginfo_t'
> *** Error code 1 (bu21)
> *** Error code 1 (bu21)
> *** Error code 1 (bu21)
> #

Googling on "/usr/include/sys/signal.h:175: syntax error before `siginfo_t'"

found at http://preview.tinyurl.com/ngpxmrl

> Instead of patching sys/signal.h you could patch crypto/ui/ui_openssl.c
> to comment out the "#define _POSIX_C_SOURCE 1" line.
> That will allow OpenServer 5 to include sys/siginfo.h where siginfo_t is.
> I don't have time right now to come up with a "correct" solution that
> will not break other platforms.
...
> I just tried gcc. (don't need no-sha512 w/ gcc)
> All tests pass
>
> --
> Tim Rice Multitalents (707) 887-1469

After the above hack to crypto/ui/ui_openssl.c ./make finished with:

H -O3 -fomit-frame-pointer -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA
1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM}"; \
LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null
2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; \
LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; \
LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH \
${LDCMD} ${LDFLAGS} -o ${APPNAME:=dummytest} dummytest.o ${LIBDEPS}
)
making all in tools...
#


Then run "make test"

# make test

...
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
10 handshakes of 256 bytes done
Approximate total server time: 0.61 s
Approximate total client time: 1.51 s
Test IGE mode
../util/shlib_wrap.sh ./igetest
util/opensslwrap.sh version -a
OpenSSL 0.9.8i 15 Sep 2008
built on: Wed Dec 24 08:41:48 CST 2014
platform: sco5-gcc
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowf
ish(idx)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -DOPENSSL_BN_A
SM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"
#
# cd apps
# ./openssl
OpenSSL> version
OpenSSL 0.9.8i 15 Sep 2008
OpenSSL>

Make install populates /usr/local/ssl:

# ls -lt /usr/local/ssl
total 34
drwxr-xr-x 2 root sys 512 Dec 27 02:31 bin
drwxr-xr-x 4 root sys 512 Dec 27 02:31 lib
drwxr-xr-x 2 root sys 512 Dec 27 02:31 misc
-rw-r--r-- 1 root sys 9374 Dec 27 02:31 openssl.cnf
drwxr-xr-x 2 root sys 512 Dec 27 02:31 certs
drwxr-xr-x 3 root sys 512 Dec 27 02:31 include
drwxr-xr-x 2 root sys 512 Dec 27 02:31 private
drwxr-xr-x 6 root sys 512 Dec 27 02:26 man
#

Then with openssl-0.9.8i installed you can run ./configure in ../openssh-6.7p1
as ./configure --with-ssl-dir=/usr/local/ssl
and see:

...
checking whether snprintf correctly terminates long strings... yes
checking whether vsnprintf returns correct values on overflow... no
configure: WARNING: ****** Your vsnprintf() function is broken, complain to your
checking whether snprintf can declare const char *fmt... yes
checking whether system supports SO_PEERCRED getsockopt... no
checking whether getpgrp requires zero arguments... yes
checking OpenSSL header version... 0090809f (OpenSSL 0.9.8i 15 Sep 2008)
checking OpenSSL library version... 0090809f (OpenSSL 0.9.8i 15 Sep 2008)
checking whether OpenSSL's headers match the library... yes
checking if programs using OpenSSL functions will link... yes
...
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
(If PATH is set in /etc/default/login it will be used instead. If
used, ensure the path to scp is present, otherwise scp will not work.)
Manpage format: man
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit

Host: i686-pc-sco3.2v5.0.7
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
Preprocessor flags: -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib
Libraries: -lcrypto -lz -lsocket -lprot -lx -ltinfo -lm

SVR4 style packages are supported with "make package"

WARNING: the operating system that you are using does not
appear to support getpeereid(), getpeerucred() or the
SO_PEERCRED getsockopt() option. These facilities are used to
enforce security checks to prevent unauthorised connections to
ssh-agent. Their absence increases the risk that a malicious
user can connect to your agent.

$ /usr/local/bin/ssh -V
OpenSSH_6.7p1, OpenSSL 0.9.8i 15 Sep 2008
$


And that's where I stopped. I tested the installed /usr/local/bin/ssh and it works to
connect to the sshd running on localhost (standard OpenSSH_4.3p2).

Where I'm having trouble is how to replace the standard SCO 5.0.7 sshd with the one
I compiled without having custom -> verify software stomp all over and put the system
back to using the 5.0.7 distributed sshd and ssh.

Here is another odd part: the compiled OpenSSH_6.7p1 /usr/local/bin/ssh does not seem
to depend upon any OpenSSL libraries.

# ls -lt /usr/local/bin/ssh
-rwxr-xr-x 1 root sys 1450336 Dec 28 17:07 /usr/local/bin/ssh
#
# ldd /usr/local/bin/ssh
/usr/local/bin/ssh needs:
/usr/lib/libz.so.1
/usr/lib/libsocket.so.2
/lib/libprot.so.1
/usr/lib/libcurses.so.1
/usr/lib/libm.so.1
/usr/lib/libc.so.1
#

# ls -l /usr/lib/libz.so.1 /usr/lib/libsocket.so.2 /lib/libprot.so.1 \
/usr/lib/libcurses.so.1 /usr/lib/libm.so.1 /usr/lib/libc.so.1

lrwxrwxrwx 1 root root 40 Apr 12 2012 /lib/libprot.so.1 -> /opt/K/SCO/Unix/5.0.7Hw/lib/libprot.so.1
lrwxrwxrwx 1 root root 41 Apr 12 2012 /usr/lib/libc.so.1 -> /opt/K/SCO/Unix/5.0.7Hw/usr/lib/libc.so.1
lrwxrwxrwx 1 root root 46 Apr 12 2012 /usr/lib/libcurses.so.1 -> /opt/K/SCO/Unix/5.0.7Hw/usr/lib/libcurses.so.1
lrwxrwxrwx 1 root root 41 Apr 12 2012 /usr/lib/libm.so.1 -> /opt/K/SCO/Unix/5.0.7Hw/usr/lib/libm.so.1
lrwxrwxrwx 1 root root 46 Apr 12 2012 /usr/lib/libsocket.so.2 -> /opt/K/SCO/Unix/5.0.7Hw/usr/lib/libsocket.so.2
lrwxrwxrwx 1 root sys 44 Apr 12 2012 /usr/lib/libz.so.1 -> /opt/K/SCO/gwxlibs/2.1.0Ce/usr/lib/libz.so.1

# ls -lt /usr/bin/ssh
lrwxrwxrwx 1 root sys 34 Apr 12 2012 /usr/bin/ssh -> /opt/K/SCO/ssh/6.0.0Ha/usr/bin/ssh

# l -l /usr/bin/ssh
-rwxr-xr-x 1 bin bin 258752 Aug 22 2006 /usr/bin/ssh@

# ldd /usr/bin/ssh
/usr/bin/ssh needs:
/usr/lib/libcrypto.so.0.9.7
/usr/lib/libz.so.1
/usr/lib/libsocket.so.2
/lib/libprot.so.1
/usr/lib/libc.so.1

So the size of the 5.0.7 /usr/bin/ssh is 258,752 while my compiled /usr/local/bin/ssh is 1,450,336.
Looks like the libcrypto functions provided by OpenSSL are statically linked into the ELF? (WTF)

# file /usr/bin/ssh /usr/local/bin/ssh
/usr/bin/ssh: ELF 32-bit LSB executable 80386, dynamically linked, stripped, no debug

/usr/local/bin/ssh: ELF 32-bit LSB executable 80386, dynamically linked, stripped, no debug


# ls -lt /etc/sshd
lrwxrwxrwx 1 root sys 31 Apr 12 2012 /etc/sshd -> /opt/K/SCO/ssh/6.0.0Ha/etc/sshd

# l -l /etc/sshd /usr/local/sbin/sshd
-rwxr-xr-x 1 bin bin 308640 Aug 22 2006 /etc/sshd@
-rwxr-xr-x 1 root sys 1519632 Dec 28 17:07 /usr/local/sbin/sshd
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670

mbennett

Dec 31, 2014, 12:53:51 PM12/31/14
On Monday, December 29, 2014 10:41:07 AM UTC-6, Steve M. Fabac Jr. wrote:
You got a lot further than I ever did. Once you have this one working and make it available, take a crack at an updated version of Samba please. :-)

I have a few users still on SCO, but they're all behind firewalls, only accessible with VPNs. As the systems die and applications are no longer supported, they're moving off to newer platforms.

Mark

Steve M. Fabac Jr.

Jan 24, 2015, 1:37:47 PM1/24/15
Mark,

I successfully compiled OpenSSL-0.9.8i and openSSH-6.7p1. I ran the make
package command in the openssh development directory and created
openssh-6.7p1-sco507.pkg.

The package installs with "cat openssh-6.7p1-sco507.pkg | pkgadd -d - " on
both SCO 5.0.6 and 5.0.7.

> The following packages are available:
> 1 OpenSSH OpenSSH Portable for OpenServer5
> (i386) OpenSSH_6.7p1

5.0.6 requires prngd and zlib to be pre-installed and working before
installation of the package.

5.0.6 requires a symlink: /var/run/egd.pool -> /usr/local/var/prngd/prngd-pool

5.0.7 requires zlib to be pre-installed before the package installation.

Both 5.0.6 and 5.0.7 require /etc/default/accounts to be modified prior
to the package installation; it may then be set back to the default 200. This
allows the UID 67 to be assigned to the sshd user account:

> During the pre-authentication phase sshd will chroot to "/var/empty"
> and change its privileges to the "sshd" user and its primary group.
> "sshd" is a pseudo-account that should not be used by other daemons,
> and must be locked and should contain a "nologin" or invalid shell.
> "/var/empty" should not contain any files.

USER_TYPE=individual
MIN_ADMIN_UID=200 <-- Change to 50 before pkgadd
MAX_ADMIN_UID=60000
MIN_SUGGEST_UID=200 <-- Change to 50 before pkgadd
MAX_SUGGEST_UID=60000

Pkgadd creates /etc/init.d/opensshd with symlinks created from
/etc/rc2.d/S98opensshd and /etc/rc0.d/K30opensshd for start up and
shutdown.

I've modified /etc/init.d/opensshd to account for the problem
with luid being set to root when /etc/rc2.d/S98opensshd is run by
root when the machine is up:

> #!/sbin/sh
> # Donated code that was put under PD license.
> #
> # Stripped PRNGd out of it for the time being.
>
> umask 022
>
> CAT=/bin/cat
> KILL=/bin/kill
> LD_LIBRARY_PATH=/usr/local/bin
> export LD_LIBRARY_PATH
>
> prefix=/usr/local
> sysconfdir=${prefix}/etc/ssh.d
> piddir=/var/run
>
> SSHD=$prefix/sbin/sshd
...
> start_service() {
> # XXX We really should check if the service is already going, but
> # XXX we will opt out at this time. - Bal
>
> # Check to see if we have keys that need to be made
> checkkeys
>
> # check to see if we have been started on boot up
> [ $$ -le 700 ] && {
> # Start SSHD
> echo "starting $SSHD... \c" ; $SSHD
> } || {
> # Start SSHD
> echo "starting $SSHD... \c" ; sd sshd
> }

This requires a change to /tcb/files/no_luid/cmdfiles to change the
SCO supplied sshd ID target from /bin/sshd to Openssh 6.7p1 target
of /usr/local/sbin/sshd:

# less /tcb/files/no_luid/cmdtable
cron:/etc/cron:cron
ct:/usr/lib/uucp/ct:*
utmp_getty:/etc/utmp_getty:root
tcp:/etc/tcp:sysadmin
xdm:/usr/bin/X11/xdm:sysadmin
sshd:/usr/local/sbin/sshd:root
#sshd:/etc/sshd:root
inetd:/etc/inetd:sysadmin
sendmail:/etc/init.d/sendmail:sysadmin
(END)

The test [ $$ -le 700 ] is not needed for 5.0.7 as the 5.0.7 inittab starts
sdd before processing any run level files (rc2.d/*, rc3.d/*, etc.)
on boot up. 5.0.6 delays the start of sdd until later in the boot up
process. The hack just identifies that /etc/rc2.d/S98opensshd is running
from the initial boot up and calls $SSHD.
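A post-install check for the package procedure above, added here as an example (it is not code from the thread or from the OpenSSH package): it verifies that the version a scanner sees on port 22 meets a minimum, that the no_luid cmdtable maps sshd to the rebuilt binary, and that an /etc/default/accounts file would let pkgadd assign UID 67. File paths and banner strings are passed as arguments so the checks run against constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Each check takes its input as an
# argument or file path so it can run against sample data or the live system.

# Print the numeric "major.minor" of the OpenSSH version in a banner or
# "ssh -V" line, e.g. "SSH-2.0-OpenSSH_4.3p2" -> "4.3"; prints nothing if absent.
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeed when "major.minor" $1 is at least "major.minor" $2 (numeric compare,
# so 6.10 >= 6.7 is handled correctly).
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] 2>/dev/null ||
        { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; } 2>/dev/null
}

# Succeed when banner/"ssh -V" text $1 reports at least OpenSSH version $2,
# i.e. the daemon answering on port 22 is the rebuilt one, not the old 4.3p2.
banner_meets_minimum() {
    v=$(ssh_version_of "$1")
    [ -n "$v" ] && version_ge "$v" "$2"
}

# Succeed when the no_luid cmdtable $1 has an active (uncommented) sshd entry
# pointing at binary $2 with target user root.
cmdtable_sshd_ok() {
    grep "^sshd:$2:root\$" "$1" >/dev/null 2>&1
}

# Succeed when the /etc/default/accounts-style file $1 permits UID $2, i.e.
# MIN_ADMIN_UID <= uid <= MAX_ADMIN_UID and likewise for the SUGGEST range.
accounts_allow_uid() {
    for key in ADMIN SUGGEST; do
        min=$(sed -n "s/^MIN_${key}_UID=\([0-9]*\).*/\1/p" "$1")
        max=$(sed -n "s/^MAX_${key}_UID=\([0-9]*\).*/\1/p" "$1")
        [ -n "$min" ] && [ -n "$max" ] &&
            [ "$2" -ge "$min" ] && [ "$2" -le "$max" ] || return 1
    done
}

# Constructed sample banners mirroring the thread's before/after versions.
SAMPLE_OLD_BANNER='SSH-2.0-OpenSSH_4.3p2'
SAMPLE_NEW_BANNER='OpenSSH_6.7p1, OpenSSL 0.9.8i 15 Sep 2008'
```

On a live host the banner would come from `/usr/local/bin/ssh -V 2>&1` or from the string the listening daemon sends on port 22, and the file arguments would be /tcb/files/no_luid/cmdtable and /etc/default/accounts.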

mbennett

Jan 27, 2015, 9:30:47 PM1/27/15
Steve,
Thanks for providing this and doing all the research. I'm going to try it on my system, but it might be a few days before I get a chance.
Mark