OpenSSH 7.3p1 build: configure only finds the old version of the OpenSSL library

Jda*_*ian 5 linux openssl openssh build rhel5

I am trying to build OpenSSH 7.3p1 on a Linux machine that has an old OpenSSL version installed.

First, I successfully compiled OpenSSL 1.0.2h and installed it in /opt/openssh-1.0.2h, rather than in /usr, where the old OpenSSL version is located.

tar xzf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/opt/openssl-1.0.2h shared
make depend
make
make test
make install

Then I moved on to OpenSSH:

tar xzf openssh-7.3p1.tar.gz
cd openssh-7.3p1
./configure --prefix=/opt/openssh-7.3p1 --with-openssl=/opt/openssl-1.0.2h

The configure script fails with the following error message:

checking OpenSSL header version... 0090802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")

The same message is shown if I use --with-ssl-dir=/opt/openssl-1.0.2h/ssl

The tool findssl.sh (located in the contrib subdirectory) correctly finds all OpenSSL versions. The comments inside it suggest using CFLAGS to point to the desired libraries - I quote:

# Now run findssl.sh. This should identify the headers and libraries
# present  and  their  versions.  You  should  be  able  to identify the
# libraries  and headers used and adjust your CFLAGS or remove incorrect
# versions.  The  output will show OpenSSL's internal version identifier
# and should look something like:

Then I tried

./configure CFLAGS="-I/opt/openssl-1.0.2h/include" --prefix=/opt/openssh-7.3p1  --with-openssl=/opt/openssl-1.0.2h

This seems to work, as it finds the new OpenSSL header version:

checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h  3 May 2016)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")

The next step is to provide further options to locate the library files. But if I add LDFLAGS='-L/opt/openssl-1.0.2h/lib' or --with-ldflags='-L/opt/openssl-1.0.2h/lib', this is what I get:

checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.

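In short, I don't know how to make configure use the new OpenSSL libraries.

Update 1: If --with-ldflags='-L/opt/openssl-1.0.2h/ssl' is used instead of ···openssl-1.0.2h/lib, then the header version check works properly (see a few lines above), but the library version check still fails.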

Update 2: I traced the problem and found that it is related to shared libraries. From the config.log file I obtained the source code files conftest.c and confdef.h, and the options used to build the runnable conftest:

#include "confdefs.h"
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"

int
main ()
{

  FILE *fd;
  int rc;

  fd = fopen(DATA,"w");
  if (fd == NULL)
     exit(1);

  if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
                    SSLeay_version(SSLEAY_VERSION))) < 0)
     exit(1);

  exit(0);
}

This program stores the OpenSSL version as text in the file conftest.ssllibver. For debugging purposes, I changed fprint(fd, to print( so that the data is printed to the terminal.

The command line used to build the conftest program is:

# gcc -o conftest -I/opt/openssl-1.0.2h/include -Wall \
-Wpointer-arith -Wsign-compare -Wformat-security -Wno-pointer-sign \
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset \
-fstack-protector-all -std=gnu99 -fPIE -Wl,-z,relro -Wl,-z,now \
-Wl,-z,noexecstack -fstack-protector-all -pie conftest.c \
-lcrypto -lrt -ldl -lutil -lz

# ldd conftest |grep libcrypto
       libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)

The old OpenSSL library is used.

When -L/opt/openssl-1.0.2h/lib is added as an argument, conftest cannot run because the dynamic loader (ld.so) does not find libcrypto.so.1.0.0:

# ./conftest
./conftest: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
# ldd conftest | grep libcrypto
        libcrypto.so.1.0.0 => not found

But when I make the LD_LIBRARY_PATH environment variable point to /opt/openssl-1.0.2h/lib, the dynamic loader finds the library file libcrypto.so.1.0.0, so the conftest executable works properly - it uses the new OpenSSL library:

# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./conftest
1000208f (OpenSSL 1.0.2h  3 May 2016)
# ldd conftest
        libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)

Jda*_*ian 3

Export the environment variable LD_LIBRARY_PATH, which must hold the directory where the new OpenSSL library files are located, and then run the configure script:

# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./configure CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"

Both commands can also be combined into one:

# LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib ./configure \
CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"

This is the result:

OpenSSH has been configured with the following options:
                     User binaries: /opt/openssh-7.3p1/bin
                   System binaries: /opt/openssh-7.3p1/sbin
               Configuration files: /opt/openssh-7.3p1/etc
                   Askpass program: /opt/openssh-7.3p1/libexec/ssh-askpass
                      Manual pages: /opt/openssh-7.3p1/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh-7.3p1/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support: 
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -I/opt/openssl-1.0.2h/include -Wall -Wpointer-arith -Wsign-compare \
                    -Wformat-security -Wno-pointer-sign -fno-strict-aliasing \
                    -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all \
                    -std=gnu99 -fPIE 
Preprocessor flags: 
      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all \
                     -L/opt/openssl-1.0.2h/lib -pie
         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

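Using LD_LIBRARY_PATH is strongly recommended in the subsequent steps, make and make install; otherwise make install will fail, because the ssh-keygen command is run to generate the new host keys and it will not find the new OpenSSH library files: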

mkdir /opt/openssh-7.3p1/etc
./ssh-keygen: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
make: *** [host-key] Error 127
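
An added example, not part of the original question or answer: a POSIX shell check that classifies how libcrypto resolves in `ldd` output, covering the three cases seen above (old system library, "not found", new library under /opt). The function names are hypothetical and the sample lines are constructed, modelled on the `ldd` output quoted in the question.

```shell
#!/bin/sh
# Added example: classify how libcrypto resolves in `ldd` output.

# Library directory the build is expected to use (path taken from this page).
EXPECTED_LIBDIR="/opt/openssl-1.0.2h/lib"

# classify_libcrypto LIBDIR   (reads `ldd` output on stdin)
# Prints one of: ok | wrong-path | not-found | not-linked
classify_libcrypto() {
    awk -v libdir="$1" '
        $1 ~ /^libcrypto\.so/ {
            seen = 1
            if ($3 == "not" && $4 == "found") { result = "not-found" }
            else if (index($3, libdir "/") == 1) { result = "ok" }
            else { result = "wrong-path" }
        }
        END { print (seen ? result : "not-linked") }'
}

# check_binary FILE: run ldd on a binary you built and classify the result.
check_binary() {
    ldd "$1" 2>/dev/null | classify_libcrypto "$EXPECTED_LIBDIR"
}

# Constructed samples, modelled on the three ldd lines quoted in the question.
sample_old() {
    echo '       libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)'
}
sample_missing() {
    echo '        libcrypto.so.1.0.0 => not found'
}
sample_new() {
    echo '        libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)'
}

# Demo: print the classification of each constructed sample.
for s in sample_old sample_missing sample_new; do
    printf '%-15s %s\n' "$s" "$($s | classify_libcrypto "$EXPECTED_LIBDIR")"
done
```

Running `check_binary ./ssh-keygen` in the build tree once with LD_LIBRARY_PATH exported and once without shows which of these states the freshly built binary is in.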