* [Buildroot] [PATCH] package/openssh: add libxcrypt optional dependency for sshd
From: Romain Naour @ 2024-04-18 10:15 UTC
To: buildroot; +Cc: Romain Naour
When glibc was bumped to version 2.39 in commit
b5680f53d60acf8ff6010082f873438a39bd5d97 it removed the deprecated
libcrypt support.

As glibc's libcrypt was providing sshd's libcrypt dependency this broke
the sshd password authentication at runtime using glibc version 2.39.

# sshpass -p testpwd ssh -oStrictHostKeyChecking=no localhost /bin/true
Permission denied, please try again.

Without libcrypt, OpenSSH >= 6.2 falls back to using openssl's DES_crypt
function on platforms that don't have a native crypt() function [1].

Note that DES_crypt is deprecated since openssl 3.0 [2] [3].

"Use of the low level DES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions."

Also DES_crypt is provided by openssl only if
BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is enabled. Otherwise crypt() is
never defined:

sd-compat.a(xcrypt.o): in function `xcrypt':
xcrypt.c:(.text+0x48): undefined reference to `crypt'

It's not clear why the password authentication fails with openssl's
DES_crypt but since it's deprecated we use libxcrypt to provide
a working crypt() function for glibc based toolchains.

[1] https://github.com/openssh/openssh-portable/blob/V_9_7/openbsd-compat/xcrypt.c#L57
[2] https://github.com/openssl/openssl/commit/c6fec81b88131d08c1022504ccf6effa95497afb
[3] https://www.openssl.org/docs/man3.2/man3/DES_crypt.html

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/6623402147

Signed-off-by: Romain Naour <romain.naour@smile.fr>
---
package/openssh/Config.in | 1 +
package/openssh/openssh.mk | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/package/openssh/Config.in b/package/openssh/Config.in
index 08d3c7d391..25843447a7 100644
--- a/package/openssh/Config.in
+++ b/package/openssh/Config.in
@@ -22,6 +22,7 @@ config BR2_PACKAGE_OPENSSH_CLIENT
config BR2_PACKAGE_OPENSSH_SERVER
bool "server"
default y
+ select BR2_PACKAGE_LIBXCRYPT if BR2_TOOLCHAIN_USES_GLIBC
help
Server programs: sshd, sftp-server
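Review bot: The added `select BR2_PACKAGE_LIBXCRYPT if BR2_TOOLCHAIN_USES_GLIBC` under BR2_PACKAGE_OPENSSH_SERVER makes libxcrypt a forced dependency on every glibc toolchain, which does not match the "optional dependency" wording of the subject and is wider than the glibc 2.39 case the commit message describes. Either reword the subject, or say in the commit message why the select is not limited to glibc versions that dropped libcrypt. A short comment next to the select stating that it provides crypt() for sshd password authentication would also help the next reader.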
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index f0b499590a..d7f4db59ca 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -45,6 +45,11 @@ endif
OPENSSH_DEPENDENCIES = host-pkgconf zlib openssl
+# crypt() in libcrypt only required for sshd.
+ifeq ($(BR2_PACKAGE_OPENSSH_SERVER)$(BR2_PACKAGE_LIBXCRYPT),yy)
+OPENSSH_DEPENDENCIES += libxcrypt
+endif
+
ifeq ($(BR2_PACKAGE_CRYPTODEV_LINUX),y)
OPENSSH_DEPENDENCIES += cryptodev-linux
OPENSSH_CONF_OPTS += --with-ssl-engine
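Review bot: The `ifeq ($(BR2_PACKAGE_OPENSSH_SERVER)$(BR2_PACKAGE_LIBXCRYPT),yy)` block only orders the build; nothing in this hunk makes the build fail if configure still does not find crypt() and sshd ends up on the DES_crypt fallback, which the commit message reports as a runtime "Permission denied" rather than a build error. Please state how the result was verified, for example with the sshpass command from the commit message on a glibc 2.39 target. Also note that this condition does not repeat the BR2_TOOLCHAIN_USES_GLIBC test from Config.in, so a non-glibc configuration with BR2_PACKAGE_LIBXCRYPT enabled will build sshd against libxcrypt too; say in the comment whether that is intended.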
--
2.44.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/openssh: add libxcrypt optional dependency for sshd
From: Romain Naour @ 2024-04-30 21:43 UTC
To: buildroot
On 18/04/2024 at 12:15, Romain Naour wrote:
> When glibc was bumped to version 2.39 in commit
> b5680f53d60acf8ff6010082f873438a39bd5d97 it removed the deprecated
> libcrypt support.
>
> As glibc's libcrypt was providing sshd's libcrypt dependency this broke
> the sshd password authentication at runtime using glibc version 2.39.
>
> # sshpass -p testpwd ssh -oStrictHostKeyChecking=no localhost /bin/true
> Permission denied, please try again.
>
> Without libcrypt, OpenSSH >= 6.2 falls back to using openssl's DES_crypt
> function on platforms that don't have a native crypt() function [1].
>
> Note that DES_crypt is deprecated since openssl 3.0 [2] [3].
>
> "Use of the low level DES functions has been informally discouraged for a
> long time. We now formally deprecate them.
>
> Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
> EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
> functions."
>
> Also DES_crypt is provided by openssl only if
> BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is enabled. Otherwise crypt() is
> never defined:
>
> sd-compat.a(xcrypt.o): in function `xcrypt':
> xcrypt.c:(.text+0x48): undefined reference to `crypt'
>
> It's not clear why the password authentication fails with openssl's
> DES_crypt but since it's deprecated we use libxcrypt to provide
> a working crypt() function for glibc based toolchains.
>
> [1] https://github.com/openssh/openssh-portable/blob/V_9_7/openbsd-compat/xcrypt.c#L57
> [2] https://github.com/openssl/openssl/commit/c6fec81b88131d08c1022504ccf6effa95497afb
> [3] https://www.openssl.org/docs/man3.2/man3/DES_crypt.html
>
> Fixes:
> https://gitlab.com/buildroot.org/buildroot/-/jobs/6623402147
>
> Signed-off-by: Romain Naour <romain.naour@smile.fr>
> ---
> package/openssh/Config.in | 1 +
> package/openssh/openssh.mk | 5 +++++
> 2 files changed, 6 insertions(+)
>
> diff --git a/package/openssh/Config.in b/package/openssh/Config.in
> index 08d3c7d391..25843447a7 100644
> --- a/package/openssh/Config.in
> +++ b/package/openssh/Config.in
> @@ -22,6 +22,7 @@ config BR2_PACKAGE_OPENSSH_CLIENT
> config BR2_PACKAGE_OPENSSH_SERVER
> bool "server"
> default y
> + select BR2_PACKAGE_LIBXCRYPT if BR2_TOOLCHAIN_USES_GLIBC
> help
> Server programs: sshd, sftp-server
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index f0b499590a..d7f4db59ca 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -45,6 +45,11 @@ endif
>
> OPENSSH_DEPENDENCIES = host-pkgconf zlib openssl
>
> +# crypt() in libcrypt only required for sshd.
> +ifeq ($(BR2_PACKAGE_OPENSSH_SERVER)$(BR2_PACKAGE_LIBXCRYPT),yy)
> +OPENSSH_DEPENDENCIES += libxcrypt
> +endif
> +
> ifeq ($(BR2_PACKAGE_CRYPTODEV_LINUX),y)
> OPENSSH_DEPENDENCIES += cryptodev-linux
> OPENSSH_CONF_OPTS += --with-ssl-engine
Applied to master, thanks.
Best regards,
Romain