Installing OpenSSH and OpenSSL from ports*

* Note that this is an old article saved from a previous blog.

I had a few FreeBSD machines still running an old version of OpenSSH and OpenSSL, so it was about time to upgrade these to the latest version.

These were the current versions of OpenSSH and OpenSSL that I was running:

trouble@sun:$ openssl version
OpenSSL 0.9.7b 04 apr 2004
root@server:~# ssh -V
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7b 04 apr 2004

There are multiple ways of upgrading these packages on FreeBSD; here I point out the way I like to use. The first thing to do is set up telnetd so I can access the server using telnet; this way I won't be locked out if something goes wrong while updating OpenSSH to the latest version. (This is not needed if you do the upgrade locally, but for me it saves a 40 km trip to the colo.) Keep in mind that telnet sends the login and everything after it in cleartext, so only enable it for the duration of the upgrade and switch it off again afterwards.
Edit /etc/inetd.conf and enable the telnetd server:

trouble@sun:$ vi /etc/inetd.conf
Find the line:
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
And change it to:
telnet stream tcp nowait root /usr/libexec/telnetd telnetd

Then add inetd to rc.conf so it starts at boot time (so you can power-cycle the server if needed and still get in over telnet).

trouble@sun:$ vi /etc/rc.conf
Here add:
#———————————–
inetd_enable="YES"
inetd_program="/usr/sbin/inetd"
inetd_flags="-wW -C 60"
#———————————–

Now we need to start inetd and see if it works:

trouble@sun:$ /usr/sbin/inetd -wW -C 60

And to check that telnet works from another machine:

trouble@earth:$ telnet SERVERIP
Trying SERVERIP…
Connected to SERVERIP.
Escape character is '^]'.

FreeBSD/i386 (HOSTNAME) (ttyp7)

login:

Good, telnet is working, so now we can start the upgrade of OpenSSH and OpenSSL. Make sure you have cvsup'ed your ports tree to the latest version first. I will start with OpenSSL:

trouble@sun:$ cd /usr/ports/security/openssl
trouble@sun:$ make -DWITH_OPENSSL_PORT install

In FreeBSD 5 you can't install the OpenSSL port over the base version any more, so I back up the original files (so I can go back if anything is wrong) and link the new version in their place.

#!/bin/sh
# Move the base OpenSSL binary and libraries aside (and make them
# unexecutable), then point the old paths at the ports versions in /usr/local.
# Check with "ls /usr/local/lib/libssl.so.*" that the port really installed
# shared library version .so.3 before running this.
set -e

mv /usr/bin/openssl /usr/bin/openssl.bak
mv /lib/libcrypto.so.3 /lib/libcrypto.so.3.bak
mv /usr/lib/libssl.so.3 /usr/lib/libssl.so.3.bak

chmod 000 /usr/bin/openssl.bak
chmod 000 /lib/libcrypto.so.3.bak
chmod 000 /usr/lib/libssl.so.3.bak

# Link the ports binary and libraries into the base locations.
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/lib/libcrypto.so.3 /lib/libcrypto.so.3
ln -s /usr/local/lib/libssl.so.3 /usr/lib/libssl.so.3

Now OpenSSL should be the latest version:

root@server:~# openssl version
OpenSSL 0.9.7g 11 Apr 2005

Good, that worked; now it's time to upgrade OpenSSH:

trouble@sun:$ cd /usr/ports/security/openssh-portable
trouble@sun:$ make -DOPENSSH_OVERWRITE_BASE=yes install

After the installation you should set NO_OPENSSH=true in /etc/make.conf so the port's sshd won't be overwritten by the base one when you upgrade your system:

trouble@sun:$ echo "NO_OPENSSH=true" >> /etc/make.conf

The ports version has its binaries in /usr/local/bin while the base ssh is installed in /usr/bin. You could set your PATH to look in /usr/local/bin first, but I prefer to back up the old version and link the new one in place of the original.

#!/bin/sh
# Move the base OpenSSH binaries aside (and make them unexecutable), then
# link the ports versions in /usr/local into the base paths so anything that
# calls /usr/bin/ssh or /usr/sbin/sshd gets the new version.
# Note: ssh-keygen, ssh-add, scp, sftp and sftp-server are not touched here,
# so the base versions of those stay in use.
set -e

mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan.bak
mv /usr/libexec/ssh-keysign /usr/libexec/ssh-keysign.bak
mv /usr/bin/ssh-agent /usr/bin/ssh-agent.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak

chmod 000 /usr/bin/ssh.bak
chmod 000 /usr/bin/ssh-keyscan.bak
chmod 000 /usr/libexec/ssh-keysign.bak
chmod 000 /usr/bin/ssh-agent.bak
chmod 000 /usr/sbin/sshd.bak

ln -s /usr/local/bin/ssh /usr/bin/ssh
ln -s /usr/local/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -s /usr/local/libexec/ssh-keysign /usr/libexec/ssh-keysign
ln -s /usr/local/bin/ssh-agent /usr/bin/ssh-agent
ln -s /usr/local/sbin/sshd /usr/sbin/sshd

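Both scripts above do the same thing (move the base file aside, make it unexecutable, symlink the ports version in its place) and neither can be undone without editing by hand. Below is that step written once as a reusable function with a matching rollback. This is an added example and not part of the original post: the ROOT prefix, the function names and the apply/undo arguments are my own, while the file pairs listed at the bottom are the ones from the two scripts. ROOT lets you try it on a scratch directory before running it as root on the real machine.

```shell
#!/bin/sh
# Added example: generic "back up the base file, link the ports one in its
# place" step from the two scripts above, plus a rollback. Not from the post.
# ROOT is prepended to every path so the functions can be tried on a scratch
# tree; leave it unset when running on the real machine.
set -e
ROOT="${ROOT:-}"

# relink BASE PORT
# Moves $BASE aside as $BASE.bak with mode 000 (so the old version cannot be
# run by accident) and symlinks $PORT over the old path. Refuses to run if the
# ports file is missing, refuses to clobber an existing .bak, and is a no-op
# when the link is already in place, so it is safe to run twice.
relink() {
    base="$ROOT$1"
    port="$ROOT$2"
    if [ ! -e "$port" ]; then
        echo "relink: $port does not exist, leaving $base alone" >&2
        return 1
    fi
    if [ -L "$base" ] && [ "$(readlink "$base")" = "$port" ]; then
        return 0
    fi
    if [ -e "$base" ] && [ ! -L "$base" ]; then
        if [ -e "$base.bak" ]; then
            echo "relink: $base.bak already exists, refusing to overwrite it" >&2
            return 1
        fi
        mv "$base" "$base.bak" || return 1
        chmod 000 "$base.bak" || return 1
    fi
    ln -sf "$port" "$base"
}

# rollback BASE
# Removes the symlink and puts the .bak back, readable and executable again.
# ssh-keysign is installed setuid root in the base system; restore that bit
# by hand (chmod 4511) if you roll that one back.
rollback() {
    base="$ROOT$1"
    if [ ! -e "$base.bak" ]; then
        echo "rollback: no $base.bak to restore" >&2
        return 1
    fi
    rm -f "$base"
    mv "$base.bak" "$base" || return 1
    chmod 555 "$base"
}

# The file pairs from this post. "apply" does the relinking, "undo" reverts.
case "${1:-}" in
    apply)
        relink /usr/bin/openssl           /usr/local/bin/openssl
        relink /lib/libcrypto.so.3        /usr/local/lib/libcrypto.so.3
        relink /usr/lib/libssl.so.3       /usr/local/lib/libssl.so.3
        relink /usr/bin/ssh               /usr/local/bin/ssh
        relink /usr/bin/ssh-keyscan       /usr/local/bin/ssh-keyscan
        relink /usr/libexec/ssh-keysign   /usr/local/libexec/ssh-keysign
        relink /usr/bin/ssh-agent         /usr/local/bin/ssh-agent
        relink /usr/sbin/sshd             /usr/local/sbin/sshd
        ;;
    undo)
        for f in /usr/bin/openssl /lib/libcrypto.so.3 /usr/lib/libssl.so.3 \
                 /usr/bin/ssh /usr/bin/ssh-keyscan /usr/libexec/ssh-keysign \
                 /usr/bin/ssh-agent /usr/sbin/sshd; do
            rollback "$f"
        done
        ;;
esac
```

Run it as `sh relink.sh apply` on the real machine; `sh relink.sh undo` puts the base files back if the new sshd turns out not to work, which is the one thing the original scripts cannot do for you.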
The ports version also comes with a nice start/stop script, which I'm going to use instead of starting sshd from rc.conf. First edit /etc/rc.conf and disable the base SSH daemon:

trouble@sun:$ vi /etc/rc.conf
Add or edit:
sshd_enable="NO"
sshd_program="/usr/local/sbin/sshd"

Now move the sample sshd script into place and edit it to use your old sshd config file:

trouble@sun:$ cd /usr/local/etc/rc.d
trouble@sun:$ mv sshd.sh.sample sshd.sh
trouble@sun:$ vi sshd.sh
Find line 4 (/usr/local/sbin/sshd) and change it to:
/usr/local/sbin/sshd -f /etc/ssh/sshd_config

This tells the new sshd to use the config file in /etc/ssh/sshd_config. Before switching over, check that the new binary accepts that config and the host keys it refers to with /usr/local/sbin/sshd -t -f /etc/ssh/sshd_config (it prints nothing if everything is fine). Then find the pid of the running sshd, kill it and start sshd using the script. Only the listening parent process is killed; the child handling your current session keeps running, so you won't be dropped.

trouble@sun:$ ps ax | grep ssh
607 ?? Is 0:00.22 /usr/sbin/sshd
trouble@sun:$ kill -9 607
trouble@sun:$ /usr/local/etc/rc.d/sshd.sh start
trouble@sun:$ ps ax | grep ssh
901 ?? Ss 0:00.00 /usr/local/sbin/sshd -f /etc/ssh/sshd_config

So sshd is running again and should be the latest version:

trouble@sun:$ ssh -V
OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005

Now connect from your client to the server again. You should get a warning that the host key has changed; that happens because the port's sshd reads its host keys from a different place than the base one did. Don't just accept it: a changed host key is exactly what a man-in-the-middle attack looks like, so first compare the fingerprint with what ssh-keygen -l -f prints for the server's key file (over the console or your telnet session). If you would rather keep the old host key, add HostKey lines pointing at the existing /etc/ssh/ssh_host_*_key files to the config. Once the new key is accepted you are running the latest version of ssh.
Now kill the inetd daemon, comment the telnet line in /etc/inetd.conf out again so no cleartext login service is left listening, and if you want remove inetd from rc.conf (I keep it in there until I have rebooted the machine to make sure everything is working).


FreeBSD Horde php4.4.0 Error

* Note that this is an old article saved from a previous blog.

So today I upgraded my PHP version to 4.4.0 on this FreeBSD box. Everything seemed to be okay until I loaded my webmail, which runs Horde. I got a few errors:

Notice: Only variable references should be returned by reference in
/webmail/horde/lib/Horde/Notification.php on line 98
Notice: Only variable references should be returned by reference in
/webmail/horde/kronolith/lib/Kronolith.php on line 459

So crap, that looks like a bug in Horde. As I was a version behind on Horde I patched Horde, IMP and Kronolith to the latest version to see if that fixed it.
But sadly enough it didn't fix it.
After searching the bug list I found it: bug nr 2261. There they note that it's a bug in PHP, and someone else notes that it can be fixed by removing the '&'s.

This is a backward compatibility break in PHP, so don't blame us.
We are fixing those notices where we see them, any help in form of patches is welcome.

I don't know if this really works, but the error message goes away 🙂

horde/lib/Horde/IMAP/Tree.php
Remove the & on line 292.

horde/lib/Horde/Notification.php
Remove the & on line 94.

Well, the last option certainly works, but I'd rather have a patch for it so I don't get into trouble upgrading to new versions.
After checking the mailing lists I noticed it was partially fixed in rc2, so it was time to upgrade to rc2.

# cd /webmail/horde/
# wget http://ftp.horde.org/pub/horde/patches/patch-horde-3.0.4-3.0.5-rc1.gz
# gunzip patch-horde-3.0.4-3.0.5-rc1.gz
# patch -p1 < patch-horde-3.0.4-3.0.5-rc1
# wget http://ftp.horde.org/pub/horde/patches/patch-horde-3.0.5-rc1-3.0.5-rc2.gz
# gunzip patch-horde-3.0.5-rc1-3.0.5-rc2.gz
# patch -p1 < patch-horde-3.0.5-rc1-3.0.5-rc2

Well, this seemed to fix it in Horde, but I still had it in Kronolith and there is no fix in Kronolith for it yet, so I had to fix that manually.
Checking the code, I had to remove the & on line 366 before _getEvents.

# cd /webmail/horde/kronolith/lib
# cp Kronolith.php Kronolith.php.bak
# vi Kronolith.php

And change line 366 from:
    function &_getEvents(&$results, &$event, $startDate, $endDate,

to:
    function _getEvents(&$results, &$event, $startDate, $endDate,

That fixed it for now; now it's time to wait for the official patch :)
