FreeBSD 4.0-stable crypto is fuggered for international users
This problem has now been fixed. Skip to the last section of this article.
I found out the hard way that FreeBSD 4.0-stable is not working for international users. Now that’s an overstatement, but the problem has added 48 hours to the time it will take me to launch this box.
I installed 4.0-Release from CDs on a box for a client. I then cvsup’d to 4.0-STABLE. Then I did the make world, the install world, the kernel, and the merge. I rebooted and then tried to connect to the box via ssh. I couldn’t. Checking /var/log/messages I found the following:
    sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF shared library (librsaref.so). Install the /usr/ports/security/rsaref port or package and run this program again. See the OpenSSL chapter in the FreeBSD Handbook, located at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html, for more information.
    sshd[159]: fatal: c() failed.
Now I knew the above wasn’t right. I had performed that type of install many times before and never had to install rsaref manually. I figured something must be broken.
So I checked the archives and found nothing in questions (I should have searched -stable though!), so I fired off a message. It appears I was not alone. See the following messages, which refer to this problem:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=85833+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=127987+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=130069+0+current/freebsd-stable
So what caused this mess?
It appears that crypto was broken as part of an attempt to unify the main (freefall) and international (internat) repositories. Essentially, rsa_eay.c was removed from the repository, which means your ssh daemon won’t be compiled with everything it needs.
The fix
The fix, which I have yet to confirm actually fixes the problem, is to add src-crypto-rsa to your secure supfile. Here is a short extract from my secure-supfile:

    # If your network link is a T1 or faster, comment out
    # the following line.
    *default compress

    ## The international secure collections.
    cvs-crypto
    src-crypto-rsa

The line I added is the last one and is in bold so you can see it more easily.
I will amend this article when I can confirm the fix.
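One way to check a supfile for the gap described above before running cvsup and a make world, as an added example that is not part of the original article. The function names and the sample supfiles are constructed for illustration, and it assumes the usual supfile layout: one collection per line, `#` comments, and `*default` lines for defaults.

```shell
#!/bin/sh
# Added example (not from the original article): audit a CVSup supfile for
# the crypto collections discussed above.

# Print the collection names in supfile $1, one per line. Comments and blank
# lines are dropped, "*default" lines are skipped, and the first field of
# every remaining line is taken as the collection name.
supfile_collections() {
    awk '{ sub(/#.*/, "") }
         NF == 0 || $1 == "*default" { next }
         { print $1 }' "$1"
}

# Succeed if collection $2 is listed (uncommented) in supfile $1.
has_collection() {
    supfile_collections "$1" | grep -Fqx -- "$2"
}

# Classify supfile $1:
#   ok         src-crypto-rsa is listed
#   missing    cvs-crypto is listed without src-crypto-rsa (this article's case)
#   no-crypto  neither collection is listed
check_secure_supfile() {
    if has_collection "$1" src-crypto-rsa; then
        echo ok
    elif has_collection "$1" cvs-crypto; then
        echo missing
    else
        echo no-crypto
    fi
}

# Constructed sample supfiles, modelled on the extract in the article.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '*default compress' '## The international secure collections.' \
    'cvs-crypto' > "$tmp/before"
printf '%s\n' '*default compress' 'cvs-crypto' 'src-crypto-rsa' > "$tmp/after"
# A commented-out entry must not count as present.
printf '%s\n' 'cvs-crypto' '#src-crypto-rsa' > "$tmp/commented"

for f in before after commented; do
    printf '%s: %s\n' "$f" "$(check_secure_supfile "$tmp/$f")"
done
```

A result of `missing` means the tree would be fetched without the RSA sources, which is the state that produced the sshd failure logged above.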