Jul 04 2000

FreeBSD 4.0-stable crypto is fuggered for international users

This problem has now been fixed.  Skip to the last section of this article.

I found out the hard way that FreeBSD 4.0-stable is not working for international users.  Now that’s an overstatement, but the problem has added 48 hours to the time it will take me to launch this box.

I installed 4.0-Release from CDs on a box for a client.  I then cvsup’d to 4.0-STABLE.   Then I did the make world, the install world, the kernel, and the merge.  I rebooted and then tried to connect to the box via ssh.  I couldn’t.  Checking /var/log/messages I found the following:

sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF 
       shared library (librsaref.so). 
       Install the /usr/ports/security/rsaref port or 
       package and run this program again. See the OpenSSL 
       chapter in the FreeBSD Handbook, located at 
       http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html, for more 
       information.
sshd[159]: fatal: c() failed.

Now I knew the above wasn’t right.  I had performed that type of install many times before and never had to install rsaref manually.  I figured something must be broken.

So I checked the archives, found nothing in -questions (I should have searched -stable, though!) so I fired off a message.  It appears I was not alone.  See the following messages which refer to this problem:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=85833+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=127987+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=130069+0+current/freebsd-stable

So what caused this mess?

It appears that crypto was broken as part of an attempt to unify the main (freefall) and international (internat) repositories.  Essentially, rsa_eay.c (OpenSSL’s own RSA implementation) was removed from the repository, which left libcrypto without a native RSA implementation.  At runtime sshd therefore tried to load the RSAREF shared library instead, and that is exactly the error shown above.

The fix

The fix, which I have yet to confirm actually fixes the problem, is to add src-crypto-rsa to your secure supfile.  Here is a short extract from my secure-supfile:
# If your network link is a T1 or faster, comment out 
# the following line.
*default compress

## The international secure collections.
cvs-crypto
src-crypto-rsa

The line I added is the last one, src-crypto-rsa.
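As an added example (not from the original article, and not FreeBSD or cvsup code), the following POSIX shell script does the two checks a practitioner would want before and after the rebuild: it spots sshd's RSAREF failure in log lines, and it lists the collections in a supfile and adds src-crypto-rsa only if it is missing, so running it twice does not leave duplicate lines.  The supfile and log lines at the bottom are constructed sample input based on the extracts above; the function names are this script's own.

```sh
#!/bin/sh
# Added example: diagnose the RSAREF symptom and fix the supfile idempotently.
# Not part of the original article; function names are this script's own.

# Print the collection names listed in a supfile: strip comments, skip blank
# lines and *default directives, keep the first word of every remaining line.
supfile_collections() {
    # $1 = path to the supfile
    sed -e 's/#.*//' "$1" | awk 'NF && $1 != "*default" { print $1 }'
}

# Exit 0 if collection $2 is listed in supfile $1 (whole-line match).
supfile_has() {
    supfile_collections "$1" | grep -qx -- "$2"
}

# Append collection $2 to supfile $1 unless it is already listed.
supfile_ensure() {
    if supfile_has "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# Exit 0 if sshd log text on stdin contains the RSAREF failure from the article.
log_shows_rsaref_failure() {
    grep -q 'RSAPrivateDecrypt: Unable to find an RSAREF'
}

# Stand-alone demonstration on constructed sample input.
demo_supfile=$(mktemp)
cat > "$demo_supfile" <<'EOF'
# If your network link is a T1 or faster, comment out
# the following line.
*default compress

## The international secure collections.
cvs-crypto
EOF

# Constructed log lines in the shape of the /var/log/messages extract above.
demo_log='sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF
sshd[159]: fatal: c() failed.'

if printf '%s\n' "$demo_log" | log_shows_rsaref_failure; then
    echo "sshd is falling back to RSAREF; checking supfile $demo_supfile"
    supfile_ensure "$demo_supfile" src-crypto-rsa
    echo "collections now listed:"
    supfile_collections "$demo_supfile"
fi
rm -f "$demo_supfile"
```

Run it on a real box by pointing supfile_ensure at your secure supfile and piping /var/log/messages into log_shows_rsaref_failure; the collection check is a whole-line match, so a commented-out src-crypto-rsa line does not count as present.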

I will amend this article when I can confirm the fix.

Fixed (added on 11 July 2000)

The crypto problem has been fixed.  src-crypto-rsa has been removed. cvs-crypto is now part of cvs-all.  All of your source code is now available from a single cvsup server.  No need to go to an international mirror any more!