Crypto problem fixed

FreeBSD 4.0-stable crypto is fuggered for international users

This problem has now been fixed.  Skip to the last section of this article.

I found out the hard way that FreeBSD 4.0-stable is not
working for international users.  Now that’s an overstatement, but the problem has
added 48 hours to the time it will take me to launch this box.

I installed 4.0-Release from CDs on a box for a client.  I then cvsup’d to 4.0-STABLE.   Then I did the make world,
the install world, the kernel, and the merge.  I rebooted and then tried to connect
to the box via ssh.  I couldn’t.  Checking /var/log/messages I found the
following:

sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF 
       shared library (librsaref.so). 
       Install the /usr/ports/security/rsaref port or 
       package and run this program again. See the OpenSSL 
       chapter in the FreeBSD Handbook, located at 
       http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html, for more 
       information.
sshd[159]: fatal: c() failed.

Now I knew the above wasn’t right.  I had performed that type of install many
times before and never had to install rsaref manually.  I figured
something must be broken.

So I checked the archives, found nothing in questions (I should have searched -stable
though!) so I fired off a message.  It appears I was not alone.  See the
following messages which refer to this problem:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=85833+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=127987+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=130069+0+current/freebsd-stable

So what caused this mess?

It appears that crypto was broken as part of an attempt to unify the main
(freefall) and international (internat) repositories.  Essentially, rsa_eay.c was
removed from the repository, which means your ssh daemon won’t be compiled with
everything it needs.

The fix

The fix, which I have yet to confirm actually fixes the problem, is to add
src-crypto-rsa to your secure supfile.  Here is a short extract from my
secure-supfile:

# If your network link is a T1 or faster, comment out 
# the following line.
*default compress

## The international secure collections.
cvs-crypto
src-crypto-rsa

The line I added is the last one, src-crypto-rsa.

I will amend this article when I can confirm the fix.

Fixed (added on 11 July 2000)

The crypto problem has been fixed.  src-crypto-rsa has
been removed. cvs-crypto is now part of cvs-all.  All of your
source code is now available from a single cvsup server.  No need to go to an
international mirror any more!
