FreeBSD 4.0-stable crypto is fuggered for international users
This problem has now been fixed. Skip to the last
section of this article.
I found out the hard way that FreeBSD 4.0-stable is not
working for international users. Now that’s an overstatement, but the problem has
added 48 hours to the time it will take me to launch this box.
I installed 4.0-Release from CDs on a box for a client. I then cvsup’d to 4.0-STABLE. Then I did the make world,
the install world, the kernel, and the merge. I rebooted and then tried to connect
to the box via ssh. I couldn’t. Checking /var/log/messages I found the
following:
    sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF shared library (librsaref.so). Install the /usr/ports/security/rsaref port or package and run this program again. See the OpenSSL chapter in the FreeBSD Handbook, located at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html, for more information.
    sshd[159]: fatal: c() failed.
Now I knew the above wasn’t right. I had performed that type of install many
times before and never had to install rsaref manually. I figured
something must be broken.
So I checked the archives, found nothing in questions (I should have searched -stable
though!) so I fired off a message. It appears I was not alone. See the
following messages which refer to this problem:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=85833+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=127987+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=130069+0+current/freebsd-stable
So what caused this mess?
It appears that crypto was broken as part of an attempt to unify the main
(freefall) and international (internat) repositories. Essentially, rsa_eay.c was
removed from the repository, which means your ssh daemon won’t be compiled with
everything it needs.
The fix
The fix, which I have yet to confirm actually fixes the problem, is to add
src-crypto-rsa to your secure supfile. Here is a short extract from my
secure-supfile:
    # If your network link is a T1 or faster, comment out
    # the following line.
    *default compress

    ## The international secure collections.
    cvs-crypto
    src-crypto-rsa
The line I added is the last one and is in bold so you can see it more
easily.
I will amend this article when I can confirm the fix.
Fixed (added on 11 July 2000)
The crypto problem has been fixed. src-crypto-rsa has
been removed. cvs-crypto is now part of cvs-all. All of your
source code is now available from a single cvsup server. No need to go to an
international mirror any more!