AIX => Administration => Topic started by: DementedCanuck on June 09, 2017, 09:53:16 AM

Title: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
Post by: DementedCanuck on June 09, 2017, 09:53:16 AM
Updated Openssl & OpenSSH installp packages available from IBM

Code: [Select]
  Fileset                      Level  State  Type  Description (Uninstaller)
  openssh.base.client    C     F    Open Secure Shell Commands
  openssh.base.server    C     F    Open Secure Shell Server
  openssh.license    C     F    Open Secure Shell License    C     F    Open Secure Shell
                                                   Documentation - U.S. English
  openssh.msg.EN_US    C     F    Open Secure Shell Messages -
                                                   U.S. English (UTF)
  openssh.msg.en_US    C     F    Open Secure Shell Messages -
                                                   U.S. English
  openssl.base      C     F    Open Secure Socket Layer
  openssl.license    C     F    Open Secure Socket License    C     F    Open Secure Socket Layer

Code: [Select]
ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2k  26 Jan 2017

The previously released packages had a MAJOR issue (sshd would not start Symbol resolution of mkdtemp and memset_s) - on older releases of AIX. Was running a mass update of several hundred AIX instances 7.2 down to 5.3. Failed on the first 5.3 target. Issue occurs on 5.3 (possibly earlier) and older AIX 6.1. Later 6.1 , 7,1 & 7.2 all joy.  I could not find any hits for this - Google search and IBM support turned up nothing. Checked the download site (was going to try an earlier package) and discovered new packages (they had not been there 2 days earlier). Read me for SSH listed this issue as fixed. I have installed and am re-validating on 7.2 , 7.1 , 6.1 & 5.3, Only issues so far are some developers that do not bother to read my email announcements and got nailed for still using DSA keys  :)

A hack I often use while in RPM dependency hell and RPM is insisting on the OpenSSL RPM install - I install only the RPM DB using the --justdb option.
Title: Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
Post by: Michael on June 09, 2017, 03:24:17 PM
Have you tried my packaging?

Pre-installation Failure/Warning Summary
Name                      Level           Pre-installation Failure/Warning
aixtools.openbsd.openssh.      Already installed
aixtools.openbsd.openssh.      Already installed

Installation Summary
Name                        Level           Part        Event       Result
aixtools.openbsd.openssh.rt      USR         APPLY       SUCCESS      USR         APPLY       SUCCESS
aixtools.openbsd.openssh.rt      ROOT        APPLY       SUCCESS      ROOT        APPLY       SUCCESS

michael@x071.home.local:[/home/michael]ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2h  3 May 2016
michael@x071.home.local:[/home/michael]which ssh

Title: Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
Post by: DementedCanuck on June 10, 2017, 02:18:36 AM
Hi Michael,

I have been following your work on AIXTOOLS with great interest.

I am an old geezer and have been supporting AIX since 1991 (initially "came of age" on IBM mainframe in the days of OS/MVT and its successors). I am an AIX die hard - best "commercial grade" *NIX as far as I am concerned. Incredible RAS with top notch security integrated in the Hardware , Firmware , Virtualization (Power/VM) and AIX. Most excellent for sleeping at night - I not even remember the last time I was paged in the middle of the night for an AIX or PSeries problem.

As for your packaging of SSH - would only be able to try it in my sandbox test AIX instances. My environment is rather large with many cooks dictating things - security boys have said "thou shalt use the IBM SSL & SSH packages". That and the recent contract to "out source" IT "run time" (Infrastructure & Ops) to IBM makes "going with the flow" the best option for now. Do not want to "rock the boat" as the "higher powers" decide who will be offered the "re-badge option" as opposed to the finality of the "release" option. I would miss all the toys for big boys I have at present  ;)

However I am in the initial certification of AIX 7.2 TL01 as the basis of the target level for upgrading ~ 300 AIX instances (LPAR / WPAR + several PowerHA clusters). I am hoping to replace the current RPM packages with installp packages - and as much as possible compiled with xl/C & xl/C++ with optimization for Power 8. Get away from all the various hassles of RPM packages - installp requisite handling is most excellent and using installp packaging will hopefully do away with the RPM compatibility issues when using multiple sources of RPM (s).

You shall be hearing more from me on this  :)

I still miss the days when I had an AIX wks under my desk and a display running the CDE as my desktop.

Title: Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
Post by: Michael on June 10, 2017, 08:55:54 AM
Well, send me of list of the "must have" RPM's you use now.

And it is simple matter, should it be important to flag the hardware as POWER8 (and anything later). Currently I package as POWER4 or as POWER5 as the "lowest" level of "common" code supported.

And, if you would be interested in learning how to package "company system management scripts" as installp, rather than as RPM - let me know, and I'll work on an "article" on how that can be done.

And, should you have a sandbox to test with - I would welcome the feedback on what I need to do better. (e.g., I saw some messages with my upgrade from aixtools.openbsd.openssh from version 7.4 to version 7.5 (that are harmless, but I should clean up just the same).

FYI: as far as OpenSSL goes - other than getting the hooks needed for AIX into LibreSSL - I try and leave that to IBM. Esp[ecially when it comes to FIPS (related) issues - noone is going to accept a site smaller than "IBM". And, as it is still, or better, now - in installp format - I go with that flow.

Many thanks for the comments. And, any questions - or suggestions - are extremely welcome!

e.g., I am only now understanding the necessity of your "hack" - to let the system think OpenSSL as RPM is installed, so other packages who still want to depend on that can install.

And, before I forget - I try hard (and independent verification is MUCH desired) to make sure my packages can be installed in parallel with AIX and "freeware-branded" RPM packages (i.e., those that install into /opt/freeware and then set symbolic links from the "normal" locations to /opt/freeware).

In hindsight, to have been true to the "standards" I should have been installing to /opt/aixtools/* - but I was young and ignorant and skipped "package" directly to /opt/* (so, /opt/bin, /opt/sbin, /opt/lib, etc.). Still trying to decide if I should "change" all - and start setting symbolic links to /opt/aixtools/bin from /opt/bin. Still not going to "touch" /usr/bin, etc. - if I can. (There are certain libraries, e.g., libiconv.a that need to be "rebuilt" so that the IBM members are extracted from the IBM archive, and then added to the new archive (that has GNU iconv). And there is a similar issue with zlib (aka libz.a).

Getting back to OpenSSH - my packaging can installed "in parallel" with the AIX version.

Looking forward to your feedback!