
Author Topic: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)  (Read 71 times)


DementedCanuck

OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
« on: June 09, 2017, 09:53:16 AM »
Updated Openssl & OpenSSH installp packages available from IBM

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

Code:
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssh.base.client   7.1.102.1100    C     F    Open Secure Shell Commands
  openssh.base.server   7.1.102.1100    C     F    Open Secure Shell Server
  openssh.license       7.1.102.1100    C     F    Open Secure Shell License
  openssh.man.en_US     7.1.102.1100    C     F    Open Secure Shell
                                                   Documentation - U.S. English
  openssh.msg.EN_US     7.1.102.1100    C     F    Open Secure Shell Messages -
                                                   U.S. English (UTF)
  openssh.msg.en_US     7.1.102.1100    C     F    Open Secure Shell Messages -
                                                   U.S. English
  openssl.base            1.0.2.1100    C     F    Open Secure Socket Layer
  openssl.license         1.0.2.1100    C     F    Open Secure Socket License
  openssl.man.en_US       1.0.2.1100    C     F    Open Secure Socket Layer

Code:
ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2k  26 Jan 2017

The previously released packages had a MAJOR issue (sshd would not start - symbol resolution of mkdtemp and memset_s) on older releases of AIX. Was running a mass update of several hundred AIX instances, 7.2 down to 5.3. Failed on the first 5.3 target. Issue occurs on 5.3 (possibly earlier) and older AIX 6.1. Later 6.1, 7.1 & 7.2 all joy. I could not find any hits for this - Google search and IBM support turned up nothing. Checked the download site (was going to try an earlier package) and discovered new packages (they had not been there 2 days earlier). Readme for SSH listed this issue as fixed. I have installed and am re-validating on 7.2, 7.1, 6.1 & 5.3. Only issues so far are some developers that do not bother to read my email announcements and got nailed for still using DSA keys  :)

A hack I often use while in RPM dependency hell and RPM is insisting on the OpenSSL RPM install - I install only the RPM DB using the --justdb option.
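An added example, not part of the original post: OpenSSH 7.0 and later disable ssh-dss (DSA) user keys by default, which is why accounts still using DSA keys fail to log in after an upgrade like the one described above. This sketch lists DSA entries before the upgrade; it assumes the default key file names `.ssh/authorized_keys` and `.ssh/authorized_keys2` under each home directory, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for ssh-dss (DSA) keys in authorized_keys files.

# Print "file:line:comment" for every DSA key entry in one file.
# An entry is: [options] keytype base64-blob [comment]. Options may contain
# quoted spaces, so look for the "ssh-dss" token in any field, followed by a
# blob that starts with the base64 encoding of the "ssh-dss" wire header.
find_dsa_keys() {
    file=$1
    [ -r "$file" ] || return 0          # missing or unreadable file: nothing to report
    awk -v f="$file" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        {
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && $(i+1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i+2) : "(no comment)"
                    printf "%s:%d:%s\n", f, NR, comment
                    next
                }
            }
        }' "$file"
}

# Number of DSA entries in one file.
count_dsa_keys() { find_dsa_keys "$1" | wc -l | tr -d ' '; }

# Walk every home directory listed in a passwd-format file (field 6).
# Assumption: keys live in the default per-user file locations.
scan_users() {
    passwd_file=${1:-/etc/passwd}
    cut -d: -f6 "$passwd_file" | sort -u | while read -r home; do
        for name in authorized_keys authorized_keys2; do
            find_dsa_keys "$home/.ssh/$name"
        done
    done
}

# Run as: sh audit_dsa.sh /etc/passwd   (run as root to read every home)
if [ "$#" -gt 0 ]; then
    scan_users "$1"
fi
```

Each reported line identifies an account whose owner needs to install an RSA, ECDSA or Ed25519 key before the new sshd goes live.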

Michael

Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
« Reply #1 on: June 09, 2017, 03:24:17 PM »
Have you tried my packaging?

...
Pre-installation Failure/Warning Summary
----------------------------------------
Name                      Level           Pre-installation Failure/Warning
-------------------------------------------------------------------------------
aixtools.openbsd.openssh. 7.4.0.1602      Already installed
aixtools.openbsd.openssh. 7.4.0.1602      Already installed


Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
aixtools.openbsd.openssh.rt 7.5.0.1601      USR         APPLY       SUCCESS
aixtools.openbsd.openssh.ma 7.5.0.1601      USR         APPLY       SUCCESS
aixtools.openbsd.openssh.rt 7.5.0.1601      ROOT        APPLY       SUCCESS
aixtools.openbsd.openssh.ma 7.5.0.1601      ROOT        APPLY       SUCCESS

michael@x071.home.local:[/home/michael]ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2h  3 May 2016
michael@x071.home.local:[/home/michael]which ssh
/opt/bin/ssh


DementedCanuck

Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
« Reply #2 on: June 10, 2017, 02:18:36 AM »
Hi Michael,

I have been following your work on AIXTOOLS with great interest.

I am an old geezer and have been supporting AIX since 1991 (initially "came of age" on IBM mainframe in the days of OS/MVT and its successors). I am an AIX die hard - best "commercial grade" *NIX as far as I am concerned. Incredible RAS with top notch security integrated in the Hardware, Firmware, Virtualization (Power/VM) and AIX. Most excellent for sleeping at night - I do not even remember the last time I was paged in the middle of the night for an AIX or PSeries problem.

As for your packaging of SSH - would only be able to try it in my sandbox test AIX instances. My environment is rather large with many cooks dictating things - security boys have said "thou shalt use the IBM SSL & SSH packages". That and the recent contract to "out source" IT "run time" (Infrastructure & Ops) to IBM makes "going with the flow" the best option for now. Do not want to "rock the boat" as the "higher powers" decide who will be offered the "re-badge option" as opposed to the finality of the "release" option. I would miss all the toys for big boys I have at present  ;)

However I am in the initial certification of AIX 7.2 TL01 as the basis of the target level for upgrading ~ 300 AIX instances (LPAR / WPAR + several PowerHA clusters). I am hoping to replace the current RPM packages with installp packages - and as much as possible compiled with xl/C & xl/C++ with optimization for Power 8. Get away from all the various hassles of RPM packages - installp requisite handling is most excellent and using installp packaging will hopefully do away with the RPM compatibility issues when using multiple sources of RPM(s).

You shall be hearing more from me on this  :)

I still miss the days when I had an AIX wks under my desk and a display running the CDE as my desktop.

Ciao

Michael

Re: OpenSSL & OpenSSH IBM Packages Updated Again ( ~ May 31)
« Reply #3 on: June 10, 2017, 08:55:54 AM »
Well, send me a list of the "must have" RPMs you use now.

And it is a simple matter, should it be important to flag the hardware as POWER8 (and anything later). Currently I package as POWER4 or as POWER5 as the "lowest" level of "common" code supported.

And, if you would be interested in learning how to package "company system management scripts" as installp, rather than as RPM - let me know, and I'll work on an "article" on how that can be done.

And, should you have a sandbox to test with - I would welcome the feedback on what I need to do better. (E.g., I saw some messages with my upgrade of aixtools.openbsd.openssh from version 7.4 to version 7.5 that are harmless, but I should clean up just the same.)

FYI: as far as OpenSSL goes - other than getting the hooks needed for AIX into LibreSSL - I try and leave that to IBM. Especially when it comes to FIPS (related) issues - no one is going to accept a site smaller than "IBM". And, as it is still, or better, now - in installp format - I go with that flow.

Many thanks for the comments. And, any questions - or suggestions - are extremely welcome!

e.g., I am only now understanding the necessity of your "hack" - to let the system think OpenSSL as RPM is installed, so other packages who still want to depend on that can install.

And, before I forget - I try hard (and independent verification is MUCH desired) to make sure my packages can be installed in parallel with AIX and "freeware-branded" RPM packages (i.e., those that install into /opt/freeware and then set symbolic links from the "normal" locations to /opt/freeware).

In hindsight, to have been true to the "standards" I should have been installing to /opt/aixtools/* - but I was young and ignorant and skipped "package" directly to /opt/* (so, /opt/bin, /opt/sbin, /opt/lib, etc.). Still trying to decide if I should "change" all - and start setting symbolic links to /opt/aixtools/bin from /opt/bin. Still not going to "touch" /usr/bin, etc. - if I can. (There are certain libraries, e.g., libiconv.a, that need to be "rebuilt" so that the IBM members are extracted from the IBM archive, and then added to the new archive (that has GNU iconv). And there is a similar issue with zlib (aka libz.a).)

Getting back to OpenSSH - my packaging can be installed "in parallel" with the AIX version.
    the config files in /etc/ssh get copied to /etc/openssh/etc
    the SRC subsystem gets updated to start /opt/sbin/sshd
    the uninstall scripts restore AIX openssh to start from SRC

Looking forward to your feedback!