[MacPorts] #67442: openssh @9.3p1_0+kerberos5+xauth not compatible with openssl @3_10--segmentation fault
MacPorts
noreply at macports.org
Wed May 17 12:18:58 UTC 2023
#67442: openssh @9.3p1_0+kerberos5+xauth not compatible with openssl @3_10--
segmentation fault
-------------------------+----------------------
Reporter: EJFielding | Owner: artkiver
Type: defect | Status: assigned
Priority: Normal | Milestone:
Component: ports | Version: 2.8.1
Resolution: | Keywords:
Port: openssh |
-------------------------+----------------------
Comment (by artkiver):
Replying to [ticket:67442 EJFielding]:
> I recently installed a port that apparently triggered an update to the
`openssl` port so I have `openssl @3_10` installed and active.
>
> I tried to use the `ssh` program from the `openssh` port (version
`@9.2p1_0+kerberos5+xauth`) and I got an error about a version mismatch:
> {{{
> OpenSSL version mismatch. Built against 30000080, you have 30100000
> }}}
>
> I then ran `port selfupdate` and `port upgrade outdated` and it
installed a new version of the `openssh @9.3p1_0+kerberos5+xauth`.
>
> The new version 9.3 now simply fails with a `Segmentation fault`.
>
> I checked what `ssh` is linked to with:
> {{{
> otool -L /opt/local/bin/ssh
> /opt/local/bin/ssh:
> /usr/lib/libbsm.0.dylib (compatibility version 1.0.0, current
version 1.0.0)
> /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current
version 1.0.0)
> /opt/local/lib/libgssapi_krb5.2.2.dylib (compatibility version
2.0.0, current version 2.2.0)
> /opt/local/libexec/openssl3/lib/libcrypto.3.dylib (compatibility
version 3.0.0, current version 3.0.0)
> /opt/local/lib/libz.1.dylib (compatibility version 1.0.0, current
version 1.2.13)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1319.100.3)
> }}}
>
> I am on macOS 13.3.1(a) and this is an Intel Mac.
Thank you for that.
I was previously aware that there were already compatibility issues with
LibreSSL and Kerberos5 (also see: https://github.com/macports/macports-
ports/pull/16927 which was an attempt to fix that) but as I do not
currently have a kerberized environment with which to test that variant, I
don't tend to do much aside from see if it builds.
Moreover, OpenBSD (the parent project for OpenSSH) defaults to LibreSSL,
as does macOS, so compatibility with OpenSSL, while certainly not without
merits, I don't think is as much of a priority for the upstream project.
Additionally, in the upstream project Kerberos is only in the -portable
branch (albeit that is what we use in MacPorts, but my guess is it has
less scrutiny by many of the OpenSSH developers as a result). If you scan
https://www.openssh.com/releasenotes.html you'll note that the most recent
time it is even mentioned was in the 7.4 portable release, and prior to
that was 6.1 with the following:
{{{
"ssh(1): Don't link in the Kerberos libraries. They aren't necessary
on the client, just on sshd(8). bz#2072"
}}}
I can look into this some, but I am afraid my preliminary gut feeling is I
won't be able to do much.
Presumably it functions OK with removing the -kerberos5 variant? Though
doubtlessly you want that for other reasons related to your environment.
--
Ticket URL: <https://trac.macports.org/ticket/67442#comment:2>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list