OpenBSD Journal

Compiling OpenSSH No Longer Requires Linking in OpenSSL

Contributed by pitrh on from the SSH! SSLide closer! dept.

The idea had been mulled over and polished on and off for a while, well before the Heartbleed kerfuffle that led to our own LibreSSL fork, but with this commit Markus Friedl (markus@) has made linking against OpenSSL optional when building OpenSSH.

CVSROOT:	/cvs
Module name:	src
Changes by:	markus@cvs.openbsd.org	2014/04/29 12:01:49

Modified files:
	usr.bin/ssh    : Makefile.inc auth.c authfd.c authfile.c 
	                 bufaux.c cipher.c cipher.h hostfile.c kex.c 
	                 key.c mac.c monitor.c monitor_wrap.c 
	                 myproposal.h packet.c roaming_client.c 
	                 ssh-agent.c ssh-keygen.c ssh-keyscan.c 
	                 ssh-keysign.c ssh-pkcs11.h ssh.c sshconnect.c 
	                 sshconnect2.c sshd.c 
	usr.bin/ssh/lib: Makefile 
	usr.bin/ssh/ssh: Makefile 
	usr.bin/ssh/sshd: Makefile 

Log message:
make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

This could mean a slimmer, standalone OpenSSH is on the horizon, but at this point it is probably more important that it makes life easier for the OpenSSH developers if and when they want to explore other options for improving the build system and OpenSSH itself. Note the trade-off spelled out in the log message: a build made with OPENSSL=no is limited to the curve25519 key exchange, the aes-ctr and chacha20-poly1305 ciphers and ed25519 keys, so a client built that way can only verify hosts that present an ed25519 host key, and a server built that way can only offer one.
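As an added example (not from the article, the commit, or OpenSSH itself), here is a POSIX sh script that audits an ssh_config or sshd_config for KexAlgorithms, Ciphers and HostKeyAlgorithms entries that an OPENSSL=no build could not offer. The identifier lists are an assumption: they map the log message's short list ("curve25519, aes-ctr, chacha, ed25519") onto the names the OpenSSH of that period advertised (curve25519-sha256@libssh.org, aes128/192/256-ctr, chacha20-poly1305@openssh.com, ssh-ed25519). The log message names no MACs, so the script does not check MACs. The two config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: flag config
# entries that an OpenSSH built with OPENSSL=no cannot negotiate.
# Assumption: these names are how that OpenSSH spelled the algorithms the
# commit message lists. MACs are not listed there, so they are not checked.
OSSLFREE_KEX="curve25519-sha256@libssh.org"
OSSLFREE_CIPHERS="aes128-ctr aes192-ctr aes256-ctr chacha20-poly1305@openssh.com"
OSSLFREE_HOSTKEYS="ssh-ed25519"

# in_set NEEDLE "a b c": succeed if NEEDLE is one of the words
in_set() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# check_list KEYWORD "x,y,z" ALLOWED: print every entry outside ALLOWED,
# succeed only if there were none
check_list() {
    _n=0
    for _alg in $(printf '%s' "$2" | tr ',' ' '); do
        if ! in_set "$_alg" "$3"; then
            echo "$1: $_alg needs OpenSSL"
            _n=$((_n + 1))
        fi
    done
    [ "$_n" -eq 0 ]
}

# audit_config FILE: succeed if every KexAlgorithms/Ciphers/HostKeyAlgorithms
# entry is something an OpenSSL-free OpenSSH can offer, else fail.
# Keywords are case-insensitive in ssh config files, hence the tr.
audit_config() {
    _bad=0
    while read -r _kw _val; do
        case "$(printf '%s' "$_kw" | tr 'A-Z' 'a-z')" in
            kexalgorithms)     check_list "$_kw" "$_val" "$OSSLFREE_KEX"      || _bad=1 ;;
            ciphers)           check_list "$_kw" "$_val" "$OSSLFREE_CIPHERS"  || _bad=1 ;;
            hostkeyalgorithms) check_list "$_kw" "$_val" "$OSSLFREE_HOSTKEYS" || _bad=1 ;;
        esac
    done < "$1"
    return $_bad
}

# Constructed sample configs for the demonstration (not real site configs)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossl-free.conf" <<'EOF'
# a client config an OPENSSL=no ssh can honour in full
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
HostKeyAlgorithms ssh-ed25519
EOF
cat > "$SAMPLE_DIR/mixed.conf" <<'EOF'
# a typical 2014 config: DH group exchange, CBC and RSA host keys still listed
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
Ciphers aes256-ctr,aes256-cbc
HostKeyAlgorithms ssh-ed25519,ssh-rsa
EOF

for f in ossl-free.conf mixed.conf; do
    if audit_config "$SAMPLE_DIR/$f"; then
        echo "$f: fully negotiable with an OpenSSL-free OpenSSH"
    else
        echo "$f: contains entries an OpenSSL-free OpenSSH cannot offer"
    fi
done
```

On a real build the authoritative lists come from the binary itself (`ssh -Q kex`, `ssh -Q cipher`, `ssh -Q key`); the fixed sets above stand in for them so the script runs offline. An ed25519 key for such a build is generated with `ssh-keygen -t ed25519`, which, as the comment thread below notes, uses the new bcrypt KDF private key format.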



Comments
  1. By Anonymous Coward (141.136.122.219) on

    One of these further options being linking to LibreSSL instead to get (most of) the missing algorithms back I presume?

    Comments
    1. By phessler (phessler) on why in god's name am I wearing pants?

      > One of these further options being linking to LibreSSL instead to get (most of) the missing algorithms back I presume?

      Yes, that is correct (and the current default).

    2. By markus (84.56.5.102) on

      > One of these further options being linking to LibreSSL instead to get (most of) the missing algorithms back I presume?

      No.

      OpenSSL and LibreSSL already have identical APIs and features from OpenSSH's point of view.

  2. By Hirlimann Ludovic (86.217.131.148) ludovic@hirlimann.net on ludovic@hirlimann.net

    What about using NSS ?

    Comments
    1. By Anonymous Coward (2001:470:b01e:3:214:51ff:fe67:4efb) on

      > What about using NSS ?

      Since when does OpenBSD come with NSS?

      Comments
      1. By Noryungi (noryungi) on

        > > What about using NSS ?
        > Since when does OpenBSD come with NSS?

        http://www.openbsd.org/cgi-bin/cvsweb/ports/security/nss/

        You should read about this thing called ''ports'' methinks...

        Comments
        1. By phessler (phessler) on why in god's name am I wearing pants?

          > > > What about using NSS ?
          > > Since when does OpenBSD come with NSS?
          >
          > http://www.openbsd.org/cgi-bin/cvsweb/ports/security/nss/
          >
          > You should read about this thing called ''ports'' methinks...
          >

          That is "NSS is available as a post-install step". SSH requires the things it uses to be built in. *THAT* is what "OpenBSD does not come with NSS" means.

          Comments
          1. By Noryungi (noryungi) on

            > > > > What about using NSS ?
            > > > Since when does OpenBSD come with NSS?
            > >
            > > http://www.openbsd.org/cgi-bin/cvsweb/ports/security/nss/
            > >
            > > You should read about this thing called ''ports'' methinks...
            > >
            >
            > That is "NSS is available as a post-install step". SSH requires the things it uses to be built in. *THAT* is what "OpenBSD does not come with NSS" means.

            I stand corrected.

  3. By brynet (Brynet) on http://brynet.biz.tm/

    This is great work, there's plenty of use cases for "OpenSSH, without OpenSSL" like embedded.

    It only supports private keys in the new bcrypt kdf format, correct? I'd assume so, if ed25519 is the only key type supported at the moment.

    Comments
    1. By markus (84.56.5.102) on

      > It only supports private keys in the new bcrypt kdf format, correct? I'd assume so, if ed25519 is the only key type supported at the moment.

      yes & yes.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]