jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

Docker Testing Image Creation Failure on Ubuntu 18 & 20 #66

Closed jugmac00 closed 4 years ago

jugmac00 commented 4 years ago

Without having a deeper look what the Docker tests actually do, I ran the script while on the current master.

I am on Ubuntu 18.04, but I'd assume the Docker tests should(?) be independent of the host.

Signature on TinySSH sources verified.

Uncompressing OpenSSH 4.0p1...
Compiling OpenSSH 4.0p1...
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking whether byte ordering is bigendian... no
checking for gawk... no
checking for mawk... mawk
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for ar... /usr/bin/ar
checking for cat... /bin/cat
checking for kill... /bin/kill
checking for perl5... no
checking for perl... /usr/bin/perl
checking for sed... /bin/sed
checking for ent... no
checking for bash... /bin/bash
checking for ksh... (cached) /bin/bash
checking for sh... (cached) /bin/bash
checking for sh... /bin/sh
checking for groupadd... /usr/sbin/groupadd
checking for useradd... /usr/sbin/useradd
checking for pkgmk... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for _LARGE_FILES value needed for large files... no
checking for login... /bin/login
checking for passwd... /usr/bin/passwd
checking for inline... inline
checking compiler and flags for sanity... yes
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking bstring.h usability... no
checking bstring.h presence... no
checking for bstring.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking dirent.h usability... yes
checking dirent.h presence... yes
checking for dirent.h... yes
checking endian.h usability... yes
checking endian.h presence... yes
checking for endian.h... yes
checking features.h usability... yes
checking features.h presence... yes
checking for features.h... yes
checking floatingpoint.h usability... no
checking floatingpoint.h presence... no
checking for floatingpoint.h... no
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking ia.h usability... no
checking ia.h presence... no
checking for ia.h... no
checking lastlog.h usability... yes
checking lastlog.h presence... yes
checking for lastlog.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking login.h usability... no
checking login.h presence... no
checking for login.h... no
checking login_cap.h usability... no
checking login_cap.h presence... no
checking for login_cap.h... no
checking maillock.h usability... no
checking maillock.h presence... no
checking for maillock.h... no
checking ndir.h usability... no
checking ndir.h presence... no
checking for ndir.h... no
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netgroup.h usability... no
checking netgroup.h presence... no
checking for netgroup.h... no
checking netinet/in_systm.h usability... yes
checking netinet/in_systm.h presence... yes
checking for netinet/in_systm.h... yes
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking pty.h usability... yes
checking pty.h presence... yes
checking for pty.h... yes
checking readpassphrase.h usability... no
checking readpassphrase.h presence... no
checking for readpassphrase.h... no
checking rpc/types.h usability... yes
checking rpc/types.h presence... yes
checking for rpc/types.h... yes
checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking shadow.h usability... yes
checking shadow.h presence... yes
checking for shadow.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdint.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/dir.h usability... yes
checking sys/dir.h presence... yes
checking for sys/dir.h... yes
checking sys/strtio.h usability... no
checking sys/strtio.h presence... no
checking for sys/strtio.h... no
checking sys/audit.h usability... no
checking sys/audit.h presence... no
checking for sys/audit.h... no
checking sys/bitypes.h usability... yes
checking sys/bitypes.h presence... yes
checking for sys/bitypes.h... yes
checking sys/bsdtty.h usability... no
checking sys/bsdtty.h presence... no
checking for sys/bsdtty.h... no
checking sys/cdefs.h usability... yes
checking sys/cdefs.h presence... yes
checking for sys/cdefs.h... yes
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking sys/ndir.h usability... no
checking sys/ndir.h presence... no
checking for sys/ndir.h... no
checking sys/prctl.h usability... yes
checking sys/prctl.h presence... yes
checking for sys/prctl.h... yes
checking sys/pstat.h usability... no
checking sys/pstat.h presence... no
checking for sys/pstat.h... no
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/stat.h... (cached) yes
checking sys/stream.h usability... no
checking sys/stream.h presence... no
checking for sys/stream.h... no
checking sys/stropts.h usability... yes
checking sys/stropts.h presence... yes
checking for sys/stropts.h... yes
checking sys/sysmacros.h usability... yes
checking sys/sysmacros.h presence... yes
checking for sys/sysmacros.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking sys/timers.h usability... no
checking sys/timers.h presence... no
checking for sys/timers.h... no
checking sys/un.h usability... yes
checking sys/un.h presence... yes
checking for sys/un.h... yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking tmpdir.h usability... no
checking tmpdir.h presence... no
checking for tmpdir.h... no
checking ttyent.h usability... yes
checking ttyent.h presence... yes
checking for ttyent.h... yes
checking usersec.h usability... no
checking usersec.h presence... no
checking for usersec.h... no
checking util.h usability... no
checking util.h presence... no
checking for util.h... no
checking utime.h usability... yes
checking utime.h presence... yes
checking for utime.h... yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking utmpx.h usability... yes
checking utmpx.h presence... yes
checking for utmpx.h... yes
checking vis.h usability... no
checking vis.h presence... no
checking for vis.h... no
checking for sys/ptms.h... no
checking for yp_match... no
checking for yp_match in -lnsl... yes
checking for setsockopt... yes
checking for dirname... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking for getspnam... yes
checking for library containing basename... none required
checking for deflate in -lz... yes
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for zlib 1.1.4 or greater... yes
checking for strcasecmp... yes
checking for utimes... yes
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking for library containing login... -lutil
checking for logout... yes
checking for updwtmp... yes
checking for logwtmp... yes
checking for strftime... yes
checking for GLOB_ALTDIRFUNC support... yes
checking for gl_matchc field in glob_t... no
checking whether struct dirent allocates space for d_name... yes
checking for /proc/pid/fd directory... yes
checking for arc4random... no
checking for __b64_ntop... no
checking for b64_ntop... no
checking for __b64_pton... no
checking for b64_pton... no
checking for bcopy... yes
checking for bindresvport_sa... no
checking for clock... yes
checking for closefrom... no
checking for dirfd... yes
checking for fchdir... yes
checking for fchmod... yes
checking for fchown... yes
checking for freeaddrinfo... yes
checking for futimes... yes
checking for getaddrinfo... yes
checking for getcwd... yes
checking for getgrouplist... yes
checking for getnameinfo... yes
checking for getopt... yes
checking for getpeereid... no
checking for _getpty... no
checking for getrlimit... yes
checking for getttyent... yes
checking for glob... yes
checking for inet_aton... yes
checking for inet_ntoa... yes
checking for inet_ntop... yes
checking for innetgr... yes
checking for login_getcapbool... no
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... yes
checking for mmap... yes
checking for ngetaddrinfo... no
checking for nsleep... no
checking for ogetaddrinfo... no
checking for openlog_r... no
checking for openpty... yes
checking for pstat... no
checking for prctl... yes
checking for readpassphrase... no
checking for realpath... yes
checking for recvmsg... yes
checking for rresvport_af... yes
checking for sendmsg... yes
checking for setdtablesize... no
checking for setegid... yes
checking for setenv... yes
checking for seteuid... yes
checking for setgroups... yes
checking for setlogin... no
checking for setpcred... no
checking for setproctitle... no
checking for setregid... yes
checking for setreuid... yes
checking for setrlimit... yes
checking for setsid... yes
checking for setvbuf... yes
checking for sigaction... yes
checking for sigvec... no
checking for snprintf... yes
checking for socketpair... yes
checking for strerror... yes
checking for strlcat... no
checking for strlcpy... no
checking for strmode... no
checking for strnvis... no
checking for strtoul... yes
checking for sysconf... yes
checking for tcgetpgrp... yes
checking for truncate... yes
checking for unsetenv... yes
checking for updwtmpx... yes
checking for utimes... (cached) yes
checking for vhangup... yes
checking for vsnprintf... yes
checking for waitpid... yes
checking for gai_strerror... yes
checking for library containing nanosleep... none required
checking whether strsep is declared... yes
checking for strsep... yes
checking whether getrusage is declared... no
checking whether tcsendbreak is declared... yes
checking whether h_errno is declared... yes
checking for setresuid... yes
checking if setresuid seems to work... yes
checking for setresgid... yes
checking if setresgid seems to work... yes
checking for gettimeofday... yes
checking for time... yes
checking for endutent... yes
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for endutxent... yes
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for pututxline... yes
checking for setutxent... yes
checking for utmpxname... yes
checking for daemon... yes
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... yes
checking whether system supports SO_PEERCRED getsockopt... yes
checking for (overly) strict mkstemp... yes
checking if openpty correctly handles controlling tty... yes
checking whether getpgrp requires zero arguments... yes
checking OpenSSL header version... 1010100f (OpenSSL 1.1.1  11 Sep 2018)
checking OpenSSL library version... 1010100f (OpenSSL 1.1.1  11 Sep 2018)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library.
Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.
Error: sshd not built!

jtesta commented 4 years ago

I'd assume the Docker tests should(?) be independent of the host.

The SSH servers get compiled on the host, then a Docker image is created around them.

checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library.

Did you manually install another version of OpenSSL?

To debug this, try downloading OpenSSH v4.0 from the archives (https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.0p1.tar.gz / https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.0p1.tar.gz.sig), then simply do a "./configure && make -j XX". Once you fix the issues there, then the docker_test.sh script should work.

Please let me know if this is a general problem with Ubuntu 18, or if it was just a local issue.

jugmac00 commented 4 years ago

I am pretty sure I did not touch my local OpenSSL version.

When downloading the mentioned package and trying to compile it, I get the same error message:

~/Downloads/openssh-4.0p1 
❯ ./configure && make -j XX
checking for gcc... gcc

---- snip ----

checking OpenSSL header version... 1010100f (OpenSSL 1.1.1  11 Sep 2018)
checking OpenSSL library version... 1010100f (OpenSSL 1.1.1  11 Sep 2018)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library.
Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.

~/Downloads/openssh-4.0p1 took 9s 

Both version numbers from above (header and library) look exactly the same.

I only have one Ubuntu box with 18.04 available (my dev machine) - so I cannot rule out that this is a local problem.

While there are tons of Stack Overflow questions/answers, currently I have no time for further debugging.

As I do not use the Docker tests and I just wanted to report a possible problem, which may be on my local machine, feel free to close the issue.

jtesta commented 4 years ago

This is a problem with docker_test.sh, not your system.

The issue is that the development libraries for OpenSSL v1.0.x are necessary to build the older versions of OpenSSH and Dropbear. It's possible to install them on Ubuntu 18 with apt install libssl1.0-dev, but your OpenSSL v1.1.1 headers would get automatically removed since they can't co-exist. But even if you're ok with that, I ran into other problems with building the image on Ubuntu 18.

The solution is for docker_test.sh to download & compile the sources of OpenSSL v1.0.x, then compile the SSH servers against this version.

Ubuntu 20 is likely affected by this issue as well.
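The approach jtesta describes (build OpenSSL 1.0.x from source and compile the old servers against it) as a worked example. This is an added script, not ssh-audit's docker_test.sh and not code from the thread's participants. It builds OpenSSL 1.0.x into a private prefix so the system's 1.1.1 headers and libraries are neither removed (the apt conflict mentioned above) nor mixed in, checks that the prefix's headers and library agree before anything is built against it (the exact mismatch configure complained about), and then configures an unpacked OpenSSH tree via its --with-ssl-dir option. The OpenSSL version 1.0.2u, the download URL, the OPENSSL_SHA256 variable, and the function names header_version, library_version, check_prefix, build_openssl and configure_openssh are assumptions introduced here.

```shell
#!/bin/sh
# Added example: build OpenSSL 1.0.x into a private prefix and point an old
# OpenSSH tree at it. Not part of ssh-audit; assumptions are marked below.
set -eu

# Assumption: 1.0.2u is the last 1.0.x release and is published at this URL.
OPENSSL_VER="1.0.2u"
OPENSSL_URL="https://www.openssl.org/source/old/1.0.2/openssl-${OPENSSL_VER}.tar.gz"
# Private prefix: nothing here touches /usr/include or /usr/lib.
PREFIX="${PREFIX:-$HOME/openssl-1.0}"

# Version triple from an opensslv.h, e.g. "0x1000215fL" -> "1.0.2".
# OPENSSL_VERSION_NUMBER is laid out as MNNFFPPS: major nibble, minor byte,
# fix byte, patch byte, status nibble.
header_version() {
    hex=$(sed -n 's/^# *define OPENSSL_VERSION_NUMBER *0x\([0-9a-fA-F]*\)L.*$/\1/p' "$1" | head -n 1)
    [ -n "$hex" ] || return 1
    printf '%d.%d.%d\n' "$((0x${hex} >> 28))" "$(((0x${hex} >> 20) & 0xff))" "$(((0x${hex} >> 12) & 0xff))"
}

# Version triple reported by the openssl binary built into the prefix,
# e.g. "OpenSSL 1.0.2u  20 Dec 2019" -> "1.0.2" (patch letter dropped).
library_version() {
    "$1/bin/openssl" version 2>/dev/null | awk '{print $2}' | sed 's/[a-z].*$//'
}

# Returns 0 only when the prefix holds a self-consistent OpenSSL 1.0.x install:
# header and library versions must agree, and the series must be 1.0.x.
check_prefix() {
    hv=$(header_version "$1/include/openssl/opensslv.h") || { echo "no opensslv.h under $1" >&2; return 1; }
    lv=$(library_version "$1")
    if [ "$hv" != "$lv" ]; then
        echo "header $hv does not match library $lv under $1" >&2
        return 1
    fi
    case "$hv" in
        1.0.*) return 0 ;;
        *) echo "$1 holds OpenSSL $hv, need 1.0.x" >&2; return 1 ;;
    esac
}

# Download, checksum, and build OpenSSL into PREFIX (1.0.x builds static
# libraries by default, so nothing is installed system-wide).
# OPENSSL_SHA256 must be set to the checksum published for the tarball.
build_openssl() {
    : "${OPENSSL_SHA256:?set OPENSSL_SHA256 to the published sha256 of the tarball}"
    work=$(mktemp -d)
    (
        cd "$work"
        curl -fsSLO "$OPENSSL_URL"
        echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VER}.tar.gz" | sha256sum -c -
        tar xzf "openssl-${OPENSSL_VER}.tar.gz"
        cd "openssl-${OPENSSL_VER}"
        ./config --prefix="$PREFIX"
        make -j"$(nproc)"
        make install_sw
    )
    rm -rf "$work"
}

# Configure and build an unpacked OpenSSH source tree against the prefix,
# refusing to start if the prefix is inconsistent or not 1.0.x.
configure_openssh() {
    check_prefix "$PREFIX"
    (
        cd "$1"
        ./configure --with-ssl-dir="$PREFIX"
        make -j"$(nproc)"
    )
}

case "${1:-}" in
    build-openssl)     build_openssl ;;
    configure-openssh) configure_openssh "${2:?path to unpacked OpenSSH source tree}" ;;
    check)             check_prefix "$PREFIX" ;;
esac
```

Usage: `OPENSSL_SHA256=<published checksum> ./build-old-ssl.sh build-openssl`, then `./build-old-ssl.sh configure-openssh ~/Downloads/openssh-4.0p1`. The `check` subcommand alone reproduces, without a compiler, the consistency test that configure runs: it reads the version from the prefix's own opensslv.h and compares it with what the prefix's openssl binary reports, which is how a stray 1.1.x header next to a 1.0.x library is caught before the build.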

jtesta commented 4 years ago

I updated docker_test.sh so that it now pulls & uses the image I built from Dockerhub. It should work for you now.

Now I'm the only person who has to deal with build issues. ;)

jugmac00 commented 4 years ago

ALL TESTS PASS!

Works like a charm now. Thanks!