Tuesday, February 28, 2023

Re: How to produce statically linked sshd binary

Thanks. And I "know"..

Use case: sshd in single user on quasi FDE-encrypted servers on co-location not
accessible via KVM/AMT. I've done this on many machines since 2014.

I acknowledge that it isn't recommended practice (and definitely not
supported!) but if anyone should want to help out, feel free to contact me
off-list!

Best regards

Erling

On Mon, Feb 27, 2023 at 09:09:02PM -0700, Theo de Raadt wrote:
> Oh my god, don't do that!
>
> Your program will have a single aspect of randomness.
>
> If you leave it as it is, it has 6 .so's with independent random placement,
> and 4 of them (sshd, ld.so, libc.so, and libcrypto.so) are randomly linked
> at boot.
>
> These independent randomness are an incomplete but strong mitigation
> against ROP attack methods.
>
> What you are trying to do is counter productive.
>
> Erling Westenvik <erling.westenvik@gmail.com> wrote:
>
> > Hi!
> > In the past, at least into several 6.x releases, I was able to produce a
> > statically linked sshd(8) binary like this:
> >
> > # cd /usr/src/usr.bin/ssh
> > # make clean
> > # make LDSTATIC=-static lib sshd
> > # strip /usr/src/usr.bin/ssh/sshd/sshd
> >
> > On a fresh 7.2 install however, the above won't do anymore.
> >
> > (It stops dead complaining about the "lib"-part in LDSTATIC=. When
> > trying without "lib" it goes on for a while but ends with complaints
> > about malloc-something. As you probabley understand by now, I'm not
> > exactly a wizard.. : )
> >
> > Anyone up for outlining a simple "how-to"?
> >
> > Kind regards,
> >
> > Erling
> >

No comments:

Post a Comment