The FreeBSD Diary

Providing practical examples since 1998

FreeBSD 4.0-stable crypto is fuggered for international users
4 July 2000
This problem has now been fixed.  Skip to the last section of this article.

I found out the hard way that FreeBSD 4.0-stable is not working for international users.  Now that's an overstatement, but the problem has added 48 hours to the time it will take me to launch this box.

I installed 4.0-Release from CDs on a box for a client.  I then cvsup'd to 4.0-STABLE.   Then I did the make world, the install world, the kernel, and the merge.  I rebooted and then tried to connect to the box via ssh.  I couldn't.  Checking /var/log/messages I found the following:

sshd[159]: ** RSAPrivateDecrypt: Unable to find an RSAREF 
       shared library (librsaref.so). 
       Install the /usr/ports/security/rsaref port or 
       package and run this program again. See the OpenSSL 
       chapter in the FreeBSD Handbook, located at 
       http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html, for more 
       information.
sshd[159]: fatal: c() failed.

Now I knew the above wasn't right.  I had performed that type of install many times before and never had to install rsaref manually.  I figured something must be broke.

So I checked the archives, found nothing in questions (I should have searched -stable though!) so I fired off a message.  It appears I was not alone.  See the following messages which refer to this problem:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=85833+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=127987+0+current/freebsd-stable
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=130069+0+current/freebsd-stable

So what caused this mess?

It appears that crypto was broken as part of an attempt to unify the main (freefall) and international (internat) repositories.  Essentially, rsa_eay.c was removed from the repository, which means your ssh daemon won't be compiled with everything it needs.

The fix

The fix, which I have yet to confirm actually fixes the problem, is to add src-crypto-rsa to your secure supfile.  Here is a short extract from my secure-supfile:

# If your network link is a T1 or faster, comment out 
# the following line.
*default compress

## The international secure collections.
cvs-crypto
src-crypto-rsa

The line I added is the last one and is in bold so you can see it more easily.

I will amend this article when I can confirm the fix.

Fixed 11 July 2000
The crypto problem has been fixed.  src-crypto-rsa has been removed. cvs-crypto is now part of cvs-all.  All of your source code is now available from a single cvsup server.  No need to go to an international mirror any more!
