Why does sshd not start after upgrading openssh to RHEA-2010:0683?

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • OpenSSH update RHEA-2010:0683 (https://rhn.redhat.com/errata/RHEA-2010-0683.html)

Issue

  • A change in the behavior of the openssh package shipped in the RHEA-2010:0683 update (openssh-4.3p2-41.el5_5.1) prevents some systems from starting the sshd daemon when the system-wide openssl.cnf file has been modified.

Resolution

  • Use a separate, explicit openssl.cnf file for the locally run certificate authority (CA) instead of customizing the system-wide one. The updated openssh package (sshd command) now reads the openssl.cnf configuration file through the openssl library (openssl-0.9.8e-12.el5_4.6) in order to load any hardware cryptographic modules (engines) configured there, so every directive in that file is now evaluated in the sshd process environment.

Root Cause

A custom openssl.cnf file containing references to environment variables (such as ENV_TYPE) that are not present in the sshd process environment causes the openssl configuration parser to fail, producing error messages such as the following:

1578:error:0E065068:configuration file routines:STR_COPY:variable value:conf_def.c:629:line 176

This error was due to the following line in the openssl.cnf file:

nsCertType = $ENV::ENV_TYPE
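The following pre-flight check, added here as an illustration and not part of the Red Hat article or the openssh/openssl packages, scans an openssl.cnf file for $ENV::NAME and ${ENV::NAME} references and reports which of them would be unresolved in a given environment. Passing an empty environment approximates what sshd sees when started by init, which is exactly the situation in which the STR_COPY error above appears; running it with the real environment before reusing a CA configuration system-wide is the complement to the resolution given earlier. The sample configuration fragment is constructed for the example and only borrows the nsCertType line from the article.

```python
import os
import re
import sys

# Constructed sample configuration; the nsCertType line mirrors the one
# that broke sshd in the article, the rest is illustrative filler.
SAMPLE_CNF = """\
[ req ]
default_bits = 2048
distinguished_name = req_dn

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = $ENV::ENV_TYPE
subjectAltName = ${ENV::ALT_NAME}
"""

# OpenSSL expands both $ENV::NAME and ${ENV::NAME} from the process environment.
ENV_REF = re.compile(r'\$\{?ENV::([A-Za-z_][A-Za-z0-9_]*)\}?')


def env_references(cnf_text):
    """Return (line_number, variable) for every ENV:: reference in the file.

    Anything after '#' on a line is treated as a comment and ignored, as the
    openssl config parser does.
    """
    refs = []
    for number, line in enumerate(cnf_text.splitlines(), 1):
        code_part = line.split('#', 1)[0]
        for match in ENV_REF.finditer(code_part):
            refs.append((number, match.group(1)))
    return refs


def unresolved_references(cnf_text, environ=None):
    """Return the references whose variable is missing from `environ`.

    `environ` defaults to the caller's own environment; pass {} to emulate
    the near-empty environment of a daemon started by init.
    """
    if environ is None:
        environ = os.environ
    return [(number, var) for number, var in env_references(cnf_text)
            if var not in environ]


def main(argv):
    # Usage: check_openssl_cnf.py [path/to/openssl.cnf]
    # With no argument the embedded sample is checked instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CNF
    problems = unresolved_references(text, environ={})
    if not problems:
        print("no ENV:: references would be unresolved for a daemon with an empty environment")
        return 0
    for number, var in problems:
        print("line %d: $ENV::%s is not set; sshd would fail with a STR_COPY error" % (number, var))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the system file (`python check_openssl_cnf.py /etc/pki/tls/openssl.cnf`) before restarting sshd; a non-zero exit means the file still depends on variables that the daemon will not have.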
  • Component: nss

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.