From: Cy Schubert
To: freebsd-current@freebsd.org, arch@freebsd.org
cc: jrm@freebsd.org, emaste@freebsd.org
Subject: MIT KRB5 Commits
Date: Wed, 04 Jun 2025 10:02:43 -0700

I will be pushing the first of many MIT KRB5 commits, in this approximate
order.

1. MFV contrib/pam-krb5, the MIT compatible pam_krb5. Not hooked into
   buildworld yet.

2. MFV crypto/krb5, MIT KRB5. Again not hooked into buildworld.

3. Alterations to crypto/krb5 to allow it to build under FreeBSD.

4. share/mk/src.opts.mk: Add WITH_MITKRB5 and MK_MITKRB5, default disabled.
   The reason this is added at this point is subsequent commits that will
   reference MK_MITKRB5 will disable MIT KRB5. Partially because it will be
   disabled at first and partially because the series of commits must be
   completed before it will build. This allows for smaller commits that can
   be easily reviewed. It has been submitted under
   https://reviews.freebsd.org/D50684.

5. krb5: MIT KRB5 itself. By itself this requires changes to existing
   components. This is the lion's share of the additions, 124 files. As
   MK_MITKRB5 is disabled this will not be part of the build until
   WITH_MITKRB5 is added to /etc/src.conf. This also includes
   additions/changes to:

   - share/mk/bsd.libnames.mk
   - share/mk/src.libnames.mk
   - Makefile.libcompat

6. lib/libpam: Conditionally build pam-krb5 when MK_MITKRB5 == yes.

7. lib/Makefile: Conditionally build libcom_err when building Heimdal only.
   Our lib/libcom_err is an extract of Heimdal. The libcom_err bundled with
   MIT KRB5 will be used when MK_MITKRB5 is enabled.

8. secure/libexec/sshd-session/Makefile and secure/ssh.mk. Honour
   MK_MITKRB5 to fix build with MIT KRB5 enabled.

9. Patches to usr.bin/Makefile: compile_et shipped with MIT KRB5 will be
   used when MK_MITKRB5 is enabled. usr.bin/compile_et is a Heimdal extract.

10. Patches to usr.bin/telnet disabling telnet crypto. Telnet crypto uses
    DES which has been removed from newer MIT KRB5 (and newer Heimdal).

11. usr.sbin/gssd: Use MIT KRB5 libraries instead of Heimdal libraries when
    MK_MITKRB5 is enabled.

12. Finally, Makefile.inc1. Add MK_MITKRB5 support and MIT KRB5 prebuild
    libraries.

Is this commit plan sound?

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0