MIT Kerberos and OpenSSH

Curry Searle searle at unt.edu
Tue Jan 11 07:07:58 PST 2005 

You probably want to define one of the following examples from 
/etc/defaults/make.conf in your /etc/make.conf:

# Kerberos IV
# If you want KerberosIV (KTH eBones), define this:
#
#MAKE_KERBEROS4=        yes
#
#
# Kerberos 5
# If you want Kerberos 5 (KTH Heimdal), define this:
#
#MAKE_KERBEROS5=        yes
#
# Kerberos 5 su (k5su)
# If you want to use the k5su utility, define this to have it installed
# set-user-ID.
#ENABLE_SUID_K5SU=      yes
#
#
# Kerberos5
# If you want to install MIT Kerberos5 port somewhere other than /usr/local,
# define this (this is also used to tell ssh1 that kerberos is needed):
#
#KRB5_HOME=             /usr/local


Jeremie Le Hen wrote:
>>	Is there a way to get the default BSD 5.3 openssh to compile 
>>against the MIT kerberos libraries? I have set NO_KERBEROS=yes in 
>>/etc/make.conf so
>>that the heimdal kerberos is not built, and rebuilt world, then installed 
>>/usr/ports/security/krb5 and rebuilt world again. sshd is however not being 
>>built against MIT at all.
>>
>>[root at foobar] ~ # ldd /usr/sbin/sshd
>>/usr/sbin/sshd:
>>        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
>>        libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
>>        libz.so.2 => /lib/libz.so.2 (0x280d3000)
>>        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
>>        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
>>        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
>>        libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
>>        libc.so.5 => /lib/libc.so.5 (0x281ff000)
> 
> 
> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
> 
> Hope this helps.
> Regards,

-- 
____________________________________________________
Curry Searle               |
searle at unt.edu             |  Postmaster
www.cas.unt.edu/~searle    |  Unix Hosts
College of Arts & Sciences |  Windows Desktops
Computing Support Services |  Security Liaison
www.cascss.unt.edu         |

More information about the freebsd-security mailing list