MIT Kerberos and OpenSSH

Gareth Hopkins gareth at za.uu.net
Tue Jan 11 09:16:56 PST 2005


On Tue, 11 Jan 2005, Curry Searle wrote:

CS>You probably want to define one of the following examples from
CS>/etc/defaults/make.conf in your /etc/make.conf:
CS>
CS># Kerberos IV
CS># If you want KerberosIV (KTH eBones), define this:
CS>#
CS>#MAKE_KERBEROS4=        yes
CS>#
CS>#
CS># Kerberos 5
CS># If you want Kerberos 5 (KTH Heimdal), define this:
CS>#
CS>#MAKE_KERBEROS5=        yes
CS>#
CS># Kerberos 5 su (k5su)
CS># If you want to use the k5su utility, define this to have it installed
CS># set-user-ID.
CS>#ENABLE_SUID_K5SU=      yes
CS>#
CS>#
CS># Kerberos5
CS># If you want to install MIT Kerberos5 port somewhere other than /usr/local,
CS># define this (this is also used to tell ssh1 that kerberos is needed):
CS>#
CS>#KRB5_HOME=             /usr/local

Howdie,

	According to /usr/src/UPDATING of a freshly supped 5.3 machine

<snip>

20030505:
        Kerberos 5 (Heimdal) is now built by default. Setting
        MAKE_KERBEROS5 no longer has any effect. If you do NOT
        want the "base" Kerberos 5, you need to set NO_KERBEROS.

</snip>

	Will try installing the MIT port from /usr/ports/security/krb5 and setting
KRB5_HOME in /etc/make.conf.

CS>Jeremie Le Hen wrote:
CS>> > 	Is there a way to get the default BSD 5.3 openssh to compile against
CS>> > the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf
CS>> > so
CS>> > that the heimdal kerberos is not built, and rebuilt world, then installed
CS>> > /usr/ports/security/krb5 and rebuilt world again. sshd is however not
CS>> > being built against MIT at all.
CS>> > 
CS>> > [root at foobar] ~ # ldd /usr/sbin/sshd
CS>> > /usr/sbin/sshd:
CS>> >        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
CS>> >        libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
CS>> >        libz.so.2 => /lib/libz.so.2 (0x280d3000)
CS>> >        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
CS>> >        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
CS>> >        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
CS>> >        libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
CS>> >        libc.so.5 => /lib/libc.so.5 (0x281ff000)
CS>> 
CS>> 
CS>> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
CS>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
CS>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
CS>> 
CS>> Hope this helps.
CS>> Regards,
CS>
CS>-- 
CS>____________________________________________________
CS>Curry Searle               |
CS>searle at unt.edu             |  Postmaster
CS>www.cas.unt.edu/~searle    |  Unix Hosts
CS>College of Arts & Sciences |  Windows Desktops
CS>Computing Support Services |  Security Liaison
CS>www.cascss.unt.edu         |
CS>_______________________________________________
CS>freebsd-security at freebsd.org mailing list
CS>http://lists.freebsd.org/mailman/listinfo/freebsd-security
CS>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
CS>

---
Gareth Hopkins
Server Operations
UUNET South Africa
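
Added example, not part of the original thread or of FreeBSD's own tooling: a shell helper that reads ldd output like the listing quoted above and reports which Kerberos implementation, if any, a binary is linked against. The library-name heuristics and the second (MIT) listing are assumptions constructed for illustration.

```shell
# Classify the Kerberos linkage of a binary from `ldd` output on stdin.
# Assumed heuristics (not from the thread): libk5crypto and libgssapi_krb5
# exist only in MIT krb5; libasn1 and libroken only in Heimdal.
classify_krb_linkage() {
    awk '
        $2 == "=>" {
            if ($1 ~ /^(libk5crypto|libgssapi_krb5)\.so/) mit = 1
            else if ($1 ~ /^(libasn1|libroken)\.so/)      heimdal = 1
            else if ($1 ~ /^(libkrb5|libgssapi)\.so/)     generic = 1
        }
        END {
            if (mit && heimdal) print "mixed"      # both implementations loaded
            else if (mit)       print "mit"
            else if (heimdal)   print "heimdal"
            else if (generic)   print "unknown-krb5"
            else                print "none"
        }'
}

# The ldd listing quoted in the thread (sshd built with NO_KERBEROS=yes).
page_ldd_sample() {
    cat <<'EOF'
/usr/sbin/sshd:
       libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
       libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
       libz.so.2 => /lib/libz.so.2 (0x280d3000)
       libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
       libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
       libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
       libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
       libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample (assumes KRB5_HOME=/usr/local; sonames and addresses made up).
mit_ldd_sample() {
    cat <<'EOF'
/usr/local/sbin/sshd:
       libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28100000)
       libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28120000)
       libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x28190000)
       libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# With a path argument, classify that binary: sh krbcheck.sh /usr/sbin/sshd
[ $# -eq 0 ] || ldd "$1" | classify_krb_linkage
```

A result of "none" on an sshd that is expected to do Kerberos/GSSAPI authentication means the Kerberos options in sshd_config cannot take effect, and "mixed" flags a binary that pulls in both implementations through its dependencies.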

