MIT Kerberos and OpenSSH

Jeff Aitken jaitken at aitken.com
Wed Jan 12 12:25:01 PST 2005


On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote:
> > 	There must be a way to get the base system openssh to build against
> > the installed MIT port. 
> 
> Have you asked Mark Murray about this?  I think he has worked
> with Kerberos in the base system.

On a related note, when building the krb5 port in FreeBSD-5.3, it
appears that ksu is not installed.  I'm not sure I understand
fully why this is the case, but it appears that the following
lines in /usr/ports/security/krb5/Makefile:

    CONFIGURE_ENV=          INSTALL="${INSTALL}" YACC=/usr/bin/yacc \
                            CFLAGS="${CFLAGS}"
    MAKE_ARGS=              INSTALL="${INSTALL}"

clobber the value of INSTALL in several of the generated Makefiles.
This only appears to affect ksu because it is the only one where the
install target references INSTALL_SETUID.  After running a 'make' in
the top level, this is what you get in src/clients/Makefile:

    INSTALL=install
    INSTALL_STRIP=
    INSTALL_PROGRAM=install  -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install  -o root -g wheel -m 555
    INSTALL_DATA=install  -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

Note that INSTALL_SETUID references INSTALL, which is not defined as
I would expect; I think the correct value should look like this:

    INSTALL=/usr/bin/install -c -o root -g wheel

Most of the other executables that get installed seem to reference
INSTALL_PROGRAM directly.

Also interesting is that src/clients/ksu/Makefile appears to lack a
defined install-unix target.  All of the other Makefiles have something
that looks like this:

    install-unix::
            for f in klist; do \
              $(INSTALL_PROGRAM) $$f \
                    $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
              $(INSTALL_DATA) $(srcdir)/$$f.M \
                    $(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
            done

I don't know if this is a problem or not.

Anyway, if you remove the CONFIGURE_ENV and MAKE_ARGS definitions in
/usr/ports/security/krb5/Makefile, you get a "correct" Makefile in
src/clients/ksu:

    INSTALL=/usr/bin/install -c -o root -g wheel
    INSTALL_STRIP=
    INSTALL_PROGRAM=install  -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install  -o root -g wheel -m 555
    INSTALL_DATA=install  -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

The krb5 Makefiles are a maze of indirection so I'm not sure I have
this figured out, but figured I'd toss it out and see if anyone else
can confirm or deny.


--Jeff
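
The variable expansion described in the message above, as an added example that is not part of the original post: a small shell/awk helper that resolves INSTALL_SETUID from a generated Makefile so the effective setuid install command can be compared between the two cases. The function name `expand_make_var`, the file names, and the temporary files are assumptions; the variable blocks are constructed from the fragments quoted in the message.

```shell
#!/bin/sh
# Added example. expand_make_var FILE VAR prints VAR from FILE with $(NAME)
# references expanded recursively. Handles plain NAME=value lines only.
expand_make_var() {
    awk -v want="$2" '
        function expand(s, depth,    out, start, len, ref, rest) {
            if (depth > 20) return s              # guard against self-reference
            out = ""
            while (match(s, /\$\([A-Za-z_][A-Za-z0-9_]*\)/)) {
                start = RSTART; len = RLENGTH     # save: recursion resets them
                ref  = substr(s, start + 2, len - 3)
                rest = substr(s, start + len)
                out  = out substr(s, 1, start - 1) expand(vars[ref], depth + 1)
                s = rest
            }
            return out s
        }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            name = substr(line, 1, eq - 1)
            sub(/[ \t]+$/, "", name)
            vars[name] = substr(line, eq + 1)
        }
        END {
            v = expand(vars[want], 0)
            gsub(/[ \t]+/, " ", v)                # collapse runs of blanks
            sub(/^ /, "", v); sub(/ $/, "", v)
            print v
        }
    ' "$1"
}
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed inputs: the two variable blocks quoted in the message.
cat > "$tmp/clobbered.mk" <<'EOF'
INSTALL=install
INSTALL_STRIP=
INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
EOF
cat > "$tmp/expected.mk" <<'EOF'
INSTALL=/usr/bin/install -c -o root -g wheel
INSTALL_STRIP=
INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
EOF
for f in clobbered expected; do
    printf '%s: %s\n' "$f" "$(expand_make_var "$tmp/$f.mk" INSTALL_SETUID)"
done
```

Pointing the function at the real generated src/clients/ksu/Makefile shows which of the two forms a given build produced.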