From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 14:24:39 2005
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1F50F16A4CE
	for ; Tue, 11 Jan 2005 14:24:39 +0000 (GMT)
Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A479643D1F
	for ; Tue, 11 Jan 2005 14:24:38 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98])
	by postfix3-1.free.fr (Postfix) with ESMTP id A85601734ED;
	Tue, 11 Jan 2005 15:24:37 +0100 (CET)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000)
	id B4FCE40B9; Tue, 11 Jan 2005 15:27:39 +0100 (CET)
Date: Tue, 11 Jan 2005 15:27:39 +0100
From: Jeremie Le Hen
To: Gareth Hopkins
Message-ID: <20050111142739.GK686@obiwan.tataz.chchile.org>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050110190814.J49931@gabba.so.cpt1.za.uu.net>
User-Agent: Mutt/1.5.6i
cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 11 Jan 2005 14:24:39 -0000

> Is there a way to get the default BSD 5.3 openssh to compile
> against the MIT kerberos libraries?  I have set NO_KERBEROS=yes in
> /etc/make.conf so
> that the heimdal kerberos is not built, and rebuilt world, then installed
> /usr/ports/security/krb5 and rebuilt world again.  sshd is however not being
> built against MIT at all.
>
> [root@foobar] ~ # ldd /usr/sbin/sshd
> /usr/sbin/sshd:
>         libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
>         libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
>         libz.so.2 => /lib/libz.so.2 (0x280d3000)
>         libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
>         libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
>         libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
>         libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
>         libc.so.5 => /lib/libc.so.5 (0x281ff000)

I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
/usr/bin/sshd(8) will obviously NOT be linked with any krb library.
IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.

Hope this helps.
Regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org