From: Curry Searle
Date: Tue, 11 Jan 2005 09:08:02 -0600
To: Jeremie Le Hen
Cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH

You probably want to define one of the following examples from
/etc/defaults/make.conf in your /etc/make.conf:

# Kerberos IV
# If you want KerberosIV (KTH eBones), define this:
#
#MAKE_KERBEROS4= yes
#
#
# Kerberos 5
# If you want Kerberos 5 (KTH Heimdal), define this:
#
#MAKE_KERBEROS5= yes
#
# Kerberos 5 su (k5su)
# If you want to use the k5su utility, define this to have it installed
# set-user-ID.
#ENABLE_SUID_K5SU= yes
#
#
# Kerberos5
# If you want to install MIT Kerberos5 port somewhere other than /usr/local,
# define this (this is also used to tell ssh1 that kerberos is needed):
#
#KRB5_HOME= /usr/local

Jeremie Le Hen wrote:
>> Is there a way to get the default BSD 5.3 openssh to compile
>>against the MIT kerberos libraries? I have set NO_KERBEROS=yes in
>>/etc/make.conf so that the heimdal kerberos is not built, and rebuilt
>>world, then installed /usr/ports/security/krb5 and rebuilt world again.
>>sshd is however not being built against MIT at all.
>>
>>[root@foobar] ~ # ldd /usr/sbin/sshd
>>/usr/sbin/sshd:
>>        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
>>        libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
>>        libz.so.2 => /lib/libz.so.2 (0x280d3000)
>>        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
>>        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
>>        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
>>        libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
>>        libc.so.5 => /lib/libc.so.5 (0x281ff000)
>
>
> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
>
> Hope this helps.
> Regards,

-- 
____________________________________________________
Curry Searle               | searle@unt.edu | Postmaster
www.cas.unt.edu/~searle    | Unix Hosts
College of Arts & Sciences | Windows Desktops
Computing Support Services | Security Liaison
www.cascss.unt.edu         |
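
Added example, not part of the original message or of FreeBSD: a small sh function that reads ldd output and reports whether a binary is linked against Kerberos libraries under KRB5_HOME (the MIT port prefix from the make.conf excerpt above) or elsewhere. The function name, the library-name patterns, the "elsewhere means base-system Heimdal" reading and the second sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify Kerberos linkage from `ldd` output read on stdin.
# Prints: none  - no Kerberos/GSSAPI library linked
#         port  - libraries resolve under KRB5_HOME (default /usr/local)
#         base  - libraries resolve elsewhere (assumed: base Heimdal, /usr/lib)
#         mixed - both kinds appear
krb_linkage() {
    prefix="${KRB5_HOME:-/usr/local}"
    port=0
    base=0
    while read -r name arrow path rest; do
        [ "$arrow" = "=>" ] || continue   # skip the "binary:" header line
        case "$name" in
            libkrb5.so*|libgssapi*.so*|libk5crypto.so*) ;;
            *) continue ;;
        esac
        case "$path" in
            "$prefix"/*) port=1 ;;
            *)           base=1 ;;
        esac
    done
    if [ "$port" -eq 1 ] && [ "$base" -eq 1 ]; then echo mixed
    elif [ "$port" -eq 1 ]; then echo port
    elif [ "$base" -eq 1 ]; then echo base
    else echo none
    fi
}

# Excerpt of the ldd output quoted in the thread (NO_KERBEROS=yes build).
sample_thread() { cat <<'EOF'
/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample (not from the thread): sshd linked against the MIT port.
sample_mit() { cat <<'EOF'
/usr/sbin/sshd:
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28100000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28120000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

sample_thread | krb_linkage   # none
sample_mit | krb_linkage      # port
```

On a live host the same check is `ldd /usr/sbin/sshd | krb_linkage`, with KRB5_HOME exported if the port was installed under a different prefix.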