Date: Tue, 11 Jan 2005 19:16:46 +0200 (SAST)
From: Gareth Hopkins <gareth@za.uu.net>
To: Curry Searle <searle@unt.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH
Message-ID: <20050111191439.M49931@gabba.so.cpt1.za.uu.net>
In-Reply-To: <41E3EBD2.3000202@unt.edu>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org> <41E3EBD2.3000202@unt.edu>

On Tue, 11 Jan 2005, Curry Searle wrote:

CS>You probably want to define one of the following examples from
CS>/etc/defaults/make.conf in your /etc/make.conf:
CS>
CS># Kerberos IV
CS># If you want KerberosIV (KTH eBones), define this:
CS>#
CS>#MAKE_KERBEROS4= yes
CS>#
CS>#
CS># Kerberos 5
CS># If you want Kerberos 5 (KTH Heimdal), define this:
CS>#
CS>#MAKE_KERBEROS5= yes
CS>#
CS># Kerberos 5 su (k5su)
CS># If you want to use the k5su utility, define this to have it installed
CS># set-user-ID.
CS>#ENABLE_SUID_K5SU= yes
CS>#
CS>#
CS># Kerberos5
CS># If you want to install MIT Kerberos5 port somewhere other than /usr/local,
CS># define this (this is also used to tell ssh1 that kerberos is needed):
CS>#
CS>#KRB5_HOME= /usr/local

Howdie,

According to /usr/src/UPDATING of a freshly supped 5.3 machine

<snip>
20030505:
        Kerberos 5 (Heimdal) is now built by default.  Setting
        MAKE_KERBEROS5 no longer has any effect.  If you do NOT
        want the "base" Kerberos 5, you need to set NO_KERBEROS.
</snip>

Will try installing the MIT port from /usr/ports/security/krb5 and setting
KRB5_HOME in /etc/make.conf

CS>Jeremie Le Hen wrote:
CS>> > Is there a way to get the default BSD 5.3 openssh to compile against
CS>> > the MIT kerberos libraries?  I have set NO_KERBEROS=yes in
CS>> > /etc/make.conf so that the heimdal kerberos is not built, and
CS>> > rebuilt world, then installed /usr/ports/security/krb5 and rebuilt
CS>> > world again.  sshd is however not being built against MIT at all.
CS>> >
CS>> > [root@foobar] ~ # ldd /usr/sbin/sshd
CS>> > /usr/sbin/sshd:
CS>> >         libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
CS>> >         libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
CS>> >         libz.so.2 => /lib/libz.so.2 (0x280d3000)
CS>> >         libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
CS>> >         libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
CS>> >         libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
CS>> >         libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
CS>> >         libc.so.5 => /lib/libc.so.5 (0x281ff000)
CS>>
CS>>
CS>> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
CS>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
CS>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
CS>>
CS>> Hope this helps.
CS>> Regards,
CS>
CS>--
CS>____________________________________________________
CS>Curry Searle               |
CS>searle@unt.edu             | Postmaster
CS>www.cas.unt.edu/~searle    | Unix Hosts
CS>College of Arts & Sciences | Windows Desktops
CS>Computing Support Services | Security Liaison
CS>www.cascss.unt.edu         |
CS>_______________________________________________
CS>freebsd-security@freebsd.org mailing list
CS>http://lists.freebsd.org/mailman/listinfo/freebsd-security
CS>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
CS>

---
Gareth Hopkins
Server Operations
UUNET South Africa
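
The ldd check used in the thread, turned into a repeatable test. This is an added example, not part of the original messages: it reports which Kerberos/GSSAPI libraries a binary loads and whether they come from the base system or from the port prefix named by KRB5_HOME, and it also detects a binary that loads them from both. The function names and the second sample are assumptions made for illustration.

```shell
# Classify Kerberos/GSSAPI libraries in `ldd` output read on stdin.
# Prints "<origin> <library> <path>" per match, or "none" if there are none.
#   port = under $KRB5_HOME/lib (default /usr/local, as in make.conf)
#   base = under /usr/lib or /lib (where buildworld installs libraries)
krb_linkage() {
    awk -v prefix="${KRB5_HOME:-/usr/local}" '
        $2 == "=>" && $1 ~ /^lib(krb5|gssapi|k5crypto)/ {
            found = 1
            if (index($3, prefix "/lib/") == 1) origin = "port"
            else if ($3 ~ /^\/(usr\/)?lib\//)   origin = "base"
            else                                origin = "other"
            print origin, $1, $3
        }
        END { if (!found) print "none" }
    '
}

# Succeeds when Kerberos libraries are loaded from both base and port.
krb_mixed() {
    out=$(krb_linkage)
    echo "$out" | grep -q '^port ' && echo "$out" | grep -q '^base '
}

# Abridged from the ldd output quoted in the thread: no Kerberos libraries.
sample_thread() {
    cat <<'EOF'
/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample: library versions and load addresses are made up.
sample_mixed() {
    cat <<'EOF'
/usr/local/sbin/sshd:
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28100000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28120000)
        libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x28190000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x281f2000)
EOF
}

sample_thread | krb_linkage
sample_mixed  | krb_linkage
sample_mixed  | krb_mixed && echo "warning: Kerberos libraries from base and port"
# On a live host: ldd /usr/sbin/sshd | krb_linkage
```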