Date: Tue, 11 Jan 2005 19:16:46 +0200 (SAST)
From: Gareth Hopkins
To: Curry Searle
cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH

On Tue, 11 Jan 2005, Curry Searle wrote:

CS>You probably want to define one of the following examples from
CS>/etc/defaults/make.conf in your /etc/make.conf:
CS>
CS># Kerberos IV
CS># If you want KerberosIV (KTH eBones), define this:
CS>#
CS>#MAKE_KERBEROS4= yes
CS>#
CS>#
CS># Kerberos 5
CS># If you want Kerberos 5 (KTH Heimdal), define this:
CS>#
CS>#MAKE_KERBEROS5= yes
CS>#
CS># Kerberos 5 su (k5su)
CS># If you want to use the k5su utility, define this to have it installed
CS># set-user-ID.
CS>#ENABLE_SUID_K5SU= yes
CS>#
CS>#
CS># Kerberos5
CS># If you want to install MIT Kerberos5 port somewhere other than /usr/local,
CS># define this (this is also used to tell ssh1 that kerberos is needed):
CS>#
CS>#KRB5_HOME= /usr/local

Howdie,

According to /usr/src/UPDATING of a freshly supped 5.3 machine

20030505:
        Kerberos 5 (Heimdal) is now built by default. Setting
        MAKE_KERBEROS5 no longer has any effect. If you do NOT
        want the "base" Kerberos 5, you need to set NO_KERBEROS.

Will try installing the MIT port from /usr/ports/security/krb5 and setting
KRB5_HOME in /etc/make.conf

CS>Jeremie Le Hen wrote:
CS>> > Is there a way to get the default BSD 5.3 openssh to compile against
CS>> > the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf
CS>> > so that the heimdal kerberos is not built, and rebuilt world, then installed
CS>> > /usr/ports/security/krb5 and rebuilt world again. sshd is however not
CS>> > being built against MIT at all.
CS>> >
CS>> > [root@foobar] ~ # ldd /usr/sbin/sshd
CS>> > /usr/sbin/sshd:
CS>> >         libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
CS>> >         libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
CS>> >         libz.so.2 => /lib/libz.so.2 (0x280d3000)
CS>> >         libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
CS>> >         libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
CS>> >         libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
CS>> >         libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
CS>> >         libc.so.5 => /lib/libc.so.5 (0x281ff000)
CS>>
CS>>
CS>> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
CS>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
CS>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
CS>>
CS>> Hope this helps.
CS>> Regards,
CS>
CS>--
CS>____________________________________________________
CS>Curry Searle                 |
CS>searle@unt.edu               | Postmaster
CS>www.cas.unt.edu/~searle      | Unix Hosts
CS>College of Arts & Sciences   | Windows Desktops
CS>Computing Support Services   | Security Liaison
CS>www.cascss.unt.edu           |
CS>

---
Gareth Hopkins
Server Operations
UUNET South Africa
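
An added example, not part of the original message or of FreeBSD: a shell function that reads `ldd` output like the listing quoted in the thread and reports whether the binary links against MIT Kerberos, Heimdal, or no Kerberos library at all. It assumes that `libk5crypto` and `libgssapi_krb5` identify MIT and that `libasn1` and `libroken` identify Heimdal; the second and third samples and their version numbers are constructed.

```shell
#!/bin/sh
# Added example: classify which Kerberos implementation a binary links against,
# from `ldd` output on stdin. Prints "none", or "<impl> <path of libkrb5>".
# Assumption: libk5crypto/libgssapi_krb5 mark MIT; libasn1/libroken mark Heimdal.
classify_krb() {
    awk '
        $2 == "=>" {                      # "libfoo.so.N => /path (0xaddr)"
            if ($1 ~ /^libkrb5\.so/) path = $3
            if ($1 ~ /^lib(krb5|gssapi)[._]/) krb = 1
            if ($1 ~ /^lib(k5crypto|gssapi_krb5)\.so/) { krb = 1; mit = 1 }
            if ($1 ~ /^lib(asn1|roken)\.so/) heimdal = 1
        }
        END {
            if (!krb) { print "none"; exit }
            impl = "unknown"              # markers missing or mixed
            if (mit && !heimdal) impl = "mit"
            if (heimdal && !mit) impl = "heimdal"
            print impl, (path ? path : "-")
        }'
}

# ldd output quoted in the thread (abbreviated): no Kerberos libraries at all.
sample_page() { cat <<'EOF'
/usr/sbin/sshd:
	libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
	libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
	libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}
# Constructed sample: sshd linked against the MIT port under /usr/local.
sample_mit() { cat <<'EOF'
/usr/local/sbin/sshd:
	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28100000)
	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28120000)
	libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x28190000)
EOF
}
# Constructed sample: sshd linked against base-system Heimdal.
sample_heimdal() { cat <<'EOF'
/usr/sbin/sshd:
	libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x28100000)
	libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x28110000)
	libasn1.so.7 => /usr/lib/libasn1.so.7 (0x28150000)
	libroken.so.7 => /usr/lib/libroken.so.7 (0x28180000)
EOF
}
for s in sample_page sample_mit sample_heimdal; do
    printf '%s: ' "$s"; "$s" | classify_krb
done
```

On a live host the same check is `ldd /usr/sbin/sshd | classify_krb`, run after each rebuild to confirm which library set sshd actually picked up.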