Date:      Sat, 12 Dec 2020 11:21:14 +0100
From:      Andrea Venturoli <ml@netfence.it>
To:        Benjamin Kaduk <kaduk@mit.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]
Message-ID:  <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it>
In-Reply-To: <20201211202315.GK64351@kduck.mit.edu>
References:  <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> <20201211202315.GK64351@kduck.mit.edu>

On 12/11/20 9:23 PM, Benjamin Kaduk wrote:

> It would be useful to give more specifics on the failures, as there's a few
> classes of things that can go wrong.

I thought this would be OT in this thread, but I'll gladly comply :)



> It doesn't look like openssl from
> ports attempts to support the TLS ciphers with kerberos, which would rule
> out the "openssl tries to depend on kerberos" class of issues.

Not sure I understand (too much ignorance on my part).



> I assume,
> then, that you're running into API conflicts where hcrypto and libcrypto
> present similar-named symbols

Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.mk just 
forbids compilation if using OpenSSL from ports and GSSAPI from base:
> IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value

Now that I know there are patches for 11.4, I hope I'm not going to need 
OpenSSL from ports, so this is losing interest for me.


> (The heimdal in base is quite old anyway, and using an external kerberos
> would be recommended in general if you're using it for much.)

This is an interesting statement.
I barely know what Kerberos is: granted, I know what it was designed for 
and what it provides, but for me it's more or less just a dependency of 
Samba and related software.

My use cases are:
_ Samba AD DC;
_ Samba AD member file server;
_ various ways of authenticating against Samba (winbindd, pam_ldap, 
nss_ldap, saslauthd, etc...);
_ kerberizing NFSv4 has been on my to-do list for a while (but with too 
low priority for now :)

In spite of everything working, should I abandon Heimdal from base? For 
Heimdal from ports?
(Consider Samba is using its own bundled Heimdal, so this would be for 
pam_ldap, nss_ldap, saslauthd, ....).


  bye & Thanks
	av.
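As an added illustration (not part of this message, nor a file shipped by the FreeBSD ports tree), here is the make.conf combination that satisfies the gssapi.mk check quoted above: OpenSSL from ports together with a Kerberos from ports instead of the base Heimdal. The option names GSSAPI_BASE, GSSAPI_HEIMDAL and GSSAPI_MIT are the ones the ports framework uses for its GSSAPI option group; which of the writer's ports (pam_ldap, nss_ldap, saslauthd's cyrus-sasl2-gssapi, ...) expose that group, and whether Heimdal or MIT is the better fit, is an assumption to be checked per port.

```make
# /etc/make.conf fragment (added example, not from the original message).
# Assumption: the ports being built expose the GSSAPI option group
# (GSSAPI_BASE / GSSAPI_HEIMDAL / GSSAPI_MIT / GSSAPI_NONE).

# Build against OpenSSL from ports rather than the base libcrypto/libssl.
DEFAULT_VERSIONS+=	ssl=openssl

# gssapi.mk refuses "OpenSSL from ports + GSSAPI from base", so move the
# GSSAPI choice off the base Heimdal and onto a Kerberos from ports.
OPTIONS_UNSET+=		GSSAPI_BASE
OPTIONS_SET+=		GSSAPI_HEIMDAL	# or GSSAPI_MIT to use security/krb5
```

To check the result before rebuilding anything, run `make -V IGNORE` in the directory of an affected port (for example security/cyrus-sasl2-gssapi): it prints the refusal text quoted above while the combination is still inconsistent and prints nothing once the port will configure.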


