Date: Sat, 12 Dec 2020 11:21:14 +0100 From: Andrea Venturoli <ml@netfence.it> To: Benjamin Kaduk <kaduk@mit.edu> Cc: freebsd-security@freebsd.org Subject: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl] Message-ID: <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it> In-Reply-To: <20201211202315.GK64351@kduck.mit.edu> References: <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> <20201211202315.GK64351@kduck.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/11/20 9:23 PM, Benjamin Kaduk wrote: > It would be useful to give more specifics on the failures, as there's a few > classes of things that can go wrong. I thought this would be OT in this thread, but I'll gladly comply :) > It doesn't look like openssl from > ports attempts to support the TLS ciphers with kerberos, which would rule > out the "openssl tries to depend on kerberos" class of issues. Not sure I understand (too much ignorance on my part). > I assume, > then, that you're running into API conflicts where hcrypto and libcrypto > present similar-named symbols Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.ml just forbids compilation if using OpenSSL from ports and GSSAPI from base: > IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value Now that I know there are patches for 11.4, I hope I'm not going to need OpenSSL from ports, so this is losing interest for me. > (The heimdal in base is quite old anyway, and using an external kerberos > would be recommended in general if you're using it for much.) This is an interesting statement. I barely know what Kerberos is: granted, I know what it was designed for and what it provides, but for me it's more or less just a dependency of Samba and related software. My uses cases are: _ Samba AD DC; _ Samba AD member file server; _ various ways of authenticating against Samba (winbindd, pam_ldap, nss_ldap, saslauthd, etc...); _ kerberizing NFSv4 has been in my todo list for a while (but with too low priority for now :) In spite of everything working, should I abandon Heimdal from base? For Heimdal from ports? (Consider Samba is using it's own bundled Heimdal, so this would be for pam_ldap, nss_ldap, saslauthd, ....). bye & Thanks av.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?08c18c5e-d0fe-16c2-dd17-af5162fd8716>