Date:      Tue, 11 Jan 2005 09:08:02 -0600
From:      Curry Searle <searle@unt.edu>
To:        Jeremie Le Hen <jeremie@le-hen.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: MIT Kerberos and OpenSSH
Message-ID:  <41E3EBD2.3000202@unt.edu>
In-Reply-To: <20050111142739.GK686@obiwan.tataz.chchile.org>
References:  <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org>

You probably want to define one of the following examples from 
/etc/defaults/make.conf in your /etc/make.conf:

# Kerberos IV
# If you want KerberosIV (KTH eBones), define this:
#
#MAKE_KERBEROS4=        yes
#
#
# Kerberos 5
# If you want Kerberos 5 (KTH Heimdal), define this:
#
#MAKE_KERBEROS5=        yes
#
# Kerberos 5 su (k5su)
# If you want to use the k5su utility, define this to have it installed
# set-user-ID.
#ENABLE_SUID_K5SU=      yes
#
#
# Kerberos5
# If you want to install MIT Kerberos5 port somewhere other than /usr/local,
# define this (this is also used to tell ssh1 that kerberos is needed):
#
#KRB5_HOME=             /usr/local


Jeremie Le Hen wrote:
>> Is there a way to get the default BSD 5.3 openssh to compile against
>> the MIT kerberos libraries? I have set NO_KERBEROS=yes in
>> /etc/make.conf so that the heimdal kerberos is not built, and rebuilt
>> world, then installed /usr/ports/security/krb5 and rebuilt world again.
>> sshd is however not being built against MIT at all.
>>
>>[root@foobar] ~ # ldd /usr/sbin/sshd
>>/usr/sbin/sshd:
>>        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
>>        libutil.so.4 => /lib/libutil.so.4 (0x280c7000)
>>        libz.so.2 => /lib/libz.so.2 (0x280d3000)
>>        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000)
>>        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
>>        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
>>        libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000)
>>        libc.so.5 => /lib/libc.so.5 (0x281ff000)
> 
> 
> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
> 
> Hope this helps.
> Regards,

-- 
____________________________________________________
Curry Searle               |
searle@unt.edu             |  Postmaster
www.cas.unt.edu/~searle    |  Unix Hosts
College of Arts & Sciences |  Windows Desktops
Computing Support Services |  Security Liaison
www.cascss.unt.edu         |
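
Added example, not part of the original thread: a check over `ldd` output that reports which Kerberos implementation a rebuilt sshd is linked against, and whether those libraries resolve under the KRB5_HOME prefix. The function names, the library-name heuristic and the second sample (constructed) are assumptions; the first sample is abridged from the ldd output quoted above.

```shell
#!/bin/sh
# Usage on a live host: ldd /usr/sbin/sshd | classify_krb_linkage
# Heuristic (assumption): libk5crypto ships only with MIT Kerberos,
# libasn1 and libroken only with Heimdal; libkrb5 alone is ambiguous.
KRB_RE='^lib(krb5[a-z]*|k5crypto|gssapi[_a-z0-9]*|asn1|roken)[.]so'

# Print one of: mit, heimdal, mixed, kerberos-unknown, none
classify_krb_linkage() {
    awk -v re="$KRB_RE" '
        $1 ~ /^libk5crypto[.]so/     { mit = 1 }
        $1 ~ /^lib(asn1|roken)[.]so/ { heimdal = 1 }
        $1 ~ re                      { krb = 1 }
        END {
            if (mit && heimdal) print "mixed"
            else if (mit)       print "mit"
            else if (heimdal)   print "heimdal"
            else if (krb)       print "kerberos-unknown"
            else                print "none"
        }'
}

# List Kerberos libraries that resolve outside the given prefix
# (for example the KRB5_HOME value from make.conf).
krb_libs_outside_prefix() {
    awk -v re="$KRB_RE" -v p="$1/" '
        $1 ~ re && index($3, p) != 1 { print $1 " -> " $3 }'
}

# Abridged from the ldd output quoted in the thread (no Kerberos at all).
sample_base_sshd() { cat <<'EOF'
/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample: sshd linked against MIT libraries under /usr/local.
sample_mit_sshd() { cat <<'EOF'
/usr/local/sbin/sshd:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28090000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x280f0000)
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28110000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x28130000)
EOF
}
```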


