Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.


 




It seems it is currently not possible to compile openssh (nonportable) with Kerberos support on openbsd (6.4).

Partly include files are missing, partly the Makefile needs to be changed to find the relevant includes and libs.

Also, with current openbsd heimdal, the AFS support isn't available, so I borrowed the USE_AFS mechanism from the portable version (session.c).

The patch is rather trivial and doesn't touch anything if the Makefile has KERBEROS5 set to "no". If set to "yes", it allows the build to complete, which probably nobody has tried in a long time on a recent plain install of OpenBSD.


I would file this as a bug in bugzilla too, but it appears the bugzilla is for the portable version, so I didn't.



Markus

diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c	Mon Jul  9 23:35:50 2018
+++ ssh/auth-krb5.c	Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "misc.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c	Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c	Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
 #include "auth.h"
 #include "ssh2.h"
 #include "log.h"
+#include "misc.h"
 #include "dispatch.h"
 #include "sshbuf.h"
 #include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c	Mon Jul  9 23:37:55 2018
+++ ssh/gss-serv.c	Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
 
 #include <sys/types.h>
 #include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
 
 #ifdef GSSAPI
 
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c	Thu Oct  4 02:10:11 2018
+++ ssh/session.c	Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
 #include "sftp.h"
 #include "atomicio.h"
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
 
@@ -1274,7 +1274,7 @@
 	 */
 	environ = env;
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 	/*
 	 * At this point, we check to see if AFS is active and if we have
 	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
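Review bot: With this guard a `KERBEROS5=yes` build no longer runs the AFS check described in the comment below unless `USE_AFS` is also defined, and the only place that defines it is the new `KRB5AFS` knob in sshd/Makefile, which defaults to `no`. A user who relied on AFS tokens at login gets no build-time or runtime indication that the step was compiled out, so I would add a comment above the guard, e.g. `/* AFS token setup is built only with KRB5AFS=yes (USE_AFS); see sshd/Makefile */`. The same condition is applied to the `<kafs.h>` include at line 88, and the guarded block and its `#endif` continue outside this hunk.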
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile	Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
 KERBEROS5=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
 .endif # KERBEROS5
 
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 DPADD+=  ${LIBGSSAPI} ${LIBKRB5}
 LDADD+=  -lgssapi -lkrb5 -lasn1
 LDADD+=  -lwind -lroken -lcom_err -lpthread -lheimbase
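Review bot: `LDFLAGS+= -L${DESTDIR}/usr/local/lib` puts the whole ports library directory ahead of the default search path when linking a base-system binary, so any library there whose name matches one on the `LDADD` lines would be picked in preference to the base one; the same line appears in sshd/Makefile, where the result is a privileged daemon. If every Kerberos library resolves from the heimdal prefix, restricting it to `LDFLAGS+= -L${DESTDIR}/usr/local/heimdal/lib` limits the exposure to that one package. `CFLAGS` here also omits the `-I${DESTDIR}/usr/local/include` that sshd/Makefile adds, and `DPADD` still names `${LIBGSSAPI} ${LIBKRB5}`, which presumably are not defined once the libraries come from ports.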
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile	Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
 .include <bsd.own.mk> # for KERBEROS and AFS
 
 KERBEROS5=no
+KRB5AFS=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+=  auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+=  -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+=    auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
 .endif
 
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+=  -DUSE_AFS
+.endif
+
+
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
 .endif
 
 .if (${OPENSSL:L} == "yes")
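Review bot: The two `KRB5AFS` blocks are evaluated independently of `KERBEROS5`, so `KRB5AFS=yes` with `KERBEROS5=no` still adds `-DUSE_AFS` and `-lkafs` to an sshd that has no Kerberos code and no library search path for it. session.c ignores `USE_AFS` without `KRB5`, but the link line would still ask for libkafs. Conditioning both blocks on both knobs avoids that: `.if (${KERBEROS5:L} == "yes" && ${KRB5AFS:L} == "yes")`.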