Building OpenSSH with Heimdal/Kerberos on OpenBSD

Markus Schmidt markus at
Sat Mar 16 02:58:49 AEDT 2019

I'm new to OpenBSD, so please excuse if some of the following questions 
are stupid (I did google).

Am I supposed to build OpenSSH from the non-portable version with 
Kerberos on a rather fresh install of OpenBSD 6.4?

I did download OpenSSH-7.9, followed instructions in README and it 
builds ok.

I have installed heimdal via pkg_add and have the commands, and the libs 
are in /usr/local/heimdal/libs. kinit works.

SSH: -------

When I go to the ssh folder and edit the makefile to set kerberos=yes I 
get errors.  I had to change the kerberos include path and add an LDFLAG to 
point it to the heimdal lib folder.

Then it was choking on the missing -lcom_err and I had to point it to 
/usr/local/lib as well.  (Meanwhile I had compiled heimdal from the 
ports package, so I don't know if it was there in the first 
place or came with the heimdal compile).

Then it turned out that gss-genr.c needed to be added to SRCS in the 

I guess the lib paths may be my lack of understanding OpenBSD, but the 
missing source looks like a bug in the Makefile to me.

SSHD: -------

Similar things happened with sshd.  Once I added the lib-paths and 
include-paths, I got error messages. Essentially some include files were 
missing in various files to make them compile, e.g. in gss-serv.c

QUESTIONS: -------

I guess the missing paths are my fault one way or another, but I wonder 
if I should compile it based on heimdal or (seeing the different 
include path originally pointing to "/usr/include/KerberosV") if I 
should use a different kerberos package (self compiled MIT or something).

Also, judging from the compile errors in sshd, once -DGSSAPI is enabled, 
I guess these are real errors.

So another question is, if it is so unusual to use OpenBSD with ssh and 
Kerberos, that nobody tried it in a long time.  Should I build the 
portable version instead or what else should I do (make a patch, if so, 
including the new lib paths?)


Markus Schmidt

More information about the openssh-unix-dev mailing list