Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.

Markus Schmidt markus at blueflash.cc
Fri Mar 22 21:43:27 AEDT 2019


It seems it is currently not possible to compile openssh (nonportable) 
with Kerberos support on openbsd (6.4).

Partly include files are missing, partly the Makefile needs to be 
changed to find the relevant includes and libs.

Also, with the current OpenBSD heimdal, AFS support isn't available, so 
I borrowed the USE_AFS mechanism from the portable version (session.c).

The patch is rather trivial and doesn't touch anything if the Makefile 
has KERBEROS5 set to "no".  If it is set to "yes", the patch allows the 
build to succeed, which probably nobody has tried in a long time on a 
recent plain install of OpenBSD.


I would file this as a bug in bugzilla too, but it appears the bugzilla 
is for the portable version, so I didn't.



Markus

-------------- next part --------------
diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c	Mon Jul  9 23:35:50 2018
+++ ssh/auth-krb5.c	Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "misc.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c	Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c	Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
 #include "auth.h"
 #include "ssh2.h"
 #include "log.h"
+#include "misc.h"
 #include "dispatch.h"
 #include "sshbuf.h"
 #include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c	Mon Jul  9 23:37:55 2018
+++ ssh/gss-serv.c	Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
 
 #include <sys/types.h>
 #include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
 
 #ifdef GSSAPI
 
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c	Thu Oct  4 02:10:11 2018
+++ ssh/session.c	Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
 #include "sftp.h"
 #include "atomicio.h"
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
 
@@ -1274,7 +1274,7 @@
 	 */
 	environ = env;
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 	/*
 	 * At this point, we check to see if AFS is active and if we have
 	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
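Review bot: Nothing in session.c says where USE_AFS comes from, so a reader of the new `#if defined(KRB5) && defined(USE_AFS)` guard here (and the identical one around `#include <kafs.h>` in the hunk at line 88) cannot tell that a KRB5-only build now skips the AFS step this comment describes. I would add a comment above the guard, e.g. `/* USE_AFS is defined by KRB5AFS=yes in sshd/Makefile and needs libkafs */`, and tag the matching close as `#endif /* KRB5 && USE_AFS */`. The guarded block and its `#endif` lie outside this hunk, so the placement of the closing tag has to be checked against the full file.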
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile	Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
 KERBEROS5=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
 .endif # KERBEROS5
 
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 DPADD+=  ${LIBGSSAPI} ${LIBKRB5}
 LDADD+=  -lgssapi -lkrb5 -lasn1
 LDADD+=  -lwind -lroken -lcom_err -lpthread -lheimbase
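Review bot: The added `LDFLAGS+= -L${DESTDIR}/usr/local/lib` puts the whole ports library directory on the search path, and since `-L` directories are normally searched before the default ones, a ports library that shares a name with a base library on the link line could be linked in place of the base copy. The same line appears in the sshd/Makefile hunk, where it matters more because sshd is the privileged binary. If only Heimdal's own directory is needed, I would drop the bare `/usr/local/lib` entry and put the prefix behind one overridable variable, e.g. `HEIMDAL_PREFIX?= /usr/local/heimdal` with `CFLAGS+= -I${HEIMDAL_PREFIX}/include -DKRB5 -DGSSAPI` and `LDFLAGS+= -L${HEIMDAL_PREFIX}/lib` (`HEIMDAL_PREFIX` is a suggested name, not an existing variable). This hunk also passes only the heimdal include directory while sshd/Makefile adds `/usr/local/include` as well; the two should agree, or the difference should be commented.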
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile	Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
 .include <bsd.own.mk> # for KERBEROS and AFS
 
 KERBEROS5=no
+KRB5AFS=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+=  auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+=  -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+=    auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
 .endif
 
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+=  -DUSE_AFS
+.endif
+
+
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
 .endif
 
 .if (${OPENSSL:L} == "yes")
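Review bot: `KRB5AFS` is tested independently of `KERBEROS5`, so `KRB5AFS=yes` with `KERBEROS5=no` still adds `-DUSE_AFS` and `-lkafs`, even though the session.c code that USE_AFS enables is also guarded by `KRB5`. The link would then depend on a library that, per the added comment, is not available. Both new `.if (${KRB5AFS:L} == "yes")` tests could become `.if (${KERBEROS5:L} == "yes") && (${KRB5AFS:L} == "yes")`, or be nested inside the existing KERBEROS5 blocks. The two comments say kafs is "currently not available", which reads as if the knob can never work; a line stating what must be installed before setting `KRB5AFS=yes` would be clearer.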

