Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.
Markus Schmidt
markus at blueflash.cc
Fri Mar 22 21:43:27 AEDT 2019
It seems it is currently not possible to compile openssh (nonportable)
with Kerberos support on openbsd (6.4).
Partly include files are missing, partly the Makefile needs to be
changed to find the relevant includes and libs.
Also, with the current OpenBSD heimdal, AFS support isn't available, so
I borrowed the USE_AFS mechanism from the portable version (session.c).
The patch is rather trivial and doesn't touch anything if the Makefile
has KERBEROS5 set to "no". If set to "yes", it allows the build to go through,
which probably nobody has tried in a long time on a recent plain install of
OpenBSD.
I would file this as a bug in bugzilla too, but it appears the bugzilla
is for the portable version, so I didn't.
Markus
-------------- next part --------------
diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c Mon Jul 9 23:35:50 2018
+++ ssh/auth-krb5.c Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
#include "ssh.h"
#include "packet.h"
#include "log.h"
+#include "misc.h"
#include "sshbuf.h"
#include "sshkey.h"
#include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
#include "auth.h"
#include "ssh2.h"
#include "log.h"
+#include "misc.h"
#include "dispatch.h"
#include "sshbuf.h"
#include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c Mon Jul 9 23:37:55 2018
+++ ssh/gss-serv.c Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
#include <sys/types.h>
#include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
#ifdef GSSAPI
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c Thu Oct 4 02:10:11 2018
+++ ssh/session.c Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
#include "sftp.h"
#include "atomicio.h"
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
#endif
@@ -1274,7 +1274,7 @@
*/
environ = env;
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
/*
* At this point, we check to see if AFS is active and if we have
* a valid Kerberos 5 TGT. If so, it seems like a good idea to see
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
KERBEROS5=no
.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
.endif # KERBEROS5
.include <bsd.prog.mk>
.if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
DPADD+= ${LIBGSSAPI} ${LIBKRB5}
LDADD+= -lgssapi -lkrb5 -lasn1
LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
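Review bot: The added `LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib` puts two ports directories ahead of the default library search path for every `-l` entry in LDADD, not only the Heimdal ones, so a same-named library under /usr/local/lib would be linked in preference to the base copy. The same line is added in sshd/Makefile, where it matters more because the result is the privileged daemon and its authentication path then depends on libraries that are not maintained with the base system. If nothing directly under /usr/local/lib is needed (not visible from this hunk), keep only `-L${DESTDIR}/usr/local/heimdal/lib`. This hunk also adds only the heimdal include directory to CFLAGS while sshd/Makefile adds `-I${DESTDIR}/usr/local/include` as well; the two should agree.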
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
.include <bsd.own.mk> # for KERBEROS and AFS
KERBEROS5=no
+KRB5AFS=no
.if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+= -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
.endif
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+= -DUSE_AFS
+.endif
+
+
.include <bsd.prog.mk>
.if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
.endif
.if (${OPENSSL:L} == "yes")
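Review bot: `KRB5AFS` is tested independently of `KERBEROS5`, so `KRB5AFS=yes` with `KERBEROS5=no` still adds `-DUSE_AFS` and `-lkafs` to a build that has none of the Kerberos flags or Heimdal library paths. session.c in this patch only enables the AFS code when both KRB5 and USE_AFS are defined, so both KRB5AFS conditionals should require both settings, e.g. `.if (${KERBEROS5:L} == "yes") && (${KRB5AFS:L} == "yes")`. A comment next to `KRB5AFS=no` saying that it only takes effect with KERBEROS5=yes and needs a libkafs from outside base would save the next builder a failed link.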