[PATCH] Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.

Markus Schmidt markus at blueflash.cc
Fri Mar 22 21:58:33 AEDT 2019 

Resending with "[PATCH]" tag.

Sorry for the double.


Markus



On 03.22.19 11:43 , Markus Schmidt wrote:
> 
> It seems it is currently not possible to compile openssh (nonportable) 
> with Kerberos support on openbsd (6.4).
> 
> Partly include files are missing, partly the Makefile needs to be 
> changed to find the relevant includes and libs.
> 
> Also, with current openbsd heimdal, the AFS support isn't available, so 
> I borrowed the USE_AFS mechanism from the portable version (seesion.c).
> 
> The patch is rather trivial and doesn't touch anything if the Makefile 
> has KERBEROS5 set to "no".  If set to yes, it allows to build, which 
> probably nobody have tried in a long time on a recent plain install of 
> OpenBSD.
> 
> 
> I would file this as a bug in bugzilla too, but it appears the bugzilla 
> is for the portable version, so I didn't.
> 
> 
> 
> Markus
> 
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-------------- next part --------------
diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c	Mon Jul  9 23:35:50 2018
+++ ssh/auth-krb5.c	Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "misc.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c	Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c	Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
 #include "auth.h"
 #include "ssh2.h"
 #include "log.h"
+#include "misc.h"
 #include "dispatch.h"
 #include "sshbuf.h"
 #include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c	Mon Jul  9 23:37:55 2018
+++ ssh/gss-serv.c	Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
 
 #include <sys/types.h>
 #include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
 
 #ifdef GSSAPI
 
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c	Thu Oct  4 02:10:11 2018
+++ ssh/session.c	Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
 #include "sftp.h"
 #include "atomicio.h"
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
 
@@ -1274,7 +1274,7 @@
 	 */
 	environ = env;
 
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 	/*
 	 * At this point, we check to see if AFS is active and if we have
 	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile	Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
 KERBEROS5=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
 .endif # KERBEROS5
 
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 DPADD+=  ${LIBGSSAPI} ${LIBKRB5}
 LDADD+=  -lgssapi -lkrb5 -lasn1
 LDADD+=  -lwind -lroken -lcom_err -lpthread -lheimbase
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile	Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile	Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
 .include <bsd.own.mk> # for KERBEROS and AFS
 
 KERBEROS5=no
+KRB5AFS=no
 
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+=  auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+=  -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+=    auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
 .endif
 
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+=  -DUSE_AFS
+.endif
+
+
 .include <bsd.prog.mk>
 
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4). 
 LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
 .endif
 
 .if (${OPENSSL:L} == "yes")

More information about the openssh-unix-dev mailing list