Markus Schmidt
2019-Mar-22 10:43 UTC
Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.
It seems it is currently not possible to compile openssh (nonportable) with Kerberos support on openbsd (6.4). Partly include files are missing, partly the Makefile needs to be changed to find the relevant includes and libs. Also, with current openbsd heimdal, the AFS support isn't available, so I borrowed the USE_AFS mechanism from the portable version (seesion.c). The patch is rather trivial and doesn't touch anything if the Makefile has KERBEROS5 set to "no". If set to yes, it allows to build, which probably nobody have tried in a long time on a recent plain install of OpenBSD. I would file this as a bug in bugzilla too, but it appears the bugzilla is for the portable version, so I didn't. Markus -------------- next part --------------
diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c Mon Jul 9 23:35:50 2018
+++ ssh/auth-krb5.c Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "misc.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
 #include "auth.h"
 #include "ssh2.h"
 #include "log.h"
+#include "misc.h"
 #include "dispatch.h"
 #include "sshbuf.h"
 #include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c Mon Jul 9 23:37:55 2018
+++ ssh/gss-serv.c Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
 #include <sys/types.h>
 #include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
 #ifdef GSSAPI
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c Thu Oct 4 02:10:11 2018
+++ ssh/session.c Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
 #include "sftp.h"
 #include "atomicio.h"
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
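Review bot: Nothing at this guard records that a KERBEROS5=yes sshd now skips the AFS step unless USE_AFS is also defined; the same `#if defined(KRB5) && defined(USE_AFS)` is applied to the block at line 1274 in the next session.c hunk. A one-line comment above the include would make that visible, for example `/* AFS support is optional: needs kafs.h/libkafs, enabled with KRB5AFS=yes in sshd/Makefile */`. The block guarded in the second hunk continues past the lines shown, so whether anything in it is still needed without AFS cannot be checked from this patch.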
@@ -1274,7 +1274,7 @@
 */
 environ = env;
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 /*
 * At this point, we check to see if AFS is active and if we have
 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
 KERBEROS5=no
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
 .endif # KERBEROS5
 .include <bsd.prog.mk>
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
 LDADD+= -lgssapi -lkrb5 -lasn1
 LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
 .include <bsd.own.mk> # for KERBEROS and AFS
 KERBEROS5=no
+KRB5AFS=no
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+= -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
 .endif
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+= -DUSE_AFS
+.endif
+
+
 .include <bsd.prog.mk>
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
 LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
 .endif
 .if (${OPENSSL:L} == "yes")
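Review bot: The two `.if (${KRB5AFS:L} == "yes")` blocks are not tied to KERBEROS5, so KRB5AFS=yes with KERBEROS5=no still adds `-DUSE_AFS` and `-lkafs` even though session.c only compiles the AFS code when KRB5 is defined as well; testing both, `.if (${KERBEROS5:L} == "yes") && (${KRB5AFS:L} == "yes")`, keeps sshd from being linked against a library none of the compiled code uses. Separately, the new `CFLAGS` line puts `-I${DESTDIR}/usr/local/include` on the search path for every sshd source file, which the ssh/Makefile hunk does not do; if it is not actually needed, dropping it keeps unrelated ports headers from shadowing base headers in a privileged daemon. The hard-coded `/usr/local/heimdal` include and library directories appear in both the ssh/Makefile and sshd/Makefile hunks and would be easier to audit as one variable set in a single place.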
Markus Schmidt
2019-Mar-22 10:58 UTC
[PATCH] Building for Kerberos on OpenBSD openssh (non portable) seems to be broken.
Resending with "[PATCH]" tag. Sorry for the double. Markus On 03.22.19 11:43 , Markus Schmidt wrote:> > It seems it is currently not possible to compile openssh (nonportable) > with Kerberos support on openbsd (6.4). > > Partly include files are missing, partly the Makefile needs to be > changed to find the relevant includes and libs. > > Also, with current openbsd heimdal, the AFS support isn't available, so > I borrowed the USE_AFS mechanism from the portable version (seesion.c). > > The patch is rather trivial and doesn't touch anything if the Makefile > has KERBEROS5 set to "no".? If set to yes, it allows to build, which > probably nobody have tried in a long time on a recent plain install of > OpenBSD. > > > I would file this as a bug in bugzilla too, but it appears the bugzilla > is for the portable version, so I didn't. > > > > Markus > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >-------------- next part --------------
diff -ur ssh-orig/auth-krb5.c ssh/auth-krb5.c
--- ssh-orig/auth-krb5.c Mon Jul 9 23:35:50 2018
+++ ssh/auth-krb5.c Thu Mar 21 10:58:35 2019
@@ -36,6 +36,7 @@
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "misc.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "servconf.h"
diff -ur ssh-orig/auth2-gss.c ssh/auth2-gss.c
--- ssh-orig/auth2-gss.c Tue Jul 31 05:10:27 2018
+++ ssh/auth2-gss.c Thu Mar 21 10:58:35 2019
@@ -34,6 +34,7 @@
 #include "auth.h"
 #include "ssh2.h"
 #include "log.h"
+#include "misc.h"
 #include "dispatch.h"
 #include "sshbuf.h"
 #include "ssherr.h"
diff -ur ssh-orig/gss-serv.c ssh/gss-serv.c
--- ssh-orig/gss-serv.c Mon Jul 9 23:37:55 2018
+++ ssh/gss-serv.c Thu Mar 21 10:58:35 2019
@@ -26,6 +26,8 @@
 #include <sys/types.h>
 #include <sys/queue.h>
+#include <sys/param.h>
+#include <netdb.h>
 #ifdef GSSAPI
diff -ur ssh-orig/session.c ssh/session.c
--- ssh-orig/session.c Thu Oct 4 02:10:11 2018
+++ ssh/session.c Fri Mar 22 10:48:57 2019
@@ -88,7 +88,7 @@
 #include "sftp.h"
 #include "atomicio.h"
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1274,7 +1274,7 @@
 */
 environ = env;
-#ifdef KRB5
+#if defined(KRB5) && defined(USE_AFS)
 /*
 * At this point, we check to see if AFS is active and if we have
 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
diff -ur ssh-orig/ssh/Makefile ssh/ssh/Makefile
--- ssh-orig/ssh/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/ssh/Makefile Fri Mar 22 11:28:18 2019
@@ -18,12 +18,15 @@
 KERBEROS5=no
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
+CFLAGS+= -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= gss-genr.c
 .endif # KERBEROS5
 .include <bsd.prog.mk>
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
 LDADD+= -lgssapi -lkrb5 -lasn1
 LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
diff -ur ssh-orig/sshd/Makefile ssh/sshd/Makefile
--- ssh-orig/sshd/Makefile Wed Jul 25 19:12:35 2018
+++ ssh/sshd/Makefile Fri Mar 22 11:30:14 2019
@@ -19,18 +19,32 @@
 .include <bsd.own.mk> # for KERBEROS and AFS
 KERBEROS5=no
+KRB5AFS=no
 .if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
-SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
+CFLAGS+= -I${DESTDIR}/usr/local/include -I${DESTDIR}/usr/local/heimdal/include -DKRB5 -DGSSAPI
+LDFLAGS+= -L${DESTDIR}/usr/local/lib -L${DESTDIR}/usr/local/heimdal/lib
+SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c gss-genr.c
 .endif
+.if (${KRB5AFS:L} == "yes")
+# kafs.h currently not available (as of openbsd 6.4).
+CFLAGS+= -DUSE_AFS
+.endif
+
+
 .include <bsd.prog.mk>
 .if (${KERBEROS5:L} == "yes")
+# kerberos build will require to build heimdal from ports for additional libs (as of openbsd6.4).
 LDADD+= -lgssapi -lkrb5 -lasn1
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
 DPADD+= ${LIBGSSAPI} ${LIBKRB5}
+.endif
+
+.if (${KRB5AFS:L} == "yes")
+# libkafs currently not available (as of openbsd 6.4).
+LDADD+= -lkafs
 .endif
 .if (${OPENSSL:L} == "yes")