[Bug 277650] Remove supporting linking against Heimdal from base (GSSAPI_BASE)

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 277650] Remove supporting linking against Heimdal from base (GSSAPI_BASE)"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 02 Apr 2024 20:01:14 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277650

--- Comment #11 from Siva Mahadevan <me@svmhdvn.name> ---
Then why not build security/openssh-portable from ports and set the GSSAPI
option there? What are the clear advantages of having kerberos included in base
and forcing GSSAPI support to be enabled in base-provided sshd? Additionally,
aren't current users who depend on base-provided Kerberos subject to any
possible CVEs that have affected Heimdal in base (or MIT krb5 once that gets
hypothetically included into base) since 12 years ago? Heimdal and MIT krb5 are
up-to-date in the ports collection right now.

I agree that kerberos support in sshd is great, since I use it in my own
servers as well. But since I build my own private poudriere repo, I'm able to
quite easily select the latest (with all security patches included) GSSAPI
provider from ports and use that to build ports-provided sshd with GSSAPI
enabled.

-- 
You are receiving this mail because:
You are on the CC list for the bug.