Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]
Andrea Venturoli
ml at netfence.it
Sat Dec 12 10:21:27 UTC 2020
On 12/11/20 9:23 PM, Benjamin Kaduk wrote:
> It would be useful to give more specifics on the failures, as there's a few
> classes of things that can go wrong.
I thought this would be OT in this thread, but I'll gladly comply :)
> It doesn't look like openssl from
> ports attempts to support the TLS ciphers with kerberos, which would rule
> out the "openssl tries to depend on kerberos" class of issues.
Not sure I understand (too much ignorance on my part).
> I assume,
> then, that you're running into API conflicts where hcrypto and libcrypto
> present similar-named symbols
Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.ml just
forbids compilation if using OpenSSL from ports and GSSAPI from base:
> IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value
Now that I know there are patches for 11.4, I hope I'm not going to need
OpenSSL from ports, so this is losing interest for me.
> (The heimdal in base is quite old anyway, and using an external kerberos
> would be recommended in general if you're using it for much.)
This is an interesting statement.
I barely know what Kerberos is: granted, I know what it was designed for
and what it provides, but for me it's more or less just a dependency of
Samba and related software.
My use cases are:
_ Samba AD DC;
_ Samba AD member file server;
_ various ways of authenticating against Samba (winbindd, pam_ldap,
nss_ldap, saslauthd, etc...);
_ kerberizing NFSv4 has been in my todo list for a while (but with too
low priority for now :)
In spite of everything working, should I abandon Heimdal from base? For
Heimdal from ports?
(Consider Samba is using its own bundled Heimdal, so this would be for
pam_ldap, nss_ldap, saslauthd, ....).
bye & Thanks
av.