Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]

Andrea Venturoli ml at netfence.it
Sat Dec 12 10:21:27 UTC 2020


On 12/11/20 9:23 PM, Benjamin Kaduk wrote:

> It would be useful to give more specifics on the failures, as there's a few
> classes of things that can go wrong.

I thought this would be OT in this thread, but I'll gladly comply :)



> It doesn't look like openssl from
> ports attempts to support the TLS ciphers with kerberos, which would rule
> out the "openssl tries to depend on kerberos" class of issues.

Not sure I understand (too much ignorance on my part).



> I assume,
> then, that you're running into API conflicts where hcrypto and libcrypto
> present similar-named symbols

Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.mk just 
forbids compilation if using OpenSSL from ports and GSSAPI from base:
> IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value

Now that I know there are patches for 11.4, I hope I'm not going to need 
OpenSSL from ports, so this is losing interest for me.





> (The heimdal in base is quite old anyway, and using an external kerberos
> would be recommended in general if you're using it for much.)

This is an interesting statement.
I barely know what Kerberos is: granted, I know what it was designed for 
and what it provides, but for me it's more or less just a dependency of 
Samba and related software.

My use cases are:
_ Samba AD DC;
_ Samba AD member file server;
_ various ways of authenticating against Samba (winbindd, pam_ldap, 
nss_ldap, saslauthd, etc...);
_ kerberizing NFSv4 has been on my todo list for a while (but with too 
low priority for now :)

In spite of everything working, should I abandon Heimdal from base? For 
Heimdal from ports?
(Consider Samba is using its own bundled Heimdal, so this would be for 
pam_ldap, nss_ldap, saslauthd, ....).


  bye & Thanks
	av.
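The failure class Benjamin alludes to (base Heimdal's hcrypto and a ports libcrypto loaded into the same process, with similar-named symbols) can be checked for directly on an installed module rather than waiting for gssapi.mk to refuse the build. The script below is an added example, written for this page; it is not from the thread, from the FreeBSD ports framework, or from Samba. It parses ldd(1)-style output and reports whether a binary pulls its Kerberos libraries and libcrypto from one origin (base: /lib, /usr/lib) or mixes base and ports (/usr/local/lib). The sample ldd lines, library version numbers and paths are constructed assumptions, not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the thread or the ports framework): classify the
# shared-library dependencies of one binary as coming from base or ports,
# and flag a process that would load Kerberos libraries and libcrypto from
# different origins. Input is ldd(1)-style text on stdin, e.g.
#   ldd /usr/local/lib/pam_ldap.so | check_krb_linkage
# Paths: /lib and /usr/lib count as base, /usr/local/lib as ports (FreeBSD
# layout, assumed).

# Print "<library> <origin>" for every "lib => path" line, with origin one
# of base | ports | other. Header lines ("/path/to/binary:") have no "=>"
# in the second field and are skipped.
classify_ldd() {
    awk '
        $2 == "=>" {
            lib = $1; path = $3
            if (path ~ /^\/usr\/local\//)       origin = "ports"
            else if (path ~ /^\/(usr\/)?lib\//) origin = "base"
            else                                origin = "other"
            print lib, origin
        }'
}

# Print exactly one word:
#   NONE   no Kerberos libraries linked at all
#   OK     Kerberos libraries and libcrypto (if any) share one origin
#   MIXED  two Kerberos origins, two libcrypto copies, or Kerberos and
#          libcrypto from different origins (the hcrypto/libcrypto
#          symbol-clash situation)
check_krb_linkage() {
    classify_ldd | awk '
        $1 ~ /^(libkrb5|libgssapi|libgssapi_krb5|libhx509|libheimbase|libroken|libasn1)\.so/ { krb[$2] = 1 }
        $1 ~ /^libcrypto\.so/ { ssl[$2] = 1 }
        END {
            nk = 0; for (o in krb) { nk++; korig = o }
            nc = 0; for (o in ssl) { nc++; corig = o }
            if (nk == 0)                   { print "NONE";  exit }
            if (nk > 1 || nc > 1)          { print "MIXED"; exit }
            if (nc == 1 && corig != korig) { print "MIXED"; exit }
            print "OK"
        }'
}

# Constructed ldd-style samples (library versions and paths are assumed,
# not copied from a real system).
# A PAM module linked against base Heimdal but a ports OpenSSL: the
# combination gssapi.mk refuses to build.
SAMPLE_MIXED='/usr/local/lib/pam_ldap.so:
	libldap.so.2 => /usr/local/lib/libldap.so.2 (0x800260000)
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8002a0000)
	libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x8002c0000)
	libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x800300000)
	libc.so.7 => /lib/libc.so.7 (0x800600000)'

# Everything from base: consistent.
SAMPLE_OK='/usr/local/lib/pam_ldap.so:
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8002a0000)
	libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x8002c0000)
	libcrypto.so.111 => /lib/libcrypto.so.111 (0x800300000)
	libc.so.7 => /lib/libc.so.7 (0x800600000)'

# No Kerberos at all.
SAMPLE_NONE='/usr/local/lib/pam_unix.so:
	libc.so.7 => /lib/libc.so.7 (0x800600000)'

# Stand-alone run: report each constructed sample by its header line.
for s in "$SAMPLE_MIXED" "$SAMPLE_OK" "$SAMPLE_NONE"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(printf '%s\n' "$s" | check_krb_linkage)"
done
```

On a real host you would feed it the actual ldd output of each module that the question concerns (pam_ldap, nss_ldap, the saslauthd binary, and so on); a MIXED result on any of them is the situation where picking one Kerberos implementation, base or ports, for the whole stack removes the ambiguity. The check only looks at direct dependencies reported by ldd, so a library dlopen()ed at run time (as some GSSAPI plugins are) would not be seen.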


More information about the freebsd-security mailing list