diff options
author | netchild <netchild@FreeBSD.org> | 2004-01-25 09:58:39 +0000 |
---|---|---|
committer | netchild <netchild@FreeBSD.org> | 2004-01-25 09:58:39 +0000 |
commit | 7893b4b3fc38b4a6b5ff7668b565608a55c69b6c (patch) | |
tree | e4be62ca43bc34b4fdaa6c8ce359fcdb89d5f2a2 /security | |
parent | c57aca504d09f6ddee1ba4b912b8633f0c9f71e8 (diff) | |
download | FreeBSD-ports-7893b4b3fc38b4a6b5ff7668b565608a55c69b6c.zip FreeBSD-ports-7893b4b3fc38b4a6b5ff7668b565608a55c69b6c.tar.gz |
---snip---
Improve Kerberos support in ssh2:
- Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized
ssh2 automatically is built when MIT Kerberos is installed, unless the
WITHOUT_KERBEROS knob is defined.
- Check for a library unique to MIT Kerberos to make sure it's not Heimdal
that KRB5_HOME accidentally points to.
- Add dependency on security/krb5 when built with Kerberos support.
- When compiled with Kerberos support also turn it on by default in client
and server config files and set "PermitRootLogin" to "nopwd" to only allow
those with root tickets declared in ~root/.k5login" to login as root. [1]
Ssh2 now should work out of the box in an environment using MIT Kerberos.
Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*)
Tested by: Peter Losher <Peter_Losher@isc.org>
---snip---
Submitted by: maintainer
Strange commit log formatting to prevent
ambiguous "Submitted by" lines by: committer
Diffstat (limited to 'security')
-rw-r--r-- | security/ssh2/Makefile | 8 | ||||
-rw-r--r-- | security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config | 10 | ||||
-rw-r--r-- | security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config | 19 |
3 files changed, 35 insertions, 2 deletions
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile index 9d246a4..2cf8bd1 100644 --- a/security/ssh2/Makefile +++ b/security/ssh2/Makefile @@ -7,6 +7,7 @@ PORTNAME= ssh2 PORTVERSION= 3.2.9.1 +PORTREVISION= 1 CATEGORIES= security ipv6 # The list of official mirror sites is at: # http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html @@ -77,9 +78,12 @@ CONFIGURE_ARGS+= --enable-group-writeability # Kerberos5 support in ssh2 is EXPERIMENTAL and requires MIT Kerberos, # Heimdal is unsupported. # -.if defined(WITH_KERBEROS) && defined(KRB5_HOME) && \ - exists(${KRB5_HOME}/lib/libkrb5.a) +.if !defined(WITHOUT_KERBEROS) && defined(KRB5_HOME) && \ + exists(${KRB5_HOME}/lib/libk5crypto.a) +LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5 CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer +EXTRA_PATCHES+= ${FILESDIR}/kerberos-patch-apps::ssh::ssh2_config \ + ${FILESDIR}/kerberos-patch-apps::ssh::sshd2_config .endif .if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \ diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config new file mode 100644 index 0000000..895d04d --- /dev/null +++ b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config @@ -0,0 +1,10 @@ +--- apps/ssh/ssh2_config.orig Wed Jan 21 19:14:28 2004 ++++ apps/ssh/ssh2_config Wed Jan 21 19:26:01 2004 +@@ -76,6 +76,7 @@ + + # AllowedAuthentications publickey,keyboard-interactive,password + # AllowedAuthentications hostbased,publickey,keyboard-interactive,password ++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password + + + # For ssh-signer2 (only effective if set in the global configuration diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config new file mode 100644 index 0000000..089ccc5 --- /dev/null +++ b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config @@ -0,0 +1,19 @@ +--- apps/ssh/sshd2_config.orig Wed Jan 21 19:12:25 2004 ++++ apps/ssh/sshd2_config Wed Jan 21 19:24:11 2004 +@@ -101,6 +101,7 @@ + # AllowedAuthentications publickey,password + # AllowedAuthentications hostbased,publickey,password + # AllowedAuthentications hostbased,publickey,keyboard-interactive ++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password + # RequiredAuthentications publickey,password + # LoginGraceTime 600 + # AuthInteractiveFailureTimeout 2 +@@ -169,7 +170,7 @@ + # AllowGroups staff,users + # DenyGroups guest,anonymous + # PermitRootLogin yes +-# PermitRootLogin nopwd ++ PermitRootLogin nopwd + + ## Chrooted environment + |