summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authornetchild <netchild@FreeBSD.org>2004-01-25 09:58:39 +0000
committernetchild <netchild@FreeBSD.org>2004-01-25 09:58:39 +0000
commit7893b4b3fc38b4a6b5ff7668b565608a55c69b6c (patch)
treee4be62ca43bc34b4fdaa6c8ce359fcdb89d5f2a2 /security
parentc57aca504d09f6ddee1ba4b912b8633f0c9f71e8 (diff)
downloadFreeBSD-ports-7893b4b3fc38b4a6b5ff7668b565608a55c69b6c.zip
FreeBSD-ports-7893b4b3fc38b4a6b5ff7668b565608a55c69b6c.tar.gz
---snip---
Improve Kerberos support in ssh2: - Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized ssh2 automatically is built when MIT Kerberos is installed, unless the WITHOUT_KERBEROS knob is defined. - Check for a library unique to MIT Kerberos to make sure it's not Heimdal that KRB5_HOME accidentally points to. - Add dependency on security/krb5 when built with Kerberos support. - When compiled with Kerberos support also turn it on by default in client and server config files and set "PermitRootLogin" to "nopwd" to only allow those with root tickets declared in ~root/.k5login" to login as root. [1] Ssh2 now should work out of the box in an environment using MIT Kerberos. Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*) Tested by: Peter Losher <Peter_Losher@isc.org> ---snip--- Submitted by: maintainer Strange commit log formatting to prevent ambiguous "Submitted by" lines by: committer
Diffstat (limited to 'security')
-rw-r--r--security/ssh2/Makefile8
-rw-r--r--security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config10
-rw-r--r--security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config19
3 files changed, 35 insertions, 2 deletions
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
index 9d246a4..2cf8bd1 100644
--- a/security/ssh2/Makefile
+++ b/security/ssh2/Makefile
@@ -7,6 +7,7 @@
PORTNAME= ssh2
PORTVERSION= 3.2.9.1
+PORTREVISION= 1
CATEGORIES= security ipv6
# The list of official mirror sites is at:
# http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html
@@ -77,9 +78,12 @@ CONFIGURE_ARGS+= --enable-group-writeability
# Kerberos5 support in ssh2 is EXPERIMENTAL and requires MIT Kerberos,
# Heimdal is unsupported.
#
-.if defined(WITH_KERBEROS) && defined(KRB5_HOME) && \
- exists(${KRB5_HOME}/lib/libkrb5.a)
+.if !defined(WITHOUT_KERBEROS) && defined(KRB5_HOME) && \
+ exists(${KRB5_HOME}/lib/libk5crypto.a)
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
+EXTRA_PATCHES+= ${FILESDIR}/kerberos-patch-apps::ssh::ssh2_config \
+ ${FILESDIR}/kerberos-patch-apps::ssh::sshd2_config
.endif
.if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \
diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config
new file mode 100644
index 0000000..895d04d
--- /dev/null
+++ b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config
@@ -0,0 +1,10 @@
+--- apps/ssh/ssh2_config.orig Wed Jan 21 19:14:28 2004
++++ apps/ssh/ssh2_config Wed Jan 21 19:26:01 2004
+@@ -76,6 +76,7 @@
+
+ # AllowedAuthentications publickey,keyboard-interactive,password
+ # AllowedAuthentications hostbased,publickey,keyboard-interactive,password
++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password
+
+
+ # For ssh-signer2 (only effective if set in the global configuration
diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config
new file mode 100644
index 0000000..089ccc5
--- /dev/null
+++ b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config
@@ -0,0 +1,19 @@
+--- apps/ssh/sshd2_config.orig Wed Jan 21 19:12:25 2004
++++ apps/ssh/sshd2_config Wed Jan 21 19:24:11 2004
+@@ -101,6 +101,7 @@
+ # AllowedAuthentications publickey,password
+ # AllowedAuthentications hostbased,publickey,password
+ # AllowedAuthentications hostbased,publickey,keyboard-interactive
++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password
+ # RequiredAuthentications publickey,password
+ # LoginGraceTime 600
+ # AuthInteractiveFailureTimeout 2
+@@ -169,7 +170,7 @@
+ # AllowGroups staff,users
+ # DenyGroups guest,anonymous
+ # PermitRootLogin yes
+-# PermitRootLogin nopwd
++ PermitRootLogin nopwd
+
+ ## Chrooted environment
+
OpenPOWER on IntegriCloud