OpenSSH-3.5p1 with Kerberos on Mac OS X.2

Steven Michaud smichaud at pobox.com
Sun Jan 12 18:15:01 EST 2003


Peter D. Barnes, Jr. wrote:

> I've advanced three patches:
>
> Simon Wilkinson's patch,
> Steven Michaud's patch,
> Alexandra Ellwood's fix for the krb5_init_ets linker error
>
> from OpenSSH-3.4p1 to OpenSSH-3.5p1 as a single patch, available at
> http://home.fnal.gov/~pdbarnes/openSSH.html
>
> Enjoy,
> Peter
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
>
I tried out your patch, and it works for me.

Do be aware that if you don't also patch OS X's SecurityServer and 
Security framework, you are at least theoretically open to exploits by 
people with accounts on your system, because ssh sessions will have 
access to the root authorization session.  See Alexandra Ellwood's 
message to the krbdev list of 10/2/2002 
(http://mailman.mit.edu/pipermail/krbdev/2002/000761.html) and my 
message of 11/11/2002 
(http://mailman.mit.edu/pipermail/krbdev/2002/000907.html) for more 
information.

Do run autoreconf after applying the patch, instead of autoconf.  My 
OpenSSH patch already contains a fix for the krb5_init_ets problem.  If, 
after having applied your patch, you had run autoreconf instead of 
autoconf, you wouldn't have seen complaints about _krb5_init_ets being 
undefined.

In the course of thoroughly checking out your patch, I hand-upgraded 
both Simon Wilkinson's patch and my own patch to the 3.5p1 level.  Since 
I went to the trouble, I'll post these patches to the krbdev list on 
Monday.  (I won't post them now, because the size of the patches would 
cause any message containing them to be held for the moderator, so they 
probably wouldn't appear until Monday anyway.)

When I diffed the results of applying my patches with the results of 
applying yours, I noticed a few minor differences (besides cosmetic 
ones, that is):

1) My patch doesn't contain your fix for the krb5_init_ets problem ... 
and (as I explained above) it doesn't need to.

2) In your patch to compat.h, you define SSH_OLD_GSSAPI and 
SSH_BUG_PROBE to the same value (0x00800000).  SSH_BUG_PROBE is new as 
of OpenSSH 3.5p1.  So I changed Simon Wilkinson's SSH_OLD_GSSAPI to 
0x01000000 so as not to conflict with it.

3) I've made the logic of the GSI/Globus block in configure.ac slightly 
different from what it is in your patch.  I haven't tried compiling with 
GSI support, and I actually think either of our patches would "work". 
But I think my patch better preserves the new logic (new with OpenSSH 
3.5p1) that checks the OpenSSL version numbers and decides whether or 
not to use crypt() from libcrypt.

4) Finally, I've made one revision to my patch (at line 1772 of the 
original OpenSSH 3.5p1 configure.ac) to better detect when Heimdal is 
being used.
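The compat.h conflict in point 2 above is easy to state but worth seeing concretely: OpenSSH keeps per-peer quirks in a bitmask, so two flags that share a bit value cannot be told apart, and marking a peer as using old GSSAPI would also make it look like it has the PROBE bug. The following is an added illustration, not code from OpenSSH or from either patch. Only the flag names SSH_OLD_GSSAPI and SSH_BUG_PROBE and the two values 0x00800000 and 0x01000000 come from the message; the suffixed macro names, the helper functions and the disjointness check are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values from the message: the merged patch gave SSH_OLD_GSSAPI the
   same value that OpenSSH 3.5p1 assigns to SSH_BUG_PROBE (0x00800000),
   and the fix moved SSH_OLD_GSSAPI to 0x01000000.  The _CLASHING/_FIXED
   suffixes are hypothetical names used only to hold both values at once. */
#define SSH_BUG_PROBE           0x00800000u
#define SSH_OLD_GSSAPI_CLASHING 0x00800000u /* value in the merged patch */
#define SSH_OLD_GSSAPI_FIXED    0x01000000u /* value chosen to avoid the clash */

/* Constructed stand-in for a compat check: does the bitmask say the peer
   has the PROBE bug? */
bool peer_has_probe_bug(uint32_t compat)
{
    return (compat & SSH_BUG_PROBE) != 0;
}

/* Constructed stand-in for marking a peer as using old GSSAPI, with the
   flag value passed in so both definitions can be compared. */
uint32_t mark_old_gssapi(uint32_t compat, uint32_t old_gssapi_flag)
{
    return compat | old_gssapi_flag;
}

/* Hypothetical sanity check for a flag table: every flag must be exactly
   one bit, and no two flags may share a bit.  Returns false on the first
   violation, which is exactly the situation the merged patch created. */
bool flags_are_disjoint(const uint32_t *flags, size_t n)
{
    uint32_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t f = flags[i];
        if (f == 0 || (f & (f - 1)) != 0)
            return false; /* zero or more than one bit set */
        if (seen & f)
            return false; /* bit already claimed by an earlier flag */
        seen |= f;
    }
    return true;
}

int main(void)
{
    uint32_t clashing = mark_old_gssapi(0, SSH_OLD_GSSAPI_CLASHING);
    uint32_t fixed = mark_old_gssapi(0, SSH_OLD_GSSAPI_FIXED);

    /* With the clashing value, an old-GSSAPI peer is misreported as
       having the PROBE bug; with the fixed value it is not. */
    printf("clashing: peer_has_probe_bug=%d\n", peer_has_probe_bug(clashing));
    printf("fixed:    peer_has_probe_bug=%d\n", peer_has_probe_bug(fixed));

    const uint32_t bad[] = { SSH_BUG_PROBE, SSH_OLD_GSSAPI_CLASHING };
    const uint32_t good[] = { SSH_BUG_PROBE, SSH_OLD_GSSAPI_FIXED };
    printf("disjoint(bad)=%d disjoint(good)=%d\n",
           flags_are_disjoint(bad, 2), flags_are_disjoint(good, 2));
    return 0;
}
```

The disjointness check is the kind of thing worth running once over the whole compat flag table after merging two patches that each add flags, since a collision like this one produces no compiler warning and only shows up as a peer being treated as having a quirk it does not have.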