OpenSSH-3.5p1 with Kerberos on Mac OS X.2
smichaud at pobox.com
Sun Jan 12 18:15:01 EST 2003
Peter D. Barnes, Jr. wrote:
> I've advanced three patches:
> Simon Wilkinson's patch,
> Steven Michaud's patch,
> Alexandra Ellwood's fix for the krb5_init_ets linker error
> from OpenSSH-3.4p1 to OpenSSH-3.5p1 as a single patch, available at
> krbdev mailing list krbdev at mit.edu
I tried out your patch, and it works for me.
Do be aware that if you don't also patch OS X's SecurityServer and
Security framework, you are at least theoretically open to exploits by
people with accounts on your system, because ssh sessions will have
access to the root authorization session. See Alexandra Ellwood's
message to the krbdev list of 10/2/2002
(http://mailman.mit.edu/pipermail/krbdev/2002/000761.html) and my
message of 11/11/2002
(http://mailman.mit.edu/pipermail/krbdev/2002/000907.html) for more
Do run autoreconf after applying the patch, instead of autoconf. My
OpenSSH patch already contains a fix for the krb5_init_ets problem. If,
after having applied your patch, you'd run autoreconf instead of
autoconf, you wouldn't have seen complaints about _krb5_init_ets being
In the course of thoroughly checking out your patch, I hand-upgraded
both Simon Wilkinson's patch and my own patch to the 3.5p1 level. Since
I went to the trouble, I'll post these patches to the krbdev list on
Monday. (I won't post them now, because the size of the patches would
cause any message containing them to be held for the moderator, so they
probably wouldn't appear til Monday anyway.)
When I diffed the results of applying my patches with the results of
applying yours, I noticed a few minor differences (besides cosmetic
ones, that is):
1) My patch doesn't contain your fix for the krb5_init_ets problem ...
and (as I explained above) it doesn't need to.
2) In your patch to compat.h, you define SSH_OLD_GSSAPI and
SSH_BUG_PROBE to the same value (0x00800000). SSH_BUG_PROBE is new as
of OpenSSH 3.5p1. So I changed Simon Wilkinson's SSH_OLD_GSSAPI to
0x01000000 so as not to conflict with it.
3) I've made the logic of the GSI/Globus block in configure.ac slightly
different from what it is in your patch. I haven't tried compiling with
GSI support, and I actually think either of our patches would "work".
But I think my patch better preserves the new logic (new with OpenSSH
3.5p1) that checks the OpenSSL version numbers and decides whether or
not to use crypt() from libcrypt.
4) Finally, I've made one revision to my patch (at line 1772 of the
original OpenSSH 3.5p1 configure.ac) to better detect when Heimdal is
More information about the krbdev