Kerberos 5 support for OpenSSH

[ghost]

It appears OpenSSH is building without the '--with-kerberos5' flag rendering sshd unable to support Kerberos authentication. sshd fails config parsing tests raising 'unsupported option' errors and does not enable kerberos authentication support when restarted.

System

• xuname: Void 4.19.50_1 x86_64 GenuineIntel/KVM uptodate rFF
• package: openssh 8.0p1 r2

Expected behavior

Setting the following params in /etc/ssh/sshd_config:

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Should pass sshd's config parsing:

[root@kerberos-1]# sshd -t
[root@kerberos-1]#

Actual behavior

sshd config test fails with unsupported options:

[root@kerberos-1]# sshd -T
/etc/ssh/sshd_config line 52: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 53: Unsupported option KerberosOrLocalPasswd
/etc/ssh/sshd_config line 54: Unsupported option KerberosTicketCleanup
/etc/ssh/sshd_config line 58: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 59: Unsupported option GSSAPICleanupCredentials
reprocess config line 52: Unsupported option KerberosAuthentication
reprocess config line 58: Unsupported option GSSAPIAuthentication
...

Steps to reproduce the behavior

Enable the following params in /etc/ssh/sshd_config:

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Run the sshd config parse test:

[root@kerberos-1]# sshd -T
[root@kerberos-1]#

[ghost]

I believe this is just a change to the build options for the package. CC'ing @xtraeme

[steinex]

The template already has support for this via the "gssapi" build option. It's just not the default because upstream doesn't build with Kerberos support per default either.

So you can just build your own Kerberos-enabled OpenSSH package via ./xbps-src pkg -o gssapi openssh.

HTH.