If a kerberos .hx source file is newer than the .h copy, but the content
is the same, then during buildworld the "cmp -s || cp" command in the
.hx.h rule would do nothing, leaving the .h copy with the older
timestamp. During installworld the rule would again be invoked, causing
a failure as neither cmp or cp would exist in the temporary path.
As the underlying issue should be resolved by r262209, unconditionally
copy the file.
No objection: peter@
Tested by: gjb@
Sponsored by: The FreeBSD Foundation
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
levels. The root of the problem was that make was attempting to run up
to three concurrent asn1_compile commands to produce the three outputs
that it was declared to produce. The failure was caused when the
asn1_compiles were started out of sync and a later one was truncating
the files that another thread was trying to copy. In reality it is
supposed to be run exactly once and all three outputs are produced in
one pass.
Use the same hack as for the parent's Makefile.inc for the compile_et
multi-output rule.
libkafs5 needs a header from libkrb5, it includes this from
${.OBJDIR}/mumble, this used to work fine as long as you happen to have
a krb_err.h in your base system, this doesn't work for bootstrapping or
using a cross-compiler with a different sysroot. This is just a
best-effort bandaid, sufficient parallelism can still break it.
Fix a SRCS override that dropped krb5_err.h.
Discussed with: stas
private shared libraries, instead of hacked-together archives of PIC
objects. This makes it possible to build a static libkrb5 that works.
Reviewed by: stas
Approved by: re (gjb)
that it handles the ERANGE error return case. Without this fix, authentication
of users for certain system setups could fail unexpectedly.
Reported by: Elias Martenson (lokedhs@gmail.com)
Tested by: Elias Martenson (earlier version)
MFC after: 2 weeks
With the current binutils, symbols from libheimtlm.so are loaded because
it is referenced by DT_NEEDED. This feature is not implemented in
mclinker (https://code.google.com/p/mclinker/issues/detail?id=104).
I encountered the same issue when linking with a recent devel/binutils
invoked via clang. This was the only use of DT_NEEDED in the tree so
removing it simplifies toolchain requirements.
Submitted by: Pete Chou <petechou@gmail.com> (mclinker issue)
1. Don't do upgrade_checks when using bmake. As long as we have WITH_BMAKE,
there's a bootstrap complication in ths respect. Avoid it. Make the
necessary changes to have upgrade_checks work wth bmake anyway.
2. Remove the use of -E. It's not needed in our build because we use ?= for
the respective variables, which means that we'll take the environment
value (if any) anyway.
3. Properly declare phony targets as phony as bmake is a lot smarter (and
thus agressive) about build avoidance.
4. Make sure CLEANFILES is complete and use it on .NOPATH. bmake is a lot
smarter about build avoidance and should not find files we generate in
the source tree. We should not have files in the repository we want to
generate, but this is an easier way to cross this hurdle.
5. Have behavior under bmake the same as it is under make with respect to
halting when sub-commands fail. Add "set -e" to compound commands so
that bmake is informed when sub-commands fail.
6. Make sure crunchgen uses the same make as the rest of the build. This
is important when the make utility isn't called make (but bmake for
example).
7. While here, add support for using MAKEOBJDIR to set the object tree
location. It's the second alternative bmake looks for when determining
the actual object directory (= .OBJDIR).
Submitted by: Simon Gerraty <sjg@juniper.net>
Submitted by: John Van Horne <jvanhorne@juniper.net>
of the version map just exported all the symbols, which caused a
binutils bug being triggered when ld fails to link two objects, one
of which exports a versioned version of the symbol, and another --
unversioned. [1]
- Also add version map for libkafs5.
Submitted by: jchandra@ (based on)
This makes our naming scheme more closely match other systems and the
expectations of much third-party software. MIPS builds which are little-endian
should require and exhibit no changes. Big-endian TARGET_ARCHes must be
changed:
From: To:
mipseb mips
mipsn32eb mipsn32
mips64eb mips64
An entry has been added to UPDATING and some foot-shooting protection (complete
with warnings which should become errors in the near future) to the top-level
base system Makefile.
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
kerberos libraries were not linked properly (missing dependencies),
which causes 3rd party applications linking to fail when --as-needed
ld flag is used. I also added the --no-undefined ld(1) flag to make
sure that there're no missing dependencies.
MFC after: 3 days
This change was erronously ommitted from the r185690, and attempt
to simply add the prototype to string.h has revealed that several
contributed programs defined local prototypes for strndup(), controlled
by autoconfed config.h. So, manually change #undef HAVE_STRNDUP to
#define HAVE_STRNDUP 1. Next import of the corresponding program would
regenerate config.h, overriding the changes in this commit.
No objections from: kan
is based on an old implementation from the University of Michigan with lots of
changes and fixes by me and the addition of a Solaris-compatible API.
Sponsored by: Isilon Systems
Reviewed by: alfred
libraries had not had their versions bumped relative to 6.3-REL but
had indeed been changed. We need to bump their version so they can be
properly added to the compat6x port:
libasn1.so.8 libgssapi.so.8 libhdb.so.8 libkadm5clnt.so.8
libkadm5srv.so.8 libkafs5.so.8 libkrb5.so.8 libobjc.so.2
MFC After: 1 day
In the Heimdal distro, only kerberized telnet refers to INET6,
but we don't build it, we use contrib/telnet linked with the
Kerberos libs instead.
Tested with: cmp(1)
similar the the Solaris implementation. Repackage the krb5 GSS mechanism
as a plugin library for the new implementation. This also includes a
comprehensive set of manpages for the GSS-API functions with text mostly
taken from the RFC.
Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
causes them to be recreated (if needed) early, when doing "make
depend" here, before generating headers that depend on them.
This should fix breakages often seen while doing incremental
(NO_CLEAN) cross-builds.
branches but missed HEAD. This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days
Approved by: re (dwhite)
to PRECIOUSLIB from bsd.lib.mk. The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.
Reviewed by: oliver
of releases. The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.
Approved by: re (scottl), markm
Discussed on: freebsd-current, in late April 2004
works before bsd.dep.mk,v 1.44, whether .depend file exists or not,
but the contents of .depend file is wrong. With bsd.dep.mk,v 1.44,
the contents of .depend file is always broken, and build without a
.depend file is broken too. With this change it works reliably in
all cases. Ugh.
- Dropped support for standalone builds, this was only partially
supported anyway, and required so much magic in makefiles that
made life dangerous (e.g., by using the custom yacc rules).
- Got rid of .OBJDIR in makefiles -- makes building of individual
files possible again.
- Made the .x.c transformations -j safe.
- Reprogrammed LDADD to fix static build of some utilities that
was broken.
- Fixed LDFLAGS and DPADD in the WITH_OPENLDAP case -- positively
affects the contents of .depend files.
- Removed redundant .h's from SRCS, only kept those that are
generated.
- libkrb5/ INCS were bogusly installed again with libgssapi/.
- Made build-tools real tools with their own makefiles in
separate directories. This allows us to properly track
their dependencies, etc.
- Faster build, 21% less of makefile code!
Approved by: nectar
Reviewed by: markm
Silence on: arch
(`WITH_OPENLDAP'). Previously, the KDC could fail to start if it was
invoked before `ldconfig'.
This solution was chosen rather than adding an `ldconfig' dependency
to `kerberos' in rcNG, because it is more robust and there is no
guarantee that the LDAP libraries will be in ldconfig's path anyway.
Problem reported by: Sean McNeil <sean@mcneil.com>
looking ${.OBJDIR} work that has the up-side of actually working
in upgrade and make -jN cases.
This needs to be revisited further, and it is conceivable that
the ${.OBJDIR} stuff can be simplified, but the sheer number of
edge cases and other causes make this Hard(tm). For now, this works.
looking ${.OBJDIR} work that has the up-side of actually working
in upgrade and make -jN cases.
This needs to be revisited further, and it is conceivable that
the ${.OBJDIR} stuff can be simplified, but the sheer number of
edge cases and other causes make this Hard(tm). For now, this works.
Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".
As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).
Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.
Tests with openldap20 where successful whereas openldap21 didn't like
the way hdb-ldap accessed openldap (doesn't like non-bind access).
To activate the support put a USE_OPENLDAP=yes in your make.conf.
The OPENLDAPBASE is also optional and points to /usr/local as default.
Approved by: markm
MFC after: 2 weeks