The average home user is unlikely to need the special security capabilities of Kerberos, Heimdal, or the various GSSAPI options. Those of us who have no need for them can exclude them from our kernel and world configurations, and also turn off any port options that require or use them. This is a fairly easy adjustment in general, but the complete process includes rebuilding your kernel. For those who would rather not customize their kernel away from the default, a customized make.conf that avoids all things Kerberos will be at least as useful as the whole enchilada.
I will provide the make.conf adjustments first, as they are the minimum effective action to eliminate the unneeded security tool and any complications it causes. The adjustments for a custom kernel come after, with a reminder section on rebuilding the kernel. Add the following lines to your /etc/make.conf as general configuration option overrides.
OPTIONS_UNSET+=KERBEROS HEIMDAL MIT HEIMDAL_BASE KERB_GSSAPI GSSAPI_BASE GSSAPI_MIT GSSAPI_HEIMDAL
OPTIONS_SET+=GSSAPI_NONE
In my opinion the port option MIT should instead be MIT_KERB to make it a bit more specific and obvious, as at present, away from specific ports, it has no context to clarify it, which could be problematic.
The following is a list of ports that are in some way tied to Kerberos as a dependency. I have these in my poudriere blacklist, but you can simply remove them or avoid building them.
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# kerberos or heimdal or gssapi stuff not needed        #
#_______________________________________________________#
net-mgmt/nagstamon
net/rubygem-omniauth-kerberos
security/cyrus-sasl2-gssapi
security/heimdal
security/krb5-appl
security/krb5-devel
security/p5-Authen-Krb5
security/p5-Authen-Krb5-Simple
security/p5-Authen-Simple-Kerberos
security/p5-GSSAPI
security/p5-Heimdal-Kadm5
security/pam_krb5
security/py-flask-kerberos
security/py-gssapi
security/py-kerberos
security/py-pywinrm
security/py-requests-kerberos
security/rubygem-gssapi
www/gitlab-ce
www/mod_auth_gssapi
www/mod_auth_kerb2
The following ports have options that tie them to GSSAPI by default. GSSAPI is related to Kerberos, and with our adjustments those options are no longer needed and will not function, so you may need to rebuild these ports.
benchmarks/polygraph
comms/conserver-com
devel/cvs-devel
devel/rudiments
dns/bind9-devel
dns/bind911
dns/samba-nsupdate
editors/libreoffice
ftp/curl
mail/cyrus-imapd23
mail/cyrus-imapd24
mail/cyrus-imapd25
mail/cyrus-imapd30
mail/dovecot
mail/dovecot-pigeonhole
mail/fetchmail
mail/mailutils
mail/mutt
net/nss_ldap
net/ocserv
net/openldap24-server
net/wireshark
net-mgmt/adcli
news/inn
print/cups
security/cyrus-sasl2
security/cyrus-sasl2-saslauthd
security/ipsec-tools
security/libssh
security/openssh-portable
security/p5-Authen-SASL
security/putty
security/racoon2
security/sssd
sysutils/msktutil
sysutils/rsyslog8
sysutils/rubygem-winrm
www/lighttpd
www/neon
www/nginx
www/nginx-devel
www/serf
www/squid
www/squid-devel
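To find which installed packages were actually built with one of the options unset above, the following added example (not part of the original post) filters per-option output in the shape `pkg query '%o %Ok %Ov'` prints. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Option names are the ones the page puts in OPTIONS_UNSET.
KRB_OPTS="KERBEROS HEIMDAL MIT HEIMDAL_BASE KERB_GSSAPI GSSAPI_BASE GSSAPI_MIT GSSAPI_HEIMDAL"

# Reads "origin option value" lines on stdin, the shape produced by
#   pkg query '%o %Ok %Ov'
# and prints "origin option" for every listed option still set to "on".
# Matching is by option name only, so a bare MIT in an unrelated port
# would also be reported; check such hits by hand.
krb_options_still_on() {
    awk -v opts="$KRB_OPTS" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($2 in bad) && $3 == "on" { print $1, $2 }
    '
}

# Constructed sample input (not real output from any system).
sample_pkg_query() {
    cat <<'EOF'
ftp/curl GSSAPI_BASE on
ftp/curl GSSAPI_NONE off
security/openssh-portable KERB_GSSAPI on
security/openssh-portable MIT on
security/openssh-portable HEIMDAL off
mail/dovecot GSSAPI_NONE on
www/nginx HTTP_SSL on
EOF
}

# Default: run on the sample. Pass --live on a FreeBSD host to query pkg.
if [ "${1:-}" = "--live" ]; then
    pkg query '%o %Ok %Ov' | krb_options_still_on
else
    sample_pkg_query | krb_options_still_on
fi
```

Any port it prints was built before the make.conf change took effect and is a candidate for a rebuild.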
Adjusting /etc/src.conf is another way to customize your kernel or world. These types of adjustments are listed in man 5 src.conf, and the build process is described in man 7 build, if you would like to learn more. The specific lines we will add are below; you could place values after the equals sign, but they are not necessary.
WITHOUT_KERBEROS=
WITHOUT_KERBEROS_SUPPORT=
WITHOUT_GSSAPI=
The next steps are the same as for any kernel and world build, and reinstall. It would be a good idea to update your
