The average home user is unlikely to have need of the special security capabilities of kerberos, heimdal, or the various GSSAPI options. Those of us who have no need of it can exclude it from our kernel and world configurations, and also deny any options from ports which require or use it. This is a rather easy adjustment in general, but the complete process includes rebuilding your kernel. For those who would rather avoid customizing their kernel away from the default, a customized make.conf which avoids all things kerberos will be at least as useful as the whole enchilada.
I will provide the make.conf adjustments first, as they are the minimum effective action to eliminate the unneeded security tool and any complications it causes. The adjustments for a custom kernel come after, with a reminder section on rebuilding the kernel. Add the following lines to your /etc/make.conf as general configuration option overrides.
OPTIONS_UNSET+=KERBEROS HEIMDAL MIT HEIMDAL_BASE KERB_GSSAPI GSSAPI_BASE GSSAPI_MIT GSSAPI_HEIMDAL
OPTIONS_SET+=GSSAPI_NONE
In my opinion the port option MIT should instead be named MIT_KERB to make it a bit more specific and obvious; at present, outside of the specific ports that use it, nothing gives it context, which could be problematic.
Below is a list of ports which are in some way tied to kerberos as a dependency. I have this list in my poudriere blacklist, but you can also remove them or simply avoid building them.
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# kerberos or heimdal or gssapi stuff not needed        #
#_______________________________________________________#
net-mgmt/nagstamon
net/rubygem-omniauth-kerberos
security/cyrus-sasl2-gssapi
security/heimdal
security/krb5-appl
security/krb5-devel
security/p5-Authen-Krb5
security/p5-Authen-Krb5-Simple
security/p5-Authen-Simple-Kerberos
security/p5-GSSAPI
security/p5-Heimdal-Kadm5
security/pam_krb5
security/py-flask-kerberos
security/py-gssapi
security/py-kerberos
security/py-pywinrm
security/py-requests-kerberos
security/rubygem-gssapi
www/gitlab-ce
www/mod_auth_gssapi
www/mod_auth_kerb2
Below is a list of ports that you may need to rebuild. Their default options tie them to GSSAPI, which is related to kerberos; after our adjustments those options are no longer needed and, if left enabled, will not function.
benchmarks/polygraph
comms/conserver-com
devel/cvs-devel
devel/rudiments
dns/bind9-devel
dns/bind911
dns/samba-nsupdate
editors/libreoffice
ftp/curl
mail/cyrus-imapd23
mail/cyrus-imapd24
mail/cyrus-imapd25
mail/cyrus-imapd30
mail/dovecot
mail/dovecot-pigeonhole
mail/fetchmail
mail/mailutils
mail/mutt
net/nss_ldap
net/ocserv
net/openldap24-server
net/wireshark
net-mgmt/adcli
news/inn
print/cups
security/cyrus-sasl2
security/cyrus-sasl2-saslauthd
security/ipsec-tools
security/libssh
security/openssh-portable
security/p5-Authen-SASL
security/putty
security/racoon2
security/sssd
sysutils/msktutil
sysutils/rsyslog8
sysutils/rubygem-winrm
www/lighttpd
www/neon
www/nginx
www/nginx-devel
www/serf
www/squid
www/squid-devel
Making adjustments to /etc/src.conf is another way to customize your kernel or world. These types of adjustments are listed in man 5 src.conf, and the build process is described in man 7 build, if you would like to learn more. The specific lines we will add are below; you could place values after the equal sign, but those are not necessary.
WITHOUT_KERBEROS=
WITHOUT_KERBEROS_SUPPORT=
WITHOUT_GSSAPI=
The next steps are the same as for any kernel and world build and reinstall. It would be a good idea to update your /usr/src first so that you can take care of two things with one rebuild and reinstall, but that is up to you. However, you will certainly need to obtain the source code for your present version of the operating system before attempting only this kerberos removal. Look at the distilled page for updating kernel and world for the steps needed to rebuild.
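Before kicking off a rebuild it is worth confirming that both files actually carry every knob listed above; a missing OPTIONS_UNSET token or WITHOUT_ line silently leaves kerberos in. The following sh script is an added example, not part of the original post or of FreeBSD, and assumes the default /etc/src.conf and /etc/make.conf paths; it reports each missing knob and exits non-zero if any are absent.

```shell
#!/bin/sh
# Added audit helper: check that the kerberos/GSSAPI knobs from this post are
# present in src.conf and make.conf. Paths are the FreeBSD defaults (assumed).

# Knobs expected in src.conf (as WITHOUT_x=) and options expected in make.conf.
SRC_KNOBS="WITHOUT_KERBEROS WITHOUT_KERBEROS_SUPPORT WITHOUT_GSSAPI"
UNSET_OPTS="KERBEROS HEIMDAL MIT HEIMDAL_BASE KERB_GSSAPI GSSAPI_BASE GSSAPI_MIT GSSAPI_HEIMDAL"
SET_OPTS="GSSAPI_NONE"

# Print the combined value of every VAR= / VAR+= assignment in FILE, comments stripped,
# so options split over several OPTIONS_UNSET+= lines are still seen together.
conf_values() {  # conf_values FILE VAR
    sed -e 's/#.*//' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*+\{0,1\}=[[:space:]]*//p" | tr '\n' ' '
}

# Report each expected token missing from VAR's combined value; return 1 if any is missing.
missing_tokens() {  # missing_tokens FILE VAR "tok tok ..."
    have=" $(conf_values "$1" "$2") "
    rc=0
    for tok in $3; do
        case "$have" in
            *" $tok "*) ;;                      # exact word match: MIT must not match GSSAPI_MIT
            *) echo "$2 lacks $tok"; rc=1 ;;
        esac
    done
    return $rc
}

# src.conf: a WITHOUT_ knob counts as set when its line is present; its value is irrelevant.
check_src_conf() {  # check_src_conf FILE
    rc=0
    for knob in $SRC_KNOBS; do
        grep -Eq "^[[:space:]]*$knob[[:space:]]*=" "$1" || { echo "src.conf lacks $knob"; rc=1; }
    done
    return $rc
}

check_make_conf() {  # check_make_conf FILE
    rc=0
    missing_tokens "$1" OPTIONS_UNSET "$UNSET_OPTS" || rc=1
    missing_tokens "$1" OPTIONS_SET "$SET_OPTS" || rc=1
    return $rc
}

# Usage: sh check_krb_knobs.sh --audit   (runs against the live /etc files)
if [ "${1:-}" = "--audit" ]; then
    check_src_conf /etc/src.conf && check_make_conf /etc/make.conf && echo "kerberos knobs present"
fi
```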