several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
that it is better to error out when people attempt to build using the
wrong bsd.*.mk files, than to silently ignore the problem.
This means, that after this commit, if you want to build kernel modules
by hand (or via a port) from a head source tree, you *must* make sure
the files in /usr/share/mk are in sync with that tree. If that isn't
possible, for example when you are running on an older FreeBSD branch,
you can:
- Run "make buildenv" from your head source tree, to have the correct
environment setup. (It's advisable to have run "make buildworld", or
at a minimum "make toolchain" first.)
- Alternatively, set MAKESYSPATH to the share/mk directory under your
head source tree. If your build tools are too old, other problems may
still occur.
- Alternatively, use "make -m" and specify the share/mk directory under
your head source tree. Again, build tools that are too old may still
result in trouble.
MFC after: 2 weeks
kernel modules using their old installed /usr/share/mk/bsd.*.mk files,
instead of the updated ones in their source tree. This leads to errors
like:
"sys/conf/kmod.mk", line 111: Malformed conditional (${MK_CLANG_IS_CC} == "no" && ${CC:T:Mclang} != "clang")
Obviously, these errors will go away after a "make installworld", or
alternatively, by using "make buildenv" before attempting to manually
build modules.
However, since it is apparently an expected use case to build using old
.mk files, change the way we test for clang, so it also works when the
MK_CLANG_IS_CC macro doesn't exist.
Note the conditional expressions are becoming rather unreadable now, but
I will attempt to fix that on a followup commit.
MFC after: 2 weeks
installs clang as /usr/bin/cc, /usr/bin/c++ and /usr/bin/cpp.
Note this does *not* disable building and installing gcc, which will
still be available as /usr/bin/gcc, /usr/bin/g++ and /usr/bin/gcpp. If
you want to disable gcc completely, you must use WITHOUT_GCC.
MFC after: 2 weeks
get rid of testing explicitly for clang (using ${CC:T:Mclang}) in
individual Makefiles.
Instead, use the following extra macros, for use with clang:
- NO_WERROR.clang (disables -Werror)
- NO_WCAST_ALIGN.clang (disables -Wcast-align)
- NO_WFORMAT.clang (disables -Wformat and friends)
- CLANG_NO_IAS (disables integrated assembler)
- CLANG_OPT_SMALL (adds flags for extra small size optimizations)
As a side effect, this enables setting CC/CXX/CPP in src.conf instead of
make.conf! For clang, use the following:
CC=clang
CXX=clang++
CPP=clang-cpp
MFC after: 2 weeks
kernel modules that include binary-only code.
More fine-grained control is provided via MK_SOURCELESS_HOST (for native code
that runs on host CPU) and MK_SOURCELESS_UCODE (for microcode).
Reviewed by: julian, delphij, freebsd-arch
Approved by: kib (mentor)
MFC after: 2 weeks
to selectively work around warnings in programs that don't use flexible
array members, but instead define arrays of length 1 at the end of the
struct, and then access those beyond their declared bounds.
MFC after: 1 week
against text. Provide the override switch to turn off the strict
behaviour. Apparently, openssl libcrypto needs it due to assembler
code not being PIC.
Discussed with: bf
MFC after: 2 weeks
defined based on WITH/WITHOUT_CTF settings, default is WITHOUT_CTF,
NO_CTF overrides WITH_CTF (used by Makefile.inc1)
- CTFCONVERT_CMD/NORMAL_CTFCONVERT are now defined to empty string
if make(1) can handle empty commands
- CTFCONVERT_CMD=... is a hack (should be defined to empty string instead):
make(1) should be taught to ignore empty commands silently in compat mode
(as it does in !compat mode, GNU make also silently ignores empty commands)
and to skip printing empty commands in !compat mode
- config(8) should generate ${NORMAL_CTFCONVERT} invocation without '@':
this will allow to simplify kern.pre.mk even more and lessen the number
of shell invocations during kernel build when CTF is turned off
- WITH_CTF can now be converted to usual MK_CTF=yes/no infrastructure
Pointy hat to: fjoe [1]
This is required to override knobs (e.g. WITH_PROFILE) during buildworld
stages in Makefile.inc1 (otherwise the build is stopped due to both WITH_FOO
and WITHOUT_FOO defined).
not disabled in the usual way (by adding it to __DEFAULT_NO_OPTIONS in
share/mk/bsd.own.mk), and because the test for MK_LIBCPLUSPLUS in
Makefile.inc1 was incorrect.
Pointy hat to: dim
MK_LIBCPLUSPLUS=yes to enable). This is a work-in-progress. It works for
me, but is not guaranteed to work for anyone else and may eat your dog.
To build C++ using libc++, add -stdlib=libc++ to your CXX and LD flags.
Bug reports welcome, bug fixes even more welcome...
Approved by: dim (mentor)
libtool.m4. With these fixes libtool will correctly indentify the
system as ELF (and not a.out).
- While here, change the substitutions so they're still correctly
match freebsd1.x, freebsd2.x etc.
With this, I can build various ports on a 10.0-CURRENT system without
hacking or hiding the version number.
This commit should be reverted when there is a cleaner fix in autotools
and/or ports/Mk/bsd.port.mk.
The original patch is from Ed Schouten but needed some additions.
This knob removes the tools that are exclusively used to view and
maintain the databases maintained by utmpx, namely last, users, who,
wtmpcvt, ac, lastlogin and utxrm.
The tool w is not in this list, because it has some other functionality
which is unrelated to utmpx; it is hardlinked to the uptime tool.
uses the .RP macro, a separate cover page is created as page 0 which
is not otherwise output. The bug was hiding by a hack in troffrc
that disables SGR support in grotty(1), which I'm going to remove now.
For POLA reasons, still disable SGR support in grotty(1), by passing
-P-c to groff(1). If we want SGR sequences in these documents, this
can be removed.
MFC after: 1 week
WITH{OUT,}_KERNEL_SYMBOLS (defaulting to WITH). In the fullness of
time, likely around 2020, INSTALL_NODEBUG will be removed. For now,
don't print a warning when using INSTALL_NODEBUG, but that will be
coming soon.
with INET6 equivalents. Patch reather than re-genenerating src.conf
(given the current problem with the script that does the re-gen).
Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 2 weeks
This support has not worked for several years, and is not likely to work
again, unless Intel decides to release a native FreeBSD version of their
compiler. ;)