History log of /freebsd-10.1-release/kerberos5/usr.bin/
Revision Date Author Comments
272461 03-Oct-2014 gjb

Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


236422 01-Jun-2012 obrien

Centralize the specification of the krb5 build tools.


236337 30-May-2012 obrien

* Remove headers from SRCS that are not generated
(and are in /usr/src/crypto/heimdal/).

* Avoid race conditions with 'make -j<N>'.


233294 22-Mar-2012 stas

- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securely forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.

We also now install manpages for some libraries that were not installed
before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.

- Heimdal's KDC now requires sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.

- This is not the latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.


228113 29-Nov-2011 fjoe

Link with -ledit instead of -lreadline.


201919 09-Jan-2010 antoine

Fix a typo.

MFC after: 1 month


201918 09-Jan-2010 antoine

Fix a typo.

MFC after: 1 month


178874 09-May-2008 dfr

Update magic sed script for heimdal-1.1


178828 07-May-2008 dfr

Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.


172766 18-Oct-2007 peter

Remove _FREEFALL_CONFIG hacks


147810 07-Jul-2005 kensmith

This is sort of an MFS. Peter made these changes to the RELENG_*
branches but missed HEAD. This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).

From Peter's commit to the RELENG_* branches:
> Add the freebsd.org cluster's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root

The Makefile tweaks will be MFC-ed, the rest is already done.

MFC after: 3 days
Approved by: re (dwhite)


142406 24-Feb-2005 nectar

Update Heimdal 0.6.1 -> 0.6.3.


139103 21-Dec-2004 ru

Start the dreaded NOFOO -> NO_FOO conversion.

OK'ed by: core


137164 03-Nov-2004 ru

Introduce the PRECIOUSPROG knob in bsd.prog.mk, similar
to PRECIOUSLIB from bsd.lib.mk. The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.

Reviewed by: oliver


128194 13-Apr-2004 nectar

Update version strings for Heimdal: 0.6 -> 0.6.1


125491 05-Feb-2004 ru

style.Makefile(5).

OK'ed by: nectar


125432 04-Feb-2004 ru

Put libraries in the link order.

Reported by: lorder(1) (modified to work with libraries)


125261 31-Jan-2004 ru

Overhaul of kerberos5/ makefiles. Most significant changes are:

- Dropped support for standalone builds, this was only partially
supported anyway, and required so much magic in makefiles that
made life dangerous (e.g., by using the custom yacc rules).

- Got rid of .OBJDIR in makefiles -- makes building of individual
files possible again.

- Made the .x.c transformations -j safe.

- Reprogrammed LDADD to fix static build of some utilities that
was broken.

- Fixed LDFLAGS and DPADD in the WITH_OPENLDAP case -- positively
affects the contents of .depend files.

- Removed redundant .h's from SRCS, only kept those that are
generated.

- libkrb5/ INCS were bogusly installed again with libgssapi/.

- Made build-tools real tools with their own makefiles in
separate directories. This allows us to properly track
their dependencies, etc.

- Faster build, 21% less of makefile code!

Approved by: nectar
Reviewed by: markm
Silence on: arch


120955 09-Oct-2003 nectar

Build and install the verify_krb5_conf(8) utility, which checks
krb5.conf(5) for obvious errors.


120949 09-Oct-2003 nectar

Update build infrastructure for Heimdal 0.6.


117728 18-Jul-2003 markm

Big fixup of the makefiles. Sort out the dependencies so that "make"
without "make depend" works, "make -j N" works, and lists of source
files are made vertical to reduce future diffs.


117675 16-Jul-2003 markm

Very big makeover in the way telnet, telnetd and libtelnet are built.

Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".

As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).

Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.


117182 02-Jul-2003 ru

Fixed "make checkdpadd".

OK'ed by: markm


116517 18-Jun-2003 mr

Add (optional, default off) support to kerberos5 for supporting openldap.
Tests with openldap20 were successful whereas openldap21 didn't like
the way hdb-ldap accessed openldap (doesn't like non-bind access).
To activate the support put a USE_OPENLDAP=yes in your make.conf.
The OPENLDAPBASE is also optional and points to /usr/local as default.

Approved by: markm
MFC after: 2 weeks


114914 11-May-2003 markm

Remove some KRB4 scraps, and allow NOSHARED make worlds to
complete.

OK'ed by: re(scottl)


112049 09-Mar-2003 markm

Post KerberosIV de-orbit: Clean up Kerberos5. We don't need KerberosIV
compatibility mode anymore. Rename the k5foo utils to kfoo (after
repo-copy).


111981 08-Mar-2003 marcel

Don't copy headers from the source tree to the object tree without
making sure the copies in the object tree are writable. When files
in the source tree are not writable (as would be the case for a p4
tree) then a buildworld -DNOCLEAN will try to copy over the existing
non-writable headers. This fails. Instead we cat the headers with
redirection. This is just one of the possibilities.


111946 06-Mar-2003 nectar

Unbreak Kerberos 5 authentication in telnet.
(Credential forwarding is still broken.)

PR: bin/45397


107210 24-Nov-2002 nectar

Update version numbers after import of Heimdal 0.5.1.

Approved by: re


106974 16-Nov-2002 nectar

Repair buglet introduced with the last import of Heimdal:
`krb5-config --cflags' spewed an erroneous argument.

Reported by: Gabor@Zahemszky.HU
Approved by: re (jhb)


103634 19-Sep-2002 nectar

This is Heimdal 0.5.


102771 01-Sep-2002 nectar

= The prefix should be `/usr', not `/'.
= Correct the Heimdal version number hiding in here.


101342 04-Aug-2002 fjoe

Kerberos 5 no longer needs -lmd

Approved by: nectar


99350 03-Jul-2002 markm

Give k5admin a manpage.


96462 12-May-2002 ru

Added new bsd.incs.mk which handles installing of header files
via INCS. Implemented INCSLINKS (equivalent to SYMLINKS) to
handle symlinking include files. Allow for multiple groups of
include files to be installed, with the powerful INCSGROUPS knob.
Documentation to follow.

Added standard `includes' and `incsinstall' targets, use them
in Makefile.inc1. Headers from the following makefiles were
not installed before (during `includes' in Makefile.inc1):

kerberos5/lib/libtelnet/Makefile
lib/libbz2/Makefile
lib/libdevinfo/Makefile
lib/libform/Makefile
lib/libisc/Makefile
lib/libmenu/Makefile
lib/libmilter/Makefile
lib/libpanel/Makefile

Replaced all `beforeinstall' targets for installing includes
with the INCS stuff.

Renamed INCDIR to INCSDIR, for consistency with FILES and SCRIPTS,
and for compatibility with NetBSD. Similarly for INCOWN, INCGRP,
and INCMODE.

Consistently use INCLUDEDIR instead of /usr/include.

gnu/lib/libstdc++/Makefile and gnu/lib/libsupc++/Makefile changes
were only lightly tested due to the missing contrib/libstdc++-v3.
I fully tested the pre-WIP_GCC31 version of this patch with the
contrib/libstdc++.295 stuff.

These changes have been tested on i386 with the -DNO_WERROR "make
world" and "make release".


96436 12-May-2002 nectar

Turn on the set-user-ID bit for k5su if ENABLE_SUID_K5SU is defined.


96404 11-May-2002 nectar

Do not install this with set-user-ID bit set. This utility does not
grok the `wheel' group.

Noticed by: jmallett


96238 09-May-2002 nectar

= We need `-lcrypt' and `-lcom_err' when building Kerberos
applications.
= The Heimdal version number is hiding here also. Correct it.


95509 26-Apr-2002 ru

Milestone #1 in cross-arch make releases.

Do not install games and profiled libraries to the ${CHROOTDIR}
with the initial installworld.

Eliminate the need in the second installworld. For that, make sure
_everything_ is built in the "world" environment, using the right
tool chain.

Added SUBDIR_OVERRIDE helper stuff to Makefile.inc1. Split the
buildworld process into stages, and skip some stages when
SUBDIR_OVERRIDE is set (used to build crypto, krb4, and krb5
dists).

Added NO_MAKEDB_RUN knob to Makefile.inc1 to avoid running
makewhatis(1) at the end of installworld (used when making crypto,
krb4, and krb5 dists).

In release/scripts/doFS.sh, ensure that the correct boot blocks are
used.

Moved the creation of the "crypto" dist from release.5 to
release.2.

In release.3 and doMFSKERN, build kernels in the "world"
environment. KERNELS now means "additional" kernels, GENERIC is
always built.

Ensure we build crunched binaries in the "world" environment.
Obfuscate release/Makefile some more (WMAKEENV) to achieve this.

Inline createBOOTMFS target.

Use already built GENERIC kernel modules to augment mfsfd's
/stand/modules. GC doMODULES as such.

Assorted fixes:

Get rid of the "afterdistribute" target by moving the single use
of it from sys/Makefile to etc/Makefile's "distribute".

Makefile.inc1: apparently "etc" no longer needs to be last for
"distribute" to succeed.

gnu/usr.bin/perl/library/Makefile.inc: do not override the
"install" and "distribute" targets, do it the "canonical" way.

release/scripts/{man,cat}pages-make.sh: make sure Perl manpages and
catpages appear in the right dists. Note that because Perl does
not respect the MANBUILDCAT (and NOMAN), this results in a loss of
/usr/share/perl/man/cat* empty directories. This will be fixed
soon.

Turn MAKE_KERBEROS4 into a plain boolean variable (if it is set it
means "make KerberosIV"), as documented in the make.conf(5)
manpage. Most of the userland makefiles did not test it for "YES"
anyway.

XXX Should specialized kerberized libpam versions be included into
the krb4 and krb5 dists? (libpam.a would be incorrect anyway if
both krb4 and krb5 dists were chosen.)

Make sure "games" dist is made before "catpages", otherwise games
catpages settle in the wrong dist.

Fast build machine provided by: Igor Kucherenko <kivvy@sunbay.com>


90931 19-Feb-2002 nectar

Update build after import of Heimdal Kerberos 2002/02/17.


88068 17-Dec-2001 ru

Install script via SCRIPTS.


88029 17-Dec-2001 assar

add krb4 libraries


87278 03-Dec-2001 jhay

Add the necessary paths to the kerberos libraries and includes.

This fixes "make release".

Reviewed by: markm


87143 30-Nov-2001 markm

Style clean-up, and diff-reduce WRT src/secure/*telnet*/Makefile

Lost in this commit - KerberosIV compatibility. This will be
re-added later.


85799 01-Nov-2001 assar

make libtelnet (and telnet, telnetd) use libkrb when required


82418 27-Aug-2001 assar

style fixes (by the way of bde)


82405 27-Aug-2001 assar

sort SUBDIR

Requested by: bde


82377 27-Aug-2001 assar

add krb5-config


81967 20-Aug-2001 markm

Diff reduce all the crypto telnet Makefiles.


81104 03-Aug-2001 markm

Revamp and diff-reduce the various secure telnets. Make sure that
Kerberos5 has _a_ telnet (which is not currently K5 enabled).
Incorporate BDE's static linking fixes.


77722 04-Jun-2001 markm

Install this SUID root. Heck, it is su, after all.


76466 11-May-2001 markm

Fix PAMized telnet in exactly the same way as BDE did it for the other
telnet instances.


74928 28-Mar-2001 ru

Bye-bye /usr/lib/libtelnet.a. This should fix ``make release'' brokenness.

Approved by: markm


73696 05-Mar-2001 markm

*Sigh*. What I did without this, I have no idea.


72450 13-Feb-2001 assar

update build infrastructure for heimdal 0.3e


58485 23-Mar-2000 markm

Properly separate the K5-only build from K4.

Submitted by: sheldonh


57672 01-Mar-2000 markm

KerberosIV is no longer compulsory. This should fix "make release".


57566 28-Feb-2000 markm

Remove largescale evidence of crack-smoking.

Where a k4 applet has a k5 namesake, rename the k5 version
from k<app> to k5<app>. (Repo copy done).

Do some repairs to dependencies to support make world properly.


57452 24-Feb-2000 markm

Use libcrypto instead of libdes. Upgrade for Heimdal-0.2p


57448 24-Feb-2000 markm

Use libcrypto in place of libdes.


56668 27-Jan-2000 shin

another tcp apps IPv6 updates.(should be make world safe)
ftp, telnet, ftpd, faithd
also telnet related sync with crypto, secure, kerberosIV

Obtained from: KAME project


56068 15-Jan-2000 markm

This commit was generated by cvs2svn to compensate for changes in r56067,
which included commits to RCS files with non-trunk default branches.


56067 15-Jan-2000 markm

Userland build of Kerberos5 (AKA Heimdal). More to come.

This is not ready for primetime yet! Please hold off on the bug reports.


51990 07-Oct-1999 markm

Bring in SRA for telnet.

Submitted by: Nick Sayer


50954 05-Sep-1999 markm

Fix for new Common Error system.


50632 30-Aug-1999 peter

Don't -DTERMCAP or we define a few conflicting functions and cause
recursion in a rather ugly way.


50479 28-Aug-1999 peter

$Id$ -> $FreeBSD$


43183 25-Jan-1999 markm

Link everything against libcrypt. ELF builds complain without it.
Clean up the master makefile a bit and add a "dekerberise" target
for those who have shot themselves in the foot.

Thanks to: Randy Bush


29815 24-Sep-1997 markm

Initial import of the new kerberosIV Makefiles.

I will follow up with the userland sources over the next few days.
The impatient of you can play with this, but you do this without
support or blessing until I am finished ;-)