# Switching to heimdal security



## jonfr (Jan 22, 2017)

Due to issues with the current security implementation in FreeBSD, that is `GSSAPI_BASE` and `GSSAPI_MIT`, I switched everything to `GSSAPI_HEIMDAL` and installed security/heimdal.

This means I need to rebuild several ports. What is the best way to do so? I've already rebuilt lang/perl5.24 and security/p5-GSSAPI.

Thanks for the help.


----------



## ShelLuser (Jan 22, 2017)

You probably not only need to rebuild, you'll also need to reconfigure them. As to the best method, that heavily depends on opinion I guess. My preference would be to collect all port origins (for example: dns/bind910) and add these to a list (text file). Then all you need to do is feed that list to ports-mgmt/portmaster and it will handle the rest.

Better yet: if you have that list already be sure to use the --force-config Portmaster parameter, this enforces the config to be re-issued which allows you to change the appropriate settings.

Another approach I just thought of... OPTIONS_SET which can be set in /etc/make.conf. This should be able to work:


```
OPTIONS_SET=GSSAPI_HEIMDAL
```
You'll probably still need to reconfigure the ports, but at least the option will have been set for you, which allows you to simply hit enter to confirm the updated settings.

Hope this can help.


----------
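Added example (not part of ShelLuser's post and not code from any FreeBSD tool): one way to build the list of port origins described above, by filtering the per-option output of `pkg query '%o %Ok %Ov'` down to ports that were built with `GSSAPI_BASE` or `GSSAPI_MIT` switched on. The function names, the list path in the comments and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reads "origin option value" lines on stdin (the shape printed by
# `pkg query '%o %Ok %Ov'`) and prints each origin once if the port was
# built with GSSAPI_BASE or GSSAPI_MIT set to "on".
gssapi_rebuild_list() {
    awk '
        ($2 == "GSSAPI_BASE" || $2 == "GSSAPI_MIT") && $3 == "on" {
            if (!seen[$1]++) print $1   # de-duplicate origins
        }
    '
}

# Constructed sample input. dns/bind910 is the origin used as an example
# in the thread; the example/* origins and all option values are made up.
sample_options() {
    cat <<'EOF'
dns/bind910 GSSAPI_BASE on
dns/bind910 GSSAPI_HEIMDAL off
dns/bind910 IPV6 on
example/port-a GSSAPI_MIT on
example/port-a GSSAPI_BASE off
example/port-b GSSAPI_HEIMDAL on
example/port-b GSSAPI_MIT off
example/port-c DOCS on
EOF
}

# Demonstration on the constructed sample.
sample_options | gssapi_rebuild_list

# On a real system (assumed list path, adjust as needed):
#   pkg query '%o %Ok %Ov' | gssapi_rebuild_list > /tmp/gssapi-ports.txt
#   portmaster --force-config $(cat /tmp/gssapi-ports.txt)
```

Ports already built with `GSSAPI_HEIMDAL` on, and ports with no GSSAPI option at all, are left out of the list, so only the ports that still link against the old provider are rebuilt.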



## gofer_touch (Jan 22, 2017)

I've been reading a lot lately about security issues in FreeBSD, what is the real issue at the moment? Is it a matter of wanting backwards compatibility? Is it really that difficult to break some conventions if it increases security for end users?


----------



## drhowarddrfine (Jan 22, 2017)

gofer_touch said:


> I've been reading a lot lately about security issues in FreeBSD


Don't get led astray by chicken little articles and posters. These issues are matter-of-fact, "course of the day" issues that every system has at one point in their existence and will be solved if they haven't already. 

jonfr I thought we were to use the MIT setting because there are some things it sets that heimdal ignores. There are rare instances this could cause problems and the MIT setting covers those. 

I don't have my notes so I can't recall anything about it.


----------

