Created: 09-08-2008

THIS IS NOT FOR THE FAINT OF HEART!!!!! YOUR BINARIES MAY BREAK DURING AN UPGRADE, FORCING YOU TO RE-DO EVERYTHING!!! YOU HAVE BEEN WARNED!!!!!

NOTE: BE SURE TO DO YOUR WORK IN /private/var OR ELSE YOU WILL QUICKLY EXHAUST YOUR AVAILABLE DISK SPACE!!!

I was successful in getting Kerberos utilities (kinit, klist), a GSSAPI-enabled SSH client and KCA support on a (jailbroken) iTouch/iPhone v2.0.1 as a proof-of-concept test. All building was performed on the iTouch directly. Note that it was not easy, and can be frustrating. I did not keep good notes, so I am tossing out all the steps below in hopes that they are mostly complete. If you are attempting this, you should be semi-versed in compiling code and in how to resolve compile errors, library paths and the like. I have added notes on potential issues as needed.

First, you need terminal access to your device. Terminal is OK, but clunky to use for most of this work. Instead, install SSH support, then SSH into your device.

NOTE: The root/mobile passwords are WELL KNOWN, so you will want to change them. Also, if enabling SSH while on the FNAL Network, YOU WILL GET BLOCKED due to it not accepting Kerberos authentication, so please attempt this exercise at home.

Next, you will need some tools:

    com.bigboss.20toolchain
    com.liv2.togglessh
    cydia
    krb5
    ldid
    gcc-iphone
    openssl
    wget

The easiest way to install these is to install Cydia (http://www.saurik.com/id/1), which may already be installed if you are jailbroken. Once Cydia is installed, you have access to APT. Simply run the apt command `apt-get install <package>`. For example, `apt-get install krb5` will get you the Kerberos client utilities. Make sure you also install wget using `apt-get install wget` to simplify downloading of other packages and sources.

I installed Google's gcc-iphone for gcc support (http://code.google.com/p/iphone-gcc/) and Toolchain2.0 (http://thebigboss.org/moreinfo/Toolchain2.php) to ease compiling.
Also, grab LDID (`apt-get install ldid`) to permit you to fake-sign binaries so they run. If you do not, you will not be able to run unsigned binaries (they will error with a 'Killed' message).

The OS uses signed binaries, which can be a pain if you are rolling your own software. There are a few ways to get your code to run:

1) Do cross-platform development on another system and sign the code with an Apple developer issued certificate.
2) Create a self-signed cert and sign the code (and do any other tricks to get the cert accepted on the device).
3) Use ldid to create acceptable SHA1 hashes on the device (ldid -S).
4) Disable the code signing enforcement. Note that doing this WILL BREAK various applications such as the App Store. This method is useful for running configure scripts that need to check whether gcc can make an executable, but be sure to re-enable enforcement when done.

DISABLE SIGNED BINARY CHECKING

Run the following at the command prompt:

    sysctl -w security.mac.proc_enforce=0
    sysctl -w security.mac.vnode_enforce=0

RE-ENABLE SIGNED BINARY CHECKING

Run the following at the command prompt:

    sysctl -w security.mac.proc_enforce=1
    sysctl -w security.mac.vnode_enforce=1

Once you get KRB installed, be sure to grab a good krb5.conf file for your realm and copy it to /etc. You should now be able to kinit/klist without problems (hopefully).

Next, make sure you can compile code. Make a simple helloworld.c file, compile it and try to run it. If your output is displayed, you are good to go. If you get the 'Killed' error, disable the code signing check or fake it out with ldid.

To continue with your journey, grab some sources:

    From OpenSSH.com: openssh-5.1p1
    From OpenSSL.org: openssl-0.9.8h
    KCA client from FNAL: fnalkcaclient (http://security.fnal.gov/tools)

You may or may not need openssl, but grab it anyway just in case.

Build openssh.
If you want GSSAPI support (Kerberos client support), be sure to run configure with the Kerberos flag, './configure --with-kerberos5=/private/var/stash' (provided the KRB package installed Kerberos support in /private/var/stash - mine did). You may get compilation errors due to missing libraries, etc. Resolve them as they come up. Be sure to then tweak /etc/ssh/ssh_config to your liking (enable GSSAPI support, etc).

Compile fnalkcaclient. You WILL receive errors due to an unknown 'HEADER' declaration. This is because the HEADER struct is part of arpa/nameser_compat.h (BIND8) and BIND9 deprecated that. Instead of trying to transform the packages, either grab the nameser.h and nameser_compat.h headers from another computer and put them in your $INCLUDE path -OR- hack up the KCA source code by adding the missing declarations of HEADER and C_INT from nameser_compat.h to client/get_kca_list.c.

If you receive a Binary Error for time_t when compiling store_in_cc.c, make the following hack to store_in_cc.c:

--------------------------------------------------------------
Before:
--------------------------------------------------------------
#ifdef darwin
    utime += tms.tm_gmtoff;
#else
    utime = utime - timezone + tms.tm_isdst*3600;
--------------------------------------------------------------
After:
--------------------------------------------------------------
#ifdef darwin
    utime += tms.tm_gmtoff;
#else
    utime += tms.tm_gmtoff;

If all works well, you should now have working kx509 and kxlist client binaries.

One last note: If you receive the 'OpenSSL version mismatch. Built against XXXXX, you have YYYYY' error when running any binaries linked to OpenSSL, this means the OpenSSL libraries delivered by Apple are one version, but you are using a different version of the headers. To fix this, I moved /private/var/include/openssl to a different name, then symlinked /private/var/stash/include/openssl to /private/var/include/openssl.
You can also do other LD tricks if you want. Be warned, if you follow my symlinking instruction, the Apple provided ssh will no longer work.

ToDo:
-------------------------
- Build a GSSAPI aware SSHD. I have it built, but it keeps erroring with an 'Abort trap' error. Maybe when I get more time, I will continue debugging it.
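
For the DISABLE / RE-ENABLE SIGNED BINARY CHECKING steps above, here is an added example (not part of the original notes) that runs a single command with enforcement off and always restores it afterwards, even if the command fails or is interrupted. The function names and the overridable SYSCTL variable are assumptions of this example; the two sysctl keys are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original notes.
# SYSCTL is overridable (an assumption of this example) so the logic can be
# tested off-device with a stub; on the device it is the real sysctl.
: "${SYSCTL:=sysctl}"
KEYS="security.mac.proc_enforce security.mac.vnode_enforce"

# set_enforce 0|1 : write the same value to both keys named on this page.
set_enforce() {
    for key in $KEYS; do
        "$SYSCTL" -w "$key=$1" >/dev/null || return 1
    done
}

# with_enforcement_off CMD [ARGS...]
# Runs CMD with enforcement off and returns CMD's exit status.
with_enforcement_off() {
    if [ "$#" -eq 0 ]; then
        echo "usage: with_enforcement_off command [args...]" >&2
        return 2
    fi
    (
        # Restore on every exit path from this subshell, including a
        # failed command or a half-applied "disable" step.
        trap 'set_enforce 1' EXIT
        trap 'exit 130' INT TERM HUP
        set_enforce 0 || exit 1
        "$@"
        exit "$?"
    )
}

# Typical use on the device, as root:
#   with_enforcement_off ./configure --with-kerberos5=/private/var/stash
```

Enforcement is set back to 1 rather than to whatever value was there before, matching the re-enable commands above.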
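
For the 'OpenSSL version mismatch' error described above, here is an added example (not part of the original notes) that decodes the two values and reads the version number out of a header tree, so you can see which headers match the installed library. It assumes XXXXX and YYYYY are OpenSSL's hexadecimal version numbers in the MNNFFPPS layout (major, minor, fix, patch, status); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original notes.

# ossl_decode HEX : turn an OpenSSL version number such as 0x0090808fL
# (or 90808f, as it appears in the error message) into readable text.
ossl_decode() {
    hex=${1#0x}
    hex=${hex%L}
    v=$((0x$hex))
    major=$(( (v >> 28) & 0xf ))
    minor=$(( (v >> 20) & 0xff ))
    fix=$((   (v >> 12) & 0xff ))
    patch=$(( (v >> 4)  & 0xff ))
    status=$(( v & 0xf ))
    letter=""
    if [ "$patch" -gt 0 ]; then
        # patch 1 -> "a", 2 -> "b", ... (ASCII 96 + patch, written as octal)
        letter=$(printf "\\$(printf '%03o' $((96 + patch)))")
    fi
    case $status in
        0)  kind="dev" ;;
        15) kind="release" ;;
        *)  kind="beta$status" ;;
    esac
    echo "$major.$minor.$fix$letter ($kind)"
}

# hdr_number FILE : extract OPENSSL_VERSION_NUMBER from an opensslv.h.
hdr_number() {
    sed -n 's/^#[[:space:]]*define[[:space:]][[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]][[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' "$1" | head -n 1
}

# ossl_compare BUILT HAVE : decode both numbers from the error message.
ossl_compare() {
    echo "headers (built against): $(ossl_decode "$1")"
    echo "library (you have):      $(ossl_decode "$2")"
}

# On the device, check each header tree mentioned above:
#   ossl_decode "$(hdr_number /private/var/include/openssl/opensslv.h)"
#   ossl_decode "$(hdr_number /private/var/stash/include/openssl/opensslv.h)"
```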