Re: Bug in Kerberos support for openssh.

02-28-2006
sxw@inf.ed.ac.uk

On Tue, 28 Feb 2006, Eric Youngdale wrote:

> When I first built openssh with kerberos turned on, I just ran configure, and
> the resulting Makefile was using libgssapi.so,


That's very odd. Recent OpenSSH versions use krb5-config to work out which
libraries to use, and MIT's krb5-config certainly tells it to use
libgssapi_krb5.so.

Could you send me (off list)
1) The command you're running configure with
2) The contents of config.log
3) The results of running 'krb5-config'
4) The results of running 'krb5-config --libs gssapi'

> Given the current state of affairs, would it not be reasonable for the
> configure script for openssh to ignore this library if it is encountered? Is
> there any circumstance where using libgssapi.so is the right thing to do
> (i.e. are there platforms where you do want to use this shared library)?


Heimdal's GSSAPI library is installed as libgssapi - we have to check for
this one so that OpenSSH will build against Heimdal.

I agree with you that we shouldn't link OpenSSH against the CITI
libgssapi, though. Even if it worked correctly, it wouldn't be suitable
for our purposes as it doesn't provide a mechanism to convert GSSAPI
credentials into Kerberos ones (which we need in order to support
credential delegation). The test I wrote for Thunderbird checks whether
the selected GSSAPI library includes the functions
'internal_krb5_gss_initialize' and 'gssd_pname_to_uid' - perhaps
OpenSSH should have a similar test in configure.ac, and bomb out if you're
trying to link against this library.

Cheers,

Simon.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
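
The symbol test described in the message above, sketched as an added shell example (not code from the post, from Thunderbird, or from OpenSSH's configure.ac). It classifies `nm -D` style output; the function names, the constructed sample listings, and the choice to require both marker symbols are assumptions.

```shell
#!/bin/sh
# Added example: reject a GSSAPI library that defines the marker symbols
# named in the post. Function names here are hypothetical.
MARKERS="internal_krb5_gss_initialize gssd_pname_to_uid"

# has_citi_markers: reads `nm -D` style output on stdin. Defined symbols are
# "ADDR TYPE NAME"; undefined references are "U NAME" and are ignored.
# Returns 0 when every marker is defined, 1 otherwise.
# Assumption: both markers are required (the post says "A and B").
has_citi_markers() {
    awk -v markers="$MARKERS" '
        BEGIN { n = split(markers, want, " ") }
        NF == 3 && $2 != "U" {
            name = $3
            sub(/@.*/, "", name)   # drop a symbol-version suffix such as @@VERS_1
            seen[name] = 1
        }
        END {
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) exit 1
            exit 0
        }'
}

# check_gssapi_lib PATH: configure-style gate for a real shared object.
# Returns 0 = usable, 1 = marker symbols found (bomb out), 2 = unreadable.
check_gssapi_lib() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 2; }
    if nm -D "$1" 2>/dev/null | has_citi_markers; then
        echo "error: $1 defines the CITI libgssapi markers; refusing to link" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (not taken from any real library build).
sample_flagged() { cat <<'EOF'
0000000000004a10 T gss_init_sec_context
0000000000005b20 T gssd_pname_to_uid@@SAMPLE_1
0000000000003c00 T internal_krb5_gss_initialize
                 U malloc
EOF
}
sample_clean() { cat <<'EOF'
0000000000004a10 T gss_init_sec_context
0000000000006d30 T gss_krb5_copy_ccache
                 U internal_krb5_gss_initialize
EOF
}
```

In a build script the gate would be called as `check_gssapi_lib /path/to/libgssapi.so || exit 1`, where the path is whatever library the configure step selected.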