[krbdev.mit.edu #2240] krb5-config --cflags gssapi when used by OpenSSH-snap-20040212

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Thu Feb 19 14:09:21 EST 2004


My argument is that the MIT krb5-config does not do what is expected.

I would also point out that the OpenSSH code already is doing some
strange things with the output which it should not have to do,
namely trying to split the output of krb5-config --libs
into LDFLAGS and LIBS:

  K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^ @:>@*//g'`"
  K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^ @:>@*//g'`"

(I saw a fix on the list against this, as it would not allow a -
in a path name. It was trying to delete -L/path/to/heimdal-0.6/lib
but stopped short and left -0.6/lib.)

So the question is then: When will krb5-config be useable? Is it worth
trying to use with OpenSSH in its current state?

The patch I sent would work against the current krb5-config scripts,
including the krb5-1.3.2-beta4.  




I also have some other concerns about the krb5-config, as it returns
the final install location of the files. We like to build and install
Kerberos in AFS, along with OpenSSL and OpenSSH, and install them all
as a package on to a local system in a well known location: /krb5/*.
This requires Kerberos and OpenSSL to be installed somewhere not
on the running system while OpenSSH is built.

Without krb5-config, we can easily configure OpenSSH with something like:

   ...
   --prefix=/krb5 \
   --with-kerberos5=/afs/anl.gov/appl/krb5-1.3.2/@sys/krb5 \
   ...

But with krb5-config, it will try to include the /krb5/lib
rather than /afs/anl.gov/appl/krb5-1.3.2/@sys/krb5/lib
So it may try and include the wrong libs from the running system.

krb5-config has the same relocation problem as trying to compile in the
-R or -rpath for a shared lib. You need the final location in the
shared lib, even if you are installing somewhere else.
 
(I have a local circumvention for this last point, and we also 
provide the -R or -rpath to point at /krb5/lib for OpenSSL, 
Kerberos and OpenSSH.) 

  

Sam Hartman wrote:
> 
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> 
>     Douglas> Darren Tucker wrote:
>     >>
>     >> Douglas E. Engert wrote:
>     >> > More or less, but the new code uses > CPPFLAGS="$CPPFLAGS
>     >> ${K5CFLAGS}/gssapi"
>     >>
>     >> What guarantee is there that K5CFLAGS will contain only
>     >> -I/path/to/includes?"  What happens if it contains, eg,
>     >> "-I/path/to/include -DSOME_FLAG"?
> 
>     Douglas> The current MIT krb5-config returns only
>     Douglas> -I/path/to/include
> 
>     Douglas> By the time MIT releases a new version of krb5-config,
>     Douglas> they should have gssapi.h in the path so the code in
>     Douglas> question to test for gssapi.h in the sub directory will
>     Douglas> not be executed. The Heimdal code (as I understand) does
>     Douglas> not have this problem, so does not execute this code.
> 
> Hi.  MIT has not made a determination as to whether Doug's bug is
> actually a bug nor whether we will fix it.  We certainly will not fix
> it for the upcoming 1.3.2 release; we have passed our final change
> deadline for that release.
> 
> I disagree with Doug's assertion that most programs include gssapi.h
> not gssapi/gssapi.h.
> 
> At this time I would recommend including gssapi.h for Heimdal and
> gssapi/gssapi.h for MIT Kerberos.
> 
> We'll certainly evaluate Doug's bug report and make a determination
> about what we think the correct behavior is.  However I am very
> reluctant to recommend that people accept patches that depend on the
> specific output of krb5-config.
> 
> --Sam

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
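
An added example, not part of the original message and not OpenSSH's or MIT's code: the same -l / -L filtering done per token, so a hyphen inside a directory name cannot be mistaken for the start of a flag. The function names and the sample path are constructed, and it assumes no single flag contains whitespace.

```shell
#!/bin/sh
# Constructed sample: a library directory whose name contains "-l".
SAMPLE='-L/opt/krb5-libs/lib -lgssapi_krb5 -lkrb5 -lcom_err'

# Unanchored substitution in the style of the quoted configure lines
# (brackets written literally instead of as autoconf quadrigraphs).
# It matches "-l" anywhere, including in the middle of a path.
sed_ldflags() { printf '%s\n' "$1" | sed 's/-l[^ ]*//g'; }

# drop_tokens PREFIX "flags": print every whitespace-separated token
# that does not START with PREFIX, joined by single spaces.
drop_tokens() {
    out=
    set -f                      # no glob expansion of tokens like -L/a/*
    for tok in $2; do           # intentional word splitting
        case $tok in
            "$1"*) ;;           # token begins with the prefix: drop it
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "$out"
}

# Same intent as the two sed lines: LDFLAGS is everything but -l tokens,
# LIBS is everything but -L tokens.
k5_ldflags() { drop_tokens -l "$1"; }
k5_libs()    { drop_tokens -L "$1"; }

echo "sed LDFLAGS:   $(sed_ldflags "$SAMPLE")"   # path truncated at "-libs"
echo "token LDFLAGS: $(k5_ldflags "$SAMPLE")"
echo "token LIBS:    $(k5_libs "$SAMPLE")"
```

A truncated -L path is worth catching in review because the linker then searches a directory nobody intended, or falls back to the default search path on the build host.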


