Bug in Kerberos support for openssh.
sxw@inf.ed.ac.uk
Tue Feb 28 14:15:40 EST 2006
On Tue, 28 Feb 2006, Eric Youngdale wrote:

> When I first built openssh with kerberos turned on, I just ran configure, and
> the resulting Makefile was using libgssapi.so,

That's very odd. Recent OpenSSH versions use krb5-config to work out which
libraries to use, and MIT's krb5-config certainly tells it to use
libgssapi_krb5.so.

Could you send me (off list):

1) The command you're running configure with
2) The contents of config.log
3) The results of running 'krb5-config'
4) The results of running 'krb5-config --libs gssapi'

> Given the current state of affairs, would it not be reasonable for the
> configure script for openssh to ignore this library if it is encountered? Is
> there any circumstance where using libgssapi.so is the right thing to do
> (i.e. are there platforms where you do want to use this shared library)?

Heimdal's GSSAPI library is installed as libgssapi - we have to check for
this one so that OpenSSH will build against Heimdal.

I agree with you that we shouldn't link OpenSSH against the CITI
libgssapi, though. Even if it worked correctly, it wouldn't be suitable
for our purposes as it doesn't provide a mechanism to convert GSSAPI
credentials into Kerberos ones (which we need in order to support
credential delegation). The test I wrote for Thunderbird checks whether
the selected GSSAPI library includes the functions
'internal_krb5_gss_initialize' and 'gssd_pname_to_uid' - perhaps
OpenSSH should have a similar test in configure.ac, and bomb out if you're
trying to link against this library.

Cheers,
Simon.
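
The symbol check described in the message above, sketched as a pre-build shell test. This is an added example, not code from OpenSSH, Thunderbird or the author of the message; the function names and the sample symbol tables are constructed for illustration, and treating a single marker symbol as sufficient to reject is an assumption.

```shell
#!/bin/sh
# Marker symbols named in the message above as identifying the CITI libgssapi.
MARKERS="internal_krb5_gss_initialize gssd_pname_to_uid"

# Read `nm -D` output on stdin and print each marker the library itself defines.
citi_markers_in_nm() {
    awk -v markers="$MARKERS" '
        BEGIN { n = split(markers, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        # Defined functions have three fields (address, type, name); undefined
        # references ("U name") have two and are ignored.
        NF == 3 && $2 ~ /^[TtWw]$/ {
            name = $3
            sub(/@.*/, "", name)      # drop a symbol-version suffix if present
            if (name in want) print name
        }' | sort -u
}

# Exit status 0 means "this is the library to refuse". Assumption: one marker
# is enough to reject, the stricter reading of the test described above.
is_citi_libgssapi() {
    [ -n "$(citi_markers_in_nm)" ]
}

# Constructed sample: symbol table of a library that defines both markers.
sample_citi() {
    cat <<'EOF'
0000000000004a10 T gss_accept_sec_context
0000000000005b20 T gss_init_sec_context
0000000000007c30 T gssd_pname_to_uid
0000000000008d40 T internal_krb5_gss_initialize
EOF
}

# Constructed sample: a library that only references a marker, never defines it.
sample_other() {
    cat <<'EOF'
0000000000003100 T gss_accept_sec_context
0000000000003f00 T gss_init_sec_context
                 U gssd_pname_to_uid
EOF
}

for s in sample_citi sample_other; do
    if "$s" | is_citi_libgssapi; then echo "$s: refuse to link"; else echo "$s: ok"; fi
done
```

Against a real build, pipe the output of `nm -D` for the library that configure selected into `is_citi_libgssapi` and stop the build when it returns 0.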