Bug in Kerberos support for openssh.

sxw@inf.ed.ac.uk sxw at inf.ed.ac.uk
Tue Feb 28 14:15:40 EST 2006


On Tue, 28 Feb 2006, Eric Youngdale wrote:

> When I first built openssh with kerberos turned on, I just ran configure, and 
> the resulting Makefile was using libgssapi.so,

That's very odd. Recent OpenSSH versions use krb5-config to work out which 
libraries to use, and MIT's krb5-config certainly tells it to use 
libgssapi_krb5.so.

Could you send me (off list)
1) The command you're running configure with
2) The contents of config.log
3) The results of running 'krb5-config'
4) The results of running 'krb5-config --libs gssapi'

> Given the current state of affairs, would it not be reasonable for the 
> configure script for openssh to ignore this library if it is encountered?  Is 
> there any circumstance where using libgssapi.so is the right thing to do 
> (i.e. are there platforms where you do want to use this shared library)?

Heimdal's GSSAPI library is installed as libgssapi - we have to check for 
this one so that OpenSSH will build against Heimdal.

I agree with you that we shouldn't link OpenSSH against the CITI 
libgssapi, though. Even if it worked correctly, it wouldn't be suitable 
for our purposes as it doesn't provide a mechanism to convert GSSAPI 
credentials into Kerberos ones (which we need in order to support 
credential delegation). The test I wrote for Thunderbird checks whether 
the selected GSSAPI library includes the functions 
'internal_krb5_gss_initialize' and 'gssd_pname_to_uid' - perhaps 
OpenSSH should have a similar test in configure.ac, and bomb out if you're 
trying to link against this library.

Cheers,

Simon.
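
The symbol check described in the message above, sketched as an added shell example (it is not part of the original message and is not OpenSSH's or Thunderbird's actual configure test). It assumes GNU `nm -D` output and that a library is rejected only when both named functions are exported; the function names and the sample symbol listings are constructed for illustration.

```shell
#!/bin/sh
# Marker symbols taken from the message above.
MARKERS="internal_krb5_gss_initialize gssd_pname_to_uid"

# Read `nm -D` style output on stdin. Print "reject" when every marker is a
# defined (exported) symbol, otherwise "ok". Undefined ("U") references to a
# marker do not count: they are imports, not something the library provides.
gssapi_lib_verdict() {
    awk -v markers="$MARKERS" '
        BEGIN { n = split(markers, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NF >= 2 {
            type = $(NF - 1); name = $NF
            sub(/@.*/, "", name)             # drop ELF symbol-version suffix
            if (type != "U" && (name in want)) seen[name] = 1
        }
        END {
            hits = 0
            for (i = 1; i <= n; i++) if (m[i] in seen) hits++
            print (hits == n ? "reject" : "ok")
        }'
}

# Inspect a real shared object; the path is supplied by the caller.
check_gssapi_lib() {
    nm -D --defined-only "$1" | gssapi_lib_verdict
}

# Constructed sample: symbol listing shaped like a versioned Kerberos GSSAPI library.
sample_krb5_nm() {
    cat <<'EOF'
0000000000011a40 T gss_accept_sec_context@@gssapi_krb5_2_MIT
0000000000012c10 T gss_init_sec_context@@gssapi_krb5_2_MIT
0000000000019f00 T gss_krb5_copy_ccache@@gssapi_krb5_2_MIT
                 U krb5_init_context@krb5_3_MIT
EOF
}

# Constructed sample: a library exporting both functions named in the message.
sample_marker_nm() {
    cat <<'EOF'
0000000000003f10 T gss_init_sec_context
0000000000004a20 T gssd_pname_to_uid
0000000000005b30 T internal_krb5_gss_initialize
EOF
}
```

In a build script, `check_gssapi_lib` would be pointed at the library resolved from `krb5-config --libs gssapi`, and the build aborted on a `reject` verdict.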


