Problem with kerberos and ssh.

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Mar 1 13:29:05 EST 2006


Eric wrote:
>  Jeffrey Altman wrote:
> > Perhaps your ssh was built with one libgss and is linking to
> > another.
> >
> > Jeffrey Altman
>
>  I would have asked what other libgss could there possibly be.  But
>  then someone on the openssh mailing list pointed out that I should
>  just bypass the libgssapi-0.7 stuff entirely - up until that point
>  the thought never even entered my head that libgssapi_krb5 provides
>  all of the same functionality, and that other stupid thing wasn't
>  even needed. My guess is that all of these problems simply go away if
>  I bypass that thing.


Linking directly to libgssapi_krb5 is a hack and is generally not going
to be a portable solution.

There are actually GSSAPI implementations that support more than
just Kerberos mechanisms (Solaris and others).  If you hardcode
your app to link directly to the underlying mechanism library instead
of the proper GSSAPI library itself, you are then venturing into
a sort of pseudo-gssapi/KRB5 area that is neither Kerberos nor GSSAPI
and will likely fail to port to other systems.


>  I don't think it is a matter of building against one lib and linking
>  against the other - the libgssapi-0.7 thing essentially dynamically
>  loads libgssapi_krb5 and constructs a function table.  It does some
>  additional work but for the most part simply calls through.  I just
>  assumed that this was how libgssapi_krb5 was always used.  When I
>  stepped the thing in the debugger, the problem was simply that it was
>  passing back a union_name thing, which in turn was getting passed
>  into gss_export_name, and this is what caused the problem.

It is designed that way because the main GSSAPI layer is supposed
to be generic and able to load mechanisms for other security layers
(i.e. protocols besides Kerberos). The fact that the implementation
you are using calls straight thru to the Kerberos mech is just
a limitation of that particular implementation; it is not necessarily
the way all GSSAPI libraries are written.


-Wyllys
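
A toy model of the layering discussed in this thread, added here as an illustration; it is not code from any GSSAPI library or from the posters. All types and functions (mech_ops, union_name, glue_*, mixed_export_name) are hypothetical, and the tag check stands in for whatever a real mechanism does with a handle it does not recognise.

```c
#include <stdio.h>
#include <string.h>

/* Toy model: none of these types or functions are real GSSAPI symbols. */
enum { TAG_MECH_NAME = 0x4d4e, TAG_UNION_NAME = 0x554e };
typedef struct { int tag; char princ[64]; } mech_name;    /* mechanism-private name */
typedef struct {
    int (*import_name)(const char *s, mech_name *out);
    int (*export_name)(const void *name, char *buf, size_t len);
} mech_ops;                                               /* per-mechanism function table */
typedef struct { int tag; const mech_ops *ops; mech_name inner; } union_name; /* glue wrapper */

static int krb5_import(const char *s, mech_name *out) {
    out->tag = TAG_MECH_NAME;
    snprintf(out->princ, sizeof out->princ, "%s", s);
    return 0;
}
/* The mechanism only understands its own name type. */
static int krb5_export(const void *name, char *buf, size_t len) {
    if (*(const int *)name != TAG_MECH_NAME)
        return -1;                        /* handed a handle from another layer */
    snprintf(buf, len, "krb5:%s", ((const mech_name *)name)->princ);
    return 0;
}
static const mech_ops toy_krb5 = { krb5_import, krb5_export };

/* Generic layer: wraps the mechanism name on import ... */
int glue_import_name(const mech_ops *ops, const char *s, union_name *out) {
    out->tag = TAG_UNION_NAME;
    out->ops = ops;
    return ops->import_name(s, &out->inner);
}
/* ... and unwraps it again before calling through the function table. */
int glue_export_name(const union_name *u, char *buf, size_t len) {
    if (u->tag != TAG_UNION_NAME)
        return -1;
    return u->ops->export_name(&u->inner, buf, len);
}
/* Mixed linkage: a generic-layer handle reaches the mechanism entry point. */
int mixed_export_name(const union_name *u, char *buf, size_t len) {
    return toy_krb5.export_name(u, buf, len);
}

int main(void) {
    union_name u;
    char buf[96];
    glue_import_name(&toy_krb5, "host/server.example.com", &u);
    printf("through the generic layer: %d\n", glue_export_name(&u, buf, sizeof buf));
    printf("straight to the mechanism: %d\n", mixed_export_name(&u, buf, sizeof buf));
    return 0;
}
```
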
