Using KfM's credentials cache with Krb5 1.3 on OS X 10.2.6

Steven Michaud smichaud at pobox.com
Mon Aug 11 18:19:10 EDT 2003


Here's a slightly modified version of the patch that Chas Williams
submitted to this list on 7-24-2003.

Most of the changes are minor -- all routines from CredentialsCache.h
and CredentialsCache2.h have been included, the patch has been updated
to 1.3.1, the configure process determines whether USE_CCAPI is
defined (this happens only on Darwin), and (for this and other
reasons) 1.3.1 with this patch should (in principle) configure and
compile correctly on other platforms (i.e. the choice as to whether or
not to use the CCAPI stuff should happen automatically).

But there's one other change which, though small, makes this patch
_much_ easier to use:  In Chas Williams' code, the symbols for the
CCAPI routines in the "Unix" distribution are different from the ones
that they load and call from the Kerberos framework -- they all have
an extra leading "_".  For example, with his patch you need to call
_cc_initialize() in the "Unix" distribution in order to get
cc_initialize() from the Kerberos framework.  But I found that you
don't need the extra "_".  The CCAPI symbols in the "Unix"
distribution can have exactly the same names that they do in the
Kerberos framework.

I don't really know why this works.  I posted a question about it to
the OpenDarwin Discuss list, but didn't receive any response.  (I
chose them because they host the dlcompat project.  Maybe I should
repost the question elsewhere.)  But I have no doubt that it _does_
work ... at least on OS X 10.2.6.

Like Chas Williams I used the NSAddImage(), NSLookupSymbolInImage()
and NSAddressOfSymbol() functions.  These only work properly in a
process that has a two-level namespace, but as far as I can tell this
shouldn't be a problem.

In Chas Williams' code (and by default in mine, too), the Kerberos
framework is always loaded the first time you make a CCAPI call,
which is potentially different from what happens when you link to the
Kerberos framework with the static linker -- if you use -bind_at_load,
it's loaded when your program (or shared library) is first launched.
From my experience with using Simon Wilkinson's patch to OpenSSH on OS
X, I know of at least one case where the load order makes a
difference.  (If your program uses SessionGetInfo().  See
http://mailman.mit.edu/pipermail/krbdev/2002/000907.html and
http://mailman.mit.edu/pipermail/krbdev/2003/001548.html.)  In that
case it's actually better for the Kerberos framework to be loaded
dynamically.  But in other cases the opposite may be true.

To deal with this I added a bit of extra code to the top of my
CredCache.c file.  It uses the CALL_ON_LOAD pragma to load the
Kerberos framework as soon as krb5_32.dylib is loaded.  By default it's
defined out, but you can change this if need be.

Though I haven't tested this, it should be possible to use CredCache.c
and CredCache.h to build a standalone "libCredCache.dylib".  This
might (I suppose) be of interest to the Heimdal developers.

Finally, I'm glad Sam Hartman made his suggestion to dynamically load
the CCAPI routines from the Kerberos framework.  This turns out to be
much cleaner and simpler than my original hack :-) And thanks again to
Chas Williams for posting his code.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5-1.3.1-ccapi.txt
Url: http://mailman.mit.edu/pipermail/krbdev/attachments/20030811/23f6d2ee/attachment.txt
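The lazy-binding scheme the message describes, as an added example that is not the patch's or Chas Williams' code: POSIX dlopen()/dlsym() stand in for the Darwin-only NSAddImage()/NSLookupSymbolInImage()/NSAddressOfSymbol() calls, the process image and the strlen stand-in symbol replace the Kerberos framework and cc_initialize() so it runs anywhere, and the EAGER_LOAD constructor is an assumed analogue of the CALL_ON_LOAD pragma. The point to keep is the check that a symbol which cannot be bound (cc_initialize where no Kerberos framework is present) is reported as an error rather than called through a null pointer.

```c
/* Added example: resolve a symbol at runtime on first use, cache it,
   and refuse to call through a null pointer when binding fails.
   Assumptions: dlopen(NULL) (the already-loaded process image) stands
   in for NSAddImage() on the Kerberos framework, and "strlen" stands
   in for cc_initialize(), which is absent on a system without it. */
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

typedef size_t (*strlen_fn)(const char *);

/* Handle to the image providing the symbols; NULL until first use. */
static void *image;

/* Look a symbol up by name, opening the image on the first call.
   Returns NULL if the image or the symbol cannot be found. */
static void *resolve(const char *name)
{
    if (image == NULL) {
        image = dlopen(NULL, RTLD_LAZY);
        if (image == NULL)
            return NULL;
    }
    return dlsym(image, name);
}

/* Wrapper in the style of the patch: bind on first call, keep the
   pointer in a static, and return -1 instead of crashing when the
   symbol is unavailable. On success *out receives the result. */
int wrapped_strlen(const char *s, size_t *out)
{
    static strlen_fn fn;
    if (fn == NULL) {
        fn = (strlen_fn)resolve("strlen");
        if (fn == NULL)
            return -1;
    }
    *out = fn(s);
    return 0;
}

/* Returns 1 if the named symbol can be bound in this image, 0 if not
   (e.g. "cc_initialize" on a host without the Kerberos framework). */
int symbol_available(const char *name)
{
    return resolve(name) != NULL;
}

#ifdef EAGER_LOAD
/* Assumed analogue of the CALL_ON_LOAD pragma: bind when this object
   is loaded rather than on the first CCAPI-style call. */
__attribute__((constructor)) static void eager_load(void) { (void)resolve("strlen"); }
#endif
```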

