Using KfM's credentials cache with Krb5 1.3 on OS X 10.2.6

Steven Michaud smichaud at
Tue Jul 22 18:55:03 EDT 2003

With judicious hacking, I've been able to compile from source
( just those
parts of KfM's Kerberos framework (libCredentialsCache.a and its
dependencies in libKerberosIPC.a, libKerberosDebug.a, libKerberos4.a
and some system libraries) that talk to its credentials cache server

A bit more hacking and I was able to get Krb5 1.3 to default to using
KfM's credentials cache.  Programs that link to this (altered) Krb5
1.3, but which don't use the CCAPI, can now use KfM's credentials
cache without any further coding -- examples are the utilties and
servers that come with Krb5 1.3, such as klist, kinit, kdestroy, ftpd
and telnetd, and third party programs such as Pine and UW IMAP.
Programs that do use the CCAPI (such as OpenSSH after being patched
with Simon Wilkinson's GSSAPI keyex patch and my own OS X patch) must
link both to Krb5 1.3 and to the KfM credentials cache code.

I've even managed to package up libCredentialsCache.a,
libKerberosIPC.a, libKerberosDebug.a, libKerberos4.a and their
external dependencies into a shared library, which I've called
libCredCache.dylib (so as not to have the name conflict with
libCredentialsCache.a).  It is, of course, more convenient to link to
this one shared library than to all those static libraries (and to
their dependent libraries).

The chief advantage (to my mind) of integrating KfM's credentials
cache with Krb5 1.3 is that this (in effect) makes KfM's credentials
cache support Krb5 1.3's new encryption types.

I haven't tested my changes throughly, but everything that I've tried
has worked.  Even, which I haven't changed and which
doesn't support the new encryption types, still displays information
on your credentials ... even if it doesn't understand all the
encryption types.  (Though if you use it to get new credentials, your
session key will be in one of the types that it does understand.)

However, I'd like to hear from someone on this list if there's
something I've overlooked:  Is there a good reason that one _shouldn't_
mix KfM's credentials cache and Krb5 1.3?

Here's what I did.  Needless to say, this is all very experimental.
Try it out and see how it works, but don't expect to use it in
production without considerable testing :-)

A) If you don't already have it, get Apple's Developer Tools from

B) Build Jam 2.4

    1) Download the source from

    2) Fix the Makefile by changing line 68 from

    3) Run make and copy the binary (in the bin.macosxppc directory) to
       a reasonable loction.

C) Fix up the KfM source (downloaded from

    1) Obtain source code for the Security framework from

    2) Copy AuthSession.h from the
       Security/SecurityServer/Authorization directory of the
       distribution to

    3) In the Common/Scripts directory of the KfM source distribution
       put a soft link to jam called "jam-2.4"

D) Build pieces of KfM

    1) In the KerberosFramework/KerberosIPC/Projects directory of the
       KfM source distribution run

           pbxbuild -alltargets -buildstyle Deployment

    2) Look for the result (libKerberosIPC.a) in the
       KerberosFramework/KerberosIPC/Projects/build directory.  Copy it
       to the KerberosFramework/CredentialsCache/Projects/build and run
       ranlib on the copy.

    3) Repeat steps 1 and 2 for KerberosDebug and Kerberos4.

    4) In the KerberosFramework/CredentialsCache/Projects directory run

          pbxbuild -target "Mach IPC Generation" -buildstyle Deployment


          pbxbuild -target CredentialsCache -buildstyle Deployment

    5) Copy libCredentialsCache.a, libKerberosIPC.a, libKerberosDebug.a
       and libKerberos4.a to another staging area (where you'll use
       them to build libCredCache.dylib).  Run ranlib on all the

E) Build libCredCache.dylib

    1) In the staging area from the previous step run the following
       command (it should be all on one line):

          libtool -dynamic -o libCredCache.dylib \
                  -compatibility_version 1.0.0 \
                  -current_version 1.0.0 libKerberosIPC.a \
                  libKerberosDebug.a \
                  /path/to/krb5-1.3/lib/libkrb4.dylib \
                  -lstdc++ -lgcc -framework Security \
                  -framework CoreFoundation -framework CoreServices \
                  -lSystem.B -v libCredentialsCache.a

Finally, I'll append to this message patches for Krb5 1.3 and OpenSSH.
The patch to OpenSSH is a patch to my patch
( to Simon
Wilkinson's openssh-3.6.1p2-gssapi-20030430.diff patch.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5-1.3-ccapi-only-patch.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-3.6.1p2-gss-michaud-mit1.3-ccapi.txt

More information about the krbdev mailing list