MIT support for a Solaris like libgss?

Luke Howard lukeh at
Wed Apr 10 03:27:23 EDT 2013

On 10/04/2013, at 12:03 AM, Will Fiveash <will.fiveash at> wrote:

> Does MITKC have any plans to support/provide a libgss similar to the
> Solaris libgss which relies on dynamically loaded mech plugins unlike
> the current MIT libgss_krb5?

[I don't speak for MIT, of course.]

But, I think we discussed that when I ported the Novell mechglue enhancements over many years ago. I could dig up the email, but the question is how to maintain ABI compatibility with applications that link against libgssapi_krb5. Ideally you could just forward the symbols over to the new libgss (except for gsskrb5_XXX which can remain only in libgssapi_krb5). But this may require linker magic that is not portable across all the platforms MIT support.

That's to do it cleanly, anyway.

(At Novell, the Kerberos mechanism itself was separated into a plugin, and any Kerberos-specific GSS-APIs were in libgssapi_krb5; the rest was in libgss. But ABI compatibility was not an issue there so libgssapi_krb5 didn't need to contain non-mechanism-specific APIs.)

Note that dynamic loading of other mechanisms is already supported by the MIT libgssapi_krb5. Mechanisms can either export a dispatch table, or just export the GSS-API itself. We have used this successfully with mechanisms built independently (i.e. with no private headers), such as GSS EAP and GSS BrowserID.

-- Luke

More information about the krbdev mailing list