GSS API new mechanism integration

Ondřej Velíšek ondrejvelisek at gmail.com
Thu Aug 30 07:38:38 EDT 2018


Hey there,

I'm writing a diploma thesis, and part of it is developing a new GSS API
mechanism. I'm not able to force services to use it instead of Kerberos.
I'm not sure if I understand the concept correctly, so I think it is best
to explain my understanding first.

GSS API is just a spec describing an interface, defining a contract between
two (resp. 4) pieces of software:
Client - wants to access the server and be verified
GSS API Client library
Server - wants to verify the client's identity
GSS API Server library

Most likely the GSS API client and server libraries are in the end the same
library, just copied to two places, containing methods for both sides.

Let's call Client and Server "Software" and GSS API Server/Client "GSS
library".

Talking about C, it means that on the machine there is a .so Linux library
file somewhere implementing the GSS library C interface, and the Software
loads it and calls its methods.
So they need to have the path to that library somewhere, e.g.
/usr/lib/libgss_krb5.so. I would expect it to be in some config file,
and I would just edit it to point to /usr/lib/libgss_myimpl.so.

The other option is something I found called mechglue, which is another
layer between the Software and the GSS library. So the Software can have the
path to mechglue.so hard-coded and call mechglue GSS API methods, and mechglue
will dispatch them to the real mechanism configured in /etc/gss/mech (or
mech.d/*.conf).

The problem is that when I installed Krb5 I expected to have Kerberos
configured in /etc/gss/mech, so I would just edit it to point to my GSS
library. But it's empty.

What am I missing? I want to force SSH to use my GSS library, and since the
config option in SSH is just yes/no I would expect that the real GSS library
is configurable through mechglue. Is that right?

Thank you!

Wish you a beautiful day

Ondrej Velisek
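
An added example, not part of the original post: a small Python audit of the mechglue configuration files mentioned above, assuming MIT krb5's line format (name, OID, module path, optional [options] and <type>). Every module listed there is loaded into each process that uses GSS API, so the check flags entries whose shared object is missing or writable by non-owners; the mechanism names and OIDs in the sample are constructed placeholders.

```python
import os
import re
import stat
from typing import NamedTuple, Optional

class MechEntry(NamedTuple):
    name: str
    oid: str
    module: str
    options: Optional[str]
    mech_type: Optional[str]

# Assumed line format: name oid module-path [options] <type> (last two optional)
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?(?:\s+<([^>]*)>)?\s*$")

def parse_mech_config(text):
    """Return (entries, malformed_lines) for the text of one mech file."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if m:
            entries.append(MechEntry(*m.groups()))
        else:
            malformed.append(raw)
    return entries, malformed

def audit_module(path):
    """List reasons the module at `path` should not be trusted for loading."""
    if not os.path.isabs(path):
        return ["relative path: actual location depends on the library's plugin directory"]
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return ["module file does not exist"]
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["module is group- or world-writable"]
    return []

# Constructed sample; mechanism names and OIDs are placeholders.
SAMPLE = """\
# constructed example entry
myimpl  1.3.6.1.4.1.99999.1  /usr/lib/libgss_myimpl.so
proxy   1.3.6.1.4.1.99999.2  proxy.so  [debug]  <interposer>
broken-line-without-oid
"""
```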


More information about the krbdev mailing list