On Tue, 28 Feb 2006, Eric Youngdale wrote: > When I first built openssh with kerberos turned on, I just ran configure, and > the resulting Makefile was using libgssapi.so,
That's very odd. Recent OpenSSH's use krb5-config to work out which libraries to use, and MIT's krb5-config certainly tells it to use libgssapi_krb5.so Could you send me (off list) 1) The command you're running configure with 2) The contents of config.log 3) The results of running 'krb5-config' 4) The results of running 'krb5-config --libs gssapi' > Given the current state of affairs, would it not be reasonable for the > configure script for openssh to ignore this library if it is encountered? Is > there any circumstance where using libgssapi.so is the right thing to do > (i.e. are there platforms where you do want to use this shared library)? Heimdal's GSSAPI library is installed as libgssapi - we have to check for this one so that OpenSSH will build against Heimdal. I agree with you that we shouldn't link OpenSSH against the CITI libgssapi, though. Even if it worked correctly, it wouldn't be suitable for our purposes as it doesn't provide a mechanism to convert GSSAPI credentials into Kerberos ones (which we need in order to support credential delegation). The test I wrote for Thunderbird checks whether the selected GSSAPI library includes the functions 'internal_krb5_gss_initialize' and 'gssd_pname_to_uid' - perhaps the OpenSSH should have a similar test in configure.ac, and bomb out if you're trying to link against this library. Cheers, Simon. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos