[Bug 1276] Link stage fails when gssapi exists

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 18 03:59:39 EST 2007 

http://bugzilla.mindrot.org/show_bug.cgi?id=1276

           Summary: Link stage fails when gssapi exists
           Product: Portable OpenSSH
           Version: v4.5p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: jengelh at gmx.de


Hello,


there is a problem with OpenSSH 4.5p1 (dates back to 4.2 IIRC) where 
configure, if called with `configure --enable-kerberos5=/usr`, will 
incorrectly determine the libraries to be linked into the final
binaries 
on openSUSE 10.2 (and before) when /usr/lib/libgssapi* exists, i.e. the 
libgssapi.rpm package is installed. krb5 and krb5-devel are installed 
to. I suppose this problem also surfaces on other distributions.

configure output is:
checking for gss_init_sec_context in -lgssapi... yes

but actually compiling and linking the program suite yields:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o
auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o
monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o
gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o
md5crypt.o audit.o audit-bsm.o platform.o -L. -Lopenbsd-compat/ 
-L/usr/lib -lssh -lopenbsd-compat     -lresolv -lcrypto -lutil -lz
-lnsl  -lcrypt -lgssapi -lkrb5 -lk5crypto -lcom_err
gss-serv-krb5.o: In function `ssh_gssapi_krb5_storecreds':
/usr/src/packages/BUILD/openssh-4.5p1/gss-serv-krb5.c:164: undefined 
reference to `gss_krb5_copy_ccache'
collect2: ld returned 1 exit status
make: *** [sshd] Error 1

This missing function is defined in libgssapi_krb5. I think the problem 
behind this is that gss_init_sec_context, which is used in 
the configure{,.ac} test is present in both:

$ readelf -a /usr/lib/libgssapi.so | grep init_sec
    73: 00003cb0   551 FUNC    GLOBAL DEFAULT   11
gss_init_sec_context@@libgssapi_CITI_2
$ readelf -a /usr/lib/libgssapi_krb5.so | grep init_sec
...
   183: 00009b00   617 FUNC    GLOBAL DEFAULT   11
gss_init_sec_context@@gssapi_krb5_2_MIT

While gss_krb5_copy_cache is only in the latter:

$ readelf -a /usr/lib/libgssapi.so | grep gss_krb5_copy_ccache
$ readelf -a /usr/lib/libgssapi_krb5.so | grep gss_krb5_copy_ccache
   196: 0001d680   136 FUNC    GLOBAL DEFAULT   11
gss_krb5_copy_ccache@@gssapi_krb5_2_MIT


Googling turns up
http://marc2.theaimsgroup.com/?l=secure-shell&m=112109538913024&w=2
but I doubt my gssapi is "old", as this is a default openSUSE install 
and I am quite "clean" (gssapi _is_ under rpm control).


Here is a patch that "fixes" it for me:
<attachment>




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list