Curious about final KRB5/GSSAPI patch inclusion.

Daniel Kouril kouril at ics.muni.cz
Tue May 21 23:23:20 EST 2002


On Sun, May 19, 2002 at 01:43:59AM -0400, Carson Gaspar wrote:
> 
> 
> --On Saturday, May 18, 2002 1:24 PM +0200 Daniel Kouril 
> <kouril at ics.muni.cz> wrote:
> 
> > Thus, the same openssh binary compiled with
> > GSS-API support can work either with krb5 or X.509 authentication -- the
> only thing you have to do is supply the right gssapi library. And when
> > some more sophisticated implementation of gss library is available (I
> > mean mechglue or something similar), more different methods could be used
> > with the same GSS code at once.
> 
> Ummm... sort-of. GSS-API is _not_ an ABI (binary interface), it's a source 
> level API. And each underlying method uses different datatypes. So 
> combining more than one in the same binary is non-trivial. And you can't 
> just add a new .o - you have to recompile everything that references a 
> GSS-API datatype. Feh.

I didn't say it was easy. But it can be implemented e.g. by means of dynamic
linking (via dlopen() etc.). However, the main advantage of GSS-API is
that only one adaptation of an application code is needed, and once it's done
it's very easy to switch among various authentication mechanisms (or even
make them cooperate -- see above) without any changes in the source code.

I believe that Simon's patch is very well written (and there is quite
a large community of users who use it) and could be placed in the standard 
OpenSSH distribution.

cheers

--
Dan


