Curious about final KRB5/GSSAPI patch inclusion.
Daniel Kouril
kouril at ics.muni.cz
Tue May 21 23:23:20 EST 2002
On Sun, May 19, 2002 at 01:43:59AM -0400, Carson Gaspar wrote:
>
>
> --On Saturday, May 18, 2002 1:24 PM +0200 Daniel Kouril
> <kouril at ics.muni.cz> wrote:
>
> > Thus, the same openssh binary compiled with
> > GSS-API support can work either with krb5 or X.509 authentication -- the
> > only thing you have to do is supply the right gssapi library. And when
> > some more sophisticated implementation of gss library is available (I
> > mean mechglue or something similar), more different methods could be used
> > with the same GSS code at once.
>
> Ummm... sort-of. GSS-API is _not_ an ABI (binary interface), it's a source
> level API. And each underlying method uses different datatypes. So
> combining more than one in the same binary is non-trivial. And you can't
> just add a new .o - you have to recompile everything that references a
> GSS-API datatype. Feh.
I didn't say it was easy. But it can be implemented e.g. by means of dynamic
linking (via dlopen() etc.). However, the main advantage of GSS-API is
that only one adaptation of an application code is needed, and once it's done
it's very easy to switch among various authentication mechanisms (or even
make them cooperate -- see above) without any changes in the source code.

I believe that Simon's patch is very well written (and there is quite a
large community of users who use it) and could be placed in the standard
OpenSSH distribution.
cheers
--
Dan