Curious about final KRB5/GSSAPI patch inclusion.

Daniel Kouril kouril at
Tue May 21 23:23:20 EST 2002

On Sun, May 19, 2002 at 01:43:59AM -0400, Carson Gaspar wrote:
> --On Saturday, May 18, 2002 1:24 PM +0200 Daniel Kouril 
> <kouril at> wrote:
> > Thus, the same openssh binary compiled with
> > GSS-API support can work either with krb5 or X.509 authentication -- the
> > only thing you have to do is supply the right gssapi library. And when
> > some more sophisticated implementation of gss library is available (I
> > mean mechglue or something similar), more different methods could be used
> > with the same GSS code at once.
> Ummm... sort-of. GSS-API is _not_ an ABI (binary interface), it's a source 
> level API. And each underlying method uses different datatypes. So 
> combining more than one in the same binary is non-trivial. And you can't 
> just add a new .o - you have to recompile everything that references a 
> GSS-API datatype. Feh.

I didn't say it was easy. But it can be implemented e.g. by means of dynamic
linking linker (via dlopen() etc.). However, the main advantage of GSS-API is
that only one adaptation of an application code is needed, and once it's done
it's very easy to switch among various authentication mechanisms (or even
make them cooperate -- see above) without any changes in the source code.

I believe that Simon's patch is very well written (and there is quite
a large community of users who use it) and could be placed in the standard
OpenSSH distribution.


