Syncing sshd/krb GetAFSToken change to Portable: help wanted

Steven Michaud smichaud at pobox.com
Sat Jan 10 10:26:20 EST 2004


> Configure is probably going to be changed to use krb5-config [1]
> (assuming it tests OK, hint hint) where available, and the current
> plan will check for libkafs regardless of whether it's Heimdal or
> MIT Kerberos.  If that goes ahead, I think we should change
> session.c to "#if defined(KRB5) && defined(AFS)" to cover the case
> you describe.

The MIT folks don't (apparently) want to make libkafs part of MIT
Kerberos or use krb5-config to store its configuration (see
http://mailman.mit.edu/pipermail/krbdev/2004-January/002139.html and
following).  Others (including myself) think these are good ideas,
even if they end up being implemented by someone other than MIT.  But
both sides seem to agree that a port of Heimdal's libkafs to MIT
Kerberos is desirable.  So it will probably eventually happen
... though it's difficult to predict exactly _how_ it will happen
... or when :-)

So your current plan will do no harm (presuming that your code doesn't
assume that Heimdal's libkafs will work with MIT Kerberos).  But I
suspect it will have to be revised (at least a little) when/if a port
of Heimdal's libkafs to MIT Kerberos 5 does appear.

On Fri, 9 Jan 2004, Darren Tucker wrote:

> Steven Michaud wrote:
>
> > I haven't (yet) tried your patch, but here's some information you
> > may find useful:
> >
> > There exists a "krbafs" library, which is in effect a port of KTH
> > Kerberos's libkafs to MIT Kerberos V
> > (http://web.mit.edu/openafs/krbafs/).  But KTH-krb is (of course)
> > a clone of Kerberos 4, so libkrbafs requires Kerberos 4
> > credentials.  (I've only built krbafs on OS X, and its "home page"
> > is directed towards users of OS X.  But krbafs should in principle
> > work on other platforms, and several different RPM versions of it
> > are available --
> > e.g. http://www.redhat.com/swr/i386/krbafs-1.0-3.i386.html)
> >
> > Eventually someone may port Heimdal's libkafs to MIT Kerberos V.
> > But until that happens I'd just wrap your new code inside #ifdef
> > HEIMDAL blocks.
>
> Thanks.  At the moment, the code in session.c is inside "#if
> defined(HEIMDAL) && defined(AFS)", and configure only tests for
> libkafs if it detects Heimdal.
>
> Configure is probably going to be changed to use krb5-config [1]
> (assuming it tests OK, hint hint) where available, and the current
> plan will check for libkafs regardless of whether it's Heimdal or
> MIT Kerberos.  If that goes ahead, I think we should change
> session.c to "#if defined(KRB5) && defined(AFS)" to cover the case
> you describe.
>
> [1] http://bugzilla.mindrot.org/attachment.cgi?id=525&action=view
>      and http://bugzilla.mindrot.org/show_bug.cgi?id=635
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
>
>




More information about the openssh-unix-dev mailing list