Pending OpenSSH release: contains Kerberos/GSSAPI changes

Douglas E. Engert deengert at
Fri Jan 23 02:41:27 EST 2004

Paliminary results of testing with MIT krb5-1.3.2-beta2, OpenSSL-0.9.7c
on sun4x_57 with gcc. 

Problem 1:

We are using using Simon's current mods with the "gssapi" method. 
The new code implements the "gssapi-with-mic". I don't see a transition
stratagy to get from using "gssapi" to get to using "gssapi-with-mic",
other then to update all clients and servers at the same time. 
(The SecurtCRT for Windows, does appear to work with either.)

I know we want to get to using only gssapi-with-mic, but need
some time to convert. I would like to see the server offer both
and the client work with both "gssapi-with-mic" and "gssapi" either
 by #ifdef, or a sshd_config flag, or testing the peer's version string.  

I am willing to write this mod if needed. 

Problem 2:

Since kafs.h is not defined in MIT Kerberos, I change the #ifdef
to match the #ifdef used with the code that needed kafs.h.

--- ,session.c  Tue Jan 20 18:00:46 2004
+++ session.c   Thu Jan 22 08:40:34 2004
@@ -58,7 +58,7 @@
 #include "session.h"
 #include "monitor_wrap.h"
-#ifdef KRB5
+#if defined(HEIMDAL) && defined(AFS)
 #include <kafs.h>

We have AFS, and call another routine to get the PAG and token.
It does not rely on the AFS libraries, but issues a syscall for
the PAG and fork/exec aklog to get the token. I will be looking 
at how to get this local mod out as well, and use kafs.h and the 
calls you provide.


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the openssh-unix-dev mailing list