Pending OpenSSH release: contains Kerberos/GSSAPI changes
Douglas E. Engert
deengert at anl.gov
Fri Jan 23 02:41:27 EST 2004
Paliminary results of testing with MIT krb5-1.3.2-beta2, OpenSSL-0.9.7c
on sun4x_57 with gcc.
Problem 1:
We are using using Simon's current mods with the "gssapi" method.
The new code implements the "gssapi-with-mic". I don't see a transition
stratagy to get from using "gssapi" to get to using "gssapi-with-mic",
other then to update all clients and servers at the same time.
(The SecurtCRT for Windows, does appear to work with either.)
I know we want to get to using only gssapi-with-mic, but need
some time to convert. I would like to see the server offer both
and the client work with both "gssapi-with-mic" and "gssapi" either
by #ifdef, or a sshd_config flag, or testing the peer's version string.
I am willing to write this mod if needed.
Problem 2:
Since kafs.h is not defined in MIT Kerberos, I change the #ifdef
to match the #ifdef used with the code that needed kafs.h.
--- ,session.c Tue Jan 20 18:00:46 2004
+++ session.c Thu Jan 22 08:40:34 2004
@@ -58,7 +58,7 @@
#include "session.h"
#include "monitor_wrap.h"
-#ifdef KRB5
+#if defined(HEIMDAL) && defined(AFS)
#include <kafs.h>
#endif
We have AFS, and call another routine to get the PAG and token.
It does not rely on the AFS libraries, but issues a syscall for
the PAG and fork/exec aklog to get the token. I will be looking
at how to get this local mod out as well, and use kafs.h and the
calls you provide.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the openssh-unix-dev
mailing list