OpenSSH 4.7p1, AIX 5.2, with IBM Kerberos = No Joy.

Sandor W. Sklar ssklar at stanford.edu
Fri Sep 7 12:32:39 EST 2007


I just tried to build the 4.7p1 on AIX 5.2, with Kerberos 5 enabled,  
using the IBM Kerberos implementation (krb5.client.rte,  
krb5.toolkit.adt, etc.)  Is this supposed to work, or is the full MIT  
Kerberos distribution required?  IBM provides an older version of  
OpenSSH (4.3p2), with Kerberos support, but there are some problems  
with it, and I was hoping the problems would be resolved with a newer  
version.

Unfortunately, I couldn't even get it to build successfully:


CC=gcc ./configure --with-kerberos5=/usr/krb5

... produces ...

checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
configure: WARNING: Cannot find any suitable gss-api header - build may fail
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
checking for gssapi.h... (cached) no
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) no
checking gssapi/gssapi_krb5.h usability... no
checking gssapi/gssapi_krb5.h presence... yes
configure: WARNING: gssapi/gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi/gssapi_krb5.h:     check for missing prerequisite headers?
configure: WARNING: gssapi/gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi/gssapi_krb5.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi/gssapi_krb5.h: proceeding with the preprocessor's result
configure: WARNING: gssapi/gssapi_krb5.h: in the future, the compiler will take precedence
configure: WARNING:     ## ------------------------------------------- ##
configure: WARNING:     ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING:     ## ------------------------------------------- ##
checking for gssapi/gssapi_krb5.h... yes

... and make fails with ...

         gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/  -L/usr/krb5/lib -Wl,-blibpath:/usr/lib:/lib:/usr/krb5/lib -lssh -lopenbsd-compat -lcrypto -lz  -lkrb5 -lk5crypto -lcom_err
collect2: library libk5crypto not found
make: 1254-004 The error code from the last command is 1.

Any ideas, or even a clear statement that this will or will not work?  I
really don't want to build and install MIT Kerberos for our systems,
when the IBM-provided tools work for most of what we need.

Thanks,
	-s-

--
Sandor W. Sklar
Unix Systems Administrator
Stanford University Libraries & Academic Information Resources (SULAIR)
Digital Libraries Systems & Services (DLSS)



