help-shishi

Re: Debian Shishi integration: GSS-API library


From: Simon Josefsson
Subject: Re: Debian Shishi integration: GSS-API library
Date: Wed, 31 May 2006 15:56:31 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> On Wed, May 31, 2006 at 12:43:16PM +0200, Simon Josefsson wrote:
> [...]
>> Then, by default, all applications will support GSS-API, and the
>> administrator can decide which GSS-implementation she wishes to use, by
>> installing the GSS-library and configuring the meta-GSS library.
> [...]
>
>
> I am not used to GSS-API, but:
>
> Is GSS-API standardized enough, so that the API (and
> possibly ABI) can be dropped in/wrapped all that easily?
>
> So that the hello-world application can be just recompiled
> using the meta library?

The API has been well standardized for years in RFC 2743/2744, so, yes.

What's not standardized is where to find the GSS-API header file and
the library.  The ABI is not in the standard, although if you assume
C, the ABI more or less follows from the API (there are some subtle
issues for optional functions, whether they should be part of the ABI
or not, but nothing serious).

I've recompiled several real-world applications that use GSS-API
(e.g., openssh, gnu inetutils, fetchmail) and they work fine with
Shishi through my libgss.  In some cases (gnu inetutils and fetchmail)
I've sent patches to have it find my gss library's header file and
library automatically.  No code changes were necessary.  When I
implemented the SSH GSS stuff in LSH, I was able to build it against
MIT/Heimdal/Libgss without code changes.

The recommended approach to program Shishi is through libgss, since
that makes it easy to swap to any GSS-mech (or at least any
GSS-krb5-mech).

I don't know of a good GSS manual though.  It really is simple to use,
only a handful of APIs to remember, but all the options make it
exceedingly difficult to understand.

> That said, I have no plan, how many applications use
> GSS-API and how many use plain kerberos.

The few applications that are using plain kerberos are probably
not worth porting to Shishi.

My initial goal here would be to have an ssh(d) package in debian that
can utilize shishi.

/Simon
