Date: Mon, 28 Jul 2025 08:02:40 -0700
From: Rick Macklem <rick.macklem@gmail.com>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: current@freebsd.org, cy@freebsd.org
Subject: Re: ssh errors, libgssapi_krb5
Message-ID: <CAM5tNy4f_e1KEyguTgi69f9oXjYzaeaV8uF1nWBNhjgGhMMmKA@mail.gmail.com>
In-Reply-To: <20250728144620.0E87840D@slippy.cwsent.com>
References: <aId7_7d5iFCxQhLI@freefall.freebsd.org> <20250728144620.0E87840D@slippy.cwsent.com>
On Mon, Jul 28, 2025 at 7:46 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <aId7_7d5iFCxQhLI@freefall.freebsd.org>, Lexi Winter writes:
> >
> > hello,
> >
> > on recent (last ~2 days) main with WITH_MITKRB5, ssh with GSSAPI seems
> > broken:
> >
> > % git push lf
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > git@git.le-fay.org: Permission denied (publickey,gssapi-with-mic).
> > fatal: Could not read from remote repository.
> >
> > am i missing some config change or do i need to update something?
>
> That was fixed by c0fae431fd6a. Too many moving parts, I missed that one.
> GSSAPI is a clearinghouse. It's a lookup table that calls the various
> GSSAPI modules made available by providers, i.e. Kerberos or, in the case of
> Linux, the gssproxy daemon.
>
> This will make having two kerberos in our tree as rickm@ requested a little
> challenging, because MIT and Heimdal share the same OID (for obvious
> reasons). If we want to keep the Heimdal libraries in our tree,
> temporarily, while we work through the kernel NFS issue, we may have to alter our
> gssapi to use a second lookup table (in /etc/gss/mech) just for Heimdal. I
> have some ideas how to implement this securely so that no other app could
> use the alternate table.

Forget about that request. MIT's gssapi has something called
gss_inquire_sec_context_by_oid() which I think can return the session key,
which is what the code in sys/kgssapi/krb5/krb5_mech.c does manually.

My current plan is to add a new upcall RPC to the gssd, so the gssd can use
this call to do the work.

rick

>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e**(i*pi)+1=0
