From: Rick Macklem
Date: Mon, 28 Jul 2025 08:02:40 -0700
Subject: Re: ssh errors, libgssapi_krb5
To: Cy Schubert
Cc: current@freebsd.org, cy@freebsd.org
In-Reply-To: <20250728144620.0E87840D@slippy.cwsent.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Mon, Jul 28, 2025 at 7:46 AM Cy Schubert wrote:
>
> In message , Lexi Winter writes:
> >
> > hello,
> >
> > on recent (last ~2 days) main with WITH_MITKRB5, ssh with GSSAPI seems
> > broken:
> >
> > % git push lf
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > git@git.le-fay.org: Permission denied (publickey,gssapi-with-mic).
> > fatal: Could not read from remote repository.
> >
> > am i missing some config change or do i need to update something?
>
> That was fixed by c0fae431fd6a. Too many moving parts, I missed that one.
> GSSAPI is a clearinghouse. It's a lookup table that calls the various
> GSSAPI modules made available by providers, i.e. Kerberos or, in the case of
> Linux, the gssproxy daemon.
>
> This will make having two kerberos in our tree as rickm@ requested a little
> challenging, because MIT and Heimdal share the same OID (for obvious
> reasons). If we want to keep the Heimdal libraries in our tree,
> temporarily, while we work through the kernel NFS issue we may need to alter our
> gssapi to use a second lookup table (in /etc/gss/mech) just for heimdal. I
> have some ideas how to implement this securely so that no other app could
> use the alternate table.

Forget about that request.
MIT's gssapi has something called gss_inquire_sec_context_by_oid(), which I think
can return the session key, which is what the code in sys/kgssapi/krb5/krb5_mech.c
does manually. My current plan is to add a new upcall RPC to the gssd, so the gssd
can use this call to do the work.

rick

> --
> Cheers,
> Cy Schubert
> FreeBSD UNIX: Web: https://FreeBSD.org
> NTP: Web: https://nwtime.org
>
> e**(i*pi)+1=0
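Cy describes the GSS-API layer as a lookup table (/etc/gss/mech) that dispatches to provider libraries, and the symptom in the thread is dlopen failing on one of those libraries. The following is an added example, not code from the thread or from FreeBSD: a preflight audit that parses a table in the mech(5) layout (name, OID, library, optional kernel module), reports entries whose library the loader could not find, and reports an OID registered by two providers, the MIT/Heimdal conflict Cy points out. The default search directories, the sample table and the "installed" library set are constructed assumptions.

```python
import os
from typing import Callable, List

LIB_DIRS = ("/usr/lib", "/lib")  # assumed search path for bare library names


def parse_mech_table(text: str) -> List[List[str]]:
    """Return the whitespace-separated fields of each non-comment, non-blank line."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def audit_mech_table(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Flag malformed rows, missing libraries, and OIDs claimed twice (`exists` is injectable)."""
    findings: List[str] = []
    owner_of_oid = {}
    for row in parse_mech_table(text):
        # Assumed mech(5) layout: name oid library [kernel-module] [options]
        if len(row) < 3:
            findings.append(f"malformed entry: {' '.join(row)}")
            continue
        name, oid, lib = row[:3]
        # An OID dispatches to exactly one provider; a second entry with the
        # same OID (MIT and Heimdal both use the Kerberos V5 OID) is a conflict.
        if oid in owner_of_oid:
            findings.append(f"{name} reuses OID {oid} already claimed by {owner_of_oid[oid]}")
        else:
            owner_of_oid[oid] = name
        # A bare name is looked up in LIB_DIRS; an absolute path is used as given.
        paths = [lib] if os.path.isabs(lib) else [os.path.join(d, lib) for d in LIB_DIRS]
        if not any(exists(p) for p in paths):
            findings.append(f"{name}: library {lib} not found; dlopen would fail")
    return findings


# Constructed sample: the Kerberos entry names the library from the thread's
# dlopen error, and a second entry reuses the Kerberos V5 OID.
SAMPLE_TABLE = """\
# Name        Object Identifier      Shared Library            Kernel Module
kerberosv5    1.2.840.113554.1.2.2   libgssapi_krb5.so.121     kgssapi_krb5
heimdal       1.2.840.113554.1.2.2   /usr/lib/libgssapi.so.10  -
spnego        1.3.6.1.5.5.2          libgssapi_spnego.so.10    -
"""
# Constructed view of the installed system: only these two libraries exist.
PRESENT = {"/usr/lib/libgssapi.so.10", "/usr/lib/libgssapi_spnego.so.10"}

if __name__ == "__main__":
    for finding in audit_mech_table(SAMPLE_TABLE, exists=PRESENT.__contains__):
        print(finding)
```

Run against the real file with the default `exists`, it reports the same kind of missing-library entry that produced the dlopen errors above before the mechanism is first used.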