On Mon, Jul 28, 2025 at 7:46 AM Cy Schubert <cy.schub...@cschubert.com> wrote:
>
> In message <aid7_7d5ifcxq...@freefall.freebsd.org>, Lexi Winter writes:
> >
> > hello,
> >
> > on recent (last ~2 days) main with WITH_MITKRB5, ssh with GSSAPI seems
> > broken:
> >
> > % git push lf
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> > g...@git.le-fay.org: Permission denied (publickey,gssapi-with-mic).
> > fatal: Could not read from remote repository.
> >
> > am i missing some config change or do i need to update something?
>
> That was fixed by c0fae431fd6a. Too many moving parts, I missed that one.
> GSSAPI is a clearinghouse. It's a lookup table that calls the various
> GSSAPI modules made available by providers, i.e. Kerberos or in the case of
> Linux the gssproxy daemon.
>
> This will make having two kerberos in our tree as rickm@ requested a little
> challenging, because MIT and Heimdal share the same OID (for obvious
> reasons). If we want to keep the Heimdal libraries in our tree,
> temporarily, while we work through the kernel NFS issue we may need to alter
> our gssapi to use a second lookup table (in /etc/gss/mech) just for heimdal.
> I have some ideas how to implement this securely so that no other app could
> use the alternate table.

Forget about that request. MIT's gssapi has something called
gss_inquire_sec_context_by_oid() which I think can return the session key,
which is what the code in sys/kgssapi/krb5/krb5_mech.c does manually.

My current plan is to add a new upcall RPC to the gssd, so the gssd can use
this call to do the work.

rick

>
> --
> Cheers,
> Cy Schubert <cy.schub...@cschubert.com>
> FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
> NTP: <c...@nwtime.org> Web: https://nwtime.org
>
> e**(i*pi)+1=0
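The mech lookup table Cy describes is what libgssapi consults before the dlopen that fails in Lexi's output. As an added example (not code from this thread or from FreeBSD), here is a Python checker that parses mech-file lines and reports libraries that cannot be found plus OIDs registered by more than one mechanism, the MIT/Heimdal collision Cy mentions. The four-field layout and "#" comments are assumed from mech(5); the sample table and the set of installed libraries are constructed so it runs offline.

```python
import os
from collections import defaultdict
from dataclasses import dataclass

# Field layout assumed from FreeBSD mech(5): name, OID, shared library and
# kernel module ("-" when there is none); "#" starts a comment.
@dataclass(frozen=True)
class MechEntry:
    name: str
    oid: str
    library: str
    kmod: str

def parse_mech(text):
    """Parse mech-file text into MechEntry records, skipping comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        entries.append(MechEntry(*fields))
    return entries

def check_mechs(entries, libdirs=("/usr/lib",), exists=os.path.exists):
    """Return (missing, collisions): libraries libgssapi could not dlopen, as
    (mechanism, library) pairs, and OIDs claimed by more than one mechanism
    (e.g. two Kerberos providers both registering the krb5 OID)."""
    missing, by_oid = [], defaultdict(set)
    for e in entries:
        by_oid[e.oid].add(e.name)
        paths = [e.library] if e.library.startswith("/") else [
            os.path.join(d, e.library) for d in libdirs]
        if not any(exists(p) for p in paths):
            missing.append((e.name, e.library))
    collisions = {o: sorted(n) for o, n in by_oid.items() if len(n) > 1}
    return missing, collisions
# Constructed sample, not a real /etc/gss/mech: an MIT entry whose library is
# absent (the dlopen failure above) beside a Heimdal entry with the same OID.
SAMPLE_MECH = """\
kerberosv5    1.2.840.113554.1.2.2  libgssapi_krb5.so.121   -
spnego        1.3.6.1.5.5.2         libgssapi_spnego.so.10  -
heimdal-krb5  1.2.840.113554.1.2.2  libgssapi_krb5.so.10    -
"""
# Constructed view of the installed libraries, so the check runs offline.
PRESENT = {"/usr/lib/libgssapi_spnego.so.10", "/usr/lib/libgssapi_krb5.so.10"}
if __name__ == "__main__":
    for item in check_mechs(parse_mech(SAMPLE_MECH), exists=PRESENT.__contains__):
        print(item)
```

Pointing `exists` at the real filesystem (the default) and feeding it the contents of the live mech file turns this into a quick post-upgrade sanity check.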