Using Solaris 10 built in Kerberos support with Kerberos application


Using Solaris 10 built in Kerberos support with Kerberos application

Douglas E. Engert
In an attempt to use vendor provided Kerberos support where possible, we have
been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5
and ssh or any application that uses Kerberos via GSSAPI.

But we have a number of other Kerberos applications, including qpop for Kerberized
pop service, aklog with OpenAFS and kerberized CVS.

The problem is that Solaris only exposes Kerberos via GSSAPI, and does not
provide the krb5.h files or the normal Kerberos libraries.

*What I would like to ask SUN is to include the krb5.h and its friends with the
Solaris 10 base system.*

To get around this,
http://www.opensolaris.org/source/xref/usr/src/uts/common/gssapi/mechs/krb5/include
has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes
with Solaris 10.  (I actually downloaded the tarfile to get the header files.)

I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h.

Some problems along the way:

   o mech_krb5.so has most of the Kerberos routines and can be used as a shared
     library, but is clumsy to link as it's not a "libxxx"

   o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so

   o The krb5.h refers to profile.h  which is not supplied.

   o Many of the Kerberos applications also use com_err.h which is not supplied.

   o There is no com_err add_error_table.

   o Solaris does not have krb524. So aklog cannot use this feature.

But so far it still looks promising to use the Solaris 10 Kerberos and we
are expecting that Sun will continue to improve the usability of their
Kerberos support.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Using Solaris 10 built in Kerberos support with Kerberos application

Wyllys Ingersoll
Douglas E. Engert wrote:

> *What I would like to ask SUN is to include the krb5.h and its friends with the
> Solaris 10 base system.*

We are well aware of your desire for these headers to be included in the
base OS :)
We have heard it from many customers, actually.

>
> I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
> using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h.
>
> Some problems along the way:
>
> o mech_krb5.so has most of the Kerberos routines and can be used as a shared
> library, but is clumsy to link as it's not a "libxxx"

Yes, inconvenient, but not difficult to overcome with proper linker options at
build time.

>
> o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so

Correct.

>
> o The krb5.h refers to profile.h which is not supplied.
>
> o Many of the Kerberos applications also use com_err.h which is not supplied.

profile.h and com_err.h are in the userspace Kerberos code tree, which is not yet
posted to opensolaris.org. It should be posted sometime in the near future (but
don't ask me to define "near", it's out of my control at this point). Just be aware
that it is coming, eventually, along with a bunch of other crypto-related code and
GSSAPI mechanisms like SPNEGO and DH.

>
> o There is no com_err add_error_table.
>
> o Solaris does not have krb524. So aklog cannot use this feature.

krb524 is not part of Solaris and will not be part of opensolaris. We made the
decision long ago not to support Kerberos V4 and thus dropped all krb4 related
code from our codebase.

>
> But so far it still looks promising to use the Solaris 10 Kerberos and we
> are expecting that Sun will continue to improve the usability of their
> Kerberos support.
>
Thanks for the support and we are working hard on improving support for
developers and end-users.

-Wyllys

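
Added example, not part of either message and not Sun or MIT code: since the thread agrees that the opensolaris krb5.h is not guaranteed to match mech_krb5.so, a small probe run before building can show which entry points the library actually exports. The function name `count_missing` and the symbol list are assumptions chosen for illustration; the default path is the one named in the first post.

```c
/* Added example: probe a shared object for the Kerberos entry points an
 * application needs before building against a separately obtained krb5.h. */
#include <dlfcn.h>
#include <stdio.h>

/* Illustrative list only, not the full set qpop or aklog reference.
 * The krb5_* names are standard krb5 API calls; add_error_table is the
 * com_err routine the first post reports as absent. */
static const char *const wanted[] = {
    "krb5_init_context", "krb5_cc_default",
    "krb5_get_credentials", "add_error_table",
};

/* Returns how many of the n names are not exported by the object at path
 * (NULL means the running program and its loaded dependencies), or -1 if
 * the object cannot be loaded. Missing names are listed on stderr. */
int count_missing(const char *path, const char *const *names, int n)
{
    void *h = dlopen(path, RTLD_LAZY);
    int missing = 0;

    if (h == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return -1;
    }
    for (int i = 0; i < n; i++) {
        if (dlsym(h, names[i]) == NULL) {
            fprintf(stderr, "missing: %s\n", names[i]);
            missing++;
        }
    }
    dlclose(h);
    return missing;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/lib/gss/mech_krb5.so";
    int n = (int)(sizeof wanted / sizeof wanted[0]);
    int missing = count_missing(path, wanted, n);

    if (missing < 0)
        return 2;               /* library could not be loaded */
    printf("%d of %d symbols missing from %s\n", missing, n, path);
    return missing ? 1 : 0;     /* non-zero exit lets a build script stop */
}
```

A clean result only shows that the names resolve; it does not prove that structure layouts in the downloaded krb5.h agree with the installed library.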