Bugzilla – Bug 7203
GSI-OpenSSH use with current GSSAPI mechglue in MIT Kerberos
Last modified: 2011-08-17 13:43:35
To support multiple GSSAPI mechanisms in OpenSSH (i.e., Kerberos and GSI), we
use a custom mechglue library forked from an old version of MIT Kerberos, as

We learned at a recent Project Moonshot presentation that the GSSAPI mechglue
included in the MIT Kerberos distribution has been updated to better support
plugging in additional GSSAPI mechanisms (i.e., GSI), so our custom mechglue
library should hopefully no longer be required. However, this requires some
investigation, testing, and documentation on how to use GSI with the current

I think the first step is to look at how Project Moonshot does it:

Hopefully we can follow their example for use with GSI.

Volunteers from the community to look into this would be much appreciated. To
volunteer, please assign this bug to yourself.

I forgot to mention that one very attractive benefit of using mechglue in the
MIT Kerberos libraries is that the operating system default OpenSSH is often
already linked with those libraries, so it's possible we could avoid needing to
distribute separate gsi-openssh packages (RPMs, etc.) and instead load in GSI
support at run-time using standard Kerberos-enabled OpenSSH packages.