From: Cy Schubert
To: current@freebsd.org, cy@freebsd.org
Subject: Re: ssh errors, libgssapi_krb5
Comments: In-reply-to Lexi Winter message dated "Mon, 28 Jul 2025 14:32:47 +0100."
Date: Mon, 28 Jul 2025 07:46:20 -0700
Message-Id: <20250728144620.0E87840D@slippy.cwsent.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Lexi Winter writes:
> hello,
>
> on recent (last ~2 days) main with WITH_MITKRB5, ssh with GSSAPI seems
> broken:
>
> % git push lf
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> git@git.le-fay.org: Permission denied (publickey,gssapi-with-mic).
> fatal: Could not read from remote repository.
>
> am i missing some config change or do i need to update something?

That was fixed by c0fae431fd6a. Too many moving parts, I missed that one.

GSSAPI is a clearinghouse. It's a lookup table that calls the various
GSSAPI modules made available by providers, i.e. Kerberos or, in the case
of Linux, the gssproxy daemon. This will make having two Kerberos in our
tree, as rickm@ requested, a little challenging, because MIT and Heimdal
share the same OID (for obvious reasons).

If we want to keep the Heimdal libraries in our tree, temporarily, while we
work through the kernel NFS issue, we may need to alter our gssapi to use a
second lookup table (in /etc/gss/mech) just for Heimdal. I have some ideas
how to implement this securely so that no other app could use the alternate
table.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
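
The two failure modes in this thread (a mechanism library that dlopen cannot find, and two providers registered under one OID) can both be checked against the lookup table itself. The script below is an added example, not part of the original message or of the FreeBSD tree. It assumes the table is whitespace-separated as name, OID, library path and optional kernel module; the sample table, the second library name and the `heimdal` entry name are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed table layout (one mechanism per line):
#   name  OID  library-path  [kernel-module]

# Print "name oid library" for every entry, ignoring comments and blanks.
mech_entries() {
    sed 's/#.*//' "$1" | awk 'NF >= 3 { print $1, $2, $3 }'
}

# check_gss_mech FILE prints one finding per line:
#   MISSING <name> <library>        library absent, so dlopen would fail
#   DUPOID  <oid> <first> <second>  two entries claim the same mechanism OID
# Returns 0 when the table is clean, 1 when there are findings.
check_gss_mech() {
    findings=$(
        mech_entries "$1" | while read -r name oid lib; do
            [ -e "$lib" ] || echo "MISSING $name $lib"
        done
        mech_entries "$1" | awk '
            $2 in seen { print "DUPOID", $2, seen[$2], $1; next }
            { seen[$2] = $1 }'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: two providers under the Kerberos 5 mechanism OID,
# the second pointing at a library that is not installed.
demo() {
    d=$(mktemp -d)
    : > "$d/libgssapi_krb5.so.121"      # stand-in for an installed library
    cat > "$d/mech" <<EOF
# name      OID                   library
kerberosv5  1.2.840.113554.1.2.2  $d/libgssapi_krb5.so.121  kgssapi_krb5
heimdal     1.2.840.113554.1.2.2  $d/libgssapi_second.so
EOF
    check_gss_mech "$d/mech"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "mech table needs attention"
```

On a real system the function would be pointed at `/etc/gss/mech` after an upgrade that changes the Kerberos provider.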