Re: removing MK_GSSAPI
- Reply: Rick Macklem : "Re: removing MK_GSSAPI"
- In reply to: Lexi Winter : "removing MK_GSSAPI"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 11 Aug 2025 15:49:13 UTC
In message <aJoEZhS5_JQbjLRK@freefall.freebsd.org>, Lexi Winter writes: > hello, > > i've posted a review to remove the WITHOUT_GSSAPI src.conf knob in 15.0: > https://reviews.freebsd.org/D51859. my rationale for this is that since > this is already a no-op for MIT Kerberos, there's no real need to keep > it around for legacy Heimdal and removing it simplifies the build logic > a little, since you either have Kerberos or you don't. > > Cy suggested that we might instead want to modify MIT Kerberos to make > WITHOUT_GSSAPI do something. i'm not sure this is useful, because > without GSSAPI you can't really use Kerberos for anything even if you > build it; in particular, both ssh and gssd require GSSAPI. in the past, > this knob might have made sense since base gssapi was separate from the > implementation (Heimdal), but with MIT Kerberos, this is no longer true. > > but, perhaps there's a reason to keep this knob around? My thoughts, lib/libgssapi uses Heimdal data structures. GSS apps will run into trouble when using MIT's GSSAPI with libgssapi. MIT's GSSAPI can replace our libgssapi. Installing it by itself is pointless. I agree with removing MK_GSSAPI. There are people here with more history than I. I understand why we might want GSSAPI without Kerberos, there could be other GSS providers. Is this realistic? -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org NTP: <cy@nwtime.org> Web: https://nwtime.org e**(i*pi)+1=0