Re: removing MK_GSSAPI
- Reply: Lexi Winter : "Re: removing MK_GSSAPI"
- Reply: Brooks Davis : "Re: removing MK_GSSAPI"
- In reply to: Cy Schubert : "Re: removing MK_GSSAPI"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 11 Aug 2025 16:29:31 UTC
On Mon, Aug 11, 2025 at 8:49 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote: > > In message <aJoEZhS5_JQbjLRK@freefall.freebsd.org>, Lexi Winter writes: > > hello, > > > > i've posted a review to remove the WITHOUT_GSSAPI src.conf knob in 15.0: > > https://reviews.freebsd.org/D51859. my rationale for this is that since > > this is already a no-op for MIT Kerberos, there's no real need to keep > > it around for legacy Heimdal and removing it simplifies the build logic > > a little, since you either have Kerberos or you don't. > > > > Cy suggested that we might instead want to modify MIT Kerberos to make > > WITHOUT_GSSAPI do something. i'm not sure this is useful, because > > without GSSAPI you can't really use Kerberos for anything even if you > > build it; in particular, both ssh and gssd require GSSAPI. in the past, > > this knob might have made sense since base gssapi was separate from the > > implementation (Heimdal), but with MIT Kerberos, this is no longer true. > > > > but, perhaps there's a reason to keep this knob around? > > My thoughts, > > lib/libgssapi uses Heimdal data structures. GSS apps will run into trouble > when using MIT's GSSAPI with libgssapi. > > MIT's GSSAPI can replace our libgssapi. Installing it by itself is > pointless. I agree with removing MK_GSSAPI. There are people here with > more history than I. I understand why we might want GSSAPI without > Kerberos, there could be other GSS providers. Is this realistic? Highly unlikely, I think. Once upon a time, GSSAPI was envisioned to someday have a variety of mechanisms, with Kerberos being one possible one. That has never happened, and since MIT sticks the GSSAPI in the same library as the Kerberos mechanism glue, I cannot see a GSSAPI that does not use Kerberos as ever likely to happen. The only mumbling about other mechanisms I've heard is for Oauth2 (or whatever that token stuff is called), but all that ever seemed to happen is getting an OID for it. (It would actually be nice to have, I think, but I'm not volunteered to write it.;-) rick > > > -- > Cheers, > Cy Schubert <Cy.Schubert@cschubert.com> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org > NTP: <cy@nwtime.org> Web: https://nwtime.org > > e**(i*pi)+1=0 > > >