Re: ssh errors, libgssapi_krb5
Date: Mon, 28 Jul 2025 14:46:20 UTC
In message <aId7_7d5iFCxQhLI@freefall.freebsd.org>, Lexi Winter writes:
> hello,
>
> on recent (last ~2 days) main with WITH_MITKRB5, ssh with GSSAPI seems
> broken:
>
> % git push lf
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> dlopen: Cannot open "/usr/lib/libgssapi_krb5.so.121"
> git@git.le-fay.org: Permission denied (publickey,gssapi-with-mic).
> fatal: Could not read from remote repository.
>
> am i missing some config change or do i need to update something?

That was fixed by c0fae431fd6a. Too many moving parts, I missed that one.

GSSAPI is a clearinghouse. It's a lookup table that calls the various
GSSAPI modules made available by providers, i.e. Kerberos or in the case
of Linux the gssproxy daemon. This will make having two kerberos in our
tree as rickm@ requested a little challenging, because MIT and Heimdal
share the same OID (for obvious reasons). If we want to keep the Heimdal
libraries in our tree, temporarily, while we work through the kernel NFS
issue we may need to alter our gssapi to use a second lookup table (in
/etc/gss/mech) just for heimdal.

I have some ideas how to implement this securely so that no other app
could use the alternate table.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e**(i*pi)+1=0
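A check of the mechanism table discussed in the message above, added here as an example and not part of the original email or of FreeBSD's code: it parses a file in the /etc/gss/mech layout and reports libraries that are not on disk (the condition behind the quoted dlopen errors) and OIDs listed by more than one entry (the MIT/Heimdal collision). The four-column layout is assumed, and the sample table, its `heimdal` row and that row's library path are constructed for illustration.

```python
import os

# Constructed sample in the assumed four-column /etc/gss/mech layout
# (name, OID, library, kernel module). The "heimdal" row and its library
# path are hypothetical; the krb5 path is the one from the quoted errors.
SAMPLE_MECH = """\
# Name       OID                   Library name                    Kernel module
kerberosv5   1.2.840.113554.1.2.2  /usr/lib/libgssapi_krb5.so.121  kgssapi_krb5
heimdal      1.2.840.113554.1.2.2  /usr/lib/libgssapi_heimdal.so.0 -
spnego       1.3.6.1.5.5.2         /usr/lib/libgssapi_spnego.so.10 -
short line
"""


def parse_mech(text):
    """Return (entries, malformed_line_numbers) for a mech table."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:                   # need at least name, OID, library
            malformed.append(lineno)
            continue
        entries.append({"line": lineno, "name": fields[0], "oid": fields[1],
                        "library": fields[2],
                        "kmod": fields[3] if len(fields) > 3 else "-"})
    return entries, malformed


def audit(entries, exists=os.path.exists):
    """Flag libraries that are absent and OIDs claimed by several entries."""
    findings, by_oid = [], {}
    for e in entries:
        if not exists(e["library"]):
            findings.append(("missing-library", e["name"], e["library"]))
        by_oid.setdefault(e["oid"], []).append(e["name"])
    for oid, names in by_oid.items():
        if len(names) > 1:
            findings.append(("duplicate-oid", oid, tuple(names)))
    return findings


if __name__ == "__main__":
    path = "/etc/gss/mech"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MECH
    entries, malformed = parse_mech(text)
    for finding in audit(entries):
        print(finding)
    print("malformed lines:", malformed)
```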