Hello,

there is a problem with OpenSSH 4.5p1 (dates back to 4.2 IIRC) where configure, if called with `configure --enable-kerberos5=/usr`, will incorrectly determine the libraries to be linked into the final binaries on openSUSE 10.2 (and before) when /usr/lib/libgssapi* exists, i.e. the libgssapi.rpm package is installed. krb5 and krb5-devel are installed too. I suppose this problem also surfaces on other distributions.

configure output is:

    checking for gss_init_sec_context in -lgssapi... yes

but actually compiling and linking the program suite yields:

    gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o -L. -Lopenbsd-compat/ -L/usr/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt -lgssapi -lkrb5 -lk5crypto -lcom_err
    gss-serv-krb5.o: In function `ssh_gssapi_krb5_storecreds':
    /usr/src/packages/BUILD/openssh-4.5p1/gss-serv-krb5.c:164: undefined reference to `gss_krb5_copy_ccache'
    collect2: ld returned 1 exit status
    make: *** [sshd] Error 1

This missing function is defined in libgssapi_krb5. I think the problem behind this is that gss_init_sec_context, which is used in the configure{,.ac} test, is present in both:

    $ readelf -a /usr/lib/libgssapi.so | grep init_sec
    73: 00003cb0 551 FUNC GLOBAL DEFAULT 11 gss_init_sec_context@@libgssapi_CITI_2
    $ readelf -a /usr/lib/libgssapi_krb5.so | grep init_sec
    ...
    183: 00009b00 617 FUNC GLOBAL DEFAULT 11 gss_init_sec_context@@gssapi_krb5_2_MIT

While gss_krb5_copy_ccache is only in the latter:

    $ readelf -a /usr/lib/libgssapi.so | grep gss_krb5_copy_ccache
    $ readelf -a /usr/lib/libgssapi_krb5.so | grep gss_krb5_copy_ccache
    196: 0001d680 136 FUNC GLOBAL DEFAULT 11 gss_krb5_copy_ccache@@gssapi_krb5_2_MIT

Googling turns up http://marc2.theaimsgroup.com/?l=secure-shell&m=112109538913024&w=2 but I doubt my gssapi is "old", as this is a default openSUSE install and I am quite "clean" (gssapi _is_ under rpm control).

Here is a patch that "fixes" it for me: <attachment>
Created attachment 1226: proposed fix
Comment on attachment 1226: proposed fix

from the patch:

>- K5LIBS="-lgssapi $K5LIBS"; echo SCREW THE WORLD; ],

On some days I agree with this sentiment, but I'm not certain that this is a pristine OpenSSH source :)
Created attachment 1233: configure.ac patch
Comment on attachment 1233: configure.ac patch

I've done a test build with MIT krb5 1.5 and heimdal version 0.7.2 and 1.1, so this patch looks OK to me. Standard disclaimer: I don't use kerberos and disclaim all knowledge of it.
This patch looks fine. There are two issues here:

*) The Kerberos GSSAPI code uses a function that isn't strictly part of the GSS API, gss_krb5_copy_ccache. Both the MIT and Heimdal GSSAPI libraries provide this function as part of their libgssapi

*) When adding NFSv4 support, UMich wrote a new 'libgssapi' wrapper library. Unfortunately, this isn't as generic as the name suggests, and doesn't implement the full GSS API. We need to avoid picking up this library.

The patch will work in systems which have (MIT + Umich) libgssapis installed. I suspect it won't work only on systems with (Heimdal + Umich) installed (as both the Heimdal and UMich libraries are called libgssapi). I can't see any easy way of making it work in that case.

Simon.
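The failure discussed in this thread comes down to which symbol the link probe asks for. As an added example (not the patch attached to this bug and not OpenSSH's configure code), the script below replays the probe over the readelf lines quoted in the report; the helper names, the `.sym` file layout and the candidate order are assumptions.

```shell
#!/bin/sh
# Added example. Helper names, the .sym layout and candidate order are assumptions.

# Write `readelf` symbol lines (copied from the bug report) as <lib>.sym files.
write_sample_listings() {
    cat > "$1/gssapi.sym" <<'EOF'
73: 00003cb0 551 FUNC GLOBAL DEFAULT 11 gss_init_sec_context@@libgssapi_CITI_2
EOF
    cat > "$1/gssapi_krb5.sym" <<'EOF'
183: 00009b00 617 FUNC GLOBAL DEFAULT 11 gss_init_sec_context@@gssapi_krb5_2_MIT
196: 0001d680 136 FUNC GLOBAL DEFAULT 11 gss_krb5_copy_ccache@@gssapi_krb5_2_MIT
EOF
}

# exports_symbol LISTING SYMBOL: succeed if LISTING defines function SYMBOL.
# Fields: Num Value Size Type Bind Vis Ndx Name; Ndx "UND" marks an import.
exports_symbol() {
    awk -v want="$2" '
        $4 == "FUNC" && $7 != "UND" {
            name = $8
            sub(/@.*/, "", name)      # drop the @@VERSION suffix
            if (name == want) found = 1
        }
        END { exit !found }' "$1" 2>/dev/null
}

# pick_gss_lib DIR SYMBOL...: print the first candidate library, in probe
# order, whose listing exports every SYMBOL; fail if none does.
pick_gss_lib() {
    dir=$1; shift
    for lib in gssapi gssapi_krb5; do
        ok=1
        for sym in "$@"; do
            exports_symbol "$dir/$lib.sym" "$sym" || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then echo "$lib"; return 0; fi
    done
    return 1
}

demo_dir=$(mktemp -d)
write_sample_listings "$demo_dir"
echo "probe gss_init_sec_context only: -l$(pick_gss_lib "$demo_dir" gss_init_sec_context)"
echo "probe both required symbols:     -l$(pick_gss_lib "$demo_dir" gss_init_sec_context gss_krb5_copy_ccache)"
rm -rf "$demo_dir"
```

On a real system the listings would come from `readelf` run against the installed `.so` files, as in the original report.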
Patch has been applied and will be in the next (5.1) release. Thanks to both Jan and Simon.
Mass update RESOLVED->CLOSED after release of openssh-5.1