
Re: heimdal/mit-krb mix in ssh-krb5 via libnss-ldap

Jeremie Koenig <sprite@sprite.fr.eu.org> writes:

> I got no luck lately and managed to make ssh-krb5 fail due to library
> linkage weirdness. It took me ages to figure out what was going on!  (I
> learnt a lot on the way, however.)

> To reproduce the breakage:
>  1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
>     (something else linked against libkrb53 may "work" as well);
>  2. configure /etc/nsswitch.conf to use ldap for some lookups;
>  3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL
>     authentication.

> Then run ssh-krb5, linked with some mit-kerberos libraries. NSS pulls
> LDAP, which pulls SASL, which pulls its heimdal GSSAPI module, which
> pulls a lot of heimdal stuff. GDB shows them all when attaching to the
> process. ssh-krb5's gssapi authentications spew out a few "debug1:
> \n\n\n" lines and fail silently, which is more than graceful with such a
> mess in place if you ask me :-P

> The quick fix was to install MIT's gssapi SASL module rather than
> heimdal's one. Surely a library wizard here can think of a better one,
> or at least a specific (set of) package(s) to be blamed.

You've pretty much got the solution I'd recommend.  Heimdal and MIT
Kerberos are parallel implementations of the same protocol and API and
share *most* of the same function signatures but not all.  This means
they're both not interchangeable and they stomp on each other.  You're not
going to be able to load both libraries into the same namespace and have
them be comfortable next to each other.  It's kind of like trying to use
both OpenSSL and gnutls in the same binary, except possibly even worse.

It's really best to decide whether you're using Heimdal or you're using
MIT Kerberos and then install a consistent set of libraries and programs
across the board.  Many things in Debian are built for both in two
separate packages, but I think there's slightly more available for MIT
(including ssh-krb5) than for Heimdal at the moment.

Even if you did deal with the NSS situation, at some point something on
your system is going to link with both the krb5 libraries and SASL
directly, at which point you're likely to have the same issues with it.

That being said...

> There must be a way to use an nss module without its library
> dependencies polluting what it's called from! In contrast sshd doesn't
> experience such a thing while it's linked against the same MIT stuff and
> pam, which uses both libpam-{ldap,heimdal} here. Maybe sasl or the nss
> are improperly loading their modules?

...this is an interesting point.  I seem to recall that there's some way
with dlopen and ELF to isolate the symbol table of the newly loaded shared
object and its dependencies from the rest of the program, but I don't know
if that's sufficient to prevent this sort of clobber.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
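The diagnosis above rests on noticing, with GDB attached, that both Kerberos implementations had been mapped into one process. The following script is an added example (not code from this thread or from either project) that automates that check over `/proc/<pid>/maps` or `ldd` output. The library-name patterns used to tell Heimdal from MIT are an assumption based on common SONAMEs and may need adjusting for a given distribution; the sample maps lines are constructed.

```sh
#!/bin/sh
# Added example: report whether a process maps shared objects from BOTH
# Kerberos implementations. Input is /proc/<pid>/maps or ldd output on stdin.

# Print each distinct field that looks like a shared-object path or SONAME.
mapped_libs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so(\.[0-9]+)*$/) print $i }' | sort -u
}

# Classify one library name: prints "heimdal", "mit" or nothing.
# Patterns are an assumption (usual SONAMEs); a SASL plugin such as
# libgssapiv2.so is deliberately not classified, only what it drags in.
krb_flavor() {
    case "$(basename "$1")" in
        libroken.so*|libasn1.so*|libhx509.so*|libhcrypto.so*|libheimbase.so*|libwind.so*|libkrb5.so.26*|libgssapi.so.*)
            echo heimdal ;;
        libgssapi_krb5.so*|libk5crypto.so*|libkrb5support.so*|libkrb5.so.3*)
            echo mit ;;
    esac
}

# Read maps/ldd text on stdin and print "mixed", "heimdal", "mit" or "none".
check_krb_mix() {
    heimdal=0; mit=0
    for lib in $(mapped_libs); do
        case "$(krb_flavor "$lib")" in
            heimdal) heimdal=1 ;;
            mit) mit=1 ;;
        esac
    done
    if [ "$heimdal" = 1 ] && [ "$mit" = 1 ]; then echo mixed
    elif [ "$heimdal" = 1 ]; then echo heimdal
    elif [ "$mit" = 1 ]; then echo mit
    else echo none; fi
}

# Constructed sample resembling /proc/<pid>/maps for the situation in the
# thread: MIT libraries from the main program plus Heimdal libraries pulled
# in through the SASL GSSAPI plugin.
SAMPLE_MAPS='7f00 r-xp 00000000 08:01 1 /usr/lib/libkrb5.so.3
7f01 r-xp 00000000 08:01 2 /usr/lib/libgssapi_krb5.so.2
7f02 r-xp 00000000 08:01 3 /usr/lib/sasl2/libgssapiv2.so
7f03 r-xp 00000000 08:01 4 /usr/lib/libroken.so.18
7f04 r-xp 00000000 08:01 5 /usr/lib/libkrb5.so.26'

printf '%s\n' "$SAMPLE_MAPS" | check_krb_mix   # prints "mixed"
# Live use (assumed invocation): cat /proc/"$(pidof sshd)"/maps | check_krb_mix
```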
