
Re: [the perfectly harmless] heimdal/mit-krb mix in ssh-krb5 via libnss-ldap



On Thu, Jun 16, 2005 at 03:44:41PM +0200, Jeremie Koenig wrote:
> I got no luck lately and managed to make ssh-krb5 fail due to library
> linkage weirdness. It took me ages to figure out what was going on!
> (I learnt a lot on the way, however.)
> 
> To reproduce the breakage:
>  1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
>     (something else linked against libkrb53 may "work" as well);
>  2. configure /etc/nsswitch.conf to use ldap for some lookups;
>  3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL
>     authentication.

Actually this is all crap, the libraries are fine. Sorry everybody for
the noise, especially Russ for the extra wasted brain and finger cycles. 

Here's what happens if you wonder: the real problem is that libkrb53
recognizes comments only when # is the first character of a line, while
heimdal libraries allow some leading whitespace.

The heimdal plugin is quite appropriately loaded via dlopen without the
RTLD_GLOBAL flag and its namespace is disjoint from the main one. The
name service switch probably does something similar with libnss-ldap, so
we may even have two levels of isolation. Besides, the libraries are
used for two completely different things.

I'm still not completely understanding how I have been able to come up
with this library clash "evidence" (maybe I just needed a culprit.)
The sensible thing I'm going to do now is reporting a wishlist bug
against libkrb53 to tolerate whitespace and a minor one against ssh-krb5
for the crappy debug lines.

-- 
Jeremie Koenig <sprite@sprite.fr.eu.org>
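
The comment-handling difference described in the message above, as an added example that is not part of the original post or of either Kerberos library: a Python lint that models the two rules as the post states them and flags lines that only the lenient rule treats as comments. The function names and the sample are constructed for illustration, and it assumes the file in question is the shared Kerberos configuration (krb5.conf).

```python
"""Lint a Kerberos config for '#' comment lines that the two rules described
in the post classify differently. Added example; rules modelled from the post."""
import sys

def is_comment_strict(line: str) -> bool:
    # Rule the post attributes to libkrb53: '#' must be the first character.
    return line.startswith("#")

def is_comment_lenient(line: str) -> bool:
    # Rule the post attributes to Heimdal: leading whitespace is tolerated.
    return line.lstrip(" \t").startswith("#")

def find_divergent_lines(text: str):
    """Return (line_number, line) pairs that only the lenient rule skips."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if is_comment_lenient(line) and not is_comment_strict(line)]

def normalize(text: str) -> str:
    """Move indented '#' comments to column 0 so both rules agree."""
    out = []
    for line in text.splitlines():
        if is_comment_lenient(line):
            line = line.lstrip(" \t")
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample configuration, not taken from the post.
SAMPLE = """\
# top-level comment, fine under both rules
[libdefaults]
    default_realm = EXAMPLE.ORG
    # indented comment: only the lenient rule skips this
\t#dns_lookup_kdc = false
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org   # not a comment line under either rule
    }
"""

if __name__ == "__main__":
    # Lint the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_divergent_lines(text)
    for n, line in hits:
        print(f"line {n}: indented comment, parsers may disagree: {line!r}")
    sys.exit(1 if hits else 0)
```

Run against a configuration shared by MIT-linked and Heimdal-linked programs, a non-zero exit status marks lines worth moving to column 0.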