Re: [the perfectly harmless] heimdal/mit-krb mix in ssh-krb5 via libnss-ldap
On Thu, Jun 16, 2005 at 03:44:41PM +0200, Jeremie Koenig wrote:
> I got no luck lately and managed to make ssh-krb5 fail due to library
> linkage weirdness. It took me ages to figure out what was going on!
> (I learnt a lot on the way, however.)
>
> To reproduce the breakage:
> 1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
> (something else linked against libkrb53 may "work" as well);
> 2. configure /etc/nsswitch.conf to use ldap for some lookups;
> 3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL
> authentication.
Actually this is all crap, the libraries are fine. Sorry everybody for
the noise, especially Russ for the extra wasted brain and finger cycles.

Here's what happens if you wonder: the real problem is that libkrb53
recognizes comments only when # is the first character of a line, while
heimdal libraries allow some leading whitespace.

The heimdal plugin is much appropriately loaded via dlopen without the
RTLD_GLOBAL flag and its namespace is disjoint from the main one. The
name service switch probably does something similar with libnss-ldap, so
we may even have two levels of isolation. Besides, the libraries are
used for two completely different things.

I'm still not completely understanding how I have been able to come up
with this library clash "evidence" (maybe I just needed a culprit.)

The sensible thing I'm going to do now is reporting a wishlist bug
against libkrb53 to tolerate whitespace and a minor one against ssh-krb5
for the crappy debug lines.
--
Jeremie Koenig <sprite@sprite.fr.eu.org>
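
The comment-handling difference described in the message above, as an added example that is not part of the original post or of either Kerberos library: a small check that lists the lines of a krb5.conf which only the whitespace-tolerant rule treats as comments. The two rules are modelled purely from the message's description, and the sample file, realm and host names are constructed placeholders.

```python
import re
import sys

# Comment rules as the message above describes them (assumption: modelled
# from that description, not from either library's source code).
STRICT = re.compile(r"^#")          # '#' must be the first character
LENIENT = re.compile(r"^[ \t]*#")   # leading whitespace before '#' allowed


def divergent_comments(text):
    """Return (line_number, line) pairs that only the lenient rule skips."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if LENIENT.match(line) and not STRICT.match(line):
            hits.append((number, line))
    return hits


# Constructed sample configuration; names are placeholders.
SAMPLE = """\
# top-level comment, a comment under both rules
[libdefaults]
    default_realm = EXAMPLE.ORG
    # indented comment: a comment under one rule only
[realms]
    EXAMPLE.ORG = {
\t# tab-indented comment
        kdc = kdc.example.org
    }
"""

if __name__ == "__main__":
    # Check the file given on the command line, or the sample if none.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    for number, line in divergent_comments(content):
        print(f"line {number}: indented comment {line.strip()!r}")
```

Moving each reported `#` to the first column gives a file that reads the same under both rules.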