
Re: Interest in packaging GNU Shishi and GNU Generic Security Service?



"Steinar H. Gunderson" <sgunderson@bigfoot.com> writes:

> On Tue, Aug 30, 2005 at 08:01:41PM +0200, Simon Josefsson wrote:
>> Shishi can co-exist with either of MIT or Heimdal.  It doesn't use a
>> similar API at all.  The library has a clean name space (shishi_*).
>> The tools don't conflict with any (to me) known tools.
>
> But I take it that it can still use the same ticket files etc.?

No, those formats were too limited.  I needed to store tickets for
multiple principals.  Reading/writing the MIT/Heimdal ticket/hostkey
files as a compatibility feature would be possible, though, and is on
the todo-list.

> I'm not sure if adding Shishi support to $whatever_program is a
> process that would be very useful (given what time it took to get
> Kerberos support into those programs the first time), but having
> Shishi kinit and perhaps libpam-shishi would be interesting for
> smart card use.

Agreed.  I don't want programs to be changed to support Shishi
directly.  Rather, applications should be written to use GSS-API.
Shishi can be used through GSS-API.

There is a Shishi kinit, and a PAM module is shipped with Shishi too.

Some older protocols, e.g. telnet and rsh, don't support GSS-API,
and they will have to support Shishi directly.  But maybe few care
about those protocols.  In any case, I have written patches for GNU
InetUtils that use Shishi directly:

http://josefsson.org/shishi/feg-inetutils/

I have submitted the patches up-stream, and while nobody has objected,
they haven't been installed yet.

Fortunately, SSH uses GSS-API directly, and I have patched LSH to
support GSS/Shishi:

http://josefsson.org/gss/gss-lsh.html

It still uses an older version of the protocol; when the IETF publishes
the final protocol I'll update the patch.  Using the GSS implementation
from MIT/Heimdal with my patch is possible and works too.  Although
since LSH is GPL it is probably not possible to distribute binaries
linked to Heimdal.

Thanks,
Simon


