Re: Interest in packaging GNU Shishi and GNU Generic Security Service?
"Steinar H. Gunderson" <firstname.lastname@example.org> writes:
> On Tue, Aug 30, 2005 at 08:01:41PM +0200, Simon Josefsson wrote:
>> Shishi can co-exist with either of MIT or Heimdal. It doesn't use a
>> similar API at all. The library has a clean name space (shishi_*).
>> The tools doesn't conflict with any (to me) known tools.
> But I take it that it can still use the same ticket files etc.?
No, those formats were too limited. I needed to store tickets for
multiple principals. Reading/writing the MIT/Heimdal ticket/hostkey
files as a compatibility feature would be possible, though, and is on
> I'm not sure if adding Shishi support to $whatever_program is a
> process that would be very useful (given what time it took to get
> Kerberos support into those programs the first time), but having
> Shishi kinit and perhaps libpam-shishi would be interesting for
> smart card use.
Agreed. I don't want programs to be changed to support Shishi
directly. Rather, applications should be written to use GSS-API.
Shishi can be used through GSS-API.
There is a Shishi kinit, and a PAM module is shipped with Shishi too.
Some older protocols, e.g. telnet and rsh, doesn't support GSS-API,
and they will have to support Shishi directly. But maybe few care
about those protocols. In any case, I have written patches for GNU
InetUtils that use Shishi directly:
I have submitted the patches up-stream, and while nobody has objected,
they haven't been installed yet.
Fortunately, SSH uses GSS-API directly, and I have patches LSH to
It still use an older version of the protocol, when IETF publish the
final protocol I'll update the patch. Using the GSS implementation
from MIT/Heimdal with my patch is possible and works too. Although
since LSH is GPL it is probably not possible to distribute binaries
linked to Heimdal.