[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Interest in packaging GNU Shishi and GNU Generic Security Service?

"Steinar H. Gunderson" <sgunderson@bigfoot.com> writes:

> On Tue, Aug 30, 2005 at 08:01:41PM +0200, Simon Josefsson wrote:
>> Shishi can co-exist with either of MIT or Heimdal.  It doesn't use a
>> similar API at all.  The library has a clean name space (shishi_*).
>> The tools doesn't conflict with any (to me) known tools.
> But I take it that it can still use the same ticket files etc.?

No, those formats were too limited.  I needed to store tickets for
multiple principals.  Reading/writing the MIT/Heimdal ticket/hostkey
files as a compatibility feature would be possible, though, and is on
the todo-list.

> I'm not sure if adding Shishi support to $whatever_program is a
> process that would be very useful (given what time it took to get
> Kerberos support into those programs the first time), but having
> Shishi kinit and perhaps libpam-shishi would be interesting for
> smart card use.

Agreed.  I don't want programs to be changed to support Shishi
directly.  Rather, applications should be written to use GSS-API.
Shishi can be used through GSS-API.

There is a Shishi kinit, and a PAM module is shipped with Shishi too.

Some older protocols, e.g. telnet and rsh, doesn't support GSS-API,
and they will have to support Shishi directly.  But maybe few care
about those protocols.  In any case, I have written patches for GNU
InetUtils that use Shishi directly:


I have submitted the patches up-stream, and while nobody has objected,
they haven't been installed yet.

Fortunately, SSH uses GSS-API directly, and I have patches LSH to
support GSS/Shishi:


It still use an older version of the protocol, when IETF publish the
final protocol I'll update the patch.  Using the GSS implementation
from MIT/Heimdal with my patch is possible and works too.  Although
since LSH is GPL it is probably not possible to distribute binaries
linked to Heimdal.


Reply to: