Re: Debian Shishi integration: GSS-API library

[Russ Allbery]

Simon Josefsson <address@hidden> writes:

> The API is well standardized for years in RFC 2743/2744, so, yes.

Well, there are a bunch of portability checks that you need to be able to
link against both Heimdal and MIT including older versions, but that's
mostly true.  I think these are all the compatibility hacks I've had to
use in practice:

#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#else
# include <gssapi/gssapi_generic.h>
#endif

/* Handle compatibility to older versions of MIT Kerberos. */
#ifndef HAVE_GSS_RFC_OIDS
# define GSS_C_NT_USER_NAME gss_nt_user_name
#endif

/* Heimdal provides a nice #define for this. */
#if !HAVE_DECL_GSS_KRB5_MECHANISM
# include <gssapi/gssapi_krb5.h>
# define GSS_KRB5_MECHANISM gss_mech_krb5
#endif

> The recommended approach to program Shishi is through libgss, since that
> makes it easy to swap to any GSS-mech (or at least any GSS-krb5-mech).

Yeah, MIT recommends the same.

> The few that applications that are using plain kerberos is probably not
> worth porting to Shishi.

The packages that use plain Kerberos that I personally care about are AFS
(via aklog), kstart, and WebAuth.  But porting any of those to Shishi
isn't really high on my list at the moment.

-- 
Russ Allbery (address@hidden)             <http://www.eyrie.org/~eagle/>