[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#34632] GSS development status

From: Simon Josefsson via Discussion list for GNU Generic Security Service
Subject: [bug#34632] GSS development status
Date: Sat, 06 Aug 2022 16:02:31 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Maxim Cournoyer <> writes:

> Hello,
> I'd like to inquire about the development status of GSS? Has it left the
> beta status? Are bugs still being fixed? Is there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
> Thank you,
> Maxim Cournoyer
> [0]

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question.  However I have just released GNU GSS version 1.0.4 to refresh
the project, and have setup CI/CD checking of it to pave the road for
future improvements.  To my knowledge there are only two major missing

  1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
     to complete on modern machines.  Shishi supports AES and GSSLib
     supports it for GSS_Init_sec_context etc but not GSS_wrap.

  2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and

I hope to complete 1) in the future.  For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution.  My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead!  Then the user can change GSS-API library at run-time.
Read about this work here:


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]