Received: from hermes.ctd.anl.gov (hermes.ctd.anl.gov [130.202.113.27])
    by krbdev.mit.edu (8.9.3p2) with ESMTP id OAA04989;
    Thu, 19 Feb 2004 14:09:18 -0500 (EST)
Received: from hermes.ctd.anl.gov (localhost [127.0.0.1])
    by hermes.ctd.anl.gov (8.9.1a/8.9.1) with ESMTP id NAA24764
    for ; Thu, 19 Feb 2004 13:08:47 -0600 (CST)
Received: from anl.gov (atalanta.ctd.anl.gov [146.137.194.4])
    by hermes.ctd.anl.gov (8.9.1a/8.9.1) with ESMTP id NAA24757;
    Thu, 19 Feb 2004 13:08:46 -0600 (CST)
Message-Id: <403509DB.F34C51E@anl.gov>
Date: Thu, 19 Feb 2004 13:09:15 -0600
From: "Douglas E. Engert"
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Sam Hartman
Cc: rt@krbdev.mit.edu, Darren Tucker
Subject: Re: [krbdev.mit.edu #2240] krb5-config --cflags gssapi whenusedbyOpenSSH-snap-20040212
References: <4034B8F9.31474EF3@anl.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 3667

My argument is that the MIT krb5-config does not do what is expected.

I would also point out that the OpenSSH code already is doing some
strange things with the output which it should not have to do,
namely trying to split the output of krb5-config --libs into
LDFLAGS and LIBS:

    K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^ @:>@*//g'`"
    K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^ @:>@*//g'`"

(I saw a fix on the list against this, as it would not allow a - in a
path name. It was trying to delete -L/path/to/heimdal-0.6/lib but
stopped short and left -0.6/lib.)

So the question is then: When will krb5-config be useable? Is it worth
trying to use with OpenSSH in its current state?

The patch I sent would work against the current krb5-config scripts,
including the krb5-1.3.2-beta4.

I also have some other concerns about the krb5-config, as it returns
the final install location of the files. We like to build and install
Kerberos in AFS, along with OpenSSL, and OpenSSH and install them all as a
package on to a local system in a well known location: /krb5/*.
This requires the Kerberos and OpenSSL to be installed somewhere not on the
running system while OpenSSH is built.

Without krb5-config, we can easily configure OpenSSH with something like:

    ...
    --prefix=/krb5 \
    --with-kerberos5=/afs/anl.gov/appl/krb5-1.3.2/@sys/krb5 \
    ...

But with krb5-config, it will try to include the /krb5/lib rather than
/afs/anl.gov/appl/krb5-1.3.2/@sys/krb5/lib
So it may try and include the wrong libs from the running system.

krb5-config has the same relocation problem as trying to compile in
the -R or -rpath for a shared lib. You need the final location
in the shared lib, even if you are installing somewhere else.

(I have a local circumvention for this last point, and we also
provide the -R or -rpath to point at /krb5/lib for OpenSSL,
Kerberos and OpenSSH.)

Sam Hartman wrote:
>
> >>>>> "Douglas" == Douglas E Engert writes:
>
>     Douglas> Darren Tucker wrote:
>     >>
>     >> Douglas E. Engert wrote:
>     >> > More or less, but the new code uses
>     >> > CPPFLAGS="$CPPFLAGS ${K5CFLAGS}/gssapi"
>     >>
>     >> What guarantee is there that K5CFLAGS will contain only
>     >> -I/path/to/includes?"  What happens if it contains, eg,
>     >> "-I/path/to/include -DSOME_FLAG"?
>
>     Douglas> The current MIT krb5-config returns only
>     Douglas> -I/path/to/include
>
>     Douglas> By the time MIT releases a new version of krb5-config,
>     Douglas> they should have gssapi.h in the path so the code in
>     Douglas> question to test for gssapi.h in the sub directory will
>     Douglas> not be executed.  The Heimdal code (as I understand) does
>     Douglas> not have this problem, so does not execute this code.
>
> Hi.  MIT has not made a determination as to whether Doug's bug is
> actually a bug nor whether we will fix it.  We certainly will not fix
> it for the upcoming 1.3.2 release; we have passed our final change
> deadline for that release.
>
> I disagree with Doug's assertion that most programs include gssapi.h
> not gssapi/gssapi.h.
>
> At this time I would recommend including gssapi.h for Heimdal and
> gssapi/gssapi.h for MIT Kerberos.
>
> We'll certainly evaluate Doug's bug report and make a determination
> about what we think the correct behavior is.  However I am very
> reluctant to recommend that people accept patches that depend on the
> specific output of krb5-config.
>
> --Sam

--

 Douglas E. Engert
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
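
Added example, not part of the original message and not OpenSSH or MIT code: one way to split krb5-config --libs style output by whole tokens rather than with sed, so a "-" inside a path survives, plus a check that lists any -L directory outside the Kerberos tree the build was pointed at. The function names and the sample flag string are constructed for illustration; paths containing whitespace are assumed not to occur.

```sh
#!/bin/sh
# Added example: handle krb5-config --libs output one token at a time.

# split_k5_libs MODE TOKEN...
#   MODE=ldflags -> linker search-path options (-L, -R, -Wl,)
#   MODE=libs    -> everything else (-lfoo and any unrecognized token)
split_k5_libs() {
    mode=$1; shift
    out=
    for tok in "$@"; do
        case $tok in
            -L*|-R*|-Wl,*) kind=ldflags ;;
            *)             kind=libs ;;
        esac
        if [ "$kind" = "$mode" ]; then
            out="${out:+$out }$tok"
        fi
    done
    printf '%s\n' "$out"
}

# k5_libdirs_outside PREFIX TOKEN...
#   Prints each -L directory that is neither PREFIX itself nor below it,
#   i.e. a place the link step could pick up libraries from the running
#   system instead of the intended Kerberos build.
k5_libdirs_outside() {
    prefix=${1%/}; shift
    out=
    for tok in "$@"; do
        case $tok in
            -L"$prefix"|-L"$prefix"/*) ;;            # inside the tree
            -L*) out="${out:+$out }${tok#-L}" ;;     # somewhere else
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample, shaped like krb5-config --libs output.
SAMPLE='-L/path/to/heimdal-0.6/lib -R/krb5/lib -lgssapi -lkrb5 -lcom_err'
# $SAMPLE is left unquoted on purpose so the shell splits it into tokens.
split_k5_libs ldflags $SAMPLE
split_k5_libs libs $SAMPLE
k5_libdirs_outside /afs/anl.gov/appl/krb5-1.3.2/@sys/krb5 -L/krb5/lib $SAMPLE
```

In a real configure run the token list would come from `$KRB5CONF --libs`, and a non-empty result from k5_libdirs_outside is the signal to stop and look at which tree is being linked.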