Comment 4 for bug 2044535

Simon Josefsson (simon-josefsson) wrote :

Thanks for the positive response @slyon @adrien-n

Indeed libgssglue dlopens a Kerberos implementation, and if none can be found, the GSS-API functions will return error codes.

The application deals with error conditions, and of course, any GSS-API and Kerberos related functionality will not work in this scenario. GSS-API and Kerberos functions often fail due to insufficient credentials or configurations, so this isn't a fatal application error but merely a soft error.

If a user wants to use Kerberos, I think they would have Kerberos stuff installed and thus everything will work for them (modulo any bugs).

Today almost anything brings in Kerberos anyway, so it is often included, but as you could see above, it IS possible to use 'gsasl' without libkrb5 installed and have everything work (except for, of course, Kerberos).

I did review OpenSSH's usage of GSS-API and it has two libkrb5-specific uses but they are isolated into gss-serv-krb5.c. The first is to call krb5_kuserok(), but that should easily be ported to use gss_userok() which was added to major GSS-API libraries back in 2010-2012. The second is to store forwarded credentials, and I haven't analyzed that usage yet to see how to port that to use native GSS-API interfaces, but it seems it should use a non-standard but de-facto krb5_gss_store_cred() which libgssglue should support.