Date:      Thu, 23 Sep 2010 13:47:19 -0600
From:      John Hein <jhein@symmetricom.com>
To:        Grzegorz Blach <magik@roorback.net>
Cc:        ports@freebsd.org, bug-followup@FreeBSD.org
Subject:   Re: ports/150493: Update for: security%2Fopenssh-portable port from 5.2p1 to 5.6p1
Message-ID:  <19611.44743.884250.799604@gossamer.timing.com>
In-Reply-To: <bda0b7e3643cd07ed798d9419951abc0@roorback.net>
References:  <19611.33234.127943.370546@gossamer.timing.com> <bda0b7e3643cd07ed798d9419951abc0@roorback.net>

Grzegorz Blach wrote at 20:00 +0200 on Sep 23, 2010:
 > Thanks for your patches, I'll review them at the weekend,
 > but now I think that the GSSAPI option should be explicitly removed,
 > not marked as broken. On
 > http://www.sxw.org.uk/computing/patches/openssh.html
 > is noticed: "OpenSSH now contains support out of the box for
 > GSSAPI user authentication using the 'gssapi-with-mic' mechanism".

I emailed the gssapi patch maintainer.

From his reply [1], it turns out the "now" is not really "now"
anymore.  It's "now" as of perhaps 5 years ago.  3.5 doesn't
have the GSSAPIAuthentication stuff, but 4.3 does, so it was
added somewhere in between (I didn't bisect any further).

The second paragraph on the web page ("Larger sites...") cites why the
patch is still useful.

I let Simon know that his latest patch set...
http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch

... does not apply cleanly to 5.6p1.
He may refresh that patch (it's only slightly broken), so I think it
will be useful to just mark it BROKEN for now.  We can always
remove it later.

We can even deprecate the option, but right now bsd.ports.mk doesn't
really support deprecating individual options so just adding some text
to that effect to the BROKEN string may be the best option I am aware
of.  I CC'd ports@ - maybe someone there knows of some precedent in this
area.

Unfortunately, there's really no way of knowing how many people will
be disappointed if the GSSAPI option disappears.

[1]
=================================
From: Simon Wilkinson <simon@sxw.org.uk>
To: John Hein <jhein@symmetricom.com>
Subject: Re: gssapi patches for openssh
Date: Thu, 23 Sep 2010 19:37:06 +0100
Message-Id: <92C531E6-D12C-4180-BDA3-C0757FF39636@sxw.org.uk>

On 23 Sep 2010, at 19:27, John Hein wrote:
> For the freebsd port of openssh-portable (about to be updated to
> openssh 5.6p1), I am trying to determine whether to remove
> the GSSAPI patch option or perhaps to refresh it for 5.6p1.
>
> A couple questions:
> 
> - The "now" above refers to which version of OpenSSH?
>   ("OpenSSH now contains...").

The now is OpenSSH for about the last 5 years. OpenSSH includes GSSAPI
user authentication, but not GSSAPI key exchange. User authentication
is useful until you have more than 5 or so machines on your site;
beyond that, virtually every large organisation that I'm aware of with
Kerberos deployed is using OpenSSH with GSSAPI key exchange.

> - It sounds like there may be some benefit to using
>   the key exchange part of the patch.  Do you think
>   someone should try to determine which parts could
>   still be useful on 5.6p1 or should we just remove
>   the GSSAPI option altogether?

The patch as given on my website is all applicable to 5.6p1. In
addition to supporting key exchange it also supports cascading
credentials upon renewal, which is useful if you have a chain of many
ssh connections from your desktop machine.

Cheers,

Simon.
=================================