Date:      Thu, 23 Sep 2010 19:50:05 GMT
From:      John Hein <jhein@symmetricom.com>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/150493: Update for: security/openssh-portable port from 5.2p1 to 5.6p1
Message-ID:  <201009231950.o8NJo58d055409@freefall.freebsd.org>

The following reply was made to PR ports/150493; it has been noted by GNATS.

From: John Hein <jhein@symmetricom.com>
To: Grzegorz Blach <magik@roorback.net>
Cc: <bug-followup@FreeBSD.org>, ports@freebsd.org
Subject: Re: ports/150493: Update for: security/openssh-portable port from 5.2p1 to 5.6p1
Date: Thu, 23 Sep 2010 13:47:19 -0600

 Grzegorz Blach wrote at 20:00 +0200 on Sep 23, 2010:
  > Thanks for your patches, I'll review them at the weekend,
  > but now I think that the GSSAPI option should be explicitly removed,
  > not marked as broken. On
  > http://www.sxw.org.uk/computing/patches/openssh.html
  > it is noted: "OpenSSH now contains support out of the box for
  > GSSAPI user authentication using the 'gssapi-with-mic' mechanism".
 
 I emailed the gssapi patch maintainer.
 
 From his reply [1], it turns out the "now" is not really "now"
 anymore.  It's "now" as of perhaps 5 years ago.  3.5 doesn't
 have the GSSAPIAuthentication stuff, but 4.3 does, so it was
 added somewhere in between (I didn't bisect any further).
 
 The second paragraph on the web page ("Larger sites...") cites why the
 patch is still useful.
 
 I let Simon know that his latest patch set...
 http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch
 
 ... does not apply cleanly to 5.6p1.
 He may refresh that patch (it's only slightly broken), so I think it
 will be useful to just mark it BROKEN for now.  We can always
 remove it later.
 
 We can even deprecate the option, but right now bsd.ports.mk doesn't
 really support deprecating individual options so just adding some text
 to that effect to the BROKEN string may be the best option I am aware
 of.  I CC'd ports@ - maybe someone there knows of some precedent in this
 area.
 
 Unfortunately, there's really no way of knowing how many people will
 be disappointed if the GSSAPI option disappears.
 
 [1]
 =================================
 From: Simon Wilkinson <simon@sxw.org.uk>
 To: John Hein <jhein@symmetricom.com>
 Subject: Re: gssapi patches for openssh
 Date: Thu, 23 Sep 2010 19:37:06 +0100
 Message-Id: <92C531E6-D12C-4180-BDA3-C0757FF39636@sxw.org.uk>
 
 On 23 Sep 2010, at 19:27, John Hein wrote:
 > For the freebsd port of openssh-portable (about to be updated to
 > openssh 5.6p1), I am trying to determine whether to remove
 > the GSSAPI patch option or perhaps to refresh it for 5.6p1.
 >
 > A couple questions:
 > 
 > - The "now" above refers to which version of OpenSSH?
 >   ("OpenSSH now contains...").
 
 The "now" is OpenSSH for about the last 5 years. OpenSSH includes GSSAPI
 user authentication, but not GSSAPI key exchange. User authentication
 is useful until you have more than 5 or so machines on your site;
 beyond that, virtually every large organisation that I'm aware of with
 Kerberos deployed is using OpenSSH with GSSAPI key exchange.
 
 > - It sounds like there may be some benefit to using
 >   the key exchange part of the patch.  Do you think
 >   someone should try to determine which parts could
 >   still be useful on 5.6p1 or should we just remove
 >   the GSSAPI option altogether?
 
 The patch as given on my website is all applicable to 5.6p1. In
 addition to supporting key exchange it also supports cascading
 credentials upon renewal, which is useful if you have a chain of many
 ssh connections from your desktop machine.
 
 Cheers,
 
 Simon.
 =================================
 
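For readers following the distinction drawn above between GSSAPI user
authentication (in stock OpenSSH) and GSSAPI key exchange (only with the
gsskex patch), here is an added configuration example. It is not part of
this PR, of the port, or of Simon Wilkinson's patch set; the host pattern
and the hostnames are placeholders. Keywords in the first two blocks are
accepted by an unpatched OpenSSH 5.6p1; GSSAPIKeyExchange is only
recognised by a build with the gsskex patch applied.

```sshconfig
# --- ssh_config (client), stock OpenSSH 5.6p1 -------------------------
# 'gssapi-with-mic' user authentication is built in: the user proves
# identity with a Kerberos ticket, but the server's identity is still
# checked through its SSH host key (known_hosts / trust on first use).
Host *.example.org                  # placeholder host pattern
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no    # forward the TGT only where it is needed

# --- sshd_config (server), stock OpenSSH 5.6p1 ------------------------
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes        # remove the delegated cache at logout

# --- gsskex patch only ---------------------------------------------
# With GSSAPI key exchange the server is authenticated through its
# Kerberos host principal during kex, so the client does not have to
# trust an SSH host key at all. An unpatched ssh or sshd rejects this
# keyword as a bad configuration option.
Host *.example.org                  # client side (placeholder pattern)
    GSSAPIKeyExchange yes
# sshd_config, server side:
GSSAPIKeyExchange yes
```

A quick way to tell which build you have is to put the server-side
lines into a scratch file and run `sshd -t -f /path/to/scratch_config`:
a stock sshd stops at the GSSAPIKeyExchange line and reports it as a
bad configuration option, while a patched one validates the file.
Hostnames matter for both mechanisms: the Kerberos host principal is
derived from the name the client connected to, so CNAMEs and short
names that do not resolve to the canonical host name will fail GSSAPI
key exchange even where plain user authentication still works.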