For some hosts one sometimes needs outdated or patched ssh binaries (special Kerberos implementations and such stuff, like at FNAL). This solves that problem: when emerging openssh using the "sshchooser" use flag, the /usr/bin/ssh file will be a script that decides, depending on /etc/ssh-chooser.conf, which ssh binary to call -- depending on the remote site name.
Reproducible: Always
Created attachment 72307: openssh-4.2_p1-r1.ebuild sshchooser use flag
Created attachment 72308: ssh-chooser.conf example
Created attachment 72309: ssh-chooser.sh
see http://omnibus.uni-freiburg.de/~stierm/d0/kerberos_linux_client/ and http://forums.gentoo.org/viewtopic-t-172610-highlight-.html
Comment on attachment 72307: openssh-4.2_p1-r1.ebuild sshchooser use flag
post a *diff*, not the full ebuild
is this 'sshchooser' something you wrote?
> is this 'sshchooser' something you wrote ?
Yes. It is a simple script replacing /usr/bin/ssh (and installed by the openssh ebuild). It uses the contents of /etc/sshchooser.conf to decide which ssh binary to use to connect to a specific host. There is also openssh-krb5 at https://stier.dynu.com/~myportage/net-misc/. The default sshchooser.conf is set up to use that ssh binary to connect to hosts ending with .fnal.gov. It is installed in /opt/ssh-krb5. I don't know the reason why only that old Debian-patched openssh release works with Fermilab Kerberos, but that's how it is. I have used it for over a year in combination with mit-krb5.
Additional note: even sftp in konqueror works like a charm to connect to Fermilab machines using a Kerberos ticket.
Second note: the most recent openssh ebuild on my server also includes a "padlock" use flag: it enables patches to activate support for VIA's PadLock AES hardware acceleration.
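The host-based dispatch described in this report, sketched as an added example; it is not the attached ssh-chooser.sh, whose contents are not shown on this page. The two-column config format, the `/usr/bin/ssh.real` name for the stock binary and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the attachment from this bug.
# Assumed config format, one rule per line, first match wins:
#   <hostname-suffix> <absolute-path-to-ssh-binary>
DEFAULT_SSH=/usr/bin/ssh.real        # hypothetical location of the stock binary
CHOOSER_CONF=/etc/ssh-chooser.conf   # path as named in the report

# Print the remote host: the first non-option word, with any "user@" removed.
extract_host() {
    while [ $# -gt 0 ]; do
        case "$1" in
            # OpenSSH client options that take a separate argument: skip it too
            -[BbcDEeFIiJLlmOopQRSWw]) if [ $# -gt 1 ]; then shift; fi ;;
            -*) ;;   # flags, or options with the value attached (-p2222)
            *) printf '%s\n' "${1##*@}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Print the binary for host $1 according to config file $2.
# Rules naming a relative path or a missing binary are ignored, so a bad
# entry falls back to the stock client instead of running something else.
choose_ssh_binary() {
    host=$1; conf=$2
    if [ -r "$conf" ]; then
        while read -r suffix binary rest; do
            case "$suffix" in ''|'#'*) continue ;; esac
            case "$binary" in /*) ;; *) continue ;; esac
            [ -x "$binary" ] || continue
            case "$host" in
                *"$suffix") printf '%s\n' "$binary"; return 0 ;;
            esac
        done < "$conf"
    fi
    printf '%s\n' "$DEFAULT_SSH"
}

sshchooser_main() {
    host=$(extract_host "$@") || exec "$DEFAULT_SSH" "$@"
    exec "$(choose_ssh_binary "$host" "$CHOOSER_CONF")" "$@"
}

# Dispatch only when installed under the name "ssh".
if [ "${0##*/}" = ssh ]; then sshchooser_main "$@"; fi
```

Because every ssh invocation on the system passes through such a wrapper, the config file and each binary it names should be writable by root only.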
don't really want to modify openssh in this way, sorry