The ebuild of OpenSSH-4.2_p1 in the portage tree doesn't support GSSAPI/Kerberos key exchange properly. I've found a patch on this site: http://www.sxw.org.uk/computing/patches/openssh.html which fixes the problem. Since it's not included in the ebuild I had to create an overlay ebuild to compile it in. After fixing some minor problems with the patch (there are line breaks which cause the compilation to fail due to syntax errors) I've successfully compiled the overlay ebuild. I'm posting this bug report to ask that the specified patch be included in the ebuild of OpenSSH in the portage tree.

Reproducible: Always

Steps to Reproduce:
1. emerge OpenSSH-4.2_p1 with USE flags: kerberos -pam
2. Setup GSSAPI/Kerberos authentication
3. On client, use kinit -f to get a forwardable ticket
4. Try to connect to server.

Actual Results:
I've been asked for password.

Expected Results:
The ticket should have been forwarded to sshd which then should have logged me in without asking for password.

After compiling the ebuild with the patch and USE="kerberos", at least the following settings should be used in /etc/ssh/sshd_config to enable GSSAPI/Kerberos Key Exchange in sshd:

# Kerberos
KerberosAuthentication yes
# GSSAPI
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Created attachment 74741 [details, diff]
This is the FIXED version of the patch mentioned in the bug report.

This is the FIXED (with the problematic line breaks removed) version of the patch file from the site http://www.sxw.org.uk/computing/patches/openssh.html. All that's left to do is to add this patch to the "files" folder of the ebuild and add the line "use kerberos && <patch name>" to the OpenSSH .ebuild file in the src_unpack() function.
Is there any progress regarding this bug report?
I have 0 experience with the GSSAPI/kerberos framework and I don't like overpatching openssh, is there a reason why this is not included upstream? CCing vapier since he might have more insight in this. (sorry for the delay)
This patch appears to fail with USE="X509" (I was also using "smartcard", so that could have been the source of my woes - could someone confirm?), but otherwise functions as stated when applied after all current Gentoo patches. Could we please get this out into the wild? Debian's ssh-krb5 black magic has been a forbidden fruit for us Kerberos nuts...

The reason why this isn't included upstream is because the OpenSSH folks seem to have some kind of religious objection to adding application-specific code into the body of OpenSSH. I can't say I blame them. It SHOULD be possible to do all of this in PAM (I've gotten key delegation to work with a [relatively] unpatched OpenSSH using PPK authentication - try setting "GSSAPIDelegateCredentials on" for the host entries you want in /etc/ssh/ssh_config), but managing the KRB5CCNAME and other variables across multiple PAGs on different machines is extremely tricky...

On a side note, "KerberosAuthentication yes" shouldn't be necessary. IIRC, that's for server-side Kerberos validation of passwords sent across the wire. If you already have credentials, it is ignored... Unless the reason for putting it there was because of USE="-pam", which is also not necessary to get GSSAPI credential delegation working.

It appears that a more recent version of this patch may be obtained from http://www.sxw.org.uk/computing/patches/openssh.html .

A tip: make sure your .k5login files are correct! This one cost me a lot of time... Each file should contain a newline-separated list of principals (with realms attached) that are authorized to log in as a given user.
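The two configuration points raised so far in this thread (the GSSAPI directives the reporter lists for /etc/ssh/sshd_config, and the realm-qualified principals that belong in a .k5login file) are easy to get subtly wrong. The following script is an added example, not something posted in this bug or shipped with OpenSSH or the sxw.org.uk patch. It parses an sshd_config the way sshd reads it (first occurrence of a directive wins, keys are case-insensitive, Match blocks are not modelled), reports which of GSSAPIAuthentication/GSSAPIKeyExchange are missing or not set to yes, and flags .k5login entries that lack a realm. The sample config and .k5login contents are constructed for the example; the PRINCIPAL_RE pattern is an assumption that covers name@REALM and name/instance@REALM and is not a full Kerberos principal grammar.

```python
"""Sanity checks for a GSSAPI/Kerberos-enabled sshd (added example, not from
the bug thread).  Two checks:

1. parse sshd_config text and confirm the GSSAPI directives named in the
   report (GSSAPIAuthentication, GSSAPIKeyExchange) are switched on;
2. validate ~/.k5login text: every non-blank line must be a principal with
   a realm attached (name@REALM), as the later comment in the thread notes.
"""
import re

# Directives the bug report says sshd needs for GSSAPI key exchange.
REQUIRED_GSSAPI = {"GSSAPIAuthentication": "yes", "GSSAPIKeyExchange": "yes"}

# Assumed principal shape: component(/component)* '@' REALM.  This is an
# example pattern, not the full Kerberos principal grammar.
PRINCIPAL_RE = re.compile(r"^[^@\s/]+(?:/[^@\s/]+)*@[A-Za-z0-9.\-]+$")


def parse_sshd_config(text):
    """Return {directive_lowercase: value} from sshd_config text.

    Comments (# ...) and blank lines are dropped.  sshd keeps the first
    value it sees for a directive, so later duplicates are ignored here
    too.  Keys are lower-cased because sshd matches them case-insensitively.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        directives.setdefault(key, value)
    return directives


def missing_gssapi_settings(text):
    """Return the required directives that are absent or not set to 'yes'."""
    cfg = parse_sshd_config(text)
    missing = []
    for name, wanted in REQUIRED_GSSAPI.items():
        if cfg.get(name.lower(), "").lower() != wanted:
            missing.append(name)
    return missing


def invalid_k5login_entries(text):
    """Return (line_number, entry) for lines that are not realm-qualified principals."""
    bad = []
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if not PRINCIPAL_RE.match(entry):
            bad.append((n, entry))
    return bad


# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# Kerberos
KerberosAuthentication yes
# GSSAPI
GSSAPIAuthentication yes
GSSAPIKeyExchange no
"""

SAMPLE_K5LOGIN = """\
alice@EXAMPLE.COM
bob/admin@EXAMPLE.COM
carol
"""

if __name__ == "__main__":
    print("sshd_config directives to fix:", missing_gssapi_settings(SAMPLE_SSHD_CONFIG))
    print("bad .k5login entries:", invalid_k5login_entries(SAMPLE_K5LOGIN))
```

On the constructed samples the script reports GSSAPIKeyExchange as the directive still needing attention and flags the bare entry "carol" on line 3 of the .k5login, which is exactly the class of mistake the tip above warns about: a principal without a realm never matches, so the user silently falls back to a password prompt.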
Kerberos support in openssh was always "unsupported". As there was never a dedicated developer of the kerberos code, some two or three years ago the kerberos code has been completely ripped out. Somewhere in the Changelog I think was stated something like "unless fully tested and supported". Simply, people make and release their own patches on the web. You should accept it for us. Or make the epatch run only when kerberos flag is set. ;)

BTW, someone should pick up these patches:
- djm@cvs.openbsd.org 2006/03/20 04:07:22 [auth2-gss.c] GSSAPI related leaks detected by Coverity via elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
- djm@cvs.openbsd.org 2006/03/20 04:07:49 [gss-genr.c] more GSSAPI related leaks detected by Coverity via elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
- djm@cvs.openbsd.org 2006/03/20 04:08:18 [gss-serv.c] last lot of GSSAPI related leaks detected by Coverity via elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok

Regarding the proposed patch, the following snippet from the webpage is for me personally the best marking:

"Acknowledgements
Fixes and suggestions have been provided by Jeffrey Altman, Jim Basney, Derrick J Brashear, Chris Chiappa, Nalin Dahyabhai, Douglas E Engert, Bill Fithen, Sam Hartman, John Hawkinson, Karsten Huneycutt, John Kilburg, Daniel Kouril, David Leonard, Dan Russell, Vern Staats, Von Welch and Nicolas Williams."

See also bug #132243.
*** Bug 134973 has been marked as a duplicate of this bug. ***
Can we please get this patch integrated in the ebuild? We are using this feature extensively in our infrastructure. Currently I've rolled my own addition to the Gentoo ebuild to support this feature. It would be good to have it officially in the distribution, even if it had to be enabled with a use flag. Apple has included this patch in their shipping versions of OS X, so I believe that even though it's not yet integrated in to OpenSSH proper it is fairly stable. You can get the current version of the patch (for 4.7p1) here: http://www.sxw.org.uk/computing/patches/openssh.html
Created attachment 145176 [details, diff] Latest patch against openssh-4.7p1
Created attachment 145178 [details, diff]
Patch against openssh-4.7_p1-r4 ebuild

Here's a patch to the ebuild which will add in the key exchange patch. The previous GSSAPI patch appears to be unnecessary as it is incorporated in to this one.
added to openssh-4.7_p1-r5
We use GSSAPI KeyExchange in our sshd and it is annoying to have to tell gentoo users who want to connect to our site that they have to downgrade before they can do so. I know that there is no patch for 5.2 yet so I ported Simon's patch to 5.2 and have it available here: http://www.stacken.kth.se/~haba/openssh-5.2p1-gsskex-20090610.patch Simon says there will be an official better patch later this week (2009-07-04 that would be). Please keep an eye on http://www.sxw.org.uk/computing/patches/ and if a new patch does not surface by the end of the week decide if you want to nag Simon or verify my patch instead. Thanks, Harald.
As support for KeyExchange is _not_ in 5.2, I'd like to reopen this bug instead of creating a new one.
then again, relying on custom patchsets doesn't seem like a terribly grand idea either ... considering you're the one interested in the patch, why don't you keep tabs on it and let us know when it gets updated
Patch for 5.2p1 finally available from the usual place: http://www.sxw.org.uk/computing/patches/openssh.html
This patch is essential to be able to use local infrastructure for me, just as for Kamil, and I can easily guess, a lot of other people world wide. Can someone please include the patch?! This issue is definitely not "resolved fixed".
the answer hasn't changed: get the upstream site to update their patches. we aren't going to develop/port these random patches.