324903 – net-ftp/proftpd - Using kerberos results in blockers between various ebuilds depending on app-crypt/heimdal or app-crypt/mit-krb5

Bug 324903 - net-ftp/proftpd - Using kerberos results in blockers between various ebuilds depending on app-crypt/heimdal or app-crypt/mit-krb5

Summary: net-ftp/proftpd - Using kerberos results in blockers between various ebuilds ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo's FTP Packages Maintainers

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-06-21 07:35 UTC by Alex Buell
Modified:	2010-06-23 13:36 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Buell 2010-06-21 07:35:12 UTC

Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect
of putting a blocker on apps that uses heimdal. 

equery d heimdal
[ Searching for packages depending on heimdal... ]
net-ftp/proftpd-1.3.2d (kerberos? app-crypt/heimdal)
net-nds/openldap-2.4.19-r1 (!minimal & smbkrb5passwd? app-crypt/heimdal)

This really needs sorting out as I use kerberos as one of my USE flags!

# equery d mit-krb5
[ Searching for packages depending on mit-krb5... ]
dev-lang/php-5.2.13 (kerberos? virtual/krb5)
dev-libs/cyrus-sasl-2.1.23-r1 (kerberos? virtual/krb5)
dev-libs/openssl-0.9.8o (kerberos? app-crypt/mit-krb5)
dev-perl/GSSAPI-0.24 (virtual/krb5)
dev-util/cvs-1.12.12-r6 (kerberos? virtual/krb5)
gnome-base/gnome-vfs-2.24.3-r1 (kerberos? virtual/krb5)
gnome-extra/evolution-data-server-2.28.3.1-r1 (kerberos? virtual/krb5)
                                              (krb4? app-crypt/mit-krb5[krb4])
mail-client/evolution-2.28.3.1 (kerberos? virtual/krb5)
                               (krb4? app-crypt/mit-krb5[krb4])
net-fs/nfs-utils-1.1.4-r1 (!nonfsv4 & kerberos? app-crypt/mit-krb5)
net-fs/samba-3.4.6 (ads? virtual/krb5)
net-ftp/proftpd-1.3.2d (kerberos? <app-crypt/mit-krb5-1.7)
net-im/pidgin-2.6.6 (zephyr? >=app-crypt/mit-krb5-1.3.6-r1[krb4])
net-mail/fetchmail-6.3.17 (kerberos? virtual/krb5)
net-misc/curl-7.20.0-r2 (kerberos? virtual/krb5)
net-misc/neon-0.29.3 (kerberos? virtual/krb5)
net-misc/openssh-5.3_p1-r1 (kerberos? virtual/krb5)
net-nds/openldap-2.4.19-r1 (!minimal & kerberos? virtual/krb5)
net-print/cups-1.3.11-r1 (kerberos? virtual/krb5)

Changing from proftpd to netkit-ftpd solved the problem for me but this shouldn't happen. 

Splitting the kerberos USE flag into kerberos-mit and kerberos-heimdal might solve the problem of depending on these two libraries?

Comment 1 Eray Aslan gentoo-dev

2010-06-21 14:45:45 UTC

(In reply to comment #0)
> Changing from proftpd to netkit-ftpd solved the problem for me but this
> shouldn't happen. 

proftpd is the culprit.  des and krb4 is not considered secure anymore and is off by default in later versions of mit-krb5.  proftpd configure script should not assume that it can link against des425 anymore.

Following patch should work:

Jun 21 14:10:38 mod_auth_gss/1.3.3[8173]: GSSAPI-UPENN User client_name.value: testuser@CAF.COM.TR cmd->argv[0]: testuser.
Jun 21 14:10:38 mod_auth_gss/1.3.3[8173]: GSSAPI-UPENN User testuser@CAF.COM.TR is authorized as testuser.
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - USER testuser: Authenticated without password
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - Preparing to chroot to directory '/tmp'
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - USER testuser: Login successful.

@net-ftp herd:
You will need to decide on the suitability of the patch for general consumption as I do not use ftp and can't do much of a test.


--- proftpd-1.3.3.ebuild        2010-06-17 21:08:16.000000000 +0000
+++ proftpd-1.3.3-r1.ebuild     2010-06-21 14:17:25.000000000 +0000
@@ -31,7 +31,7 @@
 DEPEND="acl? ( sys-apps/acl sys-apps/attr )
        caps? ( sys-libs/libcap )
        clamav? ( app-antivirus/clamav )
-       kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
+       kerberos? ( virtual/krb5 )
        ldap? ( net-nds/openldap )
        mysql? ( virtual/mysql )
        ncurses? ( sys-libs/ncurses )
@@ -85,6 +85,15 @@
        # Manipulate build system
        sed -i -e "s/utils install-conf install/utils install/g" Makefile.in
        sed -i -e "s/ @INSTALL_STRIP@//g" Make.rules.in
+
+       if use kerberos ; then
+               if has_version app-crypt/mit-krb5 ; then
+                       cd "${WORKDIR}"/mod_gss-${GSS_VER} || die "cd failed"
+                       sed -i -e '/ac_gss_libs/s/\-ldes425\ //' configure{,.in} || \
+                       die "sed failed"
+               fi
+       fi
+
 }

 src_configure() {
@@ -102,7 +111,7 @@
        use exec && mym="${mym}:mod_exec"
        if use kerberos ; then
                cd "${WORKDIR}"/mod_gss-${GSS_VER}
-               if has_version <app-crypt/mit-krb5-1.7 ; then
+               if has_version app-crypt/mit-krb5 ; then
                        econf --enable-mit
                else
                        econf --enable-heimdal

Comment 2 Alex Buell 2010-06-21 16:00:26 UTC

Patch looks good, should go into proftpd ebuild for unstable testing.

Comment 3 Bernard Cafarelli gentoo-dev

2010-06-23 13:36:42 UTC

Thanks both of you for the report and the patch!

I've just added 1.3.3-r1 in CVS, with an adapted patch from this one. This will be the next version to be marked stable (if all goes fine)