Bug 795135 - net-misc/openssh: Please add support KRB5CCNAME=KCM:
Summary: net-misc/openssh: Please add support KRB5CCNAME=KCM:
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-09 20:54 UTC by Joakim Tjernlund
Modified: 2023-11-21 22:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Makes KCM: work for openssh (0001-Description-Improve-ccache-handling-in-openssh.patch,19.16 KB, patch)
2023-11-10 17:01 UTC, Joakim Tjernlund

Description Joakim Tjernlund 2021-06-09 20:54:04 UTC
RH patches openssh to support KRB5CCNAME=KCM: (KCM = Kerberos Cache Manager), which is implemented in sssd.

Info and patch can be found via https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Comment 1 Patrick McLean gentoo-dev 2021-06-09 21:30:20 UTC
We are already maintaining quite a large number of patches for OpenSSH. Ideally, we would prefer to wait for upstream to accept this patch to reduce the workload on developers.

Generally we are ahead of other distros in OpenSSH bumps, so we usually end up doing the patch updating work ourselves when a new release comes out.
Comment 2 Joakim Tjernlund 2021-06-10 07:36:14 UTC
I see, getting this upstream is a slow process though. Seems like there must be some consensus on how to proceed first.

For me KCM is not of much use until openssh can use it.
Comment 3 Patrick McLean gentoo-dev 2021-06-16 18:48:56 UTC
(In reply to Joakim Tjernlund from comment #2)
> I see, getting this upstream is a slow process though. Seem like there must
> be some consensus how to proceed first.
> 
> For me KCM is not of much use until openssh can use it.

It is fully possible to carry the patch locally by dropping it in /etc/portage/patches/net-misc/openssh
Comment 4 Joakim Tjernlund 2021-06-17 21:08:55 UTC
(In reply to Patrick McLean from comment #3)
> (In reply to Joakim Tjernlund from comment #2)
> > I see, getting this upstream is a slow process though. Seem like there must
> > be some consensus how to proceed first.
> > 
> > For me KCM is not of much use until openssh can use it.
> 
> It is fully possible to carry the patch locally by dropping it in
> /etc/portage/patches/net-misc/openssh

I tested that but the patch did not apply, didn't check further.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-17 21:13:40 UTC
(In reply to Joakim Tjernlund from comment #4)
> (In reply to Patrick McLean from comment #3)
> > (In reply to Joakim Tjernlund from comment #2)
> > > I see, getting this upstream is a slow process though. Seem like there must
> > > be some consensus how to proceed first.
> > > 
> > > For me KCM is not of much use until openssh can use it.
> > 
> > It is fully possible to carry the patch locally by dropping it in
> > /etc/portage/patches/net-misc/openssh
> 
> I tested that but the patch did not apply, didn't check further.

So what were we supposed to do? :)
Comment 6 Patrick McLean gentoo-dev 2021-06-17 21:16:38 UTC
That is not unexpected, the patch will need to be modified to apply correctly against the version (and USE flag combination) of OpenSSH you are installing.

This is generally the case with every applied patch for each new version of OpenSSH, which is why we are reluctant to add more patches as this work gets added to the work that needs doing for every new release of OpenSSH.
Comment 7 Joakim Tjernlund 2021-07-11 19:46:04 UTC
For other people looking at KCM, there is a simple workaround: in /etc/security/pam_env.conf add:
KRB5CCNAME	DEFAULT="KCM:"
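To see what a pam_env.conf line like the one above actually does to a session's environment, here is an added example that is not part of the bug report or of openssh/sssd: a small resolver for the pam_env.conf(5) line format (`VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]`, where OVERRIDE wins when it expands to a non-empty string, `${VAR}` references the existing environment, `@{HOME}`/`@{SHELL}` come from PAM, and a variable whose value ends up empty is removed). The sample configuration and starting environment are constructed for the demonstration; backslash line continuation is not handled.

```python
"""Resolve the environment pam_env would build from pam_env.conf lines.

Added example (not from the bug report). Implements the documented
pam_env.conf(5) line format; line continuation with '\\' is not supported.
"""
import re
import shlex
from typing import Dict, Iterable, Optional, Tuple

# ${VAR} is expanded from the environment, @{HOME}/@{SHELL} from PAM items.
_ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
_PAM_REF = re.compile(r"@\{(HOME|SHELL)\}")


def expand(value: str, env: Dict[str, str], pam_items: Dict[str, str]) -> str:
    """Substitute @{...} and ${...} references; unknown names become empty."""
    value = _PAM_REF.sub(lambda m: pam_items.get(m.group(1), ""), value)
    return _ENV_REF.sub(lambda m: env.get(m.group(1), ""), value)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (name, default, override) or None for blank/comment lines."""
    # shlex handles the double-quoted values ("KCM:") and '#' comments,
    # and splits on any whitespace, so the tab in the workaround line is fine.
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    name, default, override = tokens[0], "", ""
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or key not in ("DEFAULT", "OVERRIDE"):
            raise ValueError(f"malformed pam_env.conf entry: {line!r}")
        if key == "DEFAULT":
            default = val
        else:
            override = val
    return name, default, override


def resolve(lines: Iterable[str], env: Optional[Dict[str, str]] = None,
            pam_items: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Apply pam_env.conf lines in order to a copy of env and return it."""
    env = dict(env or {})
    pam_items = dict(pam_items or {})
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        name, default, override = parsed
        # OVERRIDE takes precedence only if it expands to something non-empty.
        value = expand(override, env, pam_items) or expand(default, env, pam_items)
        if value:
            env[name] = value
        else:
            env.pop(name, None)  # both empty: pam_env unsets the variable
    return env


# Constructed sample configuration (not a real file); the KRB5CCNAME line
# is the workaround from the comment above.
SAMPLE_CONF = [
    "# constructed sample pam_env.conf",
    'KRB5CCNAME\tDEFAULT="KCM:"',
    "PATH DEFAULT=${PATH}:/usr/local/bin",
    "EDITOR DEFAULT=vi OVERRIDE=${EDITOR}",
    "TMP DEFAULT= OVERRIDE=",
]


def demo() -> Dict[str, str]:
    """Resolve SAMPLE_CONF against a constructed login environment."""
    return resolve(SAMPLE_CONF,
                   env={"PATH": "/usr/bin", "TMP": "/tmp"},
                   pam_items={"HOME": "/home/alice", "SHELL": "/bin/sh"})


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}={val}")
```

Running it shows KRB5CCNAME resolving to `KCM:` for every login that goes through pam_env, which is why the workaround makes ssh pick up the KCM cache without any openssh patch: the GSSAPI library reads the variable from the process environment. Checking the resolved environment this way before deploying a pam_env.conf change avoids the usual surprise of an OVERRIDE silently winning or a variable being unset because both values expanded to empty.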
Comment 8 Joakim Tjernlund 2023-11-10 16:59:59 UTC
From this I found KCM becoming more popular:
https://github.com/openssh-gsskex/openssh-gsskex/issues/24#issuecomment-1768955946

leading to
https://git.launchpad.net/~canonical-server/ubuntu/+source/openssh/tree/debian/gssapi-unique-patches?h=openssh-split-unique-gssapi

Trying those patches failed though; Gentoo seems vastly different from anyone else.
Why is that?

Anyhow, I backported gssapi-new-unique.patch and it seems to work for me; attaching the patch.
Comment 9 Joakim Tjernlund 2023-11-10 17:01:25 UTC
Created attachment 874478 [details, diff]
Makes KCM: work for openssh
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-10 17:05:12 UTC
Redhat applies a very large patchset to OpenSSH.
Comment 11 Joakim Tjernlund 2023-11-10 17:21:50 UTC
(In reply to Sam James from comment #10)
> Redhat applies a very large patchset to OpenSSH.

So, it seems, do Debian and Ubuntu.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-10 17:23:30 UTC
Yep. Debian applies a similar but different large GSS patch. Please send the patch upstream if you want it in Gentoo.
Comment 13 Joakim Tjernlund 2023-11-11 14:22:24 UTC
(In reply to Sam James from comment #12)
> Yep. Debian applies a similar but different large GSS patch. Please send the
> patch upstream if you want it in Gentoo.

Redhat already sent it upstream long ago; I don't know why it has not been accepted
yet, but I do think upstream moves very slowly sometimes.

I am thinking that if Redhat, Debian and Ubuntu carry this patch, then maybe Gentoo can too?
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-11 15:27:37 UTC
We really don't want to get back into the game of applying various non-upstream patches for OpenSSH which require regular rebasing.

Maybe bring it up on their ML if you're wondering why the bug hasn't gone anywhere.
Comment 15 Joakim Tjernlund 2023-11-11 18:27:13 UTC
(In reply to Sam James from comment #14)
> We really don't want to get back into the game of applying various
> non-upstream patches for OpenSSH which require regular rebasing.
> 
> Maybe bring it up on their ML if you're wondering why the bug hasn't gone
> anywhere.

That is a lost cause, as RH already did that. It seems upstream is hard to
work with, as most, if not all, distributions carry patches.
That is an indication that it is unavoidable if you want to offer a modern
openssh.

If your policy is to reject patches that aren't upstream there isn't anything
more I can do.